General Information

Analysis ID: 42374
Start time: 12:01:24
Start date: 03/04/2014 (day/month/year, i.e. 3 April 2014; the packet timestamps further down are dated Apr 3, 2014 and the sample's compile timestamp is 1 April 2014)
Overall analysis duration: 0h 5m 4s
Report type: full
Sample file name: Internal.scr
Cookbook file name: default.jbs
Analysis system description: XP SP3 (Office 2003 SP2, Java 1.6.0, Acrobat Reader 9.3.4, Internet Explorer 8)
Number of new started processes analysed: 5
Number of new started drivers analysed: 2
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 3
HCA (Hybrid Code Analysis) enabled: true
HCA success:
  • true, ratio: 92%
  • Number of executed functions: 214
  • Number of non-executed functions: 1557
Warnings:
  • Report size getting too big, too many NtMapViewOfSection calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.


Detection



Signature Overview

Signatures phrased "Contains functionality to ..." are derived from code found in the binaries (including functions that were never executed), whereas the remaining signatures describe behaviour observed at run time; weight the two kinds accordingly when triaging.

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Hooks clipboard functions (used to sniff clipboard data)

E-Banking Fraud:

Hooks Winsock functions (used for sniffing or altering network traffic)

Networking:

Contains functionality to download additional files from the internet
Downloads files
URLs found in memory or binary data
Downloads files from web servers via HTTP
Performs DNS lookups
Posts data to a web server
HTTP GET or POST without a user agent
Uses a known web browser user agent for HTTP communication

Boot Survival:

Contains functionality to start Windows services
Creates an autostart registry key
Creates or modifies Windows services
Modifies existing Windows services
Monitors registry run keys for changes

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connections (possibly a backdoor)
Opens a port and listens for incoming connections (possibly a backdoor)

Persistence and Installation Behavior:

Drops PE files
Drops PE files to the Windows directory (C:\Windows)

Data Obfuscation:

Binary may include packed or encrypted data
Contains functionality to dynamically determine API calls
PE file contains an invalid checksum

Spreading:

Contains functionality to enumerate / list files inside a directory

System Summary:

Binary contains paths to debug symbols
Contains functionality to access the Windows certificate store
Contains functionality to adjust token privileges (e.g. debug / backup)
Contains functionality to check free disk space
Contains functionality to enumerate processes or threads
Creates files inside the user directory
Creates temporary files
Executes batch files
Reads ini files
Spawns processes
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to launch a process as a different user
Contains functionality to shut down / reboot the system
Creates driver files
Creates files inside the driver directory
Creates files inside the system directory
Creates mutexes
Enables driver privileges
Reads the hosts file
Spawns drivers
Tries to load missing DLLs

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to add an ACL to a security descriptor
Contains functionality to create a new security descriptor
Contains functionality to inject threads into other processes
Contains functionality to launch a program with higher privileges
May try to detect the Windows Explorer process (often used for injection)
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Contains functionality to write to remote processes
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign process
Writes to foreign memory regions

Anti Debugging:

Contains functionality to query system information
Contains functionality to register its own exception handler
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Creates guard pages, often used to prevent reverse engineering and debugging
Found dropped PE file which has not been started or loaded

Virtual Machine Detection:

Contains functionality to enumerate / list files inside a directory
Contains functionality to query system information
Queries a list of all running processes

Hooking and other Techniques for Stealth and Protection:

Creates PE files with a name already existing in Windows
Extensive use of GetProcAddress (often used to hide API calls)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Deletes itself after installation
Hooks process query functions (used to hide processes)
Icon mismatch: uses an icon from a different legitimate application in order to fool users
Modifies the prologue of user-mode functions (user-mode inline hooks)
Modifies the system service dispatch table (places SSDT hooks)
Registers kernel notifiers (kernel callbacks)

Lowering of HIPS / PFW / Operating System Security Settings:

May initialize a NULL security descriptor
Modifies the Windows firewall

Language, Device and Operating System Detection:

Contains functionality to query local / system time
Contains functionality to query the account / user name
Contains functionality to query time zone information
Contains functionality to query the Windows version
Queries the cryptographic machine GUID
Queries the installation date of Windows
Queries the product ID of Windows
Queries the volume information (name, serial number etc.) of a device

Startup

  • system is xp
  • Internal.scr (PID: 1988 MD5: C05D7F1CFF16C7AF9B9D3B6F79CE7A02)
    • update.exe (PID: 1524 MD5: 917E21271D4C01B35A881246D8116DEF)
      • winsec.exe (PID: 496 MD5: 25ECDFFA169BEC23946F99782C5455D8)
        • uqny.exe (PID: 244 MD5: 3740968E82FE178B7A18C9673F42E870)
          • 10a0d.sys (PID: 4 MD5: A2F2B24BD6FA13095C319F7F61C21D2F)
          • explorer.exe (PID: 1564 MD5: 12896823FB95BFB3DC9B46BCAEDC9923)
          • ctfmon.exe (PID: 1768 MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3)
          • wscntfy.exe (PID: 1796 MD5: F92E1076C42FCD6DB3D72D8CFE9816D5)
        • cmd.exe (PID: 3600 cmdline: C:\WINDOWS\system32\cmd.exe /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\QSOFCB0.bat MD5: 6D778E0F95447E6546553EEEA709D03C)
  • cleanup

Created / dropped Files

File path, followed by type and hashes (MD5, SHA-1 labelled "SHA", SHA-256, SHA-512):
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Cab1.tmp
  • Type: Microsoft Cabinet archive data, 47186 bytes, 1 file
  • MD5: F581048AA8697DA74A9BE736B6035542
  • SHA: 9EA06E2F446782EA60D685520FC38891FB6B8332
  • SHA-256: 8A2B17AC9DCC076AB307854E79854F7906C68A50C8865B289F848341D90750A8
  • SHA-512: E24BB92B27FD97A6409DE096714EE59FAB6B82A5BB72E1DBE92EA7E97324ABD6C64C8584C62E2AC9830700461F05014210B9FC148AB01ECE178DCEA1F0A2D546
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Cab3.tmp
  • Type: Microsoft Cabinet archive data, 47186 bytes, 1 file
  • MD5: F581048AA8697DA74A9BE736B6035542
  • SHA: 9EA06E2F446782EA60D685520FC38891FB6B8332
  • SHA-256: 8A2B17AC9DCC076AB307854E79854F7906C68A50C8865B289F848341D90750A8
  • SHA-512: E24BB92B27FD97A6409DE096714EE59FAB6B82A5BB72E1DBE92EA7E97324ABD6C64C8584C62E2AC9830700461F05014210B9FC148AB01ECE178DCEA1F0A2D546
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Cab5.tmp
  • Type: Microsoft Cabinet archive data, 54007 bytes, 1 file
  • MD5: F44363D23CD082C1A99EB91D33E1C927
  • SHA: DB88A832074CF222B498EEF018E2B4A056456F93
  • SHA-256: 9A81FE41D5360C40F4B51DA948A2E2741C63E37E4713E8D99346372A626D318F
  • SHA-512: 7185229E0D282E551E3B304BDD9F968F42F779697DDE45BA9B33D7EF8DB54632DB7173547602730BB86A2B8BD512A9CB69E3A936FF1F14AAA20BE7694A7FB4DD
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\QSOFCB0.bat
  • Type: DOS batch file text
  • MD5: 15BC944C2EF288A79DCFABF6141DDE16
  • SHA: 7E4E15D0A06ACC3FE652452FD3A6A793F2A9A2C0
  • SHA-256: F4BBD361B2FD83C13B0C677FAF52F61E815F09F03D3B06654BFFF95EE89CA637
  • SHA-512: B5DFAFEF403F1661A6323A89D100B87AD6BD058FA87E5B4E9135CA422480D2B57D6495102CEC2454E9593662793112F435C7234FEDA30C96A3DB506BCDCB061C
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Tar2.tmp
  • Type: data
  • MD5: EF9FB765C2D58205E6DCB7BC9B1ED954
  • SHA: AD09FD6B5F537A5ED6654B5AA3C0B84A9107BB7B
  • SHA-256: 0CB216D73402ACE7B2F15F2F7D0D81A464EFC2732EDB001FA6F9A28EAF972BB4
  • SHA-512: E1D552D75996BDEB625BC70FBA6880EA5A6C9D780AFB328228F97418B54F377B37DC4EECAE95A346FAB610B3EBFFB8B85FC986BFA5B602ABEE381DE70AB3BA2F
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Tar4.tmp
  • Type: data
  • MD5: EF9FB765C2D58205E6DCB7BC9B1ED954
  • SHA: AD09FD6B5F537A5ED6654B5AA3C0B84A9107BB7B
  • SHA-256: 0CB216D73402ACE7B2F15F2F7D0D81A464EFC2732EDB001FA6F9A28EAF972BB4
  • SHA-512: E1D552D75996BDEB625BC70FBA6880EA5A6C9D780AFB328228F97418B54F377B37DC4EECAE95A346FAB610B3EBFFB8B85FC986BFA5B602ABEE381DE70AB3BA2F
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Tar6.tmp
  • Type: data
  • MD5: 1941F2EC5BFCE446FE607ACDC513FF25
  • SHA: A4935CFCC137B2056CE7BE35DC6BE98B7A77F21C
  • SHA-256: 5D1789C00B84CEC79E1653C3E74BA8E4068B8A943E4587D81D93B1B38F90660F
  • SHA-512: 23669BBCFD9CFA57B7FD5264F88EA837B53C07F4CC15FA80B7D9F2D746988506762FF269D6D35D7E835130DF7606C23C34B9C311F4532661B679CC4774DE5107
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\update.exe
  • Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
  • MD5: 917E21271D4C01B35A881246D8116DEF
  • SHA: 81CB74E3C202EBACF804BADC5DAB7B9252669B43
  • SHA-256: DDE937ABDEB4AFDFB1E1C04F6B5A93B70EF7D11D9A7EC2093E7AAC5275E33F61
  • SHA-512: 9992EFE09D25DFDE93DC3CB8C42AEBE819B6F2385A22C7CF43965489FF6050AFB9AE2A46EFCB71B3F68AAA070BB732272DC234CE3247BC6AF1FC709305E9F748
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winsec.exe
  • Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
  • MD5: 25ECDFFA169BEC23946F99782C5455D8
  • SHA: 5F5BB611EED1B024D7E8EE9D1B6D5D43BC678EAF
  • SHA-256: D86DD56DE7D725F83E038CA6B9D442142682A1DF819E696DE0041AD54453465C
  • SHA-512: DC14A7F91DCDCC18E8259F5D154035AE88F8F2B5EBE2F20DFAD305D37BAECAA77CED983816215DB85304371FA6D7BD6ADF48A3C8BD704C08DEFD4100E2E478E7
C:\Documents and Settings\Administrator\Application Data\Microsoft\Address Book\Administrator.wab
  • Type: data
  • MD5: 02962AB958FD8410CA1B04F6E17678D4
  • SHA: FCA7F88477EC587D7DB697D0304B2CD4C866589E
  • SHA-256: FFCDD9AB874B1D78AC8ADD26AF64C4F30F5D15FCC95313E5D4AA8779A50EB142
  • SHA-512: 19866C137DC835737C3E50A0168BD6FA254496147DB6A7003C2319EDF02733D64D19C1479B6B035D8C6BBC3D13A1A80E287829960CAB4544CFC79A3A7A2C4678
C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004
  • Type: ASCII text, with no line terminators
  • MD5: FB5EFCBD715B1546755E7410C95FD41E
  • SHA: EB9D0CA3F0C6CC3BB5F41EBCBCDE73FEA88401AF
  • SHA-256: D03C9DC857923C64DF17152258A83B1BA27E83793461469A5CCB7DE4CAC0FE6D
  • SHA-512: 876CD1D06071E16E33D30F00FD62D5154C4C0DD3328C8D88C0C662E6A3ECA8B8DC86DEC365B54E5AB5329AB104635856490E2B60F5872D6FD86C29B39E32BC6E
C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  • Type: Microsoft Cabinet archive data, 54007 bytes, 1 file
  • MD5: F44363D23CD082C1A99EB91D33E1C927
  • SHA: DB88A832074CF222B498EEF018E2B4A056456F93
  • SHA-256: 9A81FE41D5360C40F4B51DA948A2E2741C63E37E4713E8D99346372A626D318F
  • SHA-512: 7185229E0D282E551E3B304BDD9F968F42F779697DDE45BA9B33D7EF8DB54632DB7173547602730BB86A2B8BD512A9CB69E3A936FF1F14AAA20BE7694A7FB4DD
C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004
  • Type: data
  • MD5: 092ABC6642BC403D96F996375BB0E51A
  • SHA: CCED376AD13FC85EAB1129921AB970A450EDC4D9
  • SHA-256: 22C1B71E71A8B9D5C6026EB95EF101F1FCB5B497EED14A9A671EE6E4A9AD4BDF
  • SHA-512: BD960B3215EC100200209DE35C07DD5D710C638F64EA8E0422FF25ECF79A7B04E5122F2AAE45B376B3BFF63E556B4E16885457E28E8814E82318E9B82684DFEA
C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  • Type: data
  • MD5: 972ADE0F741909A70011759F58C04674
  • SHA: 8313E6397EB1801A63B2EB0E07132DF2B9ECD74A
  • SHA-256: D464EE3FDE40EE71150E501489D26B8A8FD580505D19F637B101FFC35AA8B387
  • SHA-512: F9EE718EFF3AC988408ACFD32BBCFBFAA29A54B8E9F52DE2CD22E6E6719E55A4FD8C47C10990BCEDD8C7F34E50A1C73907B6B3031BD0B04E1F2EE61133B87850
C:\Documents and Settings\Administrator\Local Settings\Temp\Zekyn\uqny.exe
  • Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
  • MD5: 3740968E82FE178B7A18C9673F42E870
  • SHA: C9689BFE6FB6710B0F0D6465F3F263985151FB8A
  • SHA-256: 4C13D97781D1C2F65306355CA339C3CE7D9539B16B69C4B5CB84FF6B0EF35071
  • SHA-512: 0478AE6781C9F822D9F2E1BBB7E7BD13CB8288BAC1263781ADCBC2FD50389F8E8FD9C777E511669B08CFF23DD6E6FBEBC137E7A940C362B541E1FA942A60E6EB
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\RC9GAWT2\0104AUm[1].exe
  • Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
  • MD5: 25ECDFFA169BEC23946F99782C5455D8
  • SHA: 5F5BB611EED1B024D7E8EE9D1B6D5D43BC678EAF
  • SHA-256: D86DD56DE7D725F83E038CA6B9D442142682A1DF819E696DE0041AD54453465C
  • SHA-512: DC14A7F91DCDCC18E8259F5D154035AE88F8F2B5EBE2F20DFAD305D37BAECAA77CED983816215DB85304371FA6D7BD6ADF48A3C8BD704C08DEFD4100E2E478E7
C:\WINDOWS\system32\drivers\10a0d.sys
  • Type: PE32 executable for MS Windows (native) Intel 80386 32-bit
  • MD5: A2F2B24BD6FA13095C319F7F61C21D2F
  • SHA: 38169E6DCC43A7831D1E995D87686AA26D6D4F46
  • SHA-256: F1473D776BCA32DF38F449B5E4E82BDC58825AABF5B5AB03F02E0B3CAAF2A661
  • SHA-512: 28DF947227F3ED6E4E5D474DE7CF4F36FF0F7070B8B0D8E180A4C6B370E4FB3185C1CFDB5A74438A61D99721C4C2255B2B48EFDB44275B1CB45E03D2C3539687
\ROUTER
  • Type: GLS_BINARY_LSB_FIRST
  • MD5: BB03B9FAD108A5ED6DB4E34DB8436349
  • SHA: 0C781135C068643B239C34ABECB5F64F68A53828
  • SHA-256: 834E35A3763FD3D41640D53F68C514C4EBE626C9F89304EF2184DD9C60C7FCDB
  • SHA-512: EF1FC355AA52A7696FC50CFE8F7B3E4FB96A0C03AD43B5FAA91773DBFF304CB1FCE57601973700127931BFE8195B128C3FA2DBCDB059A7225CFA45F5D46D02A0

Contacted Domains

Name | IP | Name Server | Active | Registrar | e-Mail
huuofukzdeguflbhmafyivkj.biz | 23.92.19.67 | unknown | true | unknown | unknown
partners-gs.com | 94.23.146.92 | unknown | true | unknown | unknown
www.download.windowsupdate.com | 92.123.155.25 | unknown | true | unknown | unknown
www.google.com | 173.194.65.105 | unknown | true | unknown | unknown
aulbbiwslxpvvphxnjij.biz | 50.116.4.71 | unknown | true | unknown | unknown
dikzhhiealaypkbvwlemha.info | unknown | unknown | unknown | unknown | unknown
mnvrwhzhskyxceucztswavohcegu.org | unknown | unknown | unknown | unknown | unknown
emqsfyducjnmbibibhizpcufqnrpo.info | unknown | unknown | unknown | unknown | unknown
alvohyhgypfyrsgewgifcrgifjz.net | unknown | unknown | unknown | unknown | unknown
hdrgcshsjbnbobylampt.ru | unknown | unknown | unknown | unknown | unknown
hdcujzgmhqgweufmjfrwthmdupn.org | unknown | unknown | unknown | unknown | unknown
ojamxrwylyxwshgixjzormqo.com | unknown | unknown | unknown | unknown | unknown
vheaiheudairozltvxwhscx.com | unknown | unknown | unknown | unknown | unknown

Contacted IPs

IP | Country | Pingable | Open Ports
125.192.77.86 | Japan | unknown | unknown
99.122.66.193 | United States | unknown | unknown
115.126.143.176 | Japan | unknown | unknown
213.123.192.140 | United Kingdom | unknown | unknown
50.116.4.71 | United States | unknown | unknown
173.194.65.105 | United States | unknown | unknown
195.186.1.121 | Switzerland | unknown | unknown
174.95.148.169 | Canada | unknown | unknown
109.152.14.70 | United Kingdom | unknown | unknown
23.92.19.67 | United States | unknown | unknown
180.32.45.40 | Japan | unknown | unknown
124.102.71.137 | Japan | unknown | unknown
81.134.111.58 | United Kingdom | unknown | unknown
94.23.146.92 | France | unknown | unknown
181.28.56.2 | Argentina | unknown | unknown
119.172.162.34 | Japan | unknown | unknown
50.100.208.136 | Canada | unknown | unknown
99.37.80.46 | United States | unknown | unknown
92.123.155.25 | European Union | unknown | unknown
121.6.40.64 | Singapore | unknown | unknown
195.186.4.121 | Switzerland | unknown | unknown
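Before the indicators above go into a blocklist they need two passes that the report does not do for you. First, collapse the dropped files by hash: winsec.exe in Temp and 0104AUm[1].exe in the IE cache carry the same SHA-256, so they are one download saved twice, not two payloads. Second, strip the background noise: www.google.com is a connectivity probe; www.download.windowsupdate.com together with the CryptnetUrlCache entries and the Cab*.tmp / Tar*.tmp files is consistent with CryptoAPI fetching its certificate trust list when the first TLS connection (94.23.146.92:443, partners-gs.com) was opened; and 195.186.1.121 is the resolver answering the sandbox's port-53 queries in the packet list. What remains is a small set of long, consonant-heavy .biz/.info/.org/.net/.ru/.com labels typical of a domain-generation algorithm. The Python below is an added example by the editor, not part of the report: the file and domain lists are transcribed from the tables above, while BENIGN_DOMAINS and the looks_generated heuristic are the editor's assumptions, with the heuristic tuned only to separate this report's domains.

```python
import re
from collections import defaultdict

# Transcribed from the "Created / dropped Files" table above: (path, SHA-256).
DROPPED_PE = [
    (r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\update.exe",
     "DDE937ABDEB4AFDFB1E1C04F6B5A93B70EF7D11D9A7EC2093E7AAC5275E33F61"),
    (r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winsec.exe",
     "D86DD56DE7D725F83E038CA6B9D442142682A1DF819E696DE0041AD54453465C"),
    (r"C:\Documents and Settings\Administrator\Local Settings\Temp\Zekyn\uqny.exe",
     "4C13D97781D1C2F65306355CA339C3CE7D9539B16B69C4B5CB84FF6B0EF35071"),
    (r"C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\RC9GAWT2\0104AUm[1].exe",
     "D86DD56DE7D725F83E038CA6B9D442142682A1DF819E696DE0041AD54453465C"),
    (r"C:\WINDOWS\system32\drivers\10a0d.sys",
     "F1473D776BCA32DF38F449B5E4E82BDC58825AABF5B5AB03F02E0B3CAAF2A661"),
]

# Transcribed from the "Contacted Domains" table above.
CONTACTED_DOMAINS = [
    "huuofukzdeguflbhmafyivkj.biz", "partners-gs.com", "www.download.windowsupdate.com",
    "www.google.com", "aulbbiwslxpvvphxnjij.biz", "dikzhhiealaypkbvwlemha.info",
    "mnvrwhzhskyxceucztswavohcegu.org", "emqsfyducjnmbibibhizpcufqnrpo.info",
    "alvohyhgypfyrsgewgifcrgifjz.net", "hdrgcshsjbnbobylampt.ru",
    "hdcujzgmhqgweufmjfrwthmdupn.org", "ojamxrwylyxwshgixjzormqo.com",
    "vheaiheudairozltvxwhscx.com",
]

# Assumption (editor's): OS / sandbox background traffic that must not become an IOC.
BENIGN_DOMAINS = {"www.google.com", "www.download.windowsupdate.com"}


def dedupe_by_hash(files):
    """Group dropped-file paths by SHA-256 so one payload written under several
    names (IE cache copy plus Temp copy) becomes a single hash IOC with aliases."""
    groups = defaultdict(list)
    for path, sha256 in files:
        groups[sha256.lower()].append(path)
    return dict(groups)


# Four or more consecutive consonants ('y' counted as a consonant).
_CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxyz]{4,}")


def looks_generated(domain: str, min_len: int = 12) -> bool:
    """Crude DGA heuristic (editor's rule of thumb, not from the report): the
    registrable label is long and contains a run of four or more consonants.
    Tuned only to this report's domains; on real traffic pair it with
    domain age / popularity data, since it will flag some legitimate names."""
    labels = domain.lower().split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    return len(label) >= min_len and _CONSONANT_RUN.search(label) is not None


def build_iocs(files, domains, benign):
    """Return a de-duplicated IOC set: unique hashes, hashes with several paths,
    suspicious domains and the subset that looks algorithmically generated."""
    hashes = dedupe_by_hash(files)
    suspicious = [d for d in domains if d not in benign]
    return {
        "sha256": sorted(hashes),
        "aliases": {h: paths for h, paths in hashes.items() if len(paths) > 1},
        "domains": suspicious,
        "dga_like": [d for d in suspicious if looks_generated(d)],
    }


if __name__ == "__main__":
    iocs = build_iocs(DROPPED_PE, CONTACTED_DOMAINS, BENIGN_DOMAINS)
    for h in iocs["sha256"]:
        print("sha256", h, *iocs["aliases"].get(h, []))
    for d in iocs["domains"]:
        print("domain", d, "(DGA-like)" if d in iocs["dga_like"] else "")
```

Of the eleven non-benign domains only partners-gs.com escapes the generated-name check, which matches the packet list: it is the one host the sample spoke TLS to, while the generated names are candidate rendezvous points of which only two resolved during the run.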

Static File Info

File type:PE32 executable for MS Windows (GUI) Intel 80386 32-bit
File name:Internal.scr
File size:25600
MD5:c05d7f1cff16c7af9b9d3b6f79ce7a02
SHA1:68a2d1b034a68a801d612ac24938ea221ee37455
SHA256:3a219057118feabb49d1333d43239563304201af46fdc8b1a0eb4275ba2919a1
SHA512:84f5a96436dae52017007c5eb98dc884ae609766a632f490a1df9f99617513cf9b33c2a25112ed79195dc8e99b63acb2bd8ddd55f855d396f3c4d53340ca0152

File Icon

Static PE Info

General
Entrypoint: 0x4021a0
Entrypoint Section: .text
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x533B2BF1 [Tue Apr 01 21:13:21 2014 UTC]
TLS Callbacks:
Digitally signed: False
CLR (.Net) Version:
Resources
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x60ec | 0x2a64 | data | English | United States
RT_GROUP_ICON | 0x8b50 | 0x14 | MS Windows icon resource - 1 icon | English | United States
RT_MANIFEST | 0x8b64 | 0x15a | ASCII text, with CRLF line terminators | English | United States
Imports
DLL | Imports
MSVCRT.dll | _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, __setusermatherr, _controlfp, _exit, _initterm, __wgetmainargs, _wcmdln, exit, _XcptFilter, _except_handler3
KERNEL32.dll | ExitProcess, GetStartupInfoW, UnhandledExceptionFilter, LoadLibraryW, InitializeCriticalSectionAndSpinCount, GetModuleHandleW
USER32.dll | DispatchMessageW, CreateWindowExW, RegisterClassExW, ShowWindow, PeekMessageW, DefWindowProcW, AdjustWindowRectEx
SHELL32.dll | SHGetDesktopFolder
The import table holds only CRT start-up and a minimal window-creation set; none of the networking, registry, service, driver or injection APIs behind the signatures above are imported, so they are resolved at run time (compare "Contains functionality to dynamically determine API calls" and "Extensive use of GetProcAddress").
Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy
.text | 0x1000 | 0x13aa | 0x1400 | 6.52472451551
.rdata | 0x3000 | 0x598 | 0x600 | 5.02690951779
.data | 0x4000 | 0x16ec | 0x1800 | 5.64045748358
.rsrc | 0x6000 | 0x2cc0 | 0x2e00 | 4.643827612
Possible Origin
Language of compilation system | Country where language is spoken
English | United States
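The section table and the "PE file contains an invalid checksum" signature rest on two checks that a triage script can reproduce offline: per-section Shannon entropy and the PE header checksum. The Python below is an added example written for this page, not part of the sandbox report or of the sample. build_demo_image fabricates a header-only stand-in (not a real executable) so the block runs without the sample, and the entropy_hint thresholds are the editor's rule of thumb rather than anything the report states. On a real file, pe_checksum and checksum_is_valid give the same verdict as the signature; keep in mind that an unset or stale checksum is routine for unsigned third-party binaries, so it corroborates rather than proves.

```python
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0), the measure the report
    prints in the Entropy column of the section table."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def entropy_hint(entropy: float) -> str:
    """Triage label. Assumption (editor's thresholds, not from the report):
    plain x86 code usually lands around 6.0-6.7 bits/byte; values above ~7.2
    normally mean compressed or encrypted content."""
    if entropy >= 7.2:
        return "likely packed/encrypted"
    if entropy >= 6.0:
        return "code-like"
    return "low (data/padding)"


def checksum_field_offset(image: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum: e_lfanew + 4 (PE signature)
    + 20 (IMAGE_FILE_HEADER) + 64 (CheckSum inside the optional header); the
    field sits at the same place for PE32 and PE32+."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20 + 64


def pe_checksum(image: bytes) -> int:
    """Recompute the header checksum the way CheckSumMappedFile does: sum the
    file as little-endian 32-bit words with end-around carry, skipping the
    CheckSum field itself, fold the result to 16 bits and add the file length."""
    skip = checksum_field_offset(image)
    padded = image + b"\0" * (-len(image) % 4)  # zero padding does not change the sum
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)  # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(image)


def stored_checksum(image: bytes) -> int:
    return struct.unpack_from("<I", image, checksum_field_offset(image))[0]


def checksum_is_valid(image: bytes) -> bool:
    """False for an unset (0) or stale checksum, which is what the report's
    'PE file contains an invalid checksum' signature flags."""
    return stored_checksum(image) == pe_checksum(image)


def set_checksum(image: bytes) -> bytes:
    """Return a copy of the image with a correct checksum written into the header."""
    buf = bytearray(image)
    struct.pack_into("<I", buf, checksum_field_offset(image), pe_checksum(image))
    return bytes(buf)


def build_demo_image(checksum: int = 0) -> bytes:
    """Constructed header-only stand-in for a PE32 file (not a real executable)."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)           # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x84, 0x14C)           # Machine = IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", buf, 0x98, 0x10B)           # Magic = PE32
    struct.pack_into("<I", buf, 0x80 + 88, checksum)   # CheckSum field
    buf[0x100:0x200] = bytes(range(256))               # stand-in section bytes
    return bytes(buf)


if __name__ == "__main__":
    img = build_demo_image()
    print("stored 0x%x computed 0x%x valid=%s"
          % (stored_checksum(img), pe_checksum(img), checksum_is_valid(img)))
    print("after set_checksum valid=%s" % checksum_is_valid(set_checksum(img)))
    for name, ent in ((".text", 6.52472451551), (".data", 5.64045748358), (".rsrc", 4.643827612)):
        print(name, ent, entropy_hint(ent))
```

Applied to the section table above, .text at 6.52 bits/byte is ordinary compiled code and no section reaches packer territory, so the "packed or encrypted data" signature is better read as an embedded blob than as a packed image; measure entropy per section, because a file-wide figure hides a small encrypted payload next to a large resource section.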

Network Behavior

TCP Packets
Timestamp (MESZ = Central European Summer Time, UTC+2) | Source Port | Dest Port | Source IP | Dest IP
Apr 3, 2014 12:02:05.982043028 MESZ | 63952 | 53 | 192.168.1.10 | 195.186.1.121
Apr 3, 2014 12:02:06.316936970 MESZ | 53 | 63952 | 195.186.1.121 | 192.168.1.10
Apr 3, 2014 12:02:06.331769943 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:06.331789017 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:06.331888914 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:06.339533091 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:06.339544058 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:06.574330091 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:06.707801104 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:06.707854033 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:06.713912964 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:06.713926077 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:06.818871975 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:07.036010981 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:07.405324936 MESZ | 60146 | 53 | 192.168.1.10 | 195.186.1.121
Apr 3, 2014 12:02:07.651335955 MESZ | 53 | 60146 | 195.186.1.121 | 192.168.1.10
Apr 3, 2014 12:02:07.662128925 MESZ | 1034 | 80 | 192.168.1.10 | 92.123.155.25
Apr 3, 2014 12:02:07.662147045 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:07.662219048 MESZ | 1034 | 80 | 192.168.1.10 | 92.123.155.25
Apr 3, 2014 12:02:10.645258904 MESZ | 1034 | 80 | 192.168.1.10 | 92.123.155.25
Apr 3, 2014 12:02:10.645339012 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.645672083 MESZ | 1034 | 80 | 192.168.1.10 | 92.123.155.25
Apr 3, 2014 12:02:10.680429935 MESZ | 1034 | 80 | 192.168.1.10 | 92.123.155.25
Apr 3, 2014 12:02:10.680443048 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.796554089 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.830758095 MESZ | 1034 | 80 | 192.168.1.10 | 92.123.155.25
Apr 3, 2014 12:02:10.830773115 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.906096935 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.908709049 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.908754110 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.908766031 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.909149885 MESZ | 1034 | 80 | 192.168.1.10 | 92.123.155.25
Apr 3, 2014 12:02:10.909207106 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.909339905 MESZ | 1034 | 80 | 192.168.1.10 | 92.123.155.25
Apr 3, 2014 12:02:10.918570042 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.918605089 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.918922901 MESZ | 1034 | 80 | 192.168.1.10 | 92.123.155.25
Apr 3, 2014 12:02:10.918968916 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.919599056 MESZ | 1034 | 80 | 192.168.1.10 | 92.123.155.25
Apr 3, 2014 12:02:10.926739931 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.945070028 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.945076942 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.945152044 MESZ | 1034 | 80 | 192.168.1.10 | 92.123.155.25
Apr 3, 2014 12:02:10.945163012 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.945270061 MESZ | 1034 | 80 | 192.168.1.10 | 92.123.155.25
Apr 3, 2014 12:02:10.945432901 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.945439100 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.945441961 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.945543051 MESZ | 1034 | 80 | 192.168.1.10 | 92.123.155.25
Apr 3, 2014 12:02:10.945971966 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.945976973 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.946073055 MESZ | 1034 | 80 | 192.168.1.10 | 92.123.155.25
Apr 3, 2014 12:02:10.946080923 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.946185112 MESZ | 1034 | 80 | 192.168.1.10 | 92.123.155.25
Apr 3, 2014 12:02:10.958765030 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.959160089 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.959167004 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.959260941 MESZ | 1034 | 80 | 192.168.1.10 | 92.123.155.25
Apr 3, 2014 12:02:10.959269047 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.959359884 MESZ | 1034 | 80 | 192.168.1.10 | 92.123.155.25
Apr 3, 2014 12:02:10.964056969 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.964610100 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.964616060 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.964699030 MESZ | 1034 | 80 | 192.168.1.10 | 92.123.155.25
Apr 3, 2014 12:02:10.964706898 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.964796066 MESZ | 1034 | 80 | 192.168.1.10 | 92.123.155.25
Apr 3, 2014 12:02:10.964823008 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.964828968 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.964831114 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.964945078 MESZ | 1034 | 80 | 192.168.1.10 | 92.123.155.25
Apr 3, 2014 12:02:10.965390921 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.965398073 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.965491056 MESZ | 1034 | 80 | 192.168.1.10 | 92.123.155.25
Apr 3, 2014 12:02:10.965497971 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.965600967 MESZ | 1034 | 80 | 192.168.1.10 | 92.123.155.25
Apr 3, 2014 12:02:10.977912903 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.984586000 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.984616995 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.984627962 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.985017061 MESZ | 1034 | 80 | 192.168.1.10 | 92.123.155.25
Apr 3, 2014 12:02:10.985069990 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.985203028 MESZ | 1034 | 80 | 192.168.1.10 | 92.123.155.25
Apr 3, 2014 12:02:10.985901117 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.985907078 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.986008883 MESZ | 1034 | 80 | 192.168.1.10 | 92.123.155.25
Apr 3, 2014 12:02:10.986018896 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.986200094 MESZ | 1034 | 80 | 192.168.1.10 | 92.123.155.25
Apr 3, 2014 12:02:10.987273932 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.988744974 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.988749981 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.988852024 MESZ | 1034 | 80 | 192.168.1.10 | 92.123.155.25
Apr 3, 2014 12:02:10.988862038 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.988969088 MESZ | 1034 | 80 | 192.168.1.10 | 92.123.155.25
Apr 3, 2014 12:02:10.995527983 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.997195959 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.997203112 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.997303963 MESZ | 1034 | 80 | 192.168.1.10 | 92.123.155.25
Apr 3, 2014 12:02:10.997313976 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.997404099 MESZ | 1034 | 80 | 192.168.1.10 | 92.123.155.25
Apr 3, 2014 12:02:10.997545958 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.997554064 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10
Apr 3, 2014 12:02:10.997659922 MESZ | 1034 | 80 | 192.168.1.10 | 92.123.155.25
Apr 3, 2014 12:02:11.058403015 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:11.058425903 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.224895954 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.228884935 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.228914976 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.229480982 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:11.229533911 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.229984045 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:11.239279032 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.239286900 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.239289045 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.239391088 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:11.251422882 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.251430035 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.251528978 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:11.251538992 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.251643896 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:11.263637066 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.264086008 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.264240980 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:11.264252901 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.270638943 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.270646095 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.270771027 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:11.270783901 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.270816088 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.270821095 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.270910025 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:11.270917892 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.270951033 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:11.282047033 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.282054901 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.282078981 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.282167912 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:11.282180071 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.282210112 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:11.283601999 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.283608913 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.283711910 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:11.283721924 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.283826113 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:11.301091909 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.301099062 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.301101923 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.301209927 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:11.306698084 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.306755066 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.307148933 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:11.307195902 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.307394028 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.307415009 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.307657003 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:11.307689905 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.307820082 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:11.308037996 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.308176994 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:11.308201075 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.308566093 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:11.312603951 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.312635899 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.312647104 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.313040018 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:11.320750952 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.320780993 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.321166992 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:11.321206093 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.321229935 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.321258068 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.321355104 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:11.321697950 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:11.321721077 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.322171926 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:11.325356007 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.326225996 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.326255083 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.326642036 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:11.326682091 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.326714039 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.326735020 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.327244997 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:11.327275991 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.327405930 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:11.327693939 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.327714920 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.327879906 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:11.327907085 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.328311920 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:11.328459024 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:11.331851006 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.331876040 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.331885099 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.332274914 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:11.343024015 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.343055964 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.343065977 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.343455076 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:11.343492985 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.343616009 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:11.346292019 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.346322060 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.346709967 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:11.346746922 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.346842051 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.346863985 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.347248077 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:11.347276926 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.347404957 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:11.347764969 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.347784042 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.347795963 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.347805023 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.348033905 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.348265886 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:11.348294020 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.348448038 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:11.349167109 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:11.356403112 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.356432915 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.356823921 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:11.356862068 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.357311964 MESZ | 1033 | 443 | 192.168.1.10 | 94.23.146.92
Apr 3, 2014 12:02:11.359508991 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.359540939 MESZ | 443 | 1033 | 94.23.146.92 | 192.168.1.10
Apr 3, 2014 12:02:11.359551907 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.359944105 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.360172033 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.360194921 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.360588074 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.360619068 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.360718966 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.360734940 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.361133099 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.361160994 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.361239910 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.361269951 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.361351967 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.361721039 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.361745119 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.361898899 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.362252951 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.366038084 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.366772890 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.366816044 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.367177010 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.367217064 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.367352962 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.367372036 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.367609024 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.367635965 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.367764950 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.368115902 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.380060911 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.380093098 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.380104065 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.380451918 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.393382072 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.393413067 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.393711090 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.393755913 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.393958092 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.394885063 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.395843029 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.395848989 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.395975113 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.395984888 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.396075010 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.396569967 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.397375107 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.397381067 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.397511959 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.397521019 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.397553921 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.398111105 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.398118019 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.398221016 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.398231030 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.398330927 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.399045944 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.399051905 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.399054050 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.399156094 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.399786949 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.399792910 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.399889946 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.399899006 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.399997950 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.406234980 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.406239986 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.406241894 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.406353951 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.406965971 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.406972885 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.407095909 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.407108068 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.407215118 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.410651922 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.411129951 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.411135912 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.411247969 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.411259890 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.411366940 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.411511898 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.411520004 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.411523104 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.411631107 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.411876917 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.411883116 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.411906958 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.412005901 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.412015915 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.412050962 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.412240982 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.412245989 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.412337065 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.412343979 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.412517071 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.417277098 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.417282104 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.417284966 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.417402029 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.418189049 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.418195963 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.418309927 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.418323040 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.418416977 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.418703079 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.424849987 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.424855947 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.424972057 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.424983978 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.425095081 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.425219059 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.425225973 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.425229073 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.425304890 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.425942898 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.425950050 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.426054955 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.426064014 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.426155090 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.427028894 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.427552938 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.427557945 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.427673101 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.427685022 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.427777052 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.429682970 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.430397034 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.430416107 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.430726051 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.430772066 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.430855989 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.430871010 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.431185007 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.431211948 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.431317091 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.431335926 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.431365013 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.431680918 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.431704044 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.431755066 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.431777954 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.431852102 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.432143927 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.432163000 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.432266951 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.432543993 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.434762001 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.434782028 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.434788942 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.435081959 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.435218096 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.435231924 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.435416937 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.435441971 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.435739040 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.436744928 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.436779022 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.436788082 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.437047005 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.437170982 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.437179089 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.437192917 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.437203884 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.437659025 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.456692934 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.456723928 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.456733942 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.457170010 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.457222939 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.457355022 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.471141100 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.471170902 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.471662998 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.471718073 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.471744061 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.471761942 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.471875906 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.472234964 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.472260952 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.472326040 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.472342968 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.472809076 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.472840071 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.472971916 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.473275900 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.473298073 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.473320961 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.473340988 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.473947048 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.474087000 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.474123955 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.474308014 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.474333048 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.474667072 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.474680901 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.474685907 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.474704027 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.475090981 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.475152969 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.475183964 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.475533009 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.475558043 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.475711107 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.475728035 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.475902081 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.475996971 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.476022959 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.476166010 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.476502895 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.477072954 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.477097034 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.477107048 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.477435112 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.478802919 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.481494904 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.481525898 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.481537104 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.481920004 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.482088089 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.482155085 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.482177019 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.482192039 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.482475042 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.490782022 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.490813017 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.491172075 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.491214991 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.491369963 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.491389990 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.491775036 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.491807938 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.491898060 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.491914034 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.491938114 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.492010117 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.492451906 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.492480040 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.492609978 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.492747068 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.498198986 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.498229980 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.498600960 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.498639107 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.499023914 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.511030912 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.511060953 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.511070967 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.511509895 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.513842106 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.513880014 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.513904095 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.514328003 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.514383078 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.514549971 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.514657974 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.514688969 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.514972925 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.515012026 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.515357018 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.515399933 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.515434980 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.515902042 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.516150951 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.516194105 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.516206026 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.516469002 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.519042969 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.519062042 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.519428015 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.519468069 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.519553900 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.519573927 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.519952059 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.519982100 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.520116091 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.520123005 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.520137072 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.520250082 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.520591974 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.520617962 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.520770073 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.520855904 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.520875931 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.521388054 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.521416903 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.521770000 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.522063971 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.522094965 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.522105932 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.522419930 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.522627115 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.522646904 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.522938967 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.522969007 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.523324013 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.524882078 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.526328087 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.527426958 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.527455091 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.527466059 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.527808905 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.527991056 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.528017998 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.529757977 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.529823065 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.530083895 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.530122995 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.530569077 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.530591965 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.530910969 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.530946016 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.531076908 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.540292978 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.540324926 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.540337086 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.540695906 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.540736914 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.540863991 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.542783976 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.542814970 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.543205976 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.543217897 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.543235064 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.543251991 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.543703079 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.543864012 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.549964905 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.556329966 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.556363106 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.556768894 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.556823969 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.557169914 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.557198048 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.557231903 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.557257891 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.557754993 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.557774067 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.557795048 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.557944059 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.558042049 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.558070898 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.558425903 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.558573961 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.558708906 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.558731079 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.558913946 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.558937073 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.559149981 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.559262991 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.559284925 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.559619904 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.559645891 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.559667110 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.559676886 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.560091972 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.560216904 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.560245991 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.560528040 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.560551882 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.560786009 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.560802937 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.560892105 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.560914040 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.561249971 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.561342955 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.561359882 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.561680079 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.561702967 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.561862946 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.561867952 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.561903000 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.561909914 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.562002897 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.562202930 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.562210083 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.562405109 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.562411070 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.562555075 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.562561989 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.562654018 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.562907934 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.562997103 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.564343929 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.564348936 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.564441919 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.564450026 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.564554930 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.564834118 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.565570116 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.565573931 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.565668106 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.565676928 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.565768003 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.569231987 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.569715977 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.569722891 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.569859982 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.569869041 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.569931030 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.569937944 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.569971085 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.569977045 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.570067883 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.570101023 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.576514006 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.583694935 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.583700895 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.583803892 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.583817005 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.583930016 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.588716030 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.588722944 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.588725090 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.588828087 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.589555025 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.589561939 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.589662075 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.589670897 MESZ443103394.23.146.92192.168.1.10
Apr 3, 2014 12:02:11.589761019 MESZ1033443192.168.1.1094.23.146.92
Apr 3, 2014 12:02:11.595597982 MESZ443103394.23.146.92192.168.1.10
UDP Packets
ICMP Packets
Timestamp | Source IP | Dest IP | Checksum | Code | Type
Apr 3, 2014 12:03:18.614321947 MESZ | 192.168.1.10 | 195.186.1.121 | 8436 | (Port unreachable) | Destination Unreachable
DNS Queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 3, 2014 12:02:05.982043028 MESZ | 192.168.1.10 | 195.186.1.121 | 0xd4b7 | Standard query (0) | partners-gs.com | A (IP address) | IN (0x0001)
Apr 3, 2014 12:02:07.405324936 MESZ | 192.168.1.10 | 195.186.1.121 | 0xf76d | Standard query (0) | www.download.windowsupdate.com | A (IP address) | IN (0x0001)
Apr 3, 2014 12:03:17.275559902 MESZ | 192.168.1.10 | 195.186.1.121 | 0x6863 | Standard query (0) | aulbbiwslxpvvphxnjij.biz | A (IP address) | IN (0x0001)
Apr 3, 2014 12:03:18.271532059 MESZ | 192.168.1.10 | 195.186.4.121 | 0x6863 | Standard query (0) | aulbbiwslxpvvphxnjij.biz | A (IP address) | IN (0x0001)
Apr 3, 2014 12:03:45.522948027 MESZ | 192.168.1.10 | 195.186.1.121 | 0x9c28 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001)
Apr 3, 2014 12:03:47.802067995 MESZ | 192.168.1.10 | 195.186.1.121 | 0xbf48 | Standard query (0) | hdcujzgmhqgweufmjfrwthmdupn.org | A (IP address) | IN (0x0001)
Apr 3, 2014 12:03:49.570564032 MESZ | 192.168.1.10 | 195.186.1.121 | 0x313e | Standard query (0) | emqsfyducjnmbibibhizpcufqnrpo.info | A (IP address) | IN (0x0001)
Apr 3, 2014 12:03:51.378194094 MESZ | 192.168.1.10 | 195.186.1.121 | 0x8a6f | Standard query (0) | vheaiheudairozltvxwhscx.com | A (IP address) | IN (0x0001)
Apr 3, 2014 12:03:53.143256903 MESZ | 192.168.1.10 | 195.186.1.121 | 0xcf3b | Standard query (0) | hdrgcshsjbnbobylampt.ru | A (IP address) | IN (0x0001)
Apr 3, 2014 12:03:54.967502117 MESZ | 192.168.1.10 | 195.186.1.121 | 0x4e9b | Standard query (0) | ojamxrwylyxwshgixjzormqo.com | A (IP address) | IN (0x0001)
Apr 3, 2014 12:03:56.742449045 MESZ | 192.168.1.10 | 195.186.1.121 | 0xd18 | Standard query (0) | dikzhhiealaypkbvwlemha.info | A (IP address) | IN (0x0001)
Apr 3, 2014 12:03:58.496400118 MESZ | 192.168.1.10 | 195.186.1.121 | 0x148e | Standard query (0) | mnvrwhzhskyxceucztswavohcegu.org | A (IP address) | IN (0x0001)
Apr 3, 2014 12:04:00.273022890 MESZ | 192.168.1.10 | 195.186.1.121 | 0xb2e9 | Standard query (0) | alvohyhgypfyrsgewgifcrgifjz.net | A (IP address) | IN (0x0001)
Apr 3, 2014 12:04:02.047331095 MESZ | 192.168.1.10 | 195.186.1.121 | 0xabd2 | Standard query (0) | huuofukzdeguflbhmafyivkj.biz | A (IP address) | IN (0x0001)
DNS Answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 3, 2014 12:02:06.316936970 MESZ | 195.186.1.121 | 192.168.1.10 | 0xd4b7 | No error (0) | partners-gs.com | | 94.23.146.92 | A (IP address) | IN (0x0001)
Apr 3, 2014 12:02:07.651335955 MESZ | 195.186.1.121 | 192.168.1.10 | 0xf76d | No error (0) | www.download.windowsupdate.com | | 92.123.155.25 | A (IP address) | IN (0x0001)
Apr 3, 2014 12:03:18.578278065 MESZ | 195.186.4.121 | 192.168.1.10 | 0x6863 | No error (0) | aulbbiwslxpvvphxnjij.biz | | 50.116.4.71 | A (IP address) | IN (0x0001)
Apr 3, 2014 12:03:18.614217997 MESZ | 195.186.1.121 | 192.168.1.10 | 0x6863 | No error (0) | aulbbiwslxpvvphxnjij.biz | | 50.116.4.71 | A (IP address) | IN (0x0001)
Apr 3, 2014 12:03:45.767858982 MESZ | 195.186.1.121 | 192.168.1.10 | 0x9c28 | No error (0) | www.google.com | | 173.194.65.105 | A (IP address) | IN (0x0001)
Apr 3, 2014 12:03:48.075978041 MESZ | 195.186.1.121 | 192.168.1.10 | 0xbf48 | Name error (3) | hdcujzgmhqgweufmjfrwthmdupn.org | none | none | A (IP address) | IN (0x0001)
Apr 3, 2014 12:03:49.863223076 MESZ | 195.186.1.121 | 192.168.1.10 | 0x313e | Name error (3) | emqsfyducjnmbibibhizpcufqnrpo.info | none | none | A (IP address) | IN (0x0001)
Apr 3, 2014 12:03:51.635523081 MESZ | 195.186.1.121 | 192.168.1.10 | 0x8a6f | Name error (3) | vheaiheudairozltvxwhscx.com | none | none | A (IP address) | IN (0x0001)
Apr 3, 2014 12:03:53.457185984 MESZ | 195.186.1.121 | 192.168.1.10 | 0xcf3b | Name error (3) | hdrgcshsjbnbobylampt.ru | none | none | A (IP address) | IN (0x0001)
Apr 3, 2014 12:03:55.228133917 MESZ | 195.186.1.121 | 192.168.1.10 | 0x4e9b | Name error (3) | ojamxrwylyxwshgixjzormqo.com | none | none | A (IP address) | IN (0x0001)
Apr 3, 2014 12:03:56.985740900 MESZ | 195.186.1.121 | 192.168.1.10 | 0xd18 | Name error (3) | dikzhhiealaypkbvwlemha.info | none | none | A (IP address) | IN (0x0001)
Apr 3, 2014 12:03:58.774403095 MESZ | 195.186.1.121 | 192.168.1.10 | 0x148e | Name error (3) | mnvrwhzhskyxceucztswavohcegu.org | none | none | A (IP address) | IN (0x0001)
Apr 3, 2014 12:04:00.534153938 MESZ | 195.186.1.121 | 192.168.1.10 | 0xb2e9 | Name error (3) | alvohyhgypfyrsgewgifcrgifjz.net | none | none | A (IP address) | IN (0x0001)
Apr 3, 2014 12:04:02.321883917 MESZ | 195.186.1.121 | 192.168.1.10 | 0xabd2 | No error (0) | huuofukzdeguflbhmafyivkj.biz | | 23.92.19.67 | A (IP address) | IN (0x0001)
HTTP Request Dependency Graph
  • www.download.windowsupdate.com
  • default
  • www.google.com
HTTP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Total Bytes Transferred (KB)

Apr 3, 2014 12:02:10.680429935 MESZ | 1034 | 80 | 192.168.1.10 | 92.123.155.25 | 3
Header:
GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: www.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache

Apr 3, 2014 12:02:10.796554089 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | 3
Header:
HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT
Accept-Ranges: bytes
ETag: "806f4cbb43dcf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 18
Cache-Control: max-age=3203
Date: Thu, 03 Apr 2014 10:02:10 GMT
Connection: keep-alive
X-CCC: SE
X-CID: 2
Data Raw: 31 34 30 31 43 46 33 44 42 34 30 42 36 30 39 38 39 32
Data Ascii: 1401CF3DB40B609892

Apr 3, 2014 12:02:10.830758095 MESZ | 1034 | 80 | 192.168.1.10 | 92.123.155.25 | 3
Header:
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: www.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache

Apr 3, 2014 12:02:10.906096935 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | 4
Header:
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Wed, 12 Mar 2014 20:20:10 GMT
Accept-Ranges: bytes
ETag: "0b96c77303ecf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 54007
Cache-Control: max-age=3412
Date: Thu, 03 Apr 2014 10:02:10 GMT
Connection: keep-alive
X-CCC: SE
X-CID: 2
Data Raw: 4d 53 43 46 00 00 00 00 f7 d2 00 00 00 00 00 00 2c 00 00 00 00 00 00 00 03 01 01 00 01 00 00 00 00 00 00 00 49 00 00 00 04 00 01 00 f7 f1 01 00 00 00 00 00 00 00 6c 44 78 61 20 00 61 75 74 68 72 6f 6f 74 2e 73 74 6c 00 c0 82 0c d6 81 38 00 80 43 4b d4 9c 09 3c 54 dd ff c7 67 b8 76 21 4d f6 64 0d d9 66 10 25 64 df f7 7d 4b d6 90 35 fb 9a 46 f6 a5 64 27 4b 92 ca d2 a2 a4 92 25 4b c9 92 25 84 ca 1e 21 da 90 3d ff 6b d4 13 cf 9d a7 e7 c9 d3 ff f5 7b 3d 2f af 19 f7 9e 7b 67 e6 7e de
Data Ascii: MSCF,IlDxa authroot.stl8CK<Tgv!Mdf%d}K5Fd'K%K%!=k{=/{g~
Apr 3, 2014 12:02:10.908709049 MESZ80103492.123.155.25192.168.1.10Data Raw: e7 9c ef f9 de ef f9 9e 8b 3c 03 ff f4 19 9f 68 7f 98 62 d8 fc 0e 38 01 ce 45 70 7f 78 bd b0 0f 07 0e 47 91 20 89 f0 f1 b8 c9 70 71 e8 f0 60 60 61 c7 69 7c 22 6e 7c 38 00 0f 16 21 86 83 67 76 b8 ae 17 3a 20 49 f1 89 bf 17 e3 12 e1 10 21 e0 ad e2
Data Ascii: <hb8EpxG pq``ai|"n|8!gv: I!%$;PBHA!AL':0IfD"N#_?Em1\${P:/\YBm:dE)V$Dn:0ES"oqKIK(
5
Apr 3, 2014 12:02:10.908754110 MESZ80103492.123.155.25192.168.1.10Data Raw: ee cc 26 a3 0c 0e 9f d4 5c ed 0d 97 73 d1 f0 79 bd f4 a2 73 dd 3f fb d9 a8 0c 87 42 5c 72 a8 d0 d8 f3 f1 76 fb a8 3e 8f 37 a1 ed f0 c3 ed 42 d4 11 68 bf d3 1a b4 34 f8 e9 e2 d1 50 f5 f8 e7 59 72 7b 4a 34 a0 48 42 97 f9 cf f7 51 72 18 c3 e5 4a 85
Data Ascii: &\sys?B\rv>7Bh4PYr{J4HBQrJu4Bp_Da1S@S+WRmu%+[9cfPqh(<Ts:U_'?PkRJ76uYtA1zB3m&B]>D
7
Apr 3, 2014 12:02:10.908766031 MESZ80103492.123.155.25192.168.1.10Data Raw: 39 14 e2 cb 4a ee c7 f9 a8 3f 1c 8f 47 a0 10 88 93 e8 c5 61 71 6e fb 1c 6e 3a 11 be 9f 69 ac 1b 32 54 2e b7 7a 9a af b0 ff 31 d7 cd b4 99 f9 f3 a8 74 19 6f 73 ab b9 d8 46 64 c0 16 0e ce 80 a3 32 58 f5 ae 98 5b 5e ec 61 87 ef 8d 42 07 73 cc 0b 53
Data Ascii: 9J?Gaqnn:i2T.z1tosFd2X[^aBsS#V0oG@nvbUEm6Bn(=fow_f+LM +B41j ->y)=qSh]@n(,1cYwo{7k
8
Apr 3, 2014 12:02:10.909207106 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: 40 30 a5 c1 4a c5 93 0c 38 11 a4 ed c2 2c 3d 4f c2 2f bf 83 85 a2 d0 35 bf 0e 85 7b 35 dd 75 ac d3 9f 25 bf a5 7e e0 83 df 21 6f 28 14 37 a5 1a 77 a1 27 7a b3 24 5e 6e e8 53 de b3 e1 6f 9f dc 26 fb 29 94 4d 33 5c 50 28 06 70 0d b1 4a ea e0 82 0b
Data Ascii: @0J8,=O/5{5u%~!o(7w'z$^nSo&)M3\P(pJGWu&z!8|
9
Apr 3, 2014 12:02:10.918570042 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: d1 82 a0 ba 51 d0 e1 7d 1b b3 47 5b 9c a1 37 49 a3 88 8e ee 4e 85 58 59 8e c9 0a 0a dd fc eb ea 44 17 82 c9 8a b4 75 c8 39 56 42 82 a2 ad 05 5d a0 ea 6e 3e 91 73 2b ec 1d bf 13 91 c8 5b 36 66 b9 64 1d 96 f8 24 f6 a7 ce 11 ce 3f 9b 2f e7 a7 b0 5c
Data Ascii: Q}G[7INXYDu9VB]n>s+[6fd$?/\y/=,ZzT>tuFx=$zY.=amDZcXvm3cfP9=e3j/1C'g_c@;eftc-u\7}x7
10
Apr 3, 2014 12:02:10.918605089 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: b5 5b 44 e7 e7 eb 21 d6 66 0d 8a e6 be 04 f9 fe 66 6d b7 6e 19 fa 7e b0 c7 d4 61 eb 8c f9 1c 5b 13 d3 a7 af d7 23 61 2e 41 86 27 38 4d 78 4d b0 d6 e1 c8 ac e5 b4 c4 b3 c9 82 fc 07 43 ab a4 23 21 e5 db bb 72 4a 91 32 39 ea f7 d7 b9 f6 ad 56 3f fb
Data Ascii: [D!ffmn~a[#a.A'8MxMC#!rJ29V?Z9a;8iOxT$4X?GB??Tu7zByTIBV@*0-|s{ZS2>D4B+xM{^FViVfNx'kuO3YasfR
12
Apr 3, 2014 12:02:10.918968916 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: ca 13 ad b0 ab bd 6b 6f a0 82 8b 6a 1a ae 0a 9c ba 5e a2 41 df 2c b6 5c 9c 71 bc ff 80 ef 3f 5d 82 8b 2d 91 d8 bd 93 70 bf bf bc 40 82 86 62 5e 33 e3 28 2c 81 ff 38 a3 7e ad 7c 80 69 48 07 42 41 c1 81 14 3a f9 f4 a3 e3 ea 81 0e a1 3d c6 30 5a 63
Data Ascii: koj^A,\q?]-p@b^3(,8~|iHBA:=0Zc&0-l#LeR%Ob}ilLv[DAyE)L5}_kkeOdSoG)4L|<[o>[fpHK(~(~3;XA
12
Apr 3, 2014 12:02:10.926739931 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: e7 67 6f 1d a9 6d f5 bf 1d 1f 66 69 77 4f 8b 45 fc 2e 85 10 5e 13 76 7a a9 2f 56 51 d9 7e 85 78 3b 7b db cc de 45 d4 d2 42 e9 5d e3 4c 6b ce 8b 50 0a 86 0d cf 6b ba a6 0d 31 78 89 67 c1 b6 4f ef 46 fc 04 0c a6 4b 97 55 4e 41 ef 5a 5a 2b 6a 39 97
Data Ascii: gomfiwOE.^vz/VQ~x;{EB]LkPk1xgOFKUNAZZ+j9'W6CwUjcY<o[\NO+W/72+(#hE2bIgt>=6jV}Wug&t_$9 %C|OpZ-[_YU'85
13
Apr 3, 2014 12:02:10.945070028 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: a4 58 6b 27 97 b2 53 3f 95 32 8b e0 c5 32 79 cb 37 30 81 2e 69 0b 59 3d fb 30 bf 6f 91 34 77 64 46 49 07 c9 b9 45 07 1d 40 63 00 5e cb 0f 9b 81 82 1d c2 fc 61 73 8e 03 63 c6 59 58 b8 e3 1e 15 cb 48 d7 5f 43 1c dd cb 76 60 af 1a dd de c1 e9 55 14
Data Ascii: Xk'S?22y70.iY=0o4wdFIE@c^ascYXH_Cv`U#J?/h8k*@cz!Z+\~3T9Go7FzJZBuGdZ{ifk1-n>6U]ct6ikKx2|4=6@@J&,r_::|6BA
14
Apr 3, 2014 12:02:10.945076942 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: f7 8d 9f f5 58 e4 a6 2b df 7d f8 0b dd ab bf 09 8a ff 10 80 d3 cf 9d ba 3c 8f dd cf 95 8b 9a 8c 6b 48 45 55 94 78 e6 6a 5f 34 2d 66 28 49 f1 70 90 f9 d7 84 81 e8 df 9f 04 d8 7c 42 49 07 f4 cc 0e 61 a5 2e 6a 45 d0 58 3f 2d 6a 19 8c 90 4b 85 6d 3e
Data Ascii: X+}<kHEUxj_4-f(Ip|BIa.jEX?-jKm>'_Ucv}6Uq.%Z8Y?o(9Y^,5ud53j`/"~/]_jW41C`|IayfgtD
16
Apr 3, 2014 12:02:10.945163012 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: fb a7 4b 93 8b b1 1d ac bb f5 d0 7f 19 bd b6 05 a0 a8 1d b9 22 7c f5 4e 12 9f 72 4d b3 c1 6d aa ac d7 44 a9 f3 99 48 28 6a 63 87 f2 e9 3e 47 3c 3c 7d 29 c8 26 49 a5 f9 60 df ee d4 45 93 68 a9 16 c2 30 4f ea f2 3c 8e f3 23 d0 ed 78 04 a4 37 da ae
Data Ascii: K"|NrMmDH(jc>G<<})&I`Eh0O<#x7RdRHUV@V}He|>[13=VEtLI5(>iIHn?g%l9L%/>+9hLHQL$AdJ^`,qVl.C,+NJZA.O;/Tbo
17
Apr 3, 2014 12:02:10.945432901 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: 67 3c 4e ab e4 98 2d fe 71 1b cc 45 32 8f 74 b3 9b df c5 50 44 5d a5 61 8d 36 a1 39 5e e0 c5 46 98 a6 13 4f 2b 7b 87 71 d7 ab 6b cc e4 bf cc eb b2 02 c8 a4 16 1f f6 4f bb 43 2f 11 28 90 b9 46 a5 5e 6e 72 7c 3e 67 0f 7f b9 09 d5 a2 75 62 46 d1 68
Data Ascii: g<N-qE2tPD]a69^FO+{qkOC/(F^nr|>gubFhkr*]slKBWxKQ1,@n}#Tt*=?>=1@Zc5v\MB!EZoATbO,Y6LS$.[8iNtTn$+.YvHxkOgm
19
Apr 3, 2014 12:02:10.945439100 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: 0f ed 15 0b 66 80 e2 50 7d 06 87 f6 62 21 2c 71 f9 c4 d1 6b 9f 71 d9 c3 86 c9 d0 c5 83 88 63 c6 90 6e 8a fd a1 aa f5 9b 9f 30 6e 52 d8 0a dc ff cb b7 e9 02 48 f6 28 31 e3 93 ea 3e f3 6f 5c 8e 91 db a6 b7 df 4b 3b 3a f9 0e c2 c9 07 d1 15 72 2e cc
Data Ascii: fP}b!,qkqcn0nRH(1>o\K;:r.M^@u`T&sS$U%kz0t+zGZ83F5ukthqAC0aYXtM8rJME!W=2K+.iAx|`:L?p
20
Apr 3, 2014 12:02:10.945441961 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: a9 e4 22 9e f8 3a 28 88 e6 c4 c5 b8 dc d2 36 bc 26 5d 23 c2 e4 fa 5d a9 c5 9f 70 60 54 fa 03 e2 7d 16 e7 6e be 71 d9 39 1b cd 8f 1f 1c 41 30 6f f4 80 f2 6d d5 f6 e9 84 ad 95 4d fb 73 a5 ae 6d d2 ca 81 8c 55 fe f1 b6 4c 96 af a9 aa 3d 00 c2 96 47
Data Ascii: ":(6&]#]p`T}nq9A0omMsmUL=G^z)0]MUx~kb<e*b/0A&y.Pvi,^8Bz7d:.zfV7O]@Dg5(bIj`$wK-4a6eIt
21
Apr 3, 2014 12:02:10.945971966 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: a0 a0 bc a2 7b 09 75 ad 18 91 c5 c7 09 ba f5 f3 a2 b8 7b 3a e9 2e a1 36 f0 22 c1 f0 5a 5f 06 bb ce ab 80 16 7a cb 74 49 3b 9b d4 3f 40 3e dc b2 7f ef 5c db d3 53 31 09 4f 18 90 8b 21 0e 86 ca 91 53 7b 19 62 bf 7b 00 c6 f3 e3 c2 bb 59 3f 9a a2 c3
Data Ascii: {u{:.6"Z_ztI;?@>\S1O!S{b{Y?~)NG-IUBfDcA((^eekLb{}tLe)?5$L9S;=GU;iZmJDd64ay%~wTzNQ*!T&:6vW-oXy`%
22
Apr 3, 2014 12:02:10.945976973 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: 86 01 19 fb 40 d3 2c fb 77 1f 25 a2 c4 f4 04 5e ca 7e 57 35 6f c1 fd a2 33 11 ec 75 ec 47 5d 8a bf 97 b1 c1 b8 14 10 c1 08 5d 6c 75 ef 09 6c 6c 61 bd 9a f6 c6 b9 be 7f bf fa 1a fb 2e 58 00 84 84 4c 82 2f c1 13 d2 9b 75 fa 8a ea 8d fd ad 69 38 4a
Data Ascii: @,w%^~W5o3uG]]lulla.XL/ui8JKe #>9"\>^c8&OfJcJ*2DeJ23RW[nF%XlpdKZX[v(Kw,*u-79C
24
Apr 3, 2014 12:02:10.946080923 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: 0e a3 a4 3f 84 bd f2 fd 00 3d 7f b4 d7 bc ba 75 2a 42 10 b0 1d cc fb 26 6d 95 57 64 f8 cc a3 5f 16 1a 20 99 94 28 0a c6 a1 60 83 df 19 57 a2 27 b4 3b 4f f9 0b b0 5f 28 a3 07 64 c9 1c fb 6a 7c 07 1f 84 e7 9f a6 99 68 b8 2b bc 29 51 ff ad df 80 72
Data Ascii: ?=u*B&mWd_ (`W';O_(dj|h+)Qr(TF\6Gi[[pt*S=6~XfU+Yak?k$qcRS[|Z%we[bUsfCL\M*ku@pL)@pV\}s0G@7ixI
24
Apr 3, 2014 12:02:10.958765030 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: 19 d2 93 3c 9d 75 5e c4 97 c2 73 05 31 07 95 09 4d d0 bb b2 e4 e1 91 98 96 27 9e 7f 60 22 c2 d1 e7 45 fd 77 5d 18 20 3f e7 08 49 ae 96 d8 c7 a6 8a ab ad d1 ea e0 63 22 bb 4f 7d e4 b0 f0 93 7c 3e 2b af 3a 8a 25 f8 e8 a2 a1 38 d0 26 10 93 a9 e7 86
Data Ascii: <u^s1M'`"Ew] ?Ic"O}|>+:%8&U8N7mBWDRQB&[CK-yJiUxQxBui%VukU %E(w:Q?\B3"\g!WWWNn:4!.XL`Va,
25
Apr 3, 2014 12:02:10.959160089 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: 11 be 16 7c cd 58 ca 2d 43 c7 47 c0 91 aa 27 41 97 49 4e 80 09 96 33 00 62 f5 e6 73 de 35 6e bb e9 9c 74 1a 82 4c f7 c3 55 20 2f 9d 44 e7 9b 1b 09 57 59 50 b5 cd 13 e5 11 f7 07 fd c4 8e 9c 03 51 cd e8 9f 3c 12 aa 3d 1b a6 ec e5 72 c0 b7 ad 18 87
Data Ascii: |X-CG'AIN3bs5ntLU /DWYPQ<=rLLRf{Oelf~+.>Rlk+ko8o[} v\w5IY^+O({:.g@ByA[Q}M1$:IBMds"#4]Q+jQ^c*6@
26
Apr 3, 2014 12:02:10.959167004 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: a1 b9 4b 62 a9 cf a7 43 fb 55 b9 5c e4 b8 4d 81 ff a4 f9 7b de c7 ba 13 8c b7 e7 3a e0 39 ff 28 a7 0b 6b a8 18 79 b2 76 2a ce 19 92 15 21 b5 9c 8b d7 c9 93 d2 15 bc ed 09 b8 a1 e2 cc 59 d4 48 89 f2 ec 98 bc 44 d0 9d 9e a3 cd 20 af 8e 90 f2 17 48
Data Ascii: KbCU\M{:9(kyv*!YHD H"'>58B \cG)##F_U'KSt_^b6P,5QkYZY`I\0)N2=Yo<.414Xm#q|\%M: 1>wUQCT3 H7gL*nk\
28
Apr 3, 2014 12:02:10.959269047 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: fb b8 9e e8 34 b2 66 08 58 2c f8 0c 8b 6d 78 24 4b 1e 12 2e 9d 2f 6c fd 89 47 3f cb a0 e9 27 c9 48 78 df 8b 84 91 b9 c1 de 71 89 51 35 69 5b 7d 5a 1b 81 ad aa ee f3 54 c5 44 d1 28 33 22 1f 0d 9d 38 0a 83 fb 23 60 d3 e5 db de b7 19 96 d9 be f6 42
Data Ascii: 4fX,mx$K./lG?'HxqQ5i[}ZTD(3"8#`BeubE&hvAaT1;ZPVbZ&)i@'S8C1C3Lg%o#11iJeD_R~(QoK:[;q1Lk[.
29
Apr 3, 2014 12:02:10.964056969 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: 65 63 ba 2a c3 a4 46 7d af d0 08 c1 81 08 79 c9 a7 9a 76 bf 3d 68 fc a2 1a d7 0a 67 92 07 24 11 4d 3f 96 e0 88 70 6e 3f 7f ed c5 5a 52 6d 47 73 fe 62 a3 70 90 1c 43 77 d4 e8 8d 73 12 7b 1d 90 2f 8e 11 8f 05 5c a4 1c ae ba 76 f3 2c 4b c6 6b 45 98
Data Ascii: ec*F}yv=hg$M?pn?ZRmGsbpCws{/\v,KkE] zM^~P3YB[yRB+]I52fwyp'8wJB&pA}C@*2xL \~);z<ynTX"@a,>\x
29
Apr 3, 2014 12:02:10.964610100 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: 6a c1 ec 11 10 e9 e0 45 27 d5 03 75 95 bd c6 37 d5 91 39 b4 c2 57 53 1b 2e f9 82 50 19 76 43 1e 7f ea 2d 58 59 62 d2 be c2 d5 20 a8 23 a3 ec a7 d2 52 cd e5 f1 36 7f 55 ef 46 52 88 fb dc 77 8f 1f 88 11 12 c8 f6 df f9 50 19 be f1 e2 e2 03 f5 c2 70
Data Ascii: jE'u79WS.PvC-XYb #R6UFRwPp,w]eKp"ZkxY3ysf/=nC,(^U1|'8[pUVO_;uS$O0[o'g5-,1Q{.w{+cw,vCa
31
Apr 3, 2014 12:02:10.964616060 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: 80 b8 6a 3d 68 7a 3f e4 42 98 2f 1c 93 3c b8 75 61 d7 dd cb 4a 0e 8f 81 b8 8e cf 8d 96 dd f4 15 95 37 90 f7 0b 38 c0 f2 c4 ba 7f bc 18 a3 ac 2f 52 9c cf 73 3c 0e f9 a6 d0 60 9d d0 a7 11 49 e8 53 8a dc 2a 30 c7 a8 52 73 52 d3 82 cf bb 01 fe f3 73
Data Ascii: j=hz?B/<uaJ78/Rs<`IS*0RsRs+(S6*7G!pM",@L1dDd)1D2d<92hj1&@)UF1L0UkaW9sWx^/lWl1q6fYg7Hd$
32
Apr 3, 2014 12:02:10.964706898 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: 36 93 92 5e 17 72 05 20 08 29 3e 29 1e 7a 06 d2 b3 03 23 1a 9a 4d a9 77 3f ed 46 01 3a af 1f 3b 15 6b a4 e0 1f ef f5 da 10 ec 77 91 73 72 5b dd 74 89 cf ac 04 39 c8 a8 bf a5 2d 29 c4 e3 75 43 55 5c 45 11
Data Ascii: 6^r )>)z#Mw?F:;kwsr[t9-)uCU\E
32
Apr 3, 2014 12:02:10.964823008 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: 68 5b 5d 4f 6e a9 52 5e 4f 30 22 a5 37 10 75 29 6b 5f 2f 10 c3 59 a7 79 ac 76 11 5a 8d ba 2b 54 7d 08 4e 57 72 a2 91 7e 2f 70 65 90 d2 98 72 27 a7 7a 24 5f ac 43 fc 04 b3 a9 d8 5f a0 12 c3 7e 38 fe 28 c6 a4 6e 3a 21 78 fc 1b e5 29 1f 54 be d1 b9
Data Ascii: h[]OnR^O0"7u)k_/YyvZ+T}NWr~/per'z$_C_~8(n:!x)T`;umu(.%jI_A@`]{=j~YbUvIc,%0U)k|nn)*ooxS{LV@H(gIgu6Km5TW9
34
Apr 3, 2014 12:02:10.964828968 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: 54 5c 42 df 90 20 51 45 2a 41 4f 0a d6 b4 5d 14 cf 0a 16 0a b2 2c 18 32 99 b5 25 66 4c 79 75 61 57 53 ed cc dd a3 76 23 60 c8 9f 87 e2 46 8f bf cc cf 62 45 68 ce 16 06 3b df b5 f6 d9 a7 0d 86 7c a5 ae 11 eb 4f c9 22 a9 28 ee 98 88 b3 5e fe 48 85
Data Ascii: T\B QE*AO],2%fLyuaWSv#`FbEh;|O"(^HOW7yGu+,kWm6_ok,7EL?E1\kQKYlhb&D"z%KQ@5gEOz>Ys%2G{>V"aU0&/t'fSw7
35
Apr 3, 2014 12:02:10.964831114 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: 02 43 fd b9 07 c7 66 ac bc bb 87 d5 75 15 80 35 4e 2c 55 17 ce 46 1a bb 7b fe d1 77 32 37 36 f1 30 97 4e 1e dc 75 10 0c f5 ba 9b 7b f3 31 7a c1 e9 97 9a b2 61 a4 a4 31 0e 10 25 b9 c1 f7 9d 57 dd ec 27 79 3e 8c 06 1b cb e8 f2 1c ba 7c f2 18 58 08
Data Ascii: Cfu5N,UF{w2760Nu{1za1%W'y>|XzQs:]|JNp7;l6r$O"@ifGG5Y/R&Y%HimEKNeL&=AOfr#_BeL*QT-yq,
36
Apr 3, 2014 12:02:10.965390921 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: 8c db 1d 23 2e 13 c8 f1 1b de cb e8 08 be 66 57 44 0b 83 d7 60 68 a0 d6 87 1e c6 ba fd aa 14 b4 78 0d 1d 35 d1 32 96 71 bd 43 52 7e a1 33 59 7d a2 d8 79 51 5a f0 90 49 2a 74 d4 f4 4c a6 f3 58 6c 55 d7 d0 05 6f 9c 3e f5 1a 33 18 44 b2 7d 90 45 36
Data Ascii: #.fWD`hx52qCR~3Y}yQZI*tLXlUo>3D}E6f]]0z{5Esn-#%f?g'p}h]L@ZGB2){?yBioTUl,n>MUm'3
37
Apr 3, 2014 12:02:10.965398073 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: 88 54 c5 be 58 14 34 52 97 1d 48 33 9a 85 a8 e8 a5 ab 9e 2a 21 69 c3 f5 df 1f e2 b5 72 f1 12 15 cb 8b 99 67 db 77 50 0a 38 fc ee 29 4b 61 93 45 67 73 6e 93 29 de 9f 8f 59 ed 3e 14 be 77 a4 08 92 4c e4 3b cf dc 31 75 1a ec 6e a2 82 da 7b 7f ee 2b
Data Ascii: TX4RH3*!irgwP8)KaEgsn)Y>wL;1un{+E/0\\UyQj@y1AHM9y:gFRciVn|sO:Gc3p~VUGup~Xan:oW<s9mdv~pf
39
Apr 3, 2014 12:02:10.965497971 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: 49 ad e9 93 6d 93 90 cc 89 75 10 7f 47 f2 41 2f a1 8c 41 9a 79 61 06 b6 96 c8 56 0a 63 b0 72 16 90 22 23 96 b7 e6 76 85 5d 76 b7 65 b7 45 84 b6 ab bf 4e 91 57 33 19 21 d1 9d 98 db 56 4b a1 71 2e 0a 40 7f 07 d5 31 f2 ed 48 85 7f 48 b9 73 bf ed 7a
Data Ascii: ImuGA/AyaVcr"#v]veENW3!VKq.@1HHszz]6UM^'A?pjvLfEGLv_9_ddRi^M5oVB{u79VxaII=Z=|}. 4(8L#
40
Apr 3, 2014 12:02:10.977912903 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: e3 04 61 2e 0b e0 f3 97 98 08 3e 42 d8 38 e3 8c 4c 24 0a 6d bc e2 53 c2 7f 74 fe 92 e0 30 ae 57 67 cb b1 ca 87 76 b6 b2 76 ef 87 7e ad 35 34 04 59 4a a5 15 bd 2e f9 68 af be b2 e2 6d 75 b2 a1 f3 84 ac b3 e7 8a 61 4a 25 29 5e 43 16 ef db 93 d3 9d
Data Ascii: a.>B8L$mSt0Wgvv~54YJ.hmuaJ%)^C~xDR11]&?f7Tub4W<^@R[yEa9G3o;T/.W23SqH(Ds<w.*{4tWc._?C6U@{b2|YHM&
41
Apr 3, 2014 12:02:10.984586000 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: 16 b0 19 95 c5 4d cd 64 36 7d 18 b2 df f6 a2 4d 6c 18 e7 3b 72 76 d9 ea dd b2 03 30 60 f8 fb f0 95 bd 6e 05 63 b4 d3 88 bf 9d be d0 bd 0e 9a 92 fb 9a 1a 3a 28 9a f4 10 28 3b b4 6f 86 69 61 93 3a 80 3f 52 31 75 9a b1 1c af c3 bd 0a bc 04 59 3e cd
Data Ascii: Md6}Ml;rv0`nc:((;oia:?R1uY>N1k3@_IA]J]td,^]/J@{k.`i#y[;z`CyjMNCA%V;9rnL$B*)LPd!s)HHBH$
42
Apr 3, 2014 12:02:10.984616995 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: 08 e3 75 fe 4c 6d d9 a6 b8 67 18 26 d1 40 ba aa 63 f0 36 52 b7 d2 5e 9f 57 87 e2 b9 36 9e 9e c0 3d f2 ca 1a 98 69 fc 6f 51 58 a6 af 6a 64 cc a0 8c 2d ab 6f d8 0c 51 15 bf 28 33 d0 20 f4 d1 1d 29 48 8b ec 5c bf e9 46 4d 40 f2 ea 35 5f 3b 75 96 fd
Data Ascii: uLmg&@c6R^W6=ioQXjd-oQ(3 )H\FM@5_;uJcj'Ho!d,{Y*Qk-7H.:JodDX3h|\o9U3&gr4P4M$*>Cu`<!PkmVI:vhbZjXI>U *JaP,-:Ni
44
Apr 3, 2014 12:02:10.984627962 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: 77 b7 08 76 4a 65 b5 48 1c 65 82 2f e1 87 93 d5 da 38 39 a4 86 17 40 df 59 35 bf a3 20 5d da a1 ce d1 3d 25 cc 9c f1 30 7d 97 39 12 56 c7 ee 76 92 eb de 42 cd 42 a3 66 be db ee 63 06 7e 30 62 e8 2a d2 a8 92 ba 57 96 3a 5a c6 59 e8 44 2a 4a a5 f7
Data Ascii: wvJeHe/89@Y5 ]=%0}9VvBBfc~0b*W:ZYD*J<\/_Xu2OE&T]x^XO:#<r=s^%A#%$pahPR"kI&/[esDfy$x{2df+b+#
45
Apr 3, 2014 12:02:10.985069990 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: 26 5b 1e 81 2f 56 36 39 ed 75 cd b6 26 95 85 54 f7 6e 4d 8c 07 2f 93 0a 2f 8f f0 7c 73 1c 8f 44 9a 8e 5f 88 c6 89 7b 14 cb 6a 3a 4c a0 52 fe 70 28 20 6a 57 8d cd 03 e5 b3 34 f7 b3 57 2a 94 02 e4 a0 95 18 b3 89 b5 0a cf 72 87 bb 93 94 3e eb bb 01
Data Ascii: &[/V69u&TnM//|sD_{j:LRp( jW4W*r>7i~(wGlv
45
Apr 3, 2014 12:02:10.985901117 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: be ef f0 ab fa 92 fa df 2b de 76 1e 40 d3 fd 5d 0b e5 5b e2 5f a5 56 f9 8f 89 d3 03 05 42 9a f0 ab 41 8c c2 a1 18 35 99 11 1f 4b 5d cd cf 3c e6 7f 34 c5 26 54 11 46 1e 61 f9 ad e3 17 a5 72 04 db ec a8 a9 1f 43 ec 4e 74 f0 8f 25 06 42 ef 38 f6 68
Data Ascii: +v@][_VBA5K]<4&TFarCNt%B8hItJ"^4P,`js(b@04>(/@XN/@p)=AIou5T\54ir9eB'I"5TE("6}yVHce
47
Apr 3, 2014 12:02:10.985907078 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: 81 f0 10 80 04 0c 47 77 71 24 a1 72 6b e9 83 83 d8 28 54 0d 58 c8 c7 0d e1 a7 b7 07 06 5d 21 4d 5f 1b cb 44 b1 f3 e2 cd b7 47 23 60 bc 9e c7 c5 c5 61 cf 5d 27 4b 6f a9 f2 78 df bc 7d bd 05 61 12 a7 09 85 e7 84 46 6f 47 fe 9a 5a 79 77 7b 7d 9b e8
Data Ascii: Gwq$rk(TX]!M_DG#`a]'Kox}aFoGZyw{}^y>uEY/6pQX4-M ,hsb%EBO5HY!~9ns$__<"dc:OC!wl449Ej&o(HwAW
48
Apr 3, 2014 12:02:10.986018896 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: cd 12 a7 7c 03 f7 a6 bf 14 e7 45 06 a3 d5 32 ec 33 45 e9 bd ba b8 9d 23 35 d7 77 5a 64 75 1b 5e 7c 72 1d 8c 86 4d 84 82 98 5c f5 c3 43 87 2a c8 05 0e 48 f8 9f ca d9 d4 f8 92 57 82 55 7e 5c 21 30 e1 73 7a df ad bf dd dc f5 67 be 3f 9d 88 f9 92 b5
Data Ascii: |E23E#5wZdu^|rM\C*HWU~\!0szg?tHyI/$pHID<x0"qZN9#IJsuH{f(f4%T8N>+CO:~*I]Oo-&!Q1\E_~`'<
49
Apr 3, 2014 12:02:10.987273932 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: a8 0a 1f 5c e2 65 ff 66 ff b8 74 6b dd c0 3b d2 63 38 1f 1b f3 f7 32 ef 86 87 a0 a8 1e ea a0 ed bb fb 89 86 59 2e 65 f2 9d 19 b9 2c 47 8d 51 bf 41 b5 5d 0c fa a8 1d 66 b4 5a c2 ff dc b2 ec 86 50 0f 84 09 82 74 99 aa ea ef 0d 2e c4 02 c8 d2 c2 ab
Data Ascii: \eftk;c82Y.e,GQA]fZPt.</uGvKW;b;M>MtywC`0J,&z>(R|_nW(J):"WL7_S$Eh*HX[n"ZD`E:>7+sU^9\
50
Apr 3, 2014 12:02:10.988744974 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: ef bf 5f f9 69 5e 5d ad df ac e8 69 16 87 db 63 2a 03 46 6a 3a 50 24 a3 dd b6 61 ae 96 33 e1 7c d9 47 24 d3 e2 9c 6f 38 9d a3 89 67 bf e5 b8 3b 61 bc 5f bf 28 72 3a f9 57 3b c3 7e ef 12 dc 01 20 65 94 dc 4d df 62 62 39 37 85 59 aa 70 c8 26 3d b4
Data Ascii: _i^]ic*Fj:P$a3|G$o8g;a_(r:W;~ eMbb97Yp&=$_~wxT^^j3~pep6#Ox;PX4`_o#K Smx_&BAW9s)O}#>&og3$PKO4qmhEIr5K^
51
Apr 3, 2014 12:02:10.988749981 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: 0a 1e 39 1f 18 06 9f b4 f9 36 e8 4d c7 b2 8b 62 9e 41 df 9f 4c 24 87 9d bb 87 fe d5 95 cf b4 f7 74 3f 55 9a 42 df 9f da 8d 42 6b 3d 8a e1 ed f3 c7 15 0e 91 a2 fe 3e 31 59 c7 ee fc 61 f3 d9 f7 95 42 40 a9 80 4a df b2 40 c4 6a a0 de 37 cb 60 4c 22
Data Ascii: 96MbAL$t?UBBk=>1YaB@J@j7`L"M:zk<Uc1#e$A3vZ2YJNcNZ%[FEn(e))}/KBn:-wrq>|>&]lz^0~|sbF )*r*e7EW:d
53
Apr 3, 2014 12:02:10.988862038 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: 5e 2c 55 8a 6c ca e6 77 e8 0c 30 de 67 fb ba ef ca 3d 16 91 ba 4e dc 31 7a 32 79 ce 91 76 10 cc 4f a9 be 3c fa 15 09 d5 5d 24 d3 74 5d aa af c7 fd 3c 51 ec ff a7 88 f9 a7 ae 46 41 d2 32 33 45 b7 6b 43 91 05 ea 7a b2 7d 6d 22 9f 26 43 fd da e2 50
Data Ascii: ^,Ulw0g=N1z2yvO<]$t]<QFA23EkCz}m"&CP35~2<6A`vf>@v]crH9J5oxytntm|s?5B${/u7qLjpUvNKT+_[uv2tmKL%4{.;'H
53
Apr 3, 2014 12:02:10.995527983 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: 38 6b 20 36 7e 3b da ff 03 18 9e 94 03 9e 81 0b a3 27 55 36 47 75 3f 0a 81 87 e8 42 28 f3 54 62 80 ac dc 51 ad 7c 19 fe b9 45 7e 51 a9 c6 bf 52 22 c0 f0 5c 09 df 6f 9b 31 24 c4 e7 8f bd 68 69 61 92 fa d4 01 15 e5 dd 91 7a 1c 16 7a 1e 6e e8 5c e6
Data Ascii: 8k 6~;'U6Gu?B(TbQ|E~QR"\o1$hiazzn\YDW\#&YJwzh;t|'I.Y9%-Rqo6g\z0xnl"S{H}M6i-nLaDR3pa!T)J?
54
Apr 3, 2014 12:02:10.997195959 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: 6b 4a 60 7b b2 a3 e7 bc 02 84 52 70 77 a4 c4 7a 36 d5 da d3 a9 5d 66 9a 62 ca 52 e1 99 b9 32 ce fd 53 a8 81 9a e1 57 b7 ba fd 4d 34 e4 b2 84 93 d8 12 5e ee cb 29 0f d7 25 7a 98 4f f8 7d aa de fb f4 bc ad ec e7 9d 64 92 1c e5 37 d3 7c b7 33 3a 51
Data Ascii: kJ`{Rpwz6]fbR2SWM4^)%zO}d7|3:QsZ&HW{>NJ:*kv~E<%!(D]\sTC&xi[F,7Hk%h^F+F'D]w&&:U1{6_yp'3 `Ks4
56
Apr 3, 2014 12:02:10.997203112 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: 38 78 f0 a0 b8 db 8a 95 88 db 79 b8 49 78 ba 38 49 d8 e1 5d 25 3c f1 1e f6 de 76 04 2f 09 92 11 91 ac 87 64 34 24 8b 21 19 b9 b5 24 00 28 88 01 d2 62 80 a4 38 e9 73 9f bf 89 f4 fb cf 7d 13 60 b9 e2 04 60 30 04 06 d8 05 e8 af 1c 03 94 c1 ea df bf
Data Ascii: 8xyIx8I]%<v/d4$!$(b8s}``0^upQS0){.x;{7"y8$*QXT>M}NGjj1^}3VsJa^Q%BVg+;7Lf'=BF;`g/<86e
57
Apr 3, 2014 12:02:10.997313976 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: ad e9 12 d6 01 55 58 18 ae ed c4 30 7b ad 8d c0 fd b2 a5 c2 7b 61 bb fc 37 ca cd 85 18 ba dc 43 ce 4b 43 12 66 e1 70 c7 1d f3 11 2b 39 38 16 42 50 7b c8 7b e2 9f 4e 04 a6 ff 33 24 f5 8f 8b 7b aa 43 e4 a2 f4 64 20 28 39 09 2e 70 84 10 e4 df 42 99
Data Ascii: UX0{{a7CKCfp+98BP{{N3${Cd (9.pBN=0tmv8=za=\U)gT|O)-<0xnY_oi{z&&b$x_aU0?,# ~ j7IE]>.(3H-
58
Apr 3, 2014 12:02:10.997545958 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: 17 01 c0 e1 df 9c 24 20 05 97 41 22 11 32 bf 3a c9 ef c3 ff 65 27 99 b2 ad 99 cf 2d 93 6f b7 d6 4b 56 bf 4e 2b ed d7 67 39 8e ae 6f ca 54 b6 57 73 f0 f4 8a f1 7a 73 d4 1b d1 ab 60 a1 3c 92 57 11 63 2c 1f aa ab 5a 15 56 c0 ce b4 58 ae cd a4 0f 4b
Data Ascii: $ A"2:e'-oKVN+g9oTWszs`<Wc,ZVXKs,\KHJlQHZPXn#(Pkh'ORn55'=Pid+xTa@J,EDnC_CXdCTWn
59
Apr 3, 2014 12:02:10.997554064 MESZ | 80 | 1034 | 92.123.155.25 | 192.168.1.10 | Data Raw: 58 46 17 93 f8 ca a5 30 90 e5 f6 7c 69 31 b9 e9 f2 b0 8a 32 e0 04 eb 78 f0 c4 7f e3 74 eb 0c 2e 06 1d 73 9f aa 85 f4 69 26 4c 6d e3 8b 5a 8d 1c 49 b8 40 cd ea 73 c5 9e e3 74 ed 9b cf 4f 81 17 d2 67 c2 51 59 df 50 e8 43 40 a1 17 c0 78 d0 f2 13 32
Data Ascii: XF0|i12xt.si&LmZI@stOgQYPC@x2HM/w4y")|EG+`uZ8zb!w9AHX"1%@t3)5@k%jDwg:*K2Xg(nu1X*7~B4I:
61
Apr 3, 2014 12:03:18.606722116 MESZ | 1035 | 80 | 192.168.1.10 | 50.116.4.71 | POST /write HTTP/1.1
Host: default
Accept-Encoding:
Connection: close
Content-Length: 328
X-ID: 1616
738
Apr 3, 2014 12:03:18.606894970 MESZ | 1035 | 80 | 192.168.1.10 | 50.116.4.71 | Data Raw: 62 69 ae c7 8e c7 ee 39 68 7b 5e cb 6e ef 83 1f a0 61 b3 e4 48 01 00 00 00 00 00 00 ce c4 fc bc 5e b0 00 d4 47 84 8f fa a5 91 a8 6e fc 6d db 32 65 00 00 00 00 00 00 00 27 00 00 00 27 00 00 00 5c f9 de cb 53 fa b8 bf 24 f8 a2 be 20 fb d7 cc 21 8c
Data Ascii: bi9h{^naH^Gnm2e''\S$ !S\U# fOaGx/1J>XgW&h!!ihhhhhhhhkj?kmk8
739
Apr 3, 2014 12:03:45.784476995 MESZ | 1040 | 80 | 192.168.1.10 | 173.194.65.105 | GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 1.0.3705)
Host: www.google.com
Connection: Close
741
Apr 3, 2014 12:03:46.289760113 MESZ | 80 | 1040 | 173.194.65.105 | 192.168.1.10 | HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: http://www.google.nl/?gfe_rd=cr&ei=AjI9U9XWCYmMOt6CgLAB
Content-Length: 256
Date: Thu, 03 Apr 2014 10:03:46 GMT
Server: GFE/2.0
Alternate-Protocol: 80:quic
Connection: close
Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 6e 6c 2f 3f 67 66 65 5f 72 64 3d 63 72 26 61 6d 70 3b 65 69 3d 41 6a 49 39 55 39 58 57 43 59 6d 4d 4f 74 36
Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="http://www.google.nl/?gfe_rd=cr&amp;ei=AjI9U9XWCYmMOt6
741
Apr 3, 2014 12:04:02.342402935 MESZ | 1042 | 80 | 192.168.1.10 | 23.92.19.67 | POST /write HTTP/1.1
Host: default
Accept-Encoding:
Connection: close
Content-Length: 328
X-ID: 1616
744
Apr 3, 2014 12:04:02.342566967 MESZ | 1042 | 80 | 192.168.1.10 | 23.92.19.67 | Data Raw: 00 ce a9 c8 2c 33 90 72 f4 4c 84 5c f4 6d 40 e0 46 1b 93 69 48 01 00 00 00 00 00 00 6f 6f 3a 84 db e5 80 92 7a 30 fd 1c 1b fb ea 99 ce ab d7 67 65 00 00 00 00 00 00 00 27 00 00 00 27 00 00 00 5c 58 56 0d 53 5b 30 79 24 59 2a 78 20 5a 5f 0a 21 2d
Data Ascii: ,3rL\m@FiHoo:z0ge''\XVS[0y$Y*x Z_!-)S,Yy\+-U+V#-V V\f<r%6/G>TgW^_&:h!!iUo:hr{:hoo:hoo:hoo:hoo:hoo:hoo:hkj8kJs:kn18q:
744

Code Manipulation Behavior

SSDT
Function Name | New Address
NtOpenProcess | FF7ECE2B
NtOpenThread | FF7ECF49

IRP Handler
Handler Function | Driver | Address | Type
IRP_MJ_SET_VOLUME_INFORMATION | \Driver\2e19aac6887a7667 | FF7EC4A6 | new
IRP_MJ_QUERY_QUOTA | \Driver\2e19aac6887a7667 | FF7EC4A6 | new
IRP_MJ_PNP | \Driver\2e19aac6887a7667 | FF7EC4A6 | new
IRP_MJ_CREATE_MAILSLOT | \Driver\2e19aac6887a7667 | FF7EC4A6 | new
IRP_MJ_POWER | \Driver\2e19aac6887a7667 | FF7EC4A6 | new
IRP_MJ_DEVICE_CONTROL | \Driver\2e19aac6887a7667 | FF7EC4A6 | new
IRP_MJ_READ | \Driver\2e19aac6887a7667 | FF7EC4A6 | new
IRP_MJ_DIRECTORY_CONTROL | \Driver\2e19aac6887a7667 | FF7EC4A6 | new
IRP_MJ_QUERY_VOLUME_INFORMATION | \Driver\2e19aac6887a7667 | FF7EC4A6 | new
IRP_MJ_SET_SECURITY | \Driver\2e19aac6887a7667 | FF7EC4A6 | new
IRP_MJ_WRITE | \Driver\2e19aac6887a7667 | FF7EC4A6 | new
IRP_MJ_LOCK_CONTROL | \Driver\2e19aac6887a7667 | FF7EC4A6 | new
IRP_MJ_CLEANUP | \Driver\2e19aac6887a7667 | FF7EC4A6 | new
IRP_MJ_CLOSE | \Driver\2e19aac6887a7667 | FF7EC4A6 | new
IRP_MJ_INTERNAL_DEVICE_CONTROL | \Driver\2e19aac6887a7667 | FF7EC4A6 | new
IRP_MJ_CREATE | \Driver\2e19aac6887a7667 | FF7EC4A6 | new
IRP_MJ_CREATE_NAMED_PIPE | \Driver\2e19aac6887a7667 | FF7EC4A6 | new
IRP_MJ_DEVICE_CHANGE | \Driver\2e19aac6887a7667 | FF7EC4A6 | new
IRP_MJ_SET_INFORMATION | \Driver\2e19aac6887a7667 | FF7EC4A6 | new
IRP_MJ_QUERY_EA | \Driver\2e19aac6887a7667 | FF7EC4A6 | new
IRP_MJ_FILE_SYSTEM_CONTROL | \Driver\2e19aac6887a7667 | FF7EC4A6 | new
IRP_MJ_FLUSH_BUFFERS | \Driver\2e19aac6887a7667 | FF7EC4A6 | new
IRP_MJ_SET_EA | \Driver\2e19aac6887a7667 | FF7EC4A6 | new
IRP_MJ_SYSTEM_CONTROL | \Driver\2e19aac6887a7667 | FF7EC4A6 | new
IRP_MJ_QUERY_SECURITY | \Driver\2e19aac6887a7667 | FF7EC4A6 | new
IRP_MJ_SET_QUOTA | \Driver\2e19aac6887a7667 | FF7EC4A6 | new
IRP_MJ_QUERY_INFORMATION | \Driver\2e19aac6887a7667 | FF7EC4A6 | new
IRP_MJ_SHUTDOWN | \Driver\2e19aac6887a7667 | FF7EC4A6 | new

New Device
Driver | Device | Attached to (upper) | Attached to (lower)
\Driver\2e19aac6887a7667 | (null) | unknown | (null)
\Driver\2e19aac6887a7667 | \Device\NtSecureSys | unknown | unknown

Kernel Callback Routines
Notifier | Address
LoadImage | FF7EE1D9
Registry | FF7ECCDF

User Modules

Hook Summary
Function Name | Hook Type | Active in Processes
GetClipboardData | INLINE | ctfmon.exe, explorer.exe, wscntfy.exe
TranslateMessage | INLINE | ctfmon.exe, explorer.exe, wscntfy.exe
UnsealMessage | INLINE | ctfmon.exe, explorer.exe, wscntfy.exe
DeleteSecurityContext | INLINE | ctfmon.exe, explorer.exe, wscntfy.exe
DecryptMessage | INLINE | ctfmon.exe, explorer.exe, wscntfy.exe
EncryptMessage | INLINE | ctfmon.exe, explorer.exe, wscntfy.exe
SealMessage | INLINE | ctfmon.exe, explorer.exe, wscntfy.exe
ZwCreateThread | INLINE | ctfmon.exe, explorer.exe, wscntfy.exe
LdrLoadDll | INLINE | ctfmon.exe, explorer.exe, wscntfy.exe
NtCreateThread | INLINE | ctfmon.exe, explorer.exe, wscntfy.exe
closesocket | INLINE | explorer.exe
FreeAddrInfoW | INLINE | explorer.exe
WSARecv | INLINE | explorer.exe
WSAGetOverlappedResult | INLINE | explorer.exe
GetAddrInfoW | INLINE | explorer.exe
send | INLINE | explorer.exe
gethostbyname | INLINE | explorer.exe
freeaddrinfo | INLINE | explorer.exe
recv | INLINE | explorer.exe
getaddrinfo | INLINE | explorer.exe
WSASend | INLINE | explorer.exe
PFXImportCertStore | INLINE | explorer.exe
InternetReadFile | INLINE | explorer.exe
HttpSendRequestA | INLINE | explorer.exe
HttpSendRequestW | INLINE | explorer.exe
InternetQueryDataAvailable | INLINE | explorer.exe
InternetReadFileExA | INLINE | explorer.exe
HttpQueryInfoW | INLINE | explorer.exe
HttpSendRequestExA | INLINE | explorer.exe
HttpQueryInfoA | INLINE | explorer.exe
InternetWriteFile | INLINE | explorer.exe
HttpSendRequestExW | INLINE | explorer.exe
InternetReadFileExW | INLINE | explorer.exe
InternetCloseHandle | INLINE | explorer.exe

Processes

Process: ctfmon.exe, Module: USER32.dll
Function Name | Hook Type | New Data
GetClipboardData | INLINE | 0xE9 0x90 0x09 0x94 0x48 0x87
TranslateMessage | INLINE | 0xE9 0x96 0x67 0x7C 0xC9 0x97

Process: ctfmon.exe, Module: Secur32.dll
Function Name | Hook Type | New Data
UnsealMessage | INLINE | 0xE9 0x9B 0xBD 0xDF 0xFF 0xFB
DeleteSecurityContext | INLINE | 0xE9 0x9E 0xE5 0x57 0x78 0x8B
DecryptMessage | INLINE | 0xE9 0x9B 0xBD 0xDF 0xFF 0xFB
EncryptMessage | INLINE | 0xE9 0x9C 0xC8 0x8F 0xFF 0xFB
SealMessage | INLINE | 0xE9 0x9C 0xC8 0x8F 0xFF 0xFB

Process: ctfmon.exe, Module: ntdll.dll
Function Name | Hook Type | New Data
ZwCreateThread | INLINE | 0xE9 0x97 0x7A 0xA6 0x62 0x22
LdrLoadDll | INLINE | 0xE9 0x9B 0xBB 0xBD 0xD3 0x32
NtCreateThread | INLINE | 0xE9 0x97 0x7A 0xA6 0x62 0x22

Process: explorer.exe, Module: USER32.dll
Function Name | Hook Type | New Data
GetClipboardData | INLINE | 0xE9 0x90 0x09 0x94 0x48 0x82
TranslateMessage | INLINE | 0xE9 0x96 0x67 0x7C 0xC9 0x92

Process: explorer.exe, Module: ntdll.dll
Function Name | Hook Type | New Data
ZwCreateThread | INLINE | 0xE9 0x97 0x7A 0xA6 0x62 0x2D
LdrLoadDll | INLINE | 0xE9 0x9B 0xBB 0xBD 0xD3 0x3D
NtCreateThread | INLINE | 0xE9 0x97 0x7A 0xA6 0x62 0x2D

Process: explorer.exe, Module: WS2_32.dll
Function Name | Hook Type | New Data
closesocket | INLINE | 0xE9 0x97 0x70 0x04 0x40 0x0B
FreeAddrInfoW | INLINE | 0xE9 0x99 0x9B 0xB5 0x52 0x2B
WSARecv | INLINE | 0xE9 0x99 0x95 0x53 0x32 0x2B
WSAGetOverlappedResult | INLINE | 0xE9 0x96 0x6C 0xC7 0x74 0x4B
GetAddrInfoW | INLINE | 0xE9 0x99 0x94 0x45 0x53 0x3B
send | INLINE | 0xE9 0x96 0x62 0x23 0x34 0x4B
gethostbyname | INLINE | 0xE9 0x9D 0xD7 0x72 0x2A 0xAB
freeaddrinfo | INLINE | 0xE9 0x99 0x9B 0xB5 0x52 0x2B
recv | INLINE | 0xE9 0x98 0x83 0x31 0x17 0x7B
getaddrinfo | INLINE | 0xE9 0x9B 0xBD 0xD5 0x52 0x2B
WSASend | INLINE | 0xE9 0x9E 0xE1 0x11 0x17 0x7B

Process: explorer.exe, Module: CRYPT32.dll
Function Name | Hook Type | New Data
PFXImportCertStore | INLINE | 0xE9 0x98 0x82 0x26 0x65 0x5B

Process: explorer.exe, Module: Secur32.dll
Function Name | Hook Type | New Data
UnsealMessage | INLINE | 0xE9 0x9B 0xBD 0xDF 0xFF 0xF6
DeleteSecurityContext | INLINE | 0xE9 0x9E 0xE5 0x57 0x78 0x86
DecryptMessage | INLINE | 0xE9 0x9B 0xBD 0xDF 0xFF 0xF6
EncryptMessage | INLINE | 0xE9 0x9C 0xC8 0x8F 0xFF 0xF6
SealMessage | INLINE | 0xE9 0x9C 0xC8 0x8F 0xFF 0xF6

Process: explorer.exe, Module: WININET.dll
Function Name | Hook Type | New Data
InternetReadFile | INLINE | 0xE9 0x9E 0xE0 0x09 0x91 0x1D
HttpSendRequestA | INLINE | 0xE9 0x91 0x12 0x20 0x01 0x1D
HttpSendRequestW | INLINE | 0xE9 0x90 0x00 0x0F 0xF5 0x5D
InternetQueryDataAvailable | INLINE | 0xE9 0x91 0x1A 0xA3 0x38 0x8D
InternetReadFileExA | INLINE | 0xE9 0x9D 0xD0 0x0C 0xC3 0x3D
HttpQueryInfoW | INLINE | 0xE9 0x9C 0xC6 0x63 0x3A 0xAD
HttpSendRequestExA | INLINE | 0xE9 0x97 0x7B 0xB4 0x49 0x9C
HttpQueryInfoA | INLINE | 0xE9 0x9A 0xAD 0xD7 0x70 0x0D
InternetWriteFile | INLINE | 0xE9 0x9F 0xF9 0x99 0x90 0x0C
HttpSendRequestExW | INLINE | 0xE9 0x94 0x45 0x54 0x49 0x9C
InternetReadFileExW | INLINE | 0xE9 0x92 0x2E 0xEC 0xC4 0x4D
InternetCloseHandle | INLINE | 0xE9 0x94 0x4F 0xF5 0x54 0x4D

Process: wscntfy.exe, Module: Secur32.dll
Function Name | Hook Type | New Data
UnsealMessage | INLINE | 0xE9 0x9B 0xBD 0xDF 0xFF 0xFB
DeleteSecurityContext | INLINE | 0xE9 0x9E 0xE5 0x57 0x78 0x8B
DecryptMessage | INLINE | 0xE9 0x9B 0xBD 0xDF 0xFF 0xFB
EncryptMessage | INLINE | 0xE9 0x9C 0xC8 0x8F 0xFF 0xFB
SealMessage | INLINE | 0xE9 0x9C 0xC8 0x8F 0xFF 0xFB

Process: wscntfy.exe, Module: USER32.dll
Function Name | Hook Type | New Data
GetClipboardData | INLINE | 0xE9 0x90 0x09 0x94 0x48 0x87
TranslateMessage | INLINE | 0xE9 0x96 0x67 0x7C 0xC9 0x97

Process: wscntfy.exe, Module: ntdll.dll
Function Name | Hook Type | New Data
ZwCreateThread | INLINE | 0xE9 0x97 0x7A 0xA6 0x62 0x22
LdrLoadDll | INLINE | 0xE9 0x9B 0xBB 0xBD 0xD3 0x32
NtCreateThread | INLINE | 0xE9 0x97 0x7A 0xA6 0x62 0x22

System Behavior

General
Start time:12:01:16
Start date:03/04/2014
Path:C:\Internal.scr
Wow64 process (32bit):false
Commandline:unknown
Imagebase:0x400000
File size:25600 bytes
MD5 hash:C05D7F1CFF16C7AF9B9D3B6F79CE7A02
General
Start time:12:01:16
Start date:03/04/2014
Path:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\update.exe
Wow64 process (32bit):false
Commandline:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\update.exe
Imagebase:0x400000
File size:25634 bytes
MD5 hash:917E21271D4C01B35A881246D8116DEF
General
Start time:12:01:23
Start date:03/04/2014
Path:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winsec.exe
Wow64 process (32bit):false
Commandline:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winsec.exe
Imagebase:0x400000
File size:644096 bytes
MD5 hash:25ECDFFA169BEC23946F99782C5455D8
General
Start time:12:01:24
Start date:03/04/2014
Path:C:\Documents and Settings\Administrator\Local Settings\Temp\Zekyn\uqny.exe
Wow64 process (32bit):false
Commandline:C:\Documents and Settings\Administrator\Local Settings\Temp\Zekyn\uqny.exe
Imagebase:0x7c900000
File size:644096 bytes
MD5 hash:3740968E82FE178B7A18C9673F42E870
General
Start time:12:01:25
Start date:03/04/2014
Path:C:\WINDOWS\system32\drivers\10a0d.sys
Wow64 process (32bit):
Commandline:unknown
Imagebase:
File size:56832 bytes
MD5 hash:A2F2B24BD6FA13095C319F7F61C21D2F
General
Start time:12:01:26
Start date:03/04/2014
Path:C:\WINDOWS\System32\Drivers\2e19aac6887a7667.sys
Wow64 process (32bit):
Commandline:unknown
Imagebase:
File size:56832 bytes
MD5 hash:A2F2B24BD6FA13095C319F7F61C21D2F
General
Start time:12:01:26
Start date:03/04/2014
Path:C:\WINDOWS\explorer.exe
Wow64 process (32bit):false
Commandline:C:\WINDOWS\Explorer.EXE
Imagebase:0x1000000
File size:1033728 bytes
MD5 hash:12896823FB95BFB3DC9B46BCAEDC9923
General
Start time:12:01:28
Start date:03/04/2014
Path:C:\WINDOWS\system32\ctfmon.exe
Wow64 process (32bit):false
Commandline:C:\WINDOWS\system32\ctfmon.exe
Imagebase:0x400000
File size:15360 bytes
MD5 hash:5F1D5F88303D4A4DBC8E5F97BA967CC3
General
Start time:12:01:29
Start date:03/04/2014
Path:C:\WINDOWS\system32\wscntfy.exe
Wow64 process (32bit):false
Commandline:C:\WINDOWS\system32\wscntfy.exe
Imagebase:0x1000000
File size:13824 bytes
MD5 hash:F92E1076C42FCD6DB3D72D8CFE9816D5
General
Start time:12:01:30
Start date:03/04/2014
Path:C:\WINDOWS\system32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\WINDOWS\system32\cmd.exe /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\QSOFCB0.bat
Imagebase:0x4ad00000
File size:389120 bytes
MD5 hash:6D778E0F95447E6546553EEEA709D03C

Disassembly

Code Analysis

    Executed Functions
    APIs
    • __set_app_type.MSVCRT ref: 004021CF
    • __p__fmode.MSVCRT ref: 004021E4
    • __p__commode.MSVCRT ref: 004021F2
    • __setusermatherr.MSVCRT ref: 0040221E
      • Part of subcall function 00402332: _controlfp.MSVCRT ref: 0040233C
    • _initterm.MSVCRT ref: 00402234
    • __wgetmainargs.MSVCRT ref: 00402257
    • _initterm.MSVCRT ref: 00402267
    • GetStartupInfoW.KERNEL32 ref: 004022C9
    • GetModuleHandleW.KERNEL32(00000000), ref: 004022EF
      • Part of subcall function 0040159C: RegisterClassExW.USER32(00405654), ref: 004015DB
      • Part of subcall function 0040159C: CreateWindowExW.USER32 ref: 0040160D
    • exit.MSVCRT ref: 004022FF
    • _XcptFilter.MSVCRT ref: 00402311
    Memory Dump Source
    • Source File: 00000000.00000000.223424916.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000000.223420502.00400000.00000002.sdmp
    • Associated: 00000000.00000000.223430553.00403000.00000002.sdmp
    • Associated: 00000000.00000000.223435409.00404000.00000008.sdmp
    • Associated: 00000000.00000000.223440546.00406000.00000002.sdmp
    APIs
    • LoadLibraryW.KERNEL32(MsVfw32.dll), ref: 00401099
    • DefWindowProcW.USER32(?,?,?), ref: 00401178
    • GetModuleHandleW.KERNEL32(COMCTL32.dll), ref: 00401295
    • LoadLibraryW.KERNEL32(MsVfw32.dll), ref: 004016D9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000000.223424916.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000000.223420502.00400000.00000002.sdmp
    • Associated: 00000000.00000000.223430553.00403000.00000002.sdmp
    • Associated: 00000000.00000000.223435409.00404000.00000008.sdmp
    • Associated: 00000000.00000000.223440546.00406000.00000002.sdmp
    APIs
    • RegisterClassExW.USER32(00405654), ref: 004015DB
    • CreateWindowExW.USER32 ref: 0040160D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000000.223424916.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000000.223420502.00400000.00000002.sdmp
    • Associated: 00000000.00000000.223430553.00403000.00000002.sdmp
    • Associated: 00000000.00000000.223435409.00404000.00000008.sdmp
    • Associated: 00000000.00000000.223440546.00406000.00000002.sdmp
    APIs
    • LoadLibraryW.KERNEL32(MsVfw32.dll), ref: 00401099
    Strings
    Memory Dump Source
    • Source File: 00000000.00000000.223424916.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000000.223420502.00400000.00000002.sdmp
    • Associated: 00000000.00000000.223430553.00403000.00000002.sdmp
    • Associated: 00000000.00000000.223435409.00404000.00000008.sdmp
    • Associated: 00000000.00000000.223440546.00406000.00000002.sdmp
    Non-executed Functions
    APIs
    • __set_app_type.MSVCRT ref: 004021CF
    • __p__fmode.MSVCRT ref: 004021E4
    • __p__commode.MSVCRT ref: 004021F2
    • __setusermatherr.MSVCRT ref: 0040221E
      • Part of subcall function 00402332: _controlfp.MSVCRT ref: 0040233C
    • _initterm.MSVCRT ref: 00402234
    • __wgetmainargs.MSVCRT ref: 00402257
    • _initterm.MSVCRT ref: 00402267
    • GetStartupInfoW.KERNEL32 ref: 004022C9
    • GetModuleHandleW.KERNEL32(00000000), ref: 004022EF
      • Part of subcall function 0040159C: RegisterClassExW.USER32(00405654), ref: 004015DB
      • Part of subcall function 0040159C: CreateWindowExW.USER32 ref: 0040160D
    • exit.MSVCRT ref: 004022FF
    • _XcptFilter.MSVCRT ref: 00402311
    Memory Dump Source
    • Source File: 00000000.00000000.223424916.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000000.223420502.00400000.00000002.sdmp
    • Associated: 00000000.00000000.223430553.00403000.00000002.sdmp
    • Associated: 00000000.00000000.223435409.00404000.00000008.sdmp
    • Associated: 00000000.00000000.223440546.00406000.00000002.sdmp
    APIs
    APIs
    • ExitProcess.KERNEL32(5B34AE43,?,?,?,0040156F,004018E4,?,004012A7), ref: 0040158D
    • RegisterClassExW.USER32(00405654), ref: 004015DB
    • CreateWindowExW.USER32 ref: 0040160D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000000.223424916.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000000.223420502.00400000.00000002.sdmp
    • Associated: 00000000.00000000.223430553.00403000.00000002.sdmp
    • Associated: 00000000.00000000.223435409.00404000.00000008.sdmp
    • Associated: 00000000.00000000.223440546.00406000.00000002.sdmp
    APIs
    Executed Functions
    APIs
    • GetModuleHandleW.KERNEL32(00000000), ref: 0045ACF4
      • Part of subcall function 0045D1E0: InitializeCriticalSection.KERNEL32(00465AA4), ref: 0045D207
      • Part of subcall function 0045D1E0: InitializeCriticalSection.KERNEL32 ref: 0045D218
      • Part of subcall function 0045D1E0: memset.MSVCRT ref: 0045D229
      • Part of subcall function 0045D1E0: TlsAlloc.KERNEL32(?,?,00000000,?,?,00000001), ref: 0045D240
      • Part of subcall function 0045D1E0: GetModuleHandleW.KERNEL32(00000000), ref: 0045D25C
      • Part of subcall function 0045D1E0: GetModuleHandleW.KERNEL32 ref: 0045D272
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0045AD59
    • Process32FirstW.KERNEL32 ref: 0045AD74
    • PathFindFileNameW.SHLWAPI ref: 0045AD87
    • StrCmpNIW.SHLWAPI(rapport,?,00000007), ref: 0045AD99
    • Process32NextW.KERNEL32(?,?), ref: 0045ADA9
    • CloseHandle.KERNEL32 ref: 0045ADB4
    • WSAStartup.WS2_32(00000202), ref: 0045ADC4
    • CreateEventW.KERNEL32(004649B4,00000001,00000000,00000000), ref: 0045ADEC
      • Part of subcall function 0043AEE3: OpenProcessToken.ADVAPI32(?,00000008), ref: 0043AEF5
      • Part of subcall function 0043AEE3: GetTokenInformation.ADVAPI32(?,0000000C,004649A8,00000004), ref: 0043AF1D
      • Part of subcall function 0043AEE3: CloseHandle.KERNEL32(?), ref: 0043AF33
    • GetLengthSid.ADVAPI32(?,?,?,?,00000001), ref: 0045AE22
      • Part of subcall function 0045AA9A: GetTempPathW.KERNEL32(00000104), ref: 0045AAB7
      • Part of subcall function 0045AA9A: GetLongPathNameW.KERNEL32(?,C:\Documents and Settings\Administrator\Local Settings\Temp,00000104,?,?), ref: 0045AACF
      • Part of subcall function 0045AA9A: PathRemoveBackslashW.SHLWAPI(C:\Documents and Settings\Administrator\Local Settings\Temp), ref: 0045AADA
      • Part of subcall function 0045AA9A: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?), ref: 0045AB00
    • GetCurrentProcessId.KERNEL32 ref: 0045AE4D
      • Part of subcall function 0045AB23: SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000), ref: 0045AB64
      • Part of subcall function 0045AB23: lstrcmpiW.KERNEL32 ref: 0045AB93
      • Part of subcall function 0045ABBF: lstrcatW.KERNEL32(?,.dat), ref: 0045AC32
      • Part of subcall function 0045ABBF: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0045AC57
      • Part of subcall function 0045ABBF: ReadFile.KERNEL32(?,?,000001FE,?,00000000), ref: 0045AC75
      • Part of subcall function 0045ABBF: CloseHandle.KERNEL32 ref: 0045AC82
      • Part of subcall function 0044C8A1: IsBadReadPtr.KERNEL32 ref: 0044C8E0
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • InitializeSecurityDescriptor.ADVAPI32(004649C0,00000001), ref: 00441F5F
    • SetSecurityDescriptorDacl.ADVAPI32(004649C0,00000001,00000000,00000000), ref: 00441F70
    • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NRNWNX;;;LW),00000001,?,00000000), ref: 00441F86
    • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00441FA2
    • SetSecurityDescriptorSacl.ADVAPI32(004649C0,?,?,00000001), ref: 00441FB6
    • LocalFree.KERNEL32(?), ref: 00441FC8
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00448432: CreateFileW.KERNEL32(009B1EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0044844B
      • Part of subcall function 00448432: GetFileSizeEx.KERNEL32 ref: 0044845E
      • Part of subcall function 00448432: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00448484
      • Part of subcall function 00448432: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0044849C
      • Part of subcall function 00448432: VirtualFree.KERNEL32(?,00000000,00008000), ref: 004484BA
      • Part of subcall function 00448432: CloseHandle.KERNEL32 ref: 004484C3
    • CreateMutexW.KERNEL32(004649B4,00000001), ref: 0045B550
    • GetLastError.KERNEL32(?,38901130,?,00000001,?,?,00000001,?,?,?,0045B8C7), ref: 0045B560
    • CloseHandle.KERNEL32 ref: 0045B56E
    • CloseHandle.KERNEL32 ref: 0045B697
      • Part of subcall function 0045AFE8: memcpy.MSVCRT ref: 0045AFF8
    • lstrlenW.KERNEL32 ref: 0045B5D0
      • Part of subcall function 00435B9B: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00435BC1
      • Part of subcall function 00435B9B: Process32FirstW.KERNEL32 ref: 00435BE6
      • Part of subcall function 00435B9B: OpenProcess.KERNEL32(00000400,00000000,?), ref: 00435C3D
      • Part of subcall function 00435B9B: CloseHandle.KERNEL32 ref: 00435C5B
      • Part of subcall function 00435B9B: GetLengthSid.ADVAPI32 ref: 00435C77
      • Part of subcall function 00435B9B: memcmp.MSVCRT ref: 00435C8F
      • Part of subcall function 00435B9B: CloseHandle.KERNEL32(?), ref: 00435D07
      • Part of subcall function 00435B9B: Process32NextW.KERNEL32(?,?), ref: 00435D13
      • Part of subcall function 00435B9B: CloseHandle.KERNEL32 ref: 00435D26
    • ExitWindowsEx.USER32(00000014,80000000), ref: 0045B615
    • OpenEventW.KERNEL32(00000002,00000000), ref: 0045B63B
    • SetEvent.KERNEL32 ref: 0045B648
    • CloseHandle.KERNEL32 ref: 0045B64F
    • Sleep.KERNEL32(00007530), ref: 0045B674
      • Part of subcall function 0043AF99: GetCurrentThread.KERNEL32 ref: 0043AFAD
      • Part of subcall function 0043AF99: OpenThreadToken.ADVAPI32 ref: 0043AFB4
      • Part of subcall function 0043AF99: GetCurrentProcess.KERNEL32 ref: 0043AFC4
      • Part of subcall function 0043AF99: OpenProcessToken.ADVAPI32 ref: 0043AFCB
      • Part of subcall function 0043AF99: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege), ref: 0043AFEC
      • Part of subcall function 0043AF99: AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 0043B001
      • Part of subcall function 0043AF99: GetLastError.KERNEL32 ref: 0043B00B
      • Part of subcall function 0043AF99: CloseHandle.KERNEL32(00000001), ref: 0043B01C
    • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000001,80000000), ref: 0045B68C
    • Sleep.KERNEL32(000000FF), ref: 0045B694
    • IsWellKnownSid.ADVAPI32(009B1EC0,00000016), ref: 0045B6E5
    • CreateEventW.KERNEL32(004649B4,00000001,00000000), ref: 0045B7B4
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0045B7CD
    • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,000000FF), ref: 0045B7DF
    • CloseHandle.KERNEL32(00000000), ref: 0045B7F6
    • CloseHandle.KERNEL32(?), ref: 0045B7FC
    • CloseHandle.KERNEL32(?), ref: 0045B802
      • Part of subcall function 0043766D: ReleaseMutex.KERNEL32 ref: 00437671
      • Part of subcall function 0043766D: CloseHandle.KERNEL32 ref: 00437678
      • Part of subcall function 00441DFA: VirtualProtect.KERNEL32(004396C7,?,00000040), ref: 00441E12
      • Part of subcall function 00441DFA: VirtualProtect.KERNEL32(004396C7,?,?), ref: 00441E85
      • Part of subcall function 004396C7: lstrlenW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Temp), ref: 00439782
      • Part of subcall function 004396C7: CloseHandle.KERNEL32 ref: 004397F8
      • Part of subcall function 004396C7: GetSystemTimeAsFileTime.KERNEL32 ref: 00439806
      • Part of subcall function 004396C7: memcpy.MSVCRT ref: 00439841
      • Part of subcall function 004396C7: lstrcpyW.KERNEL32(?), ref: 00439856
      • Part of subcall function 004396C7: CloseHandle.KERNEL32 ref: 0043986F
      • Part of subcall function 0045BC89: memcpy.MSVCRT ref: 0045BCA4
      • Part of subcall function 0045BC89: StringFromGUID2.OLE32 ref: 0045BD4A
      • Part of subcall function 00439931: LoadLibraryW.KERNEL32 ref: 00439953
      • Part of subcall function 00439931: GetProcAddress.KERNEL32 ref: 00439977
      • Part of subcall function 00439931: SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001), ref: 004399AF
      • Part of subcall function 00439931: lstrlenW.KERNEL32 ref: 004399C7
      • Part of subcall function 00439931: StrCmpNIW.SHLWAPI ref: 004399DB
      • Part of subcall function 00439931: lstrlenW.KERNEL32 ref: 004399F1
      • Part of subcall function 00439931: memcpy.MSVCRT ref: 004399FD
      • Part of subcall function 00439931: FreeLibrary.KERNEL32 ref: 00439A13
      • Part of subcall function 00439931: NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,?,?,?), ref: 00439A52
      • Part of subcall function 00439931: NetUserGetInfo.NETAPI32(00000000,00000000,00000017), ref: 00439A8E
      • Part of subcall function 00439931: NetApiBufferFree.NETAPI32(?), ref: 00439B39
      • Part of subcall function 00439931: NetApiBufferFree.NETAPI32(00000000), ref: 00439B4B
      • Part of subcall function 00439931: SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001), ref: 00439B6A
      • Part of subcall function 0043B314: CharToOemW.USER32(009B1EF0), ref: 0043B325
      • Part of subcall function 00462AC0: GetCommandLineW.KERNEL32 ref: 00462ADA
      • Part of subcall function 00462AC0: CommandLineToArgvW.SHELL32 ref: 00462AE1
      • Part of subcall function 00462AC0: StrCmpNW.SHLWAPI(?,0042CA4C,00000002), ref: 00462B07
      • Part of subcall function 00462AC0: LocalFree.KERNEL32 ref: 00462B33
      • Part of subcall function 00462AC0: MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,00001000), ref: 00462B70
      • Part of subcall function 00462AC0: memcpy.MSVCRT ref: 00462B83
      • Part of subcall function 00462AC0: UnmapViewOfFile.KERNEL32 ref: 00462BBC
      • Part of subcall function 00462AC0: memcpy.MSVCRT ref: 00462BDF
      • Part of subcall function 00462AC0: CloseHandle.KERNEL32 ref: 00462BF8
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 0045C09D: CreateMutexW.KERNEL32(004649B4,00000000), ref: 0045C0BF
      • Part of subcall function 0043987E: memcpy.MSVCRT ref: 00439894
      • Part of subcall function 0043987E: memcmp.MSVCRT ref: 004398B6
      • Part of subcall function 0043987E: lstrcmpiW.KERNEL32(00000000,000000FF), ref: 0043990F
      • Part of subcall function 004484D3: VirtualFree.KERNEL32(?,00000000,00008000), ref: 004484E4
      • Part of subcall function 004484D3: CloseHandle.KERNEL32 ref: 004484F3
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 0045B779
    • SeShutdownPrivilege, xrefs: 0045B676
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • ShowWindow.USER32(?,00000000), ref: 0044D8B2
    • lstrcpyA.KERNEL32(0049F200,?,00000000), ref: 0044D8C5
    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0044D8DA
    • DispatchMessageW.USER32(?), ref: 0044D8E7
    • InitCommonControlsEx.COMCTL32(0049E8BF), ref: 0044D91D
    • GetCommandLineW.KERNEL32 ref: 0044D935
    • SetLastError.KERNEL32(00000000), ref: 0044D942
    • LoadIconW.USER32(00000000,00000020), ref: 0044D97B
    • LoadCursorW.USER32(00000000,00000020), ref: 0044D985
    • RegisterClassExW.USER32(00000030), ref: 0044D9A1
    • CreateWindowExW.USER32 ref: 0045B5F6
    Strings
    Memory Dump Source
    • Source File: 00000002.00000000.251083961.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000000.251077299.00400000.00000002.sdmp
    • Associated: 00000002.00000000.251140485.00487000.00000002.sdmp
    • Associated: 00000002.00000000.251150254.00494000.00000008.sdmp
    • Associated: 00000002.00000000.251160158.004A1000.00000002.sdmp
    APIs
      • Part of subcall function 00455947: GetTempPathW.KERNEL32(00000104,?), ref: 00455962
      • Part of subcall function 00455947: PathAddBackslashW.SHLWAPI(?), ref: 0045598C
      • Part of subcall function 00455947: CreateDirectoryW.KERNEL32(?), ref: 00455A44
      • Part of subcall function 00455947: SetFileAttributesW.KERNEL32(?), ref: 00455A55
      • Part of subcall function 00455947: CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 00455A6E
      • Part of subcall function 00455947: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000080,?,?,00000000), ref: 00455A7F
    • CharToOemW.USER32 ref: 0043B3AB
    • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 0043B3E2
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • CloseHandle.KERNEL32(000000FF), ref: 0043B40A
    • GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104), ref: 0043B44C
    • memset.MSVCRT ref: 0043B461
    • CloseHandle.KERNEL32(000000FF), ref: 0043B49C
      • Part of subcall function 00455E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00455E26
      • Part of subcall function 00455E1D: DeleteFileW.KERNEL32 ref: 00455E2D
      • Part of subcall function 00455934: CloseHandle.KERNEL32 ref: 00455940
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • SendMessageW.USER32(00000180,00000000,?,0@I), ref: 004325D8
    • SendMessageW.USER32(00000197,00000004,00000000,0@I), ref: 004325F5
      • Part of subcall function 0048471F: SendMessageW.USER32(0000018E,00000000,00000000,00432600), ref: 0048472E
    • CreateWindowExW.USER32 ref: 0043262B
    • CreateWindowExW.USER32 ref: 00432653
    • PostMessageW.USER32(?,00000111,?,000001F4,?,000001CC,000001D6,0000008C,00000028,?,00000005,44A7B82D,00000000), ref: 0043266C
    • PostQuitMessage.USER32(00000000), ref: 0043267D
    Strings
    Memory Dump Source
    • Source File: 00000002.00000000.251083961.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000000.251077299.00400000.00000002.sdmp
    • Associated: 00000002.00000000.251140485.00487000.00000002.sdmp
    • Associated: 00000002.00000000.251150254.00494000.00000008.sdmp
    • Associated: 00000002.00000000.251160158.004A1000.00000002.sdmp
    APIs
    • memset.MSVCRT ref: 00A9990F
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00A99920
    • VirtualAlloc.KERNEL32(?,=::=::\,00003000,00000040), ref: 00A99954
    • memset.MSVCRT ref: 00A99994
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00A999A5
    • VirtualAlloc.KERNEL32(?,=::=::\,00003000,00000040), ref: 00A999E5
    • memset.MSVCRT ref: 00A99A50
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00465AA4,?,00464DF4,00000000,00000006,0045BD7A,00464DF4,-00000258,?,00000000), ref: 00438E6A
    • LeaveCriticalSection.KERNEL32(00465AA4,?,00000000), ref: 00438E9D
      • Part of subcall function 00441E94: GetModuleHandleW.KERNEL32(shell32.dll), ref: 00441EA2
      • Part of subcall function 00441E94: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00441EAE
      • Part of subcall function 00441E94: SetLastError.KERNEL32(00000001,00438F04,004647C0,?,00464DF4,00000000,00000006,0045BD7A,00464DF4,-00000258,?,00000000), ref: 00441EC6
    • CoTaskMemFree.OLE32(?), ref: 00438F36
    • PathRemoveBackslashW.SHLWAPI(00000006), ref: 00438F44
    • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,00000006), ref: 00438F5C
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • memcpy.MSVCRT ref: 00455D6C
    • memcpy.MSVCRT ref: 00455D81
    • memcpy.MSVCRT ref: 00455D96
    • memcpy.MSVCRT ref: 00455DA5
      • Part of subcall function 004558ED: EnterCriticalSection.KERNEL32(00465AA4,?,00455BB2,?,00455C0A,?,?,?,?,C:\Documents and Settings\Administrator\Local Settings\Application Data,00000000,00000000,00000000,?,00000000), ref: 004558FD
      • Part of subcall function 004558ED: LeaveCriticalSection.KERNEL32(00465AA4,?,C:\Documents and Settings\Administrator\Local Settings\Application Data,00000000,00000000,00000000,?,00000000,?,00000002,?,C:\Documents and Settings\Administrator\Local Settings\Application Data,C:\Documents and Settings\Administrator\Local Settings\Application Data,?,0045A856), ref: 0045592C
      • Part of subcall function 00441E94: GetModuleHandleW.KERNEL32(shell32.dll), ref: 00441EA2
      • Part of subcall function 00441E94: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00441EAE
      • Part of subcall function 00441E94: SetLastError.KERNEL32(00000001,00438F04,004647C0,?,00464DF4,00000000,00000006,0045BD7A,00464DF4,-00000258,?,00000000), ref: 00441EC6
    • SetFileTime.KERNEL32(?,?,?,?), ref: 00455E0A
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00A99BEC
    • memcpy.MSVCRT ref: 00A99C39
    • GetThreadContext.KERNEL32(?,00000010), ref: 00A99CAF
    • SetThreadContext.KERNEL32(?,?), ref: 00A99D1A
    • GetCurrentProcess.KERNEL32 ref: 00A99D33
    • VirtualProtect.KERNEL32(?,0000007C,?), ref: 00A99D58
    • FlushInstructionCache.KERNEL32(?,?,0000007C), ref: 00A99D6A
      • Part of subcall function 00A99A67: memset.MSVCRT ref: 00A99A78
      • Part of subcall function 00A99821: GetCurrentProcess.KERNEL32 ref: 00A99824
      • Part of subcall function 00A99821: VirtualProtect.KERNEL32(6FFF0000,=::=::\,00000020), ref: 00A99845
      • Part of subcall function 00A99821: FlushInstructionCache.KERNEL32(?,6FFF0000,=::=::\), ref: 00A9984E
    • ResumeThread.KERNEL32(?), ref: 00A99DAB
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
      • Part of subcall function 00A99B45: GetCurrentThreadId.KERNEL32 ref: 00A99B46
      • Part of subcall function 00A99B45: VirtualProtect.KERNEL32(?,0000007C,?,?), ref: 00A99B7D
      • Part of subcall function 00A99B45: ResumeThread.KERNEL32(?), ref: 00A99BBE
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • InitializeSecurityDescriptor.ADVAPI32(00AA49C0,00000001), ref: 00A81F5F
    • SetSecurityDescriptorDacl.ADVAPI32(00AA49C0,00000001,00000000,00000000), ref: 00A81F70
    • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NRNWNX;;;LW),00000001,?,00000000), ref: 00A81F86
    • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00A81FA2
    • SetSecurityDescriptorSacl.ADVAPI32(00AA49C0,?,?,00000001), ref: 00A81FB6
    • LocalFree.KERNEL32(?), ref: 00A81FC8
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00438FE0
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 00438FEA
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439033
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439060
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 0043906A
    • PathIsDirectoryW.SHLWAPI ref: 00450690
    • CreateFileW.KERNEL32(02000000,40000000,00000007,00000000,00000003,02000000,00000000), ref: 004506B2
      • Part of subcall function 00450505: memcpy.MSVCRT ref: 00450638
    • GetFileTime.KERNEL32(?,?,00000000,00000000), ref: 004506F8
      • Part of subcall function 00455D0E: memcpy.MSVCRT ref: 00455D6C
      • Part of subcall function 00455D0E: memcpy.MSVCRT ref: 00455D81
      • Part of subcall function 00455D0E: memcpy.MSVCRT ref: 00455D96
      • Part of subcall function 00455D0E: memcpy.MSVCRT ref: 00455DA5
      • Part of subcall function 00455D0E: SetFileTime.KERNEL32(?,?,?,?), ref: 00455E0A
    • CloseHandle.KERNEL32 ref: 00450717
    • PathRemoveFileSpecW.SHLWAPI ref: 00450724
      • Part of subcall function 00455934: CloseHandle.KERNEL32 ref: 00455940
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 00450660
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A8204E: memcpy.MSVCRT ref: 00A8205C
      • Part of subcall function 00A9570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00A9ABEA,00A9ABEA), ref: 00A9573C
    • lstrcatW.KERNEL32(?,.dat), ref: 00A9AC32
    • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A9AC57
    • ReadFile.KERNEL32(?,?,000001FE,?,00000000), ref: 00A9AC75
    • CloseHandle.KERNEL32 ref: 00A9AC82
      • Part of subcall function 00A9D2D7: EnterCriticalSection.KERNEL32(00DD1E90,?), ref: 00A9D2EB
      • Part of subcall function 00A9D2D7: GetFileVersionInfoSizeW.VERSION(00DD1EF0), ref: 00A9D30C
      • Part of subcall function 00A9D2D7: GetFileVersionInfoW.VERSION(00DD1EF0,00000000), ref: 00A9D32A
      • Part of subcall function 00A9D2D7: LeaveCriticalSection.KERNEL32(00DD1E90,00000001,00000001,00000001,00000001), ref: 00A9D413
      • Part of subcall function 00A78F6F: memcpy.MSVCRT ref: 00A78FE0
      • Part of subcall function 00A78F6F: PathRemoveBackslashW.SHLWAPI ref: 00A78FEA
      • Part of subcall function 00A78F6F: memcpy.MSVCRT ref: 00A79033
      • Part of subcall function 00A78F6F: memcpy.MSVCRT ref: 00A79060
      • Part of subcall function 00A78F6F: PathRemoveBackslashW.SHLWAPI ref: 00A7906A
    Strings
    • .dat, xrefs: 00A9AC26
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00A9ABF1
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • GetTempPathW.KERNEL32(00000104), ref: 0045AAB7
    • GetLongPathNameW.KERNEL32(?,C:\Documents and Settings\Administrator\Local Settings\Temp,00000104,?,?), ref: 0045AACF
    • PathRemoveBackslashW.SHLWAPI(C:\Documents and Settings\Administrator\Local Settings\Temp), ref: 0045AADA
      • Part of subcall function 00438E53: EnterCriticalSection.KERNEL32(00465AA4,?,00464DF4,00000000,00000006,0045BD7A,00464DF4,-00000258,?,00000000), ref: 00438E6A
      • Part of subcall function 00438E53: LeaveCriticalSection.KERNEL32(00465AA4,?,00000000), ref: 00438E9D
      • Part of subcall function 00438E53: CoTaskMemFree.OLE32(?), ref: 00438F36
      • Part of subcall function 00438E53: PathRemoveBackslashW.SHLWAPI(00000006), ref: 00438F44
      • Part of subcall function 00438E53: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,00000006), ref: 00438F5C
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?), ref: 0045AB00
      • Part of subcall function 00439F5F: memcpy.MSVCRT ref: 00439F99
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 0045AAC2, 0045AACD, 0045AAD9
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 0045AAE0
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • GetTempPathW.KERNEL32(00000104,?), ref: 00455962
    • PathAddBackslashW.SHLWAPI(?), ref: 0045598C
      • Part of subcall function 0044B7FF: EnterCriticalSection.KERNEL32(004647FC,?,?,004559A9,00000000), ref: 0044B80C
      • Part of subcall function 0044B7FF: LeaveCriticalSection.KERNEL32(004647FC,?,?,004559A9,00000000), ref: 0044B81A
    • CreateDirectoryW.KERNEL32(?), ref: 00455A44
    • SetFileAttributesW.KERNEL32(?), ref: 00455A55
    • CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 00455A6E
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000080,?,?,00000000), ref: 00455A7F
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • VirtualAlloc.KERNEL32 ref: 009A014E
    • VirtualAlloc.KERNEL32(?,?,00002000,00000001), ref: 009A0275
    • VirtualAlloc.KERNEL32(?,00001000,00001000,00000004), ref: 009A029A
    • VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 009A02EE
    • LoadLibraryA.KERNEL32(?), ref: 009A032F
    • VirtualProtect.KERNEL32(?,00001000,00000002), ref: 009A042A
    • VirtualProtect.KERNEL32(?,?,?,009A0008), ref: 009A0472
    Memory Dump Source
    • Source File: 00000002.00000002.277668743.009A0000.00000040.sdmp, Offset: 009A0000, based on PE: false
    APIs
    • CreateFileW.KERNEL32(009B1EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0044844B
    • GetFileSizeEx.KERNEL32 ref: 0044845E
    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00448484
    • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0044849C
    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 004484BA
    • CloseHandle.KERNEL32 ref: 004484C3
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00438E53: EnterCriticalSection.KERNEL32(00465AA4,?,00464DF4,00000000,00000006,0045BD7A,00464DF4,-00000258,?,00000000), ref: 00438E6A
      • Part of subcall function 00438E53: LeaveCriticalSection.KERNEL32(00465AA4,?,00000000), ref: 00438E9D
      • Part of subcall function 00438E53: CoTaskMemFree.OLE32(?), ref: 00438F36
      • Part of subcall function 00438E53: PathRemoveBackslashW.SHLWAPI(00000006), ref: 00438F44
      • Part of subcall function 00438E53: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,00000006), ref: 00438F5C
    • PathRemoveBackslashW.SHLWAPI(-00000258), ref: 0045BD85
    • PathRemoveFileSpecW.SHLWAPI(-00000258), ref: 0045BD92
    • PathAddBackslashW.SHLWAPI(-00000258), ref: 0045BDA3
    • GetVolumeNameForVolumeMountPointW.KERNEL32(-00000258,-00000050,00000064), ref: 0045BDB6
    • CLSIDFromString.OLE32(-0000003C,00464DF4,?,00000000), ref: 0045BDD2
    • memset.MSVCRT ref: 0045BDE4
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • memset.MSVCRT ref: 0043B106
    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,?,?,00000000), ref: 0043B13E
    • memcpy.MSVCRT ref: 0043B159
    • CloseHandle.KERNEL32(?), ref: 0043B16E
    • CloseHandle.KERNEL32(00000000), ref: 0043B174
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000104,00000000,?,00000000), ref: 0044BA66
    • RegCreateKeyExW.ADVAPI32(?,00439771,00000000,00000000,00000000,00000103,00000000), ref: 0044BA9B
    • RegCloseKey.ADVAPI32(?), ref: 0044BAAA
    • RegCloseKey.ADVAPI32(?), ref: 0044BAC5
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 0044BA70
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00438FE0
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 00438FEA
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439033
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439060
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 0043906A
    • NlsGetCacheUpdateCount.KERNEL32(?,00000000), ref: 00450405
    • SetFileAttributesW.KERNEL32(?), ref: 00450424
    • CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,?,00000000), ref: 0045043B
    • GetLastError.KERNEL32 ref: 00450448
    • CloseHandle.KERNEL32 ref: 00450481
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00A99DED
      • Part of subcall function 00A824C1: HeapAlloc.KERNEL32(00000000,00000028,?,00A9D211,?,?,00000000,?,?,00000001), ref: 00A824D2
      • Part of subcall function 00A9985F: memset.MSVCRT ref: 00A9990F
      • Part of subcall function 00A9985F: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00A99920
      • Part of subcall function 00A9985F: VirtualAlloc.KERNEL32(?,=::=::\,00003000,00000040), ref: 00A99954
      • Part of subcall function 00A9985F: memset.MSVCRT ref: 00A99994
      • Part of subcall function 00A9985F: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00A999A5
      • Part of subcall function 00A9985F: VirtualAlloc.KERNEL32(?,=::=::\,00003000,00000040), ref: 00A999E5
      • Part of subcall function 00A9985F: memset.MSVCRT ref: 00A99A50
      • Part of subcall function 00A964A4: SetLastError.KERNEL32(0000000D), ref: 00A964DF
    • memcpy.MSVCRT ref: 00A99F56
    • VirtualProtect.KERNEL32(?,?,00000040,00000000), ref: 00A99FE2
    • GetLastError.KERNEL32(?,00000040,00000000,?,?,00000000), ref: 00A99FEC
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
      • Part of subcall function 00A99A67: memset.MSVCRT ref: 00A99A78
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00AA5AA4,00000000,?,?,00A793C9), ref: 00A9D5B6
    • LeaveCriticalSection.KERNEL32(00AA5AA4,?,?,00A793C9), ref: 00A9D5DC
      • Part of subcall function 00A9D4EF: memset.MSVCRT ref: 00A9D506
    • CreateMutexW.KERNEL32(00AA49B4,00000000,Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}), ref: 00A9D5EE
      • Part of subcall function 00A775E7: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00A775ED
      • Part of subcall function 00A775E7: CloseHandle.KERNEL32 ref: 00A775FF
    Strings
    • Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}, xrefs: 00A9D5E3
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00A9AECF
      • Part of subcall function 00A8C90D: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 00A8C93C
      • Part of subcall function 00A8C90D: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00A8C97B
      • Part of subcall function 00A8C90D: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00A8C9A2
    • DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00A9AF0A
    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00A9AF4A
    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00A9AF6D
      • Part of subcall function 00A9A976: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00A9A999
      • Part of subcall function 00A9A976: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00A9A9B1
      • Part of subcall function 00A9A976: DuplicateHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000001), ref: 00A9A9CC
    • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00A9AFBD
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • memset.MSVCRT ref: 0045BE2B
    • GetComputerNameW.KERNEL32 ref: 0045BE5F
    • GetVersionExW.KERNEL32 ref: 0045BE88
    • memset.MSVCRT ref: 0045BEA7
      • Part of subcall function 00450775: RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0045079C
      • Part of subcall function 00450755: RegFlushKey.ADVAPI32 ref: 00450765
      • Part of subcall function 00450755: RegCloseKey.ADVAPI32 ref: 0045076D
      • Part of subcall function 004593C4: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00459433
      • Part of subcall function 004593C4: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00459458
    • memset.MSVCRT ref: 0045BFAC
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 00459393: CryptDestroyHash.ADVAPI32 ref: 004593AB
      • Part of subcall function 00459393: CryptReleaseContext.ADVAPI32(?,00000000), ref: 004593BC
      • Part of subcall function 0045946B: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 004594AA
      • Part of subcall function 00450A1D: RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 00450A3A
      • Part of subcall function 004508A8: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00450903
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 0045ACAD: GetModuleHandleW.KERNEL32(00000000), ref: 0045ACF4
      • Part of subcall function 0045ACAD: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0045AD59
      • Part of subcall function 0045ACAD: Process32FirstW.KERNEL32 ref: 0045AD74
      • Part of subcall function 0045ACAD: PathFindFileNameW.SHLWAPI ref: 0045AD87
      • Part of subcall function 0045ACAD: StrCmpNIW.SHLWAPI(rapport,?,00000007), ref: 0045AD99
      • Part of subcall function 0045ACAD: Process32NextW.KERNEL32(?,?), ref: 0045ADA9
      • Part of subcall function 0045ACAD: CloseHandle.KERNEL32 ref: 0045ADB4
      • Part of subcall function 0045ACAD: WSAStartup.WS2_32(00000202), ref: 0045ADC4
      • Part of subcall function 0045ACAD: CreateEventW.KERNEL32(004649B4,00000001,00000000,00000000), ref: 0045ADEC
      • Part of subcall function 0045ACAD: GetLengthSid.ADVAPI32(?,?,?,?,00000001), ref: 0045AE22
      • Part of subcall function 0045ACAD: GetCurrentProcessId.KERNEL32 ref: 0045AE4D
    • SetErrorMode.KERNEL32(00008007), ref: 0045B851
    • GetCommandLineW.KERNEL32 ref: 0045B85D
    • CommandLineToArgvW.SHELL32 ref: 0045B864
    • LocalFree.KERNEL32 ref: 0045B8A1
    • ExitProcess.KERNEL32(00000001), ref: 0045B8B2
      • Part of subcall function 0045B4AA: CreateMutexW.KERNEL32(004649B4,00000001), ref: 0045B550
      • Part of subcall function 0045B4AA: GetLastError.KERNEL32(?,38901130,?,00000001,?,?,00000001,?,?,?,0045B8C7), ref: 0045B560
      • Part of subcall function 0045B4AA: CloseHandle.KERNEL32 ref: 0045B56E
      • Part of subcall function 0045B4AA: lstrlenW.KERNEL32 ref: 0045B5D0
      • Part of subcall function 0045B4AA: ExitWindowsEx.USER32(00000014,80000000), ref: 0045B615
      • Part of subcall function 0045B4AA: OpenEventW.KERNEL32(00000002,00000000), ref: 0045B63B
      • Part of subcall function 0045B4AA: SetEvent.KERNEL32 ref: 0045B648
      • Part of subcall function 0045B4AA: CloseHandle.KERNEL32 ref: 0045B64F
      • Part of subcall function 0045B4AA: Sleep.KERNEL32(00007530), ref: 0045B674
      • Part of subcall function 0045B4AA: InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000001,80000000), ref: 0045B68C
      • Part of subcall function 0045B4AA: Sleep.KERNEL32(000000FF), ref: 0045B694
      • Part of subcall function 0045B4AA: CloseHandle.KERNEL32 ref: 0045B697
      • Part of subcall function 0045B4AA: IsWellKnownSid.ADVAPI32(009B1EC0,00000016), ref: 0045B6E5
      • Part of subcall function 0045B4AA: CreateEventW.KERNEL32(004649B4,00000001,00000000), ref: 0045B7B4
      • Part of subcall function 0045B4AA: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0045B7CD
      • Part of subcall function 0045B4AA: WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,000000FF), ref: 0045B7DF
      • Part of subcall function 0045B4AA: CloseHandle.KERNEL32(00000000), ref: 0045B7F6
      • Part of subcall function 0045B4AA: CloseHandle.KERNEL32(?), ref: 0045B7FC
      • Part of subcall function 0045B4AA: CloseHandle.KERNEL32(?), ref: 0045B802
    • Sleep.KERNEL32(000000FF), ref: 0045B8D8
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00457ED8: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00457EEF
      • Part of subcall function 00457ED8: CloseHandle.KERNEL32 ref: 00457F0E
    • GetFileSizeEx.KERNEL32(?), ref: 004625C4
      • Part of subcall function 00457F3D: UnmapViewOfFile.KERNEL32 ref: 00457F49
      • Part of subcall function 00457F3D: MapViewOfFile.KERNEL32(?,00000001,00000000,00000000,00000001), ref: 00457F60
      • Part of subcall function 00455B15: SetFilePointerEx.KERNEL32(?,00000001,00000001,00000000,?), ref: 00455B25
    • SetEndOfFile.KERNEL32 ref: 0046263A
    • FlushFileBuffers.KERNEL32(?), ref: 00462645
      • Part of subcall function 00455934: CloseHandle.KERNEL32 ref: 00455940
      • Part of subcall function 00455B5F: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00455B87
      • Part of subcall function 00462474: GetFileAttributesW.KERNEL32(00000000), ref: 00462485
      • Part of subcall function 00462474: PathRemoveFileSpecW.SHLWAPI ref: 004624BA
      • Part of subcall function 00462474: MoveFileExW.KERNEL32(00000000,?,00000001), ref: 00462501
      • Part of subcall function 00462474: CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 0046251A
      • Part of subcall function 00462474: Sleep.KERNEL32(00001388), ref: 0046255D
      • Part of subcall function 00462474: FlushFileBuffers.KERNEL32 ref: 0046256B
      • Part of subcall function 00457E98: UnmapViewOfFile.KERNEL32 ref: 00457EA4
      • Part of subcall function 00457E98: CloseHandle.KERNEL32 ref: 00457EB7
      • Part of subcall function 00457E98: CloseHandle.KERNEL32 ref: 00457ECD
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 00462595
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • GetCurrentProcess.KERNEL32 ref: 00A99824
    • VirtualProtect.KERNEL32(6FFF0000,=::=::\,00000020), ref: 00A99845
    • FlushInstructionCache.KERNEL32(?,6FFF0000,=::=::\), ref: 00A9984E
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00A7AF51
    • Thread32First.KERNEL32 ref: 00A7AF6C
    • Thread32Next.KERNEL32(?,?), ref: 00A7AF7F
    • CloseHandle.KERNEL32 ref: 00A7AF8A
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • GetFileAttributesW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data), ref: 00455CB1
    • CreateFileW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data,80000000,00000007,00000000,00000003,?,00000000), ref: 00455CD1
      • Part of subcall function 00455934: CloseHandle.KERNEL32 ref: 00455940
      • Part of subcall function 00455BE4: memcpy.MSVCRT ref: 00455C25
      • Part of subcall function 00455BE4: memcpy.MSVCRT ref: 00455C38
      • Part of subcall function 00455BE4: memcpy.MSVCRT ref: 00455C4B
      • Part of subcall function 00455BE4: memcpy.MSVCRT ref: 00455C56
      • Part of subcall function 00455BE4: GetFileTime.KERNEL32(?,?,?), ref: 00455C7A
      • Part of subcall function 00455BE4: memcpy.MSVCRT ref: 00455C90
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00A99AEE
    • VirtualProtect.KERNEL32(6FFF0000,00010000,00000040,?), ref: 00A99B34
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • CreateThread.KERNEL32(00000000,00000000,Function_00053883,00000000), ref: 00A93964
    • WaitForSingleObject.KERNEL32(?,00003A98), ref: 00A93976
    • TerminateThread.KERNEL32(?,00000000), ref: 00A93982
    • CloseHandle.KERNEL32 ref: 00A93989
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00A9A999
    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00A9A9B1
    • DuplicateHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000001), ref: 00A9A9CC
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 00A8204E: memcpy.MSVCRT ref: 00A8205C
      • Part of subcall function 00A9BC89: memcpy.MSVCRT ref: 00A9BCA4
      • Part of subcall function 00A9BC89: StringFromGUID2.OLE32 ref: 00A9BD4A
    • CreateMutexW.KERNEL32(00AA49B4,00000001), ref: 00A9C058
    • GetLastError.KERNEL32(?,?,?,?,00000002,00000000), ref: 00A9C064
    • CloseHandle.KERNEL32 ref: 00A9C072
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 00A8C93C
      • Part of subcall function 00A825A7: memcpy.MSVCRT ref: 00A825C6
    • WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00A8C97B
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
    • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00A8C9A2
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000040), ref: 00459336
    Strings
    • Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 0045932E
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • VirtualProtect.KERNEL32(004396C7,?,00000040), ref: 00441E12
    • VirtualProtect.KERNEL32(004396C7,?,?), ref: 00441E85
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • SetFilePointerEx.KERNEL32(?,00000001,00000001,00000000,?), ref: 00455B25
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 00401E60
      • Part of subcall function 00402689: HeapAlloc.KERNEL32(00000000,00000140,00401E88,000003F8,?,00491DB0,00000060), ref: 00402696
    • HeapDestroy.KERNEL32 ref: 00401E93
    Memory Dump Source
    • Source File: 00000002.00000000.251083961.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000000.251077299.00400000.00000002.sdmp
    • Associated: 00000002.00000000.251140485.00487000.00000002.sdmp
    • Associated: 00000002.00000000.251150254.00494000.00000008.sdmp
    • Associated: 00000002.00000000.251160158.004A1000.00000002.sdmp
    APIs
    • UnmapViewOfFile.KERNEL32 ref: 00457F49
    • MapViewOfFile.KERNEL32(?,00000001,00000000,00000000,00000001), ref: 00457F60
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A76E1F: GetLastError.KERNEL32(6FFF0380,?,00A7652A), ref: 00A76E21
      • Part of subcall function 00A76E1F: TlsGetValue.KERNEL32(?,?,00A7652A), ref: 00A76E3E
      • Part of subcall function 00A76E1F: TlsSetValue.KERNEL32(00000001), ref: 00A76E50
      • Part of subcall function 00A76E1F: SetLastError.KERNEL32(?,?,00A7652A), ref: 00A76E60
    • NtQueryInformationProcess.NTDLL(?,00000000,?,00000018), ref: 00A83465
      • Part of subcall function 00A9C012: CreateMutexW.KERNEL32(00AA49B4,00000001), ref: 00A9C058
      • Part of subcall function 00A9C012: GetLastError.KERNEL32(?,?,?,?,00000002,00000000), ref: 00A9C064
      • Part of subcall function 00A9C012: CloseHandle.KERNEL32 ref: 00A9C072
      • Part of subcall function 00A7C5A8: TlsGetValue.KERNEL32(00000013,?,00A8349E), ref: 00A7C5B1
      • Part of subcall function 00A9AEB1: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00A9AECF
      • Part of subcall function 00A9AEB1: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00A9AF0A
      • Part of subcall function 00A9AEB1: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00A9AF4A
      • Part of subcall function 00A9AEB1: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00A9AF6D
      • Part of subcall function 00A9AEB1: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00A9AFBD
    • CloseHandle.KERNEL32 ref: 00A834DA
      • Part of subcall function 00A7AF41: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00A7AF51
      • Part of subcall function 00A7AF41: Thread32First.KERNEL32 ref: 00A7AF6C
      • Part of subcall function 00A7AF41: Thread32Next.KERNEL32(?,?), ref: 00A7AF7F
      • Part of subcall function 00A7AF41: CloseHandle.KERNEL32 ref: 00A7AF8A
      • Part of subcall function 00A76EA5: GetLastError.KERNEL32(?,00A76577), ref: 00A76EA6
      • Part of subcall function 00A76EA5: TlsSetValue.KERNEL32(00000000), ref: 00A76EB6
      • Part of subcall function 00A76EA5: SetLastError.KERNEL32(?,?,00A76577), ref: 00A76EBD
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • lstrlenA.KERNEL32(?,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7,?,@echo off%sdel /F "%s"), ref: 0044D87D
    • wvnsprintfA.SHLWAPI(00000080,?,?,?), ref: 0044D8AE
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 00442543: HeapAlloc.KERNEL32(00000008,?,?,00000000,0044D89F,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7,?,@echo off%sdel /F "%s"), ref: 0044256D
      • Part of subcall function 00442543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0044D89F,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7), ref: 00442580
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • CreateMutexW.KERNEL32(004649B4,00000000), ref: 0045C0BF
      • Part of subcall function 004375E7: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004375ED
      • Part of subcall function 004375E7: CloseHandle.KERNEL32 ref: 004375FF
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 00450A3A
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A824C1: HeapAlloc.KERNEL32(00000000,00000028,?,00A9D211,?,?,00000000,?,?,00000001), ref: 00A824D2
      • Part of subcall function 00A9083C: RegQueryValueExW.ADVAPI32(?,00000010,00000000,?,?,?), ref: 00A90850
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00A90903
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00455B87
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 004424C1: HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
      • Part of subcall function 0045083C: RegQueryValueExW.ADVAPI32(?,00000010,00000000,?,?,?), ref: 00450850
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00450903
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • HeapCreate.KERNEL32(00000000,00080000,00000000), ref: 00A824A1
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • HeapCreate.KERNEL32(00000000,00080000,00000000), ref: 004424A1
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • RegQueryValueExW.ADVAPI32(?,00000010,00000000,?,?,?), ref: 00A90850
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • RegQueryValueExW.ADVAPI32(?,00000010,00000000,?,?,?), ref: 00450850
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    Non-executed Functions
    APIs
    • LoadLibraryA.KERNEL32(gdiplus.dll), ref: 00437FBA
    • GetProcAddress.KERNEL32(?,GdiplusStartup), ref: 00437FD2
    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00438011
    • CreateCompatibleDC.GDI32 ref: 00438022
    • LoadCursorW.USER32(00000000,00007F00), ref: 00438038
    • GetIconInfo.USER32 ref: 0043804C
    • GetCursorPos.USER32(?), ref: 0043805B
    • GetDeviceCaps.GDI32(?,00000008), ref: 00438072
    • GetDeviceCaps.GDI32(?,0000000A), ref: 0043807B
    • CreateCompatibleBitmap.GDI32(?,?), ref: 00438087
    • SelectObject.GDI32 ref: 00438095
    • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,40CC0020), ref: 004380B6
    • DrawIcon.USER32(?,?,?,?), ref: 004380E8
      • Part of subcall function 00451285: GetProcAddress.KERNEL32(?,GdipCreateBitmapFromHBITMAP), ref: 0045129A
      • Part of subcall function 00451285: GetProcAddress.KERNEL32(?,GdipDisposeImage), ref: 004512A5
    • SelectObject.GDI32(?,?), ref: 00438104
    • DeleteObject.GDI32 ref: 0043810B
    • DeleteDC.GDI32 ref: 00438112
    • DeleteDC.GDI32 ref: 00438119
    • FreeLibrary.KERNEL32(?), ref: 00438129
    • GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 0043813F
    • FreeLibrary.KERNEL32(?), ref: 00438153
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • LoadLibraryA.KERNEL32(userenv.dll), ref: 0043B1EE
    • GetProcAddress.KERNEL32(?,CreateEnvironmentBlock), ref: 0043B20C
    • GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 0043B218
    • memset.MSVCRT ref: 0043B258
    • CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,00000000), ref: 0043B2A5
    • CloseHandle.KERNEL32(?), ref: 0043B2B9
    • CloseHandle.KERNEL32(?), ref: 0043B2BF
    • FreeLibrary.KERNEL32 ref: 0043B2D3
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • GetCurrentThread.KERNEL32 ref: 0043AFAD
    • OpenThreadToken.ADVAPI32 ref: 0043AFB4
    • GetCurrentProcess.KERNEL32 ref: 0043AFC4
    • OpenProcessToken.ADVAPI32 ref: 0043AFCB
    • LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege), ref: 0043AFEC
    • AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 0043B001
    • GetLastError.KERNEL32 ref: 0043B00B
    • CloseHandle.KERNEL32(00000001), ref: 0043B01C
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • GetLogicalDrives.KERNEL32 ref: 0044553C
      • Part of subcall function 004424DA: HeapAlloc.KERNEL32(00000008,?,?,0043B076,?,?,?,00000000,?,?,00000000,0045AA69,?,0045ADD5), ref: 004424EB
    • SHGetFolderPathW.SHELL32(00000000,00006024,00000000,00000000), ref: 00445581
    • PathGetDriveNumberW.SHLWAPI ref: 00445593
    • lstrcpyW.KERNEL32(?,0042AACC), ref: 004455A7
    • GetDriveTypeW.KERNEL32 ref: 00445610
    • GetVolumeInformationW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000105), ref: 00445671
    • CharUpperW.USER32(00000000), ref: 0044568D
    • lstrcmpW.KERNEL32 ref: 004456B0
    • GetDiskFreeSpaceExW.KERNEL32(?,00000000), ref: 004456EE
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • GetProcAddress.KERNEL32(?), ref: 0043C9E1
    • GetProcAddress.KERNEL32(?,?), ref: 0043CA03
    • GetProcAddress.KERNEL32(?,?), ref: 0043CA1E
    • GetProcAddress.KERNEL32(?,?), ref: 0043CA39
    • GetProcAddress.KERNEL32(?,?), ref: 0043CA54
    • GetProcAddress.KERNEL32(?), ref: 0043CA6F
    • GetProcAddress.KERNEL32(?), ref: 0043CA8E
    • GetProcAddress.KERNEL32(?), ref: 0043CAAD
    • GetProcAddress.KERNEL32(?), ref: 0043CACC
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(00000000,?,00000000,?), ref: 0045C5BC
    • LeaveCriticalSection.KERNEL32(00000000,?,00000000,?), ref: 0045C66C
      • Part of subcall function 00437FA8: LoadLibraryA.KERNEL32(gdiplus.dll), ref: 00437FBA
      • Part of subcall function 00437FA8: GetProcAddress.KERNEL32(?,GdiplusStartup), ref: 00437FD2
      • Part of subcall function 00437FA8: CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00438011
      • Part of subcall function 00437FA8: CreateCompatibleDC.GDI32 ref: 00438022
      • Part of subcall function 00437FA8: LoadCursorW.USER32(00000000,00007F00), ref: 00438038
      • Part of subcall function 00437FA8: GetIconInfo.USER32 ref: 0043804C
      • Part of subcall function 00437FA8: GetCursorPos.USER32(?), ref: 0043805B
      • Part of subcall function 00437FA8: GetDeviceCaps.GDI32(?,00000008), ref: 00438072
      • Part of subcall function 00437FA8: GetDeviceCaps.GDI32(?,0000000A), ref: 0043807B
      • Part of subcall function 00437FA8: CreateCompatibleBitmap.GDI32(?,?), ref: 00438087
      • Part of subcall function 00437FA8: SelectObject.GDI32 ref: 00438095
      • Part of subcall function 00437FA8: BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,40CC0020), ref: 004380B6
      • Part of subcall function 00437FA8: DrawIcon.USER32(?,?,?,?), ref: 004380E8
      • Part of subcall function 00437FA8: SelectObject.GDI32(?,?), ref: 00438104
      • Part of subcall function 00437FA8: DeleteObject.GDI32 ref: 0043810B
      • Part of subcall function 00437FA8: DeleteDC.GDI32 ref: 00438112
      • Part of subcall function 00437FA8: DeleteDC.GDI32 ref: 00438119
      • Part of subcall function 00437FA8: FreeLibrary.KERNEL32(?), ref: 00438129
      • Part of subcall function 00437FA8: GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 0043813F
      • Part of subcall function 00437FA8: FreeLibrary.KERNEL32(?), ref: 00438153
    • GetTickCount.KERNEL32 ref: 0045C616
    • GetCurrentProcessId.KERNEL32 ref: 0045C61D
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • GetKeyboardState.USER32 ref: 0045C688
    • ToUnicode.USER32(?,?,?,?,00000009,00000000), ref: 0045C6AB
      • Part of subcall function 0045C410: EnterCriticalSection.KERNEL32(00000000,00000000,?,?,?,0045C6E4,?,?,?,?,?,00000009,00000000,?,?,00000000), ref: 0045C42A
      • Part of subcall function 0045C410: memcpy.MSVCRT ref: 0045C49B
      • Part of subcall function 0045C410: memcpy.MSVCRT ref: 0045C4BF
      • Part of subcall function 0045C410: memcpy.MSVCRT ref: 0045C4D6
      • Part of subcall function 0045C410: memcpy.MSVCRT ref: 0045C4F6
      • Part of subcall function 0045C410: LeaveCriticalSection.KERNEL32(00000000,?,00000000,?), ref: 0045C511
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,?,00000000), ref: 004452E3
    • GetCommandLineW.KERNEL32 ref: 00445304
      • Part of subcall function 004511D5: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000000,00000000), ref: 004511FF
      • Part of subcall function 004511D5: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,?,00000000,00000000), ref: 00451234
    • GetUserNameExW.SECUR32(00000002,?,?,?,?,?,00000104), ref: 0044533C
    • GetProcessTimes.KERNEL32(000000FF), ref: 00445372
    • GetUserDefaultUILanguage.KERNEL32 ref: 004453E4
    • memcpy.MSVCRT ref: 00445418
    • memcpy.MSVCRT ref: 0044542D
    • memcpy.MSVCRT ref: 00445443
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 004424DA: HeapAlloc.KERNEL32(00000008,?,?,0043B076,?,?,?,00000000,?,?,00000000,0045AA69,?,0045ADD5), ref: 004424EB
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • socket.WS2_32(?,00000001,00000006), ref: 00A83BCA
    • bind.WS2_32 ref: 00A83BE7
    • listen.WS2_32(?,00000001), ref: 00A83BF4
    • WSAGetLastError.WS2_32(?,?,?,?,00000001,00000006,?,?,00A8EE5F,?,?,?), ref: 00A83BFE
    • closesocket.WS2_32 ref: 00A83C07
    • WSASetLastError.WS2_32(?,?,?,?,?,?,00000001,00000006,?,?,00A8EE5F,?,?,?), ref: 00A83C0E
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • socket.WS2_32(?,00000001,00000006), ref: 00443BCA
    • bind.WS2_32 ref: 00443BE7
    • listen.WS2_32(?,00000001), ref: 00443BF4
    • WSAGetLastError.WS2_32(?,?,?,?,00000001,00000006,?,?,0044EE5F,?,?,?), ref: 00443BFE
    • closesocket.WS2_32 ref: 00443C07
    • WSASetLastError.WS2_32(?,?,?,?,?,?,00000001,00000006,?,?,0044EE5F,?,?,?), ref: 00443C0E
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • OpenProcess.KERNEL32(0000047A,00000000,?), ref: 00435B19
      • Part of subcall function 0045AEB1: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 0045AECF
      • Part of subcall function 0045AEB1: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 0045AF0A
      • Part of subcall function 0045AEB1: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0045AF4A
      • Part of subcall function 0045AEB1: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0045AF6D
      • Part of subcall function 0045AEB1: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0045AFBD
    • CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000000,00000000), ref: 00435B5A
    • WaitForSingleObject.KERNEL32(?,00002710), ref: 00435B6C
    • CloseHandle.KERNEL32 ref: 00435B73
    • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00435B85
    • CloseHandle.KERNEL32 ref: 00435B8C
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004354F7
    • UnhandledExceptionFilter.KERNEL32(XCF), ref: 00435502
    • GetCurrentProcess.KERNEL32 ref: 0043550D
    • TerminateProcess.KERNEL32 ref: 00435514
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00438FE0
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 00438FEA
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439033
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439060
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 0043906A
    • FindFirstFileW.KERNEL32(?), ref: 00439170
      • Part of subcall function 00455E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00455E26
      • Part of subcall function 00455E1D: DeleteFileW.KERNEL32 ref: 00455E2D
    • FindNextFileW.KERNEL32(?,?), ref: 004391C2
    • FindClose.KERNEL32 ref: 004391CD
    • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 004391D9
    • RemoveDirectoryW.KERNEL32(00000000), ref: 004391E0
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • GetVersionExW.KERNEL32(00464858), ref: 004586E6
    • GetNativeSystemInfo.KERNEL32(000000FF), ref: 00458822
    • memset.MSVCRT ref: 00458857
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00443C44
    • recv.WS2_32(?,?,00000400,00000000), ref: 00443C70
    • send.WS2_32(?,?,?,00000000), ref: 00443C92
    • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00443CBF
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040422E
    • GetSystemInfo.KERNEL32 ref: 0040423F
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00404285
    • VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 004042C3
    • VirtualProtect.KERNEL32(?,?,?,?), ref: 004042E9
    Memory Dump Source
    • Source File: 00000002.00000001.251360999.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000001.251344960.00400000.00000002.sdmp
    • Associated: 00000002.00000001.251446617.00487000.00000002.sdmp
    • Associated: 00000002.00000001.251482026.00494000.00000008.sdmp
    • Associated: 00000002.00000001.251496928.00498000.00000004.sdmp
    • Associated: 00000002.00000001.252081534.00499000.00000008.sdmp
    APIs
    • CertOpenSystemStoreW.CRYPT32(00000000), ref: 00447AC3
    • CertDuplicateCertificateContext.CRYPT32(?,?,00000000), ref: 00447AD4
    • CertDeleteCertificateFromStore.CRYPT32(?,?,?,00000000), ref: 00447ADF
    • CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00447AE7
    • CertCloseStore.CRYPT32(?,00000000,?,00000000), ref: 00447AF5
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A7B7D0: socket.WS2_32(?,?,00000006), ref: 00A7B804
    • bind.WS2_32(?,00A7BCEA), ref: 00A7BC53
    • listen.WS2_32(?,00000014), ref: 00A7BC68
    • WSAGetLastError.WS2_32(00000000,?,00A7BCEA,?,?,?,?,00000000), ref: 00A7BC76
      • Part of subcall function 00A7B979: shutdown.WS2_32(?,00000002), ref: 00A7B987
      • Part of subcall function 00A7B979: closesocket.WS2_32 ref: 00A7B990
      • Part of subcall function 00A7B979: WSACloseEvent.WS2_32 ref: 00A7B9A3
    • WSASetLastError.WS2_32(?,?,00A7BCEA,?,?,?,?,00000000), ref: 00A7BC86
      • Part of subcall function 00A7B928: WSACreateEvent.WS2_32(00000000,?,00A7BB6E,00000033,00000000,?,?,?,00A8C4F0,?,00003A98,?,00000000,?,00000003), ref: 00A7B93E
      • Part of subcall function 00A7B928: WSAEventSelect.WS2_32(?,?,00000033), ref: 00A7B954
      • Part of subcall function 00A7B928: WSACloseEvent.WS2_32 ref: 00A7B968
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 0043B7D0: socket.WS2_32(?,?,00000006), ref: 0043B804
    • bind.WS2_32(?,0043BCEA), ref: 0043BC53
    • listen.WS2_32(?,00000014), ref: 0043BC68
    • WSAGetLastError.WS2_32(00000000,?,0043BCEA,?,?,?,?,00000000), ref: 0043BC76
      • Part of subcall function 0043B979: shutdown.WS2_32(?,00000002), ref: 0043B987
      • Part of subcall function 0043B979: closesocket.WS2_32 ref: 0043B990
      • Part of subcall function 0043B979: WSACloseEvent.WS2_32 ref: 0043B9A3
    • WSASetLastError.WS2_32(?,?,0043BCEA,?,?,?,?,00000000), ref: 0043BC86
      • Part of subcall function 0043B928: WSACreateEvent.WS2_32(00000000,?,0043BB6E,00000033,00000000,?,?,?,0044C4F0,?,00003A98,?,00000000,?,00000003), ref: 0043B93E
      • Part of subcall function 0043B928: WSAEventSelect.WS2_32(?,?,00000033), ref: 0043B954
      • Part of subcall function 0043B928: WSACloseEvent.WS2_32 ref: 0043B968
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00439219: CharLowerW.USER32(?), ref: 004392D4
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • ExitWindowsEx.USER32(00000014,80000000), ref: 0044A47D
    • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,?,80000000), ref: 0044A4BD
      • Part of subcall function 00439BC4: PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00439C2E
      • Part of subcall function 00439BC4: PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00439C75
      • Part of subcall function 00439BC4: SetEvent.KERNEL32 ref: 00439C84
      • Part of subcall function 00439BC4: WaitForSingleObject.KERNEL32 ref: 00439C95
      • Part of subcall function 00439BC4: CharToOemW.USER32 ref: 00439D26
      • Part of subcall function 00439BC4: CharToOemW.USER32 ref: 00439D36
      • Part of subcall function 00439BC4: ExitProcess.KERNEL32(00000000,?,?,00000014,?,?,00000014), ref: 00439D9A
      • Part of subcall function 0045D5A0: EnterCriticalSection.KERNEL32(00465AA4,00000000,?,?,004393C9), ref: 0045D5B6
      • Part of subcall function 0045D5A0: LeaveCriticalSection.KERNEL32(00465AA4,?,?,004393C9), ref: 0045D5DC
      • Part of subcall function 0045D5A0: CreateMutexW.KERNEL32(004649B4,00000000,00466016), ref: 0045D5EE
      • Part of subcall function 0043766D: ReleaseMutex.KERNEL32 ref: 00437671
      • Part of subcall function 0043766D: CloseHandle.KERNEL32 ref: 00437678
    • ExitWindowsEx.USER32(00000014,80000000), ref: 0044A4D0
      • Part of subcall function 0043AF99: GetCurrentThread.KERNEL32 ref: 0043AFAD
      • Part of subcall function 0043AF99: OpenThreadToken.ADVAPI32 ref: 0043AFB4
      • Part of subcall function 0043AF99: GetCurrentProcess.KERNEL32 ref: 0043AFC4
      • Part of subcall function 0043AF99: OpenProcessToken.ADVAPI32 ref: 0043AFCB
      • Part of subcall function 0043AF99: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege), ref: 0043AFEC
      • Part of subcall function 0043AF99: AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 0043B001
      • Part of subcall function 0043AF99: GetLastError.KERNEL32 ref: 0043B00B
      • Part of subcall function 0043AF99: CloseHandle.KERNEL32(00000001), ref: 0043B01C
      • Part of subcall function 00439395: memcpy.MSVCRT ref: 004393B5
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • GetTickCount.KERNEL32 ref: 00445138
    • GetLastInputInfo.USER32(?), ref: 0044514B
    • GetLocalTime.KERNEL32 ref: 0044516F
      • Part of subcall function 00456891: SystemTimeToFileTime.KERNEL32 ref: 0045689B
    • GetTimeZoneInformation.KERNEL32 ref: 00445187
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 0044C93C
      • Part of subcall function 004425A7: memcpy.MSVCRT ref: 004425C6
    • WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0044C97B
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0044C9A2
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • GetSystemTime.KERNEL32 ref: 0045687F
      • Part of subcall function 00456891: SystemTimeToFileTime.KERNEL32 ref: 0045689B
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00436E1F: GetLastError.KERNEL32(00000000,?,0043652A), ref: 00436E21
      • Part of subcall function 00436E1F: TlsGetValue.KERNEL32(?,?,0043652A), ref: 00436E3E
      • Part of subcall function 00436E1F: TlsSetValue.KERNEL32(00000001), ref: 00436E50
      • Part of subcall function 00436E1F: SetLastError.KERNEL32(?,?,0043652A), ref: 00436E60
    • NtQueryInformationProcess.NTDLL(?,00000000,?,00000018), ref: 00443465
      • Part of subcall function 0045C012: CreateMutexW.KERNEL32(004649B4,00000001), ref: 0045C058
      • Part of subcall function 0045C012: GetLastError.KERNEL32(?,?,?,?,00000002,00000000), ref: 0045C064
      • Part of subcall function 0045C012: CloseHandle.KERNEL32 ref: 0045C072
      • Part of subcall function 0043C5A8: TlsGetValue.KERNEL32(00000012,?,0044349E), ref: 0043C5B1
      • Part of subcall function 0045AEB1: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 0045AECF
      • Part of subcall function 0045AEB1: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 0045AF0A
      • Part of subcall function 0045AEB1: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0045AF4A
      • Part of subcall function 0045AEB1: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0045AF6D
      • Part of subcall function 0045AEB1: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0045AFBD
    • CloseHandle.KERNEL32 ref: 004434DA
      • Part of subcall function 0043AF41: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0043AF51
      • Part of subcall function 0043AF41: Thread32First.KERNEL32 ref: 0043AF6C
      • Part of subcall function 0043AF41: Thread32Next.KERNEL32(?,?), ref: 0043AF7F
      • Part of subcall function 0043AF41: CloseHandle.KERNEL32 ref: 0043AF8A
      • Part of subcall function 00436EA5: GetLastError.KERNEL32(?,00436577), ref: 00436EA6
      • Part of subcall function 00436EA5: TlsSetValue.KERNEL32(00000000), ref: 00436EB6
      • Part of subcall function 00436EA5: SetLastError.KERNEL32(?,?,00436577), ref: 00436EBD
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • StrStrIW.SHLWAPI(tellerplus,00DD1E90), ref: 00A9C1A4
    • StrStrIW.SHLWAPI(bancline), ref: 00A9C1B9
    • StrStrIW.SHLWAPI(fidelity), ref: 00A9C1CE
    • StrStrIW.SHLWAPI(micrsolv), ref: 00A9C1E3
    • StrStrIW.SHLWAPI(bankman), ref: 00A9C1F8
    • StrStrIW.SHLWAPI(vantiv), ref: 00A9C20D
    • StrStrIW.SHLWAPI(episys), ref: 00A9C222
    • StrStrIW.SHLWAPI(jack henry), ref: 00A9C237
    • StrStrIW.SHLWAPI(cruisenet), ref: 00A9C24C
    • StrStrIW.SHLWAPI(gplusmain), ref: 00A9C261
    • StrStrIW.SHLWAPI(launchpadshell.exe), ref: 00A9C276
    • StrStrIW.SHLWAPI(dirclt32.exe), ref: 00A9C28B
    • StrStrIW.SHLWAPI(wtng.exe), ref: 00A9C29C
    • StrStrIW.SHLWAPI(prologue.exe), ref: 00A9C2AD
    • StrStrIW.SHLWAPI(silverlake), ref: 00A9C2BE
    • StrStrIW.SHLWAPI(pcsws.exe), ref: 00A9C2CF
    • StrStrIW.SHLWAPI(v48d0250s1), ref: 00A9C2E0
    • StrStrIW.SHLWAPI(fdmaster.exe), ref: 00A9C2F1
    • StrStrIW.SHLWAPI(fastdoc), ref: 00A9C302
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • StrStrIW.SHLWAPI(tellerplus,009B1E90), ref: 0045C1A4
    • StrStrIW.SHLWAPI(bancline), ref: 0045C1B9
    • StrStrIW.SHLWAPI(fidelity), ref: 0045C1CE
    • StrStrIW.SHLWAPI(micrsolv), ref: 0045C1E3
    • StrStrIW.SHLWAPI(bankman), ref: 0045C1F8
    • StrStrIW.SHLWAPI(vantiv), ref: 0045C20D
    • StrStrIW.SHLWAPI(episys), ref: 0045C222
    • StrStrIW.SHLWAPI(jack henry), ref: 0045C237
    • StrStrIW.SHLWAPI(cruisenet), ref: 0045C24C
    • StrStrIW.SHLWAPI(gplusmain), ref: 0045C261
    • StrStrIW.SHLWAPI(launchpadshell.exe), ref: 0045C276
    • StrStrIW.SHLWAPI(dirclt32.exe), ref: 0045C28B
    • StrStrIW.SHLWAPI(wtng.exe), ref: 0045C29C
    • StrStrIW.SHLWAPI(prologue.exe), ref: 0045C2AD
    • StrStrIW.SHLWAPI(silverlake), ref: 0045C2BE
    • StrStrIW.SHLWAPI(pcsws.exe), ref: 0045C2CF
    • StrStrIW.SHLWAPI(v48d0250s1), ref: 0045C2E0
    • StrStrIW.SHLWAPI(fdmaster.exe), ref: 0045C2F1
    • StrStrIW.SHLWAPI(fastdoc), ref: 0045C302
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • LoadLibraryA.KERNEL32(gdiplus.dll), ref: 00A77FBA
    • GetProcAddress.KERNEL32(?,GdiplusStartup), ref: 00A77FD2
    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00A78011
    • CreateCompatibleDC.GDI32 ref: 00A78022
    • LoadCursorW.USER32(00000000,00007F00), ref: 00A78038
    • GetIconInfo.USER32 ref: 00A7804C
    • GetCursorPos.USER32(?), ref: 00A7805B
    • GetDeviceCaps.GDI32(?,00000008), ref: 00A78072
    • GetDeviceCaps.GDI32(?,0000000A), ref: 00A7807B
    • CreateCompatibleBitmap.GDI32(?,?), ref: 00A78087
    • SelectObject.GDI32 ref: 00A78095
    • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,40CC0020), ref: 00A780B6
    • DrawIcon.USER32(?,?,?,?), ref: 00A780E8
      • Part of subcall function 00A91285: GetProcAddress.KERNEL32(?,GdipCreateBitmapFromHBITMAP), ref: 00A9129A
      • Part of subcall function 00A91285: GetProcAddress.KERNEL32(?,GdipDisposeImage), ref: 00A912A5
    • SelectObject.GDI32(?,?), ref: 00A78104
    • DeleteObject.GDI32 ref: 00A7810B
    • DeleteDC.GDI32 ref: 00A78112
    • DeleteDC.GDI32 ref: 00A78119
    • FreeLibrary.KERNEL32(?), ref: 00A78129
    • GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 00A7813F
    • FreeLibrary.KERNEL32(?), ref: 00A78153
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 00A88432: CreateFileW.KERNEL32(00DD1EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A8844B
      • Part of subcall function 00A88432: GetFileSizeEx.KERNEL32 ref: 00A8845E
      • Part of subcall function 00A88432: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00A88484
      • Part of subcall function 00A88432: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00A8849C
      • Part of subcall function 00A88432: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00A884BA
      • Part of subcall function 00A88432: CloseHandle.KERNEL32 ref: 00A884C3
    • CreateMutexW.KERNEL32(00AA49B4,00000001), ref: 00A9B550
    • GetLastError.KERNEL32(?,38901130,?,00000001,?,?,00000001,?,?,?,00A9B8C7), ref: 00A9B560
    • CloseHandle.KERNEL32 ref: 00A9B56E
    • CloseHandle.KERNEL32 ref: 00A9B697
      • Part of subcall function 00A9AFE8: memcpy.MSVCRT ref: 00A9AFF8
    • lstrlenW.KERNEL32 ref: 00A9B5D0
      • Part of subcall function 00A75B9B: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00A75BC1
      • Part of subcall function 00A75B9B: Process32FirstW.KERNEL32 ref: 00A75BE6
      • Part of subcall function 00A75B9B: OpenProcess.KERNEL32(00000400,00000000,?), ref: 00A75C3D
      • Part of subcall function 00A75B9B: CloseHandle.KERNEL32 ref: 00A75C5B
      • Part of subcall function 00A75B9B: GetLengthSid.ADVAPI32 ref: 00A75C77
      • Part of subcall function 00A75B9B: memcmp.MSVCRT ref: 00A75C8F
      • Part of subcall function 00A75B9B: CloseHandle.KERNEL32(?), ref: 00A75D07
      • Part of subcall function 00A75B9B: Process32NextW.KERNEL32(?,?), ref: 00A75D13
      • Part of subcall function 00A75B9B: CloseHandle.KERNEL32 ref: 00A75D26
    • ExitWindowsEx.USER32(00000014,80000000), ref: 00A9B615
    • OpenEventW.KERNEL32(00000002,00000000), ref: 00A9B63B
    • SetEvent.KERNEL32 ref: 00A9B648
    • CloseHandle.KERNEL32 ref: 00A9B64F
    • Sleep.KERNEL32(00007530), ref: 00A9B674
      • Part of subcall function 00A7AF99: GetCurrentThread.KERNEL32 ref: 00A7AFAD
      • Part of subcall function 00A7AF99: OpenThreadToken.ADVAPI32 ref: 00A7AFB4
      • Part of subcall function 00A7AF99: GetCurrentProcess.KERNEL32 ref: 00A7AFC4
      • Part of subcall function 00A7AF99: OpenProcessToken.ADVAPI32 ref: 00A7AFCB
      • Part of subcall function 00A7AF99: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege), ref: 00A7AFEC
      • Part of subcall function 00A7AF99: AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 00A7B001
      • Part of subcall function 00A7AF99: GetLastError.KERNEL32 ref: 00A7B00B
      • Part of subcall function 00A7AF99: CloseHandle.KERNEL32(00000001), ref: 00A7B01C
    • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000001,80000000), ref: 00A9B68C
    • Sleep.KERNEL32(000000FF), ref: 00A9B694
    • IsWellKnownSid.ADVAPI32(00DD1EC0,00000016), ref: 00A9B6E5
    • CreateEventW.KERNEL32(00AA49B4,00000001,00000000), ref: 00A9B7B4
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00A9B7CD
    • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,000000FF), ref: 00A9B7DF
    • CloseHandle.KERNEL32(00000000), ref: 00A9B7F6
    • CloseHandle.KERNEL32(?), ref: 00A9B7FC
    • CloseHandle.KERNEL32(?), ref: 00A9B802
      • Part of subcall function 00A7766D: ReleaseMutex.KERNEL32 ref: 00A77671
      • Part of subcall function 00A7766D: CloseHandle.KERNEL32 ref: 00A77678
      • Part of subcall function 00A81DFA: VirtualProtect.KERNEL32(00A796C7,?,00000040), ref: 00A81E12
      • Part of subcall function 00A81DFA: VirtualProtect.KERNEL32(00A796C7,?,?), ref: 00A81E85
      • Part of subcall function 00A796C7: FreeLibrary.KERNEL32(00000003), ref: 00A796B9
      • Part of subcall function 00A9BC89: memcpy.MSVCRT ref: 00A9BCA4
      • Part of subcall function 00A9BC89: StringFromGUID2.OLE32 ref: 00A9BD4A
      • Part of subcall function 00A79931: LoadLibraryW.KERNEL32 ref: 00A79953
      • Part of subcall function 00A79931: GetProcAddress.KERNEL32 ref: 00A79977
      • Part of subcall function 00A79931: SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001), ref: 00A799AF
      • Part of subcall function 00A79931: lstrlenW.KERNEL32 ref: 00A799C7
      • Part of subcall function 00A79931: StrCmpNIW.SHLWAPI ref: 00A799DB
      • Part of subcall function 00A79931: lstrlenW.KERNEL32 ref: 00A799F1
      • Part of subcall function 00A79931: memcpy.MSVCRT ref: 00A799FD
      • Part of subcall function 00A79931: FreeLibrary.KERNEL32 ref: 00A79A13
      • Part of subcall function 00A79931: NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,?,?,?), ref: 00A79A52
      • Part of subcall function 00A79931: NetUserGetInfo.NETAPI32(00000000,00000000,00000017), ref: 00A79A8E
      • Part of subcall function 00A79931: NetApiBufferFree.NETAPI32(?), ref: 00A79B39
      • Part of subcall function 00A79931: NetApiBufferFree.NETAPI32(00000000), ref: 00A79B4B
      • Part of subcall function 00A79931: SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001), ref: 00A79B6A
      • Part of subcall function 00A7B314: CharToOemW.USER32(00DD1EF0), ref: 00A7B325
      • Part of subcall function 00AA2AC0: GetCommandLineW.KERNEL32 ref: 00AA2ADA
      • Part of subcall function 00AA2AC0: CommandLineToArgvW.SHELL32 ref: 00AA2AE1
      • Part of subcall function 00AA2AC0: StrCmpNW.SHLWAPI(?,00A6CA4C,00000002), ref: 00AA2B07
      • Part of subcall function 00AA2AC0: LocalFree.KERNEL32 ref: 00AA2B33
      • Part of subcall function 00AA2AC0: MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,00001000), ref: 00AA2B70
      • Part of subcall function 00AA2AC0: memcpy.MSVCRT ref: 00AA2B83
      • Part of subcall function 00AA2AC0: UnmapViewOfFile.KERNEL32 ref: 00AA2BBC
      • Part of subcall function 00AA2AC0: memcpy.MSVCRT ref: 00AA2BDF
      • Part of subcall function 00AA2AC0: CloseHandle.KERNEL32 ref: 00AA2BF8
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
      • Part of subcall function 00A9C09D: CreateMutexW.KERNEL32(00AA49B4,00000000), ref: 00A9C0BF
      • Part of subcall function 00A7987E: memcpy.MSVCRT ref: 00A79894
      • Part of subcall function 00A7987E: memcmp.MSVCRT ref: 00A798B6
      • Part of subcall function 00A7987E: lstrcmpiW.KERNEL32(00000000,000000FF), ref: 00A7990F
      • Part of subcall function 00A884D3: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00A884E4
      • Part of subcall function 00A884D3: CloseHandle.KERNEL32 ref: 00A884F3
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 00A9B779
    • SeShutdownPrivilege, xrefs: 00A9B676
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004036E8
      • Part of subcall function 00402096: LoadLibraryA.KERNEL32(user32.dll), ref: 004020AE
      • Part of subcall function 00402096: GetProcAddress.KERNEL32(?,MessageBoxA), ref: 004020CA
      • Part of subcall function 00402096: GetProcAddress.KERNEL32(?,GetActiveWindow), ref: 004020DB
      • Part of subcall function 00402096: GetProcAddress.KERNEL32(?,GetLastActivePopup), ref: 004020E8
      • Part of subcall function 00402096: GetProcAddress.KERNEL32(?,GetUserObjectInformationA), ref: 004020FE
      • Part of subcall function 00402096: GetProcAddress.KERNEL32(?,GetProcessWindowStation), ref: 0040210F
    • LCMapStringW.KERNEL32(00000000,00000100,00492BE4,00000001,00000000,00000000), ref: 004037D6
    • GetLastError.KERNEL32 ref: 004037E8
    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000), ref: 0040386F
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?), ref: 004038F0
    • LCMapStringW.KERNEL32(?,?,?,?,00000000,00000000), ref: 0040390A
    • LCMapStringW.KERNEL32(?,?,?,?,?,?), ref: 00403945
    • LCMapStringW.KERNEL32(?,?,?,?,?), ref: 004039B9
    • WideCharToMultiByte.KERNEL32(?,00000000,?,?,?,?,00000000,00000000), ref: 004039DC
      • Part of subcall function 00404008: GetLocaleInfoA.KERNEL32(00000038,00001004,?,00000006), ref: 00404028
    • LCMapStringA.KERNEL32(?,?,?,?,00000000,00000000), ref: 00403A72
    • LCMapStringA.KERNEL32(?,?,?,?,?,?), ref: 00403AF3
    • LCMapStringA.KERNEL32(?,?,?,?,?,?), ref: 00403B4A
      • Part of subcall function 0040230E: HeapFree.KERNEL32(00000000,?,00492318,0000000C,00401F0C,?,?,?,00000000,?,00401E30,?,00491DB0,00000060), ref: 00402373
      • Part of subcall function 0040404B: GetCPInfo.KERNEL32(?,?), ref: 00404089
      • Part of subcall function 0040404B: GetCPInfo.KERNEL32(?,?), ref: 0040409C
      • Part of subcall function 0040404B: MultiByteToWideChar.KERNEL32(00000008,00000001,?,?,00000000,00000000), ref: 004040E1
      • Part of subcall function 0040404B: MultiByteToWideChar.KERNEL32(00000008,00000001,00000001,?,?,00000001), ref: 00404163
      • Part of subcall function 0040404B: WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 00404184
      • Part of subcall function 0040404B: WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 004041A5
      • Part of subcall function 0040404B: WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000001,00000000,00000000), ref: 004041CC
    Strings
    Memory Dump Source
    • Source File: 00000002.00000000.251083961.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000000.251077299.00400000.00000002.sdmp
    • Associated: 00000002.00000000.251140485.00487000.00000002.sdmp
    • Associated: 00000002.00000000.251150254.00494000.00000008.sdmp
    • Associated: 00000002.00000000.251160158.004A1000.00000002.sdmp
    APIs
    • HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • LoadLibraryW.KERNEL32 ref: 00A79953
    • GetProcAddress.KERNEL32 ref: 00A79977
    • SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001), ref: 00A799AF
    • lstrlenW.KERNEL32 ref: 00A799C7
    • StrCmpNIW.SHLWAPI ref: 00A799DB
    • lstrlenW.KERNEL32 ref: 00A799F1
    • memcpy.MSVCRT ref: 00A799FD
    • FreeLibrary.KERNEL32 ref: 00A79A13
    • NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,?,?,?), ref: 00A79A52
    • NetUserGetInfo.NETAPI32(00000000,00000000,00000017), ref: 00A79A8E
      • Part of subcall function 00A9B31B: ConvertSidToStringSidW.ADVAPI32(?,?), ref: 00A9B32F
      • Part of subcall function 00A9B31B: PathUnquoteSpacesW.SHLWAPI ref: 00A9B394
      • Part of subcall function 00A9B31B: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00A9B3A3
      • Part of subcall function 00A9B31B: LocalFree.KERNEL32(00000001), ref: 00A9B3B7
    • NetApiBufferFree.NETAPI32(?), ref: 00A79B39
      • Part of subcall function 00A78F6F: memcpy.MSVCRT ref: 00A78FE0
      • Part of subcall function 00A78F6F: PathRemoveBackslashW.SHLWAPI ref: 00A78FEA
      • Part of subcall function 00A78F6F: memcpy.MSVCRT ref: 00A79033
      • Part of subcall function 00A78F6F: memcpy.MSVCRT ref: 00A79060
      • Part of subcall function 00A78F6F: PathRemoveBackslashW.SHLWAPI ref: 00A7906A
      • Part of subcall function 00A790A3: PathSkipRootW.SHLWAPI ref: 00A790CD
      • Part of subcall function 00A790A3: GetFileAttributesW.KERNEL32(00000000), ref: 00A790FA
      • Part of subcall function 00A790A3: CreateDirectoryW.KERNEL32(?,00000000), ref: 00A7910E
      • Part of subcall function 00A790A3: SetLastError.KERNEL32(00000050,?,?,00000000), ref: 00A79131
      • Part of subcall function 00A79583: LoadLibraryW.KERNEL32 ref: 00A795A7
      • Part of subcall function 00A79583: GetProcAddress.KERNEL32 ref: 00A795D5
      • Part of subcall function 00A79583: GetProcAddress.KERNEL32 ref: 00A795EF
      • Part of subcall function 00A79583: GetProcAddress.KERNEL32 ref: 00A7960B
      • Part of subcall function 00A79583: WTSGetActiveConsoleSessionId.KERNEL32 ref: 00A79638
      • Part of subcall function 00A79583: FreeLibrary.KERNEL32(00000003), ref: 00A796B9
    • NetApiBufferFree.NETAPI32(00000000), ref: 00A79B4B
    • SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001), ref: 00A79B6A
      • Part of subcall function 00A9038C: CreateDirectoryW.KERNEL32(?,00000000), ref: 00A90405
      • Part of subcall function 00A9038C: SetFileAttributesW.KERNEL32(?), ref: 00A90424
      • Part of subcall function 00A9038C: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,?,00000000), ref: 00A9043B
      • Part of subcall function 00A9038C: GetLastError.KERNEL32 ref: 00A90448
      • Part of subcall function 00A9038C: CloseHandle.KERNEL32 ref: 00A90481
      • Part of subcall function 00AA258D: GetFileSizeEx.KERNEL32(00000000), ref: 00AA25C4
      • Part of subcall function 00AA258D: SetEndOfFile.KERNEL32 ref: 00AA263A
      • Part of subcall function 00AA258D: FlushFileBuffers.KERNEL32(?), ref: 00AA2645
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • LoadLibraryW.KERNEL32 ref: 00439953
    • GetProcAddress.KERNEL32 ref: 00439977
    • SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001), ref: 004399AF
    • lstrlenW.KERNEL32 ref: 004399C7
    • StrCmpNIW.SHLWAPI ref: 004399DB
    • lstrlenW.KERNEL32 ref: 004399F1
    • memcpy.MSVCRT ref: 004399FD
    • FreeLibrary.KERNEL32 ref: 00439A13
    • NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,?,?,?), ref: 00439A52
    • NetUserGetInfo.NETAPI32(00000000,00000000,00000017), ref: 00439A8E
      • Part of subcall function 0045B31B: ConvertSidToStringSidW.ADVAPI32(?,?), ref: 0045B32F
      • Part of subcall function 0045B31B: PathUnquoteSpacesW.SHLWAPI ref: 0045B394
      • Part of subcall function 0045B31B: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 0045B3A3
      • Part of subcall function 0045B31B: LocalFree.KERNEL32(00000001), ref: 0045B3B7
    • NetApiBufferFree.NETAPI32(?), ref: 00439B39
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00438FE0
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 00438FEA
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439033
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439060
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 0043906A
      • Part of subcall function 004390A3: PathSkipRootW.SHLWAPI ref: 004390CD
      • Part of subcall function 004390A3: GetFileAttributesW.KERNEL32(00000000), ref: 004390FA
      • Part of subcall function 004390A3: CreateDirectoryW.KERNEL32(?,00000000), ref: 0043910E
      • Part of subcall function 004390A3: SetLastError.KERNEL32(00000050,?,?,00000000), ref: 00439131
      • Part of subcall function 00439583: LoadLibraryW.KERNEL32 ref: 004395A7
      • Part of subcall function 00439583: GetProcAddress.KERNEL32 ref: 004395D5
      • Part of subcall function 00439583: GetProcAddress.KERNEL32 ref: 004395EF
      • Part of subcall function 00439583: GetProcAddress.KERNEL32 ref: 0043960B
      • Part of subcall function 00439583: WTSGetActiveConsoleSessionId.KERNEL32 ref: 00439638
      • Part of subcall function 00439583: FreeLibrary.KERNEL32 ref: 004396B9
    • NetApiBufferFree.NETAPI32(00000000), ref: 00439B4B
    • SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001), ref: 00439B6A
      • Part of subcall function 0045038C: NlsGetCacheUpdateCount.KERNEL32(?,00000000), ref: 00450405
      • Part of subcall function 0045038C: SetFileAttributesW.KERNEL32(?), ref: 00450424
      • Part of subcall function 0045038C: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,?,00000000), ref: 0045043B
      • Part of subcall function 0045038C: GetLastError.KERNEL32 ref: 00450448
      • Part of subcall function 0045038C: CloseHandle.KERNEL32 ref: 00450481
      • Part of subcall function 0046258D: GetFileSizeEx.KERNEL32(?), ref: 004625C4
      • Part of subcall function 0046258D: SetEndOfFile.KERNEL32 ref: 0046263A
      • Part of subcall function 0046258D: FlushFileBuffers.KERNEL32(?), ref: 00462645
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • GetModuleHandleW.KERNEL32(00000000), ref: 00A9ACF4
      • Part of subcall function 00A9D1E0: InitializeCriticalSection.KERNEL32(00AA5AA4), ref: 00A9D207
      • Part of subcall function 00A9D1E0: InitializeCriticalSection.KERNEL32 ref: 00A9D218
      • Part of subcall function 00A9D1E0: memset.MSVCRT ref: 00A9D229
      • Part of subcall function 00A9D1E0: TlsAlloc.KERNEL32(?,?,00000000,?,?,00000001), ref: 00A9D240
      • Part of subcall function 00A9D1E0: GetModuleHandleW.KERNEL32(00000000), ref: 00A9D25C
      • Part of subcall function 00A9D1E0: GetModuleHandleW.KERNEL32 ref: 00A9D272
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00A9AD59
    • Process32FirstW.KERNEL32 ref: 00A9AD74
    • PathFindFileNameW.SHLWAPI ref: 00A9AD87
    • StrCmpNIW.SHLWAPI(rapport,?,00000007), ref: 00A9AD99
    • Process32NextW.KERNEL32(?,?), ref: 00A9ADA9
    • CloseHandle.KERNEL32 ref: 00A9ADB4
    • WSAStartup.WS2_32(00000202), ref: 00A9ADC4
    • CreateEventW.KERNEL32(00AA49B4,00000001,00000000,00000000), ref: 00A9ADEC
      • Part of subcall function 00A7AEE3: OpenProcessToken.ADVAPI32(?,00000008), ref: 00A7AEF5
      • Part of subcall function 00A7AEE3: GetTokenInformation.ADVAPI32(?,0000000C,00AA49A8,00000004), ref: 00A7AF1D
      • Part of subcall function 00A7AEE3: CloseHandle.KERNEL32(?), ref: 00A7AF33
    • GetLengthSid.ADVAPI32(?,?,?,?,00000001), ref: 00A9AE22
      • Part of subcall function 00A9AA9A: GetTempPathW.KERNEL32(00000104), ref: 00A9AAB7
      • Part of subcall function 00A9AA9A: GetLongPathNameW.KERNEL32(?,C:\Documents and Settings\Administrator\Local Settings\Temp,00000104,?,?), ref: 00A9AACF
      • Part of subcall function 00A9AA9A: PathRemoveBackslashW.SHLWAPI(C:\Documents and Settings\Administrator\Local Settings\Temp), ref: 00A9AADA
      • Part of subcall function 00A9AA9A: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?), ref: 00A9AB00
    • GetCurrentProcessId.KERNEL32 ref: 00A9AE4D
      • Part of subcall function 00A9AB23: SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000), ref: 00A9AB64
      • Part of subcall function 00A9AB23: lstrcmpiW.KERNEL32 ref: 00A9AB93
      • Part of subcall function 00A9ABBF: lstrcatW.KERNEL32(?,.dat), ref: 00A9AC32
      • Part of subcall function 00A9ABBF: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A9AC57
      • Part of subcall function 00A9ABBF: ReadFile.KERNEL32(?,?,000001FE,?,00000000), ref: 00A9AC75
      • Part of subcall function 00A9ABBF: CloseHandle.KERNEL32 ref: 00A9AC82
      • Part of subcall function 00A8C8A1: IsBadReadPtr.KERNEL32 ref: 00A8C8E0
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • GetProcAddress.KERNEL32(00A9FEC7), ref: 00A9F8AB
    • GetProcAddress.KERNEL32(00A9FEC7), ref: 00A9F8CB
    • GetProcAddress.KERNEL32(00A9FEC7), ref: 00A9F8E4
    • GetProcAddress.KERNEL32(00A9FEC7), ref: 00A9F8FD
    • GetProcAddress.KERNEL32(00A9FEC7), ref: 00A9F916
    • GetProcAddress.KERNEL32(00A9FEC7), ref: 00A9F92F
    • GetProcAddress.KERNEL32(00A9FEC7), ref: 00A9F94C
    • GetProcAddress.KERNEL32(00A9FEC7), ref: 00A9F969
    • GetProcAddress.KERNEL32(00A9FEC7), ref: 00A9F986
    • GetProcAddress.KERNEL32(00A9FEC7,?), ref: 00A9F9A3
    • GetProcAddress.KERNEL32(00A9FEC7), ref: 00A9F9C0
    • GetProcAddress.KERNEL32(00A9FEC7), ref: 00A9F9DD
    • GetProcAddress.KERNEL32(00A9FEC7), ref: 00A9F9FA
    • GetProcAddress.KERNEL32(00A9FEC7), ref: 00A9FA17
    • GetProcAddress.KERNEL32(00A9FEC7), ref: 00A9FA34
    • GetProcAddress.KERNEL32(00A9FEC7), ref: 00A9FA51
    • GetProcAddress.KERNEL32(00A9FEC7), ref: 00A9FA6E
    • GetProcAddress.KERNEL32(00A9FEC7), ref: 00A9FA8B
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • GetProcAddress.KERNEL32(0045FEC7), ref: 0045F8AB
    • GetProcAddress.KERNEL32(0045FEC7), ref: 0045F8CB
    • GetProcAddress.KERNEL32(0045FEC7), ref: 0045F8E4
    • GetProcAddress.KERNEL32(0045FEC7), ref: 0045F8FD
    • GetProcAddress.KERNEL32(0045FEC7), ref: 0045F916
    • GetProcAddress.KERNEL32(0045FEC7), ref: 0045F92F
    • GetProcAddress.KERNEL32(0045FEC7), ref: 0045F94C
    • GetProcAddress.KERNEL32(0045FEC7), ref: 0045F969
    • GetProcAddress.KERNEL32(0045FEC7), ref: 0045F986
    • GetProcAddress.KERNEL32(0045FEC7,?), ref: 0045F9A3
    • GetProcAddress.KERNEL32(0045FEC7), ref: 0045F9C0
    • GetProcAddress.KERNEL32(0045FEC7), ref: 0045F9DD
    • GetProcAddress.KERNEL32(0045FEC7), ref: 0045F9FA
    • GetProcAddress.KERNEL32(0045FEC7), ref: 0045FA17
    • GetProcAddress.KERNEL32(0045FEC7), ref: 0045FA34
    • GetProcAddress.KERNEL32(0045FEC7), ref: 0045FA51
    • GetProcAddress.KERNEL32(0045FEC7), ref: 0045FA6E
    • GetProcAddress.KERNEL32(0045FEC7), ref: 0045FA8B
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • LoadLibraryA.KERNEL32(user32.dll), ref: 004020AE
    • GetProcAddress.KERNEL32(?,MessageBoxA), ref: 004020CA
    • GetProcAddress.KERNEL32(?,GetActiveWindow), ref: 004020DB
    • GetProcAddress.KERNEL32(?,GetLastActivePopup), ref: 004020E8
    • GetProcAddress.KERNEL32(?,GetUserObjectInformationA), ref: 004020FE
    • GetProcAddress.KERNEL32(?,GetProcessWindowStation), ref: 0040210F
    Strings
    Memory Dump Source
    • Source File: 00000002.00000000.251083961.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000000.251077299.00400000.00000002.sdmp
    • Associated: 00000002.00000000.251140485.00487000.00000002.sdmp
    • Associated: 00000002.00000000.251150254.00494000.00000008.sdmp
    • Associated: 00000002.00000000.251160158.004A1000.00000002.sdmp
    APIs
    • LoadLibraryA.KERNEL32(userenv.dll), ref: 00A7B1EE
    • GetProcAddress.KERNEL32(?,CreateEnvironmentBlock), ref: 00A7B20C
    • GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 00A7B218
    • memset.MSVCRT ref: 00A7B258
    • CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,00000000), ref: 00A7B2A5
    • CloseHandle.KERNEL32(?), ref: 00A7B2B9
    • CloseHandle.KERNEL32(?), ref: 00A7B2BF
    • FreeLibrary.KERNEL32 ref: 00A7B2D3
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00401D5E
    • GetProcAddress.KERNEL32(?,FlsAlloc), ref: 00401D76
    • GetProcAddress.KERNEL32(?,FlsGetValue), ref: 00401D83
    • GetProcAddress.KERNEL32(?,FlsSetValue), ref: 00401D90
    • GetProcAddress.KERNEL32(?,FlsFree), ref: 00401D9D
    • GetCurrentThreadId.KERNEL32 ref: 00401E1B
      • Part of subcall function 00401B71: DeleteCriticalSection.KERNEL32(?,?,00000000,?,00401E30,?,00491DB0,00000060), ref: 00401F04
      • Part of subcall function 00401B71: DeleteCriticalSection.KERNEL32(?,00000000,?,00401E30,?,00491DB0,00000060), ref: 00401F2E
      • Part of subcall function 004024C3: HeapAlloc.KERNEL32(00000008,?,00492370,00000010,00401BB6,00000001,0000008C,?,00000000,004033DA,00401FB5,?,00492268,00000008,0040200C,?), ref: 00402545
    Strings
    Memory Dump Source
    • Source File: 00000002.00000000.251083961.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000000.251077299.00400000.00000002.sdmp
    • Associated: 00000002.00000000.251140485.00487000.00000002.sdmp
    • Associated: 00000002.00000000.251150254.00494000.00000008.sdmp
    • Associated: 00000002.00000000.251160158.004A1000.00000002.sdmp
    APIs
      • Part of subcall function 00A8D189: lstrlenW.KERNEL32 ref: 00A8D190
      • Part of subcall function 00A8D189: memcpy.MSVCRT ref: 00A8D21E
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
    • getpeername.WS2_32 ref: 00A7A254
      • Part of subcall function 00A7C091: memcmp.MSVCRT ref: 00A7C0B3
      • Part of subcall function 00A79E88: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00A79E9D
      • Part of subcall function 00A79E88: StrCmpIW.SHLWAPI ref: 00A79EA7
      • Part of subcall function 00A7B764: EnterCriticalSection.KERNEL32(00AA5AA4,?,00A7B826,?,00A9C86A,00A8C4AB,00A8C4AB,?,00A8C4AB,?,00000001), ref: 00A7B774
      • Part of subcall function 00A7B764: LeaveCriticalSection.KERNEL32(00AA5AA4,?,00A7B826,?,00A9C86A,00A8C4AB,00A8C4AB,?,00A8C4AB,?,00000001), ref: 00A7B79E
    • WSAAddressToStringW.WS2_32(?,?,00000000), ref: 00A7A2CC
    • lstrcpyW.KERNEL32(?,0:0), ref: 00A7A2E0
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 0044D189: lstrlenW.KERNEL32 ref: 0044D190
      • Part of subcall function 0044D189: memcpy.MSVCRT ref: 0044D21E
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • getpeername.WS2_32 ref: 0043A254
      • Part of subcall function 0043C091: memcmp.MSVCRT ref: 0043C0B3
      • Part of subcall function 00439E88: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00439E9D
      • Part of subcall function 00439E88: StrCmpIW.SHLWAPI ref: 00439EA7
      • Part of subcall function 0043B764: EnterCriticalSection.KERNEL32(00465AA4,?,0043B826,?,0045C86A,0044C4AB,0044C4AB,?,0044C4AB,?,00000001), ref: 0043B774
      • Part of subcall function 0043B764: LeaveCriticalSection.KERNEL32(00465AA4,?,0043B826,?,0045C86A,0044C4AB,0044C4AB,?,0044C4AB,?,00000001), ref: 0043B79E
    • WSAAddressToStringW.WS2_32(?,?,00000000), ref: 0043A2CC
    • lstrcpyW.KERNEL32(?,0:0), ref: 0043A2E0
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A95947: GetTempPathW.KERNEL32(00000104,?), ref: 00A95962
      • Part of subcall function 00A95947: PathAddBackslashW.SHLWAPI(?), ref: 00A9598C
      • Part of subcall function 00A95947: CreateDirectoryW.KERNEL32(?), ref: 00A95A44
      • Part of subcall function 00A95947: SetFileAttributesW.KERNEL32(?), ref: 00A95A55
      • Part of subcall function 00A95947: CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 00A95A6E
      • Part of subcall function 00A95947: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000080,?,?,00000000), ref: 00A95A7F
    • CharToOemW.USER32 ref: 00A7B3AB
    • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 00A7B3E2
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
    • CloseHandle.KERNEL32(000000FF), ref: 00A7B40A
    • GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104), ref: 00A7B44C
    • memset.MSVCRT ref: 00A7B461
    • CloseHandle.KERNEL32(000000FF), ref: 00A7B49C
      • Part of subcall function 00A95E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00A95E26
      • Part of subcall function 00A95E1D: DeleteFileW.KERNEL32 ref: 00A95E2D
      • Part of subcall function 00A95934: CloseHandle.KERNEL32 ref: 00A95940
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00401D5E
    • GetProcAddress.KERNEL32(?,FlsAlloc), ref: 00401D76
    • GetProcAddress.KERNEL32(?,FlsGetValue), ref: 00401D83
    • GetProcAddress.KERNEL32(?,FlsSetValue), ref: 00401D90
    • GetProcAddress.KERNEL32(?,FlsFree), ref: 00401D9D
    • GetCurrentThreadId.KERNEL32 ref: 00401E1B
      • Part of subcall function 00401B71: DeleteCriticalSection.KERNEL32(?,?,00000000,?,00401E30,?,00491DB0,00000060), ref: 00401F04
      • Part of subcall function 00401B71: DeleteCriticalSection.KERNEL32(?,00000000,?,00401E30,?,00491DB0,00000060), ref: 00401F2E
      • Part of subcall function 004024C3: HeapAlloc.KERNEL32(00000008,?,00492370,00000010,00401BB6,00000001,0000008C,?,00000000,004033DA,00401FB5,?,00492268,00000008,0040200C,?), ref: 00402545
    Strings
    Memory Dump Source
    • Source File: 00000002.00000001.251360999.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000001.251344960.00400000.00000002.sdmp
    • Associated: 00000002.00000001.251446617.00487000.00000002.sdmp
    • Associated: 00000002.00000001.251482026.00494000.00000008.sdmp
    • Associated: 00000002.00000001.251496928.00498000.00000004.sdmp
    • Associated: 00000002.00000001.252081534.00499000.00000008.sdmp
    APIs
    • LoadLibraryW.KERNEL32(cabinet.dll), ref: 00A91A66
      • Part of subcall function 00A824DA: HeapAlloc.KERNEL32(00000008,?,?,00A7B076,?,?,?,00000000,?,?,00000000,00A9AA69,?,00A9ADD5), ref: 00A824EB
    • GetProcAddress.KERNEL32(?,FCICreate), ref: 00A91A95
    • GetProcAddress.KERNEL32(?,FCIAddFile), ref: 00A91AA4
    • GetProcAddress.KERNEL32(?,FCIFlushCabinet), ref: 00A91AB3
    • GetProcAddress.KERNEL32(?,FCIDestroy), ref: 00A91AC2
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
    • FreeLibrary.KERNEL32 ref: 00A91AF7
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • LoadLibraryW.KERNEL32(cabinet.dll), ref: 00451A66
      • Part of subcall function 004424DA: HeapAlloc.KERNEL32(00000008,?,?,0043B076,?,?,?,00000000,?,?,00000000,0045AA69,?,0045ADD5), ref: 004424EB
    • GetProcAddress.KERNEL32(?,FCICreate), ref: 00451A95
    • GetProcAddress.KERNEL32(?,FCIAddFile), ref: 00451AA4
    • GetProcAddress.KERNEL32(?,FCIFlushCabinet), ref: 00451AB3
    • GetProcAddress.KERNEL32(?,FCIDestroy), ref: 00451AC2
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • FreeLibrary.KERNEL32 ref: 00451AF7
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A884FB: memchr.MSVCRT ref: 00A8853B
      • Part of subcall function 00A884FB: memcmp.MSVCRT ref: 00A8855A
    • VirtualProtect.KERNEL32(?,?,00000080,?), ref: 00A8BC21
    • VirtualProtect.KERNEL32(?,?,00000000,?), ref: 00A8BD99
      • Part of subcall function 00A82633: memcmp.MSVCRT ref: 00A82653
      • Part of subcall function 00A825A7: memcpy.MSVCRT ref: 00A825C6
    • GetCurrentThread.KERNEL32 ref: 00A8BCBE
    • GetThreadPriority.KERNEL32 ref: 00A8BCC7
    • SetThreadPriority.KERNEL32(?,0000000F), ref: 00A8BCD2
    • Sleep.KERNEL32(00000000), ref: 00A8BCDA
    • memcpy.MSVCRT ref: 00A8BCE9
    • FlushInstructionCache.KERNEL32(000000FF,?,?), ref: 00A8BCFA
    • SetThreadPriority.KERNEL32 ref: 00A8BD02
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
    • GetTickCount.KERNEL32 ref: 00A8BD3C
    • GetTickCount.KERNEL32 ref: 00A8BD4F
    • Sleep.KERNEL32(00000000), ref: 00A8BD61
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 004484FB: memchr.MSVCRT ref: 0044853B
      • Part of subcall function 004484FB: memcmp.MSVCRT ref: 0044855A
    • VirtualProtect.KERNEL32(?,?,00000080,?), ref: 0044BC21
    • VirtualProtect.KERNEL32(?,?,00000000,?), ref: 0044BD99
      • Part of subcall function 00442633: memcmp.MSVCRT ref: 00442653
      • Part of subcall function 004425A7: memcpy.MSVCRT ref: 004425C6
    • GetCurrentThread.KERNEL32 ref: 0044BCBE
    • GetThreadPriority.KERNEL32 ref: 0044BCC7
    • SetThreadPriority.KERNEL32(?,0000000F), ref: 0044BCD2
    • Sleep.KERNEL32(00000000), ref: 0044BCDA
    • memcpy.MSVCRT ref: 0044BCE9
    • FlushInstructionCache.KERNEL32(000000FF,?,?), ref: 0044BCFA
    • SetThreadPriority.KERNEL32 ref: 0044BD02
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • GetTickCount.KERNEL32 ref: 0044BD3C
    • GetTickCount.KERNEL32 ref: 0044BD4F
    • Sleep.KERNEL32(00000000), ref: 0044BD61
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • Sleep.KERNEL32(00003A98), ref: 00A8952D
      • Part of subcall function 00A78C74: InitializeCriticalSection.KERNEL32 ref: 00A78C7B
    • InitializeCriticalSection.KERNEL32 ref: 00A89591
    • memset.MSVCRT ref: 00A895A8
    • InitializeCriticalSection.KERNEL32 ref: 00A895C2
      • Part of subcall function 00A8AAA2: memset.MSVCRT ref: 00A8AAB9
      • Part of subcall function 00A8AAA2: memset.MSVCRT ref: 00A8AB8D
    • InitializeCriticalSection.KERNEL32 ref: 00A8961C
    • memset.MSVCRT ref: 00A89627
    • memset.MSVCRT ref: 00A89635
      • Part of subcall function 00A86431: EnterCriticalSection.KERNEL32(?,?,00000000,?,?,0000002C), ref: 00A86531
      • Part of subcall function 00A86431: LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,?,?,0000002C), ref: 00A86572
      • Part of subcall function 00A86431: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00A86581
      • Part of subcall function 00A86431: SetEvent.KERNEL32 ref: 00A86591
      • Part of subcall function 00A86431: GetExitCodeThread.KERNEL32 ref: 00A865A5
      • Part of subcall function 00A86431: CloseHandle.KERNEL32 ref: 00A865BB
      • Part of subcall function 00A88626: getsockopt.WS2_32(?,0000FFFF,00001008,00A69417,00A69417), ref: 00A886B2
      • Part of subcall function 00A88626: GetHandleInformation.KERNEL32 ref: 00A886C4
      • Part of subcall function 00A88626: socket.WS2_32(?,00000001,00000006), ref: 00A886F7
      • Part of subcall function 00A88626: socket.WS2_32(?,00000002,00000011), ref: 00A88708
      • Part of subcall function 00A88626: closesocket.WS2_32(?), ref: 00A88727
      • Part of subcall function 00A88626: closesocket.WS2_32 ref: 00A8872E
      • Part of subcall function 00A88626: memset.MSVCRT ref: 00A887F2
      • Part of subcall function 00A88626: memcpy.MSVCRT ref: 00A88902
      • Part of subcall function 00A824C1: HeapAlloc.KERNEL32(00000000,00000028,?,00A9D211,?,?,00000000,?,?,00000001), ref: 00A824D2
    • WaitForMultipleObjects.KERNEL32(?,?,00000000,0000EA60), ref: 00A896AB
      • Part of subcall function 00A78CBF: EnterCriticalSection.KERNEL32(?,?,?,00A82B51,00000005,00007530,?,00000000,00000000), ref: 00A78CC7
      • Part of subcall function 00A78CBF: WaitForSingleObject.KERNEL32(?,00000000), ref: 00A78CEB
      • Part of subcall function 00A78CBF: CloseHandle.KERNEL32 ref: 00A78CFB
      • Part of subcall function 00A78CBF: LeaveCriticalSection.KERNEL32(?,?,?,?,00A82B51,00000005,00007530,?,00000000,00000000), ref: 00A78D2B
      • Part of subcall function 00A88A6A: EnterCriticalSection.KERNEL32(?,?,?,77C475F0), ref: 00A88A9B
      • Part of subcall function 00A88A6A: WSAGetLastError.WS2_32(?,?,?,?,?,?,?,77C475F0), ref: 00A88B2D
      • Part of subcall function 00A88A6A: SetEvent.KERNEL32 ref: 00A88B80
      • Part of subcall function 00A88A6A: SetEvent.KERNEL32 ref: 00A88BB9
      • Part of subcall function 00A88A6A: LeaveCriticalSection.KERNEL32(?,?,?,?,77C475F0), ref: 00A88C3E
      • Part of subcall function 00A77D03: EnterCriticalSection.KERNEL32(?,?,?,?,?,00A8979E,?,?,?,00000001), ref: 00A77D24
      • Part of subcall function 00A77D03: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,00A8979E,?,?,?,00000001), ref: 00A77D40
      • Part of subcall function 00A758AE: memset.MSVCRT ref: 00A759CD
      • Part of subcall function 00A758AE: memcpy.MSVCRT ref: 00A759E0
      • Part of subcall function 00A758AE: memcpy.MSVCRT ref: 00A759F6
      • Part of subcall function 00A7BD24: accept.WS2_32(?,?), ref: 00A7BD45
      • Part of subcall function 00A7BD24: WSAEventSelect.WS2_32(?,00000000,00000000), ref: 00A7BD57
      • Part of subcall function 00A7BD24: WSAGetLastError.WS2_32(00000023,?,00000000,00000000,?,?), ref: 00A7BD88
      • Part of subcall function 00A7BD24: shutdown.WS2_32(?,00000002), ref: 00A7BDA0
      • Part of subcall function 00A7BD24: closesocket.WS2_32 ref: 00A7BDA7
      • Part of subcall function 00A7BD24: WSASetLastError.WS2_32(00000008,?,?,00000002,?,00000000,00000000,?,?), ref: 00A7BDAE
      • Part of subcall function 00A88C4C: EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,?,?,00A8984D,?,?,00000000,?,?,00000590), ref: 00A88C7F
      • Part of subcall function 00A88C4C: memcmp.MSVCRT ref: 00A88CCD
      • Part of subcall function 00A88C4C: SetEvent.KERNEL32 ref: 00A88D0E
      • Part of subcall function 00A88C4C: LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,?,?,00A8984D,?,?,00000000,?,?,00000590), ref: 00A88D3B
      • Part of subcall function 00A78DE6: EnterCriticalSection.KERNEL32(00DD201C,?,?,?,00A9B2F2,?,?,00000001), ref: 00A78DEF
      • Part of subcall function 00A78DE6: LeaveCriticalSection.KERNEL32(00DD201C,?,?,?,00A9B2F2,?,?,00000001), ref: 00A78DF9
      • Part of subcall function 00A78DE6: WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00A78E1F
      • Part of subcall function 00A78DE6: EnterCriticalSection.KERNEL32(00DD201C,?,?,?,00A9B2F2,?,?,00000001), ref: 00A78E37
      • Part of subcall function 00A78DE6: LeaveCriticalSection.KERNEL32(00DD201C,?,?,?,00A9B2F2,?,?,00000001), ref: 00A78E41
    • CloseHandle.KERNEL32(00000000), ref: 00A898AA
    • CloseHandle.KERNEL32(00000000), ref: 00A898B7
      • Part of subcall function 00A86865: EnterCriticalSection.KERNEL32(?,?,00000000,?,00A86B6E,00000064,00000000,000000C8,00000000,?,00000001,?,0000002C), ref: 00A8686E
      • Part of subcall function 00A86865: LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00A86B6E,00000064,00000000,000000C8,00000000,?,00000001,?,0000002C), ref: 00A868A5
    • DeleteCriticalSection.KERNEL32 ref: 00A898CD
      • Part of subcall function 00A8ABB8: memset.MSVCRT ref: 00A8ABC8
    • DeleteCriticalSection.KERNEL32 ref: 00A898EC
    • CloseHandle.KERNEL32(00000000), ref: 00A898F9
    • DeleteCriticalSection.KERNEL32 ref: 00A89903
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
      • Part of subcall function 00A78C8F: CloseHandle.KERNEL32 ref: 00A78C9F
      • Part of subcall function 00A78C8F: DeleteCriticalSection.KERNEL32(?,?,00DD2010,00A9B303,?,?,00000001), ref: 00A78CB6
      • Part of subcall function 00A894FB: WaitForSingleObject.KERNEL32(?,00000000), ref: 00A89503
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • Sleep.KERNEL32(00003A98), ref: 0044952D
      • Part of subcall function 00438C74: InitializeCriticalSection.KERNEL32 ref: 00438C7B
    • InitializeCriticalSection.KERNEL32 ref: 00449591
    • memset.MSVCRT ref: 004495A8
    • InitializeCriticalSection.KERNEL32 ref: 004495C2
      • Part of subcall function 0044AAA2: memset.MSVCRT ref: 0044AAB9
      • Part of subcall function 0044AAA2: memset.MSVCRT ref: 0044AB8D
    • InitializeCriticalSection.KERNEL32 ref: 0044961C
    • memset.MSVCRT ref: 00449627
    • memset.MSVCRT ref: 00449635
      • Part of subcall function 00446431: EnterCriticalSection.KERNEL32(?,?,00000000,?,?,0000002C), ref: 00446531
      • Part of subcall function 00446431: LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,?,?,0000002C), ref: 00446572
      • Part of subcall function 00446431: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00446581
      • Part of subcall function 00446431: SetEvent.KERNEL32 ref: 00446591
      • Part of subcall function 00446431: GetExitCodeThread.KERNEL32 ref: 004465A5
      • Part of subcall function 00446431: CloseHandle.KERNEL32 ref: 004465BB
      • Part of subcall function 00448626: getsockopt.WS2_32(?,0000FFFF,00001008,00429417,00429417), ref: 004486B2
      • Part of subcall function 00448626: GetHandleInformation.KERNEL32 ref: 004486C4
      • Part of subcall function 00448626: socket.WS2_32(?,00000001,00000006), ref: 004486F7
      • Part of subcall function 00448626: socket.WS2_32(?,00000002,00000011), ref: 00448708
      • Part of subcall function 00448626: closesocket.WS2_32(?), ref: 00448727
      • Part of subcall function 00448626: closesocket.WS2_32 ref: 0044872E
      • Part of subcall function 00448626: memset.MSVCRT ref: 004487F2
      • Part of subcall function 00448626: memcpy.MSVCRT ref: 00448902
      • Part of subcall function 004424C1: HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
    • WaitForMultipleObjects.KERNEL32(?,?,00000000,0000EA60), ref: 004496AB
      • Part of subcall function 00438CBF: EnterCriticalSection.KERNEL32(?,?,?,00442B51,00000005,00007530,?,00000000,00000000), ref: 00438CC7
      • Part of subcall function 00438CBF: WaitForSingleObject.KERNEL32(?,00000000), ref: 00438CEB
      • Part of subcall function 00438CBF: CloseHandle.KERNEL32 ref: 00438CFB
      • Part of subcall function 00438CBF: LeaveCriticalSection.KERNEL32(?,?,?,?,00442B51,00000005,00007530,?,00000000,00000000), ref: 00438D2B
      • Part of subcall function 00448A6A: EnterCriticalSection.KERNEL32(?,?,?,77C475F0), ref: 00448A9B
      • Part of subcall function 00448A6A: WSAGetLastError.WS2_32(?,?,?,?,?,?,?,77C475F0), ref: 00448B2D
      • Part of subcall function 00448A6A: SetEvent.KERNEL32 ref: 00448B80
      • Part of subcall function 00448A6A: SetEvent.KERNEL32 ref: 00448BB9
      • Part of subcall function 00448A6A: LeaveCriticalSection.KERNEL32(?,?,?,?,77C475F0), ref: 00448C3E
      • Part of subcall function 00437D03: EnterCriticalSection.KERNEL32(?,?,?,?,?,0044979E,?,?,?,00000001), ref: 00437D24
      • Part of subcall function 00437D03: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,0044979E,?,?,?,00000001), ref: 00437D40
      • Part of subcall function 004358AE: memset.MSVCRT ref: 004359CD
      • Part of subcall function 004358AE: memcpy.MSVCRT ref: 004359E0
      • Part of subcall function 004358AE: memcpy.MSVCRT ref: 004359F6
      • Part of subcall function 0043BD24: accept.WS2_32(?,?), ref: 0043BD45
      • Part of subcall function 0043BD24: WSAEventSelect.WS2_32(?,00000000,00000000), ref: 0043BD57
      • Part of subcall function 0043BD24: WSAGetLastError.WS2_32(00000023,?,00000000,00000000,?,?), ref: 0043BD88
      • Part of subcall function 0043BD24: shutdown.WS2_32(?,00000002), ref: 0043BDA0
      • Part of subcall function 0043BD24: closesocket.WS2_32 ref: 0043BDA7
      • Part of subcall function 0043BD24: WSASetLastError.WS2_32(00000008,?,?,00000002,?,00000000,00000000,?,?), ref: 0043BDAE
      • Part of subcall function 00448C4C: EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,?,?,0044984D,?,?,00000000,?,?,00000590), ref: 00448C7F
      • Part of subcall function 00448C4C: memcmp.MSVCRT ref: 00448CCD
      • Part of subcall function 00448C4C: SetEvent.KERNEL32 ref: 00448D0E
      • Part of subcall function 00448C4C: LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,?,?,0044984D,?,?,00000000,?,?,00000590), ref: 00448D3B
      • Part of subcall function 00438DE6: EnterCriticalSection.KERNEL32(0000000C,?,?,?,0045B2F2,?,?,00000001), ref: 00438DEF
      • Part of subcall function 00438DE6: LeaveCriticalSection.KERNEL32(0000000C,?,?,?,0045B2F2,?,?,00000001), ref: 00438DF9
      • Part of subcall function 00438DE6: WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00438E1F
      • Part of subcall function 00438DE6: EnterCriticalSection.KERNEL32(0000000C,?,?,?,0045B2F2,?,?,00000001), ref: 00438E37
      • Part of subcall function 00438DE6: LeaveCriticalSection.KERNEL32(0000000C,?,?,?,0045B2F2,?,?,00000001), ref: 00438E41
    • CloseHandle.KERNEL32(00000000), ref: 004498AA
    • CloseHandle.KERNEL32(00000000), ref: 004498B7
      • Part of subcall function 00446865: EnterCriticalSection.KERNEL32(?,?,00000000,?,00446B6E,00000064,00000000,000000C8,00000000,?,00000001,?,0000002C), ref: 0044686E
      • Part of subcall function 00446865: LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00446B6E,00000064,00000000,000000C8,00000000,?,00000001,?,0000002C), ref: 004468A5
    • DeleteCriticalSection.KERNEL32 ref: 004498CD
      • Part of subcall function 0044ABB8: memset.MSVCRT ref: 0044ABC8
    • DeleteCriticalSection.KERNEL32 ref: 004498EC
    • CloseHandle.KERNEL32(00000000), ref: 004498F9
    • DeleteCriticalSection.KERNEL32 ref: 00449903
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 00438C8F: CloseHandle.KERNEL32 ref: 00438C9F
      • Part of subcall function 00438C8F: DeleteCriticalSection.KERNEL32(?,?,00000000,0045B303,?,?,00000001), ref: 00438CB6
      • Part of subcall function 004494FB: WaitForSingleObject.KERNEL32(?,00000000), ref: 00449503
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • GetProcAddress.KERNEL32(?,GdipGetImageEncodersSize), ref: 00A91304
    • GetProcAddress.KERNEL32(?,GdipGetImageEncoders), ref: 00A9130F
    • GetProcAddress.KERNEL32(?,GdipSaveImageToStream), ref: 00A9131A
      • Part of subcall function 00A824DA: HeapAlloc.KERNEL32(00000008,?,?,00A7B076,?,?,?,00000000,?,?,00000000,00A9AA69,?,00A9ADD5), ref: 00A824EB
    • lstrcmpiW.KERNEL32(?), ref: 00A913A7
    • memcpy.MSVCRT ref: 00A913CA
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
    • CreateStreamOnHGlobal.OLE32(00000000,00000001), ref: 00A913F5
    • memcpy.MSVCRT ref: 00A91423
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • GetProcAddress.KERNEL32(?,GdipGetImageEncodersSize), ref: 00451304
    • GetProcAddress.KERNEL32(?,GdipGetImageEncoders), ref: 0045130F
    • GetProcAddress.KERNEL32(?,GdipSaveImageToStream), ref: 0045131A
      • Part of subcall function 004424DA: HeapAlloc.KERNEL32(00000008,?,?,0043B076,?,?,?,00000000,?,?,00000000,0045AA69,?,0045ADD5), ref: 004424EB
    • lstrcmpiW.KERNEL32(?), ref: 004513A7
    • memcpy.MSVCRT ref: 004513CA
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • CreateStreamOnHGlobal.OLE32(00000000,00000001), ref: 004513F5
    • memcpy.MSVCRT ref: 00451423
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • memcpy.MSVCRT ref: 00AA2D3D
    • CreateFileMappingW.KERNEL32(000000FF,?,08000004,00000000,00001000,00000000), ref: 00AA2D5E
    • MapViewOfFile.KERNEL32(?,00000006,00000000,00000000,00001000), ref: 00AA2D76
      • Part of subcall function 00AA2922: UnmapViewOfFile.KERNEL32 ref: 00AA292E
      • Part of subcall function 00AA2922: CloseHandle.KERNEL32 ref: 00AA293F
    • memset.MSVCRT ref: 00AA2DCB
    • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000001,00000004,00000000,00000000,00000000,00000000), ref: 00AA2E04
      • Part of subcall function 00AA294A: DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002,00AA3210), ref: 00AA297C
      • Part of subcall function 00AA294A: DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002), ref: 00AA299C
      • Part of subcall function 00AA294A: memset.MSVCRT ref: 00AA2A39
      • Part of subcall function 00AA294A: memcpy.MSVCRT ref: 00AA2A4B
    • ResumeThread.KERNEL32(?), ref: 00AA2E27
    • CloseHandle.KERNEL32(?), ref: 00AA2E3E
    • CloseHandle.KERNEL32(?), ref: 00AA2E44
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • memcpy.MSVCRT ref: 00462D3D
    • CreateFileMappingW.KERNEL32(000000FF,?,08000004,00000000,00001000,00000000), ref: 00462D5E
    • MapViewOfFile.KERNEL32(?,00000006,00000000,00000000,00001000), ref: 00462D76
      • Part of subcall function 00462922: UnmapViewOfFile.KERNEL32 ref: 0046292E
      • Part of subcall function 00462922: CloseHandle.KERNEL32 ref: 0046293F
    • memset.MSVCRT ref: 00462DCB
    • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000001,00000004,00000000,00000000,00000000,00000000), ref: 00462E04
      • Part of subcall function 0046294A: DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002,00463210), ref: 0046297C
      • Part of subcall function 0046294A: DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002), ref: 0046299C
      • Part of subcall function 0046294A: memset.MSVCRT ref: 00462A39
      • Part of subcall function 0046294A: memcpy.MSVCRT ref: 00462A4B
    • ResumeThread.KERNEL32(?), ref: 00462E27
    • CloseHandle.KERNEL32(?), ref: 00462E3E
    • CloseHandle.KERNEL32(?), ref: 00462E44
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • GetCurrentThread.KERNEL32 ref: 00A7AFAD
    • OpenThreadToken.ADVAPI32 ref: 00A7AFB4
    • GetCurrentProcess.KERNEL32 ref: 00A7AFC4
    • OpenProcessToken.ADVAPI32 ref: 00A7AFCB
    • LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege), ref: 00A7AFEC
    • AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 00A7B001
    • GetLastError.KERNEL32 ref: 00A7B00B
    • CloseHandle.KERNEL32(00000001), ref: 00A7B01C
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 00A8204E: memcpy.MSVCRT ref: 00A8205C
      • Part of subcall function 00A9570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00A9ABEA,00A9ABEA), ref: 00A9573C
    • PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00A79C2E
    • PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00A79C75
    • SetEvent.KERNEL32 ref: 00A79C84
    • WaitForSingleObject.KERNEL32 ref: 00A79C95
      • Part of subcall function 00A8A9C2: Sleep.KERNEL32(000001F4), ref: 00A8AA6D
      • Part of subcall function 00A7913F: FindFirstFileW.KERNEL32(?), ref: 00A79170
      • Part of subcall function 00A7913F: FindNextFileW.KERNEL32(?,?), ref: 00A791C2
      • Part of subcall function 00A7913F: FindClose.KERNEL32 ref: 00A791CD
      • Part of subcall function 00A7913F: SetFileAttributesW.KERNEL32(?,00000080), ref: 00A791D9
      • Part of subcall function 00A7913F: RemoveDirectoryW.KERNEL32 ref: 00A791E0
      • Part of subcall function 00A90B2C: RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A90B87
      • Part of subcall function 00A90B2C: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00A90BF1
      • Part of subcall function 00A90B2C: RegFlushKey.ADVAPI32(?), ref: 00A90C1F
      • Part of subcall function 00A90B2C: RegCloseKey.ADVAPI32(?), ref: 00A90C26
    • CharToOemW.USER32 ref: 00A79D26
    • CharToOemW.USER32 ref: 00A79D36
    • ExitProcess.KERNEL32(00000000,?,?,00000014,?,?,00000014), ref: 00A79D9A
      • Part of subcall function 00A7B365: CharToOemW.USER32 ref: 00A7B3AB
      • Part of subcall function 00A7B365: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 00A7B3E2
      • Part of subcall function 00A7B365: CloseHandle.KERNEL32(000000FF), ref: 00A7B40A
      • Part of subcall function 00A7B365: GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104), ref: 00A7B44C
      • Part of subcall function 00A7B365: memset.MSVCRT ref: 00A7B461
      • Part of subcall function 00A7B365: CloseHandle.KERNEL32(000000FF), ref: 00A7B49C
      • Part of subcall function 00A78F6F: memcpy.MSVCRT ref: 00A78FE0
      • Part of subcall function 00A78F6F: PathRemoveBackslashW.SHLWAPI ref: 00A78FEA
      • Part of subcall function 00A78F6F: memcpy.MSVCRT ref: 00A79033
      • Part of subcall function 00A78F6F: memcpy.MSVCRT ref: 00A79060
      • Part of subcall function 00A78F6F: PathRemoveBackslashW.SHLWAPI ref: 00A7906A
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00A79C4B
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 00A79BFE
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 0044204E: memcpy.MSVCRT ref: 0044205C
      • Part of subcall function 0045570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0045ABEA,0045ABEA), ref: 0045573C
    • PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00439C2E
    • PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00439C75
    • SetEvent.KERNEL32 ref: 00439C84
    • WaitForSingleObject.KERNEL32 ref: 00439C95
      • Part of subcall function 0044A9C2: Sleep.KERNEL32(000001F4), ref: 0044AA6D
      • Part of subcall function 0043913F: FindFirstFileW.KERNEL32(?), ref: 00439170
      • Part of subcall function 0043913F: FindNextFileW.KERNEL32(?,?), ref: 004391C2
      • Part of subcall function 0043913F: FindClose.KERNEL32 ref: 004391CD
      • Part of subcall function 0043913F: SetFileAttributesW.KERNEL32(00000000,00000080), ref: 004391D9
      • Part of subcall function 0043913F: RemoveDirectoryW.KERNEL32(00000000), ref: 004391E0
      • Part of subcall function 00450B2C: RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00450B87
      • Part of subcall function 00450B2C: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00450BF1
      • Part of subcall function 00450B2C: RegFlushKey.ADVAPI32(?), ref: 00450C1F
      • Part of subcall function 00450B2C: RegCloseKey.ADVAPI32(?), ref: 00450C26
    • CharToOemW.USER32 ref: 00439D26
    • CharToOemW.USER32 ref: 00439D36
    • ExitProcess.KERNEL32(00000000,?,?,00000014,?,?,00000014), ref: 00439D9A
      • Part of subcall function 0043B365: CharToOemW.USER32 ref: 0043B3AB
      • Part of subcall function 0043B365: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 0043B3E2
      • Part of subcall function 0043B365: CloseHandle.KERNEL32(000000FF), ref: 0043B40A
      • Part of subcall function 0043B365: GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104), ref: 0043B44C
      • Part of subcall function 0043B365: memset.MSVCRT ref: 0043B461
      • Part of subcall function 0043B365: CloseHandle.KERNEL32(000000FF), ref: 0043B49C
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00438FE0
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 00438FEA
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439033
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439060
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 0043906A
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 00439BFE
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00439C4B
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • GetLogicalDrives.KERNEL32 ref: 00A8553C
      • Part of subcall function 00A824DA: HeapAlloc.KERNEL32(00000008,?,?,00A7B076,?,?,?,00000000,?,?,00000000,00A9AA69,?,00A9ADD5), ref: 00A824EB
    • SHGetFolderPathW.SHELL32(00000000,00006024,00000000,00000000), ref: 00A85581
    • PathGetDriveNumberW.SHLWAPI ref: 00A85593
    • lstrcpyW.KERNEL32(?,00A6AACC), ref: 00A855A7
    • GetDriveTypeW.KERNEL32 ref: 00A85610
    • GetVolumeInformationW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000105), ref: 00A85671
    • CharUpperW.USER32(00000000), ref: 00A8568D
    • lstrcmpW.KERNEL32 ref: 00A856B0
    • GetDiskFreeSpaceExW.KERNEL32(?,00000000), ref: 00A856EE
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 00462A7B: memset.MSVCRT ref: 00462AA4
      • Part of subcall function 0045038C: NlsGetCacheUpdateCount.KERNEL32(?,00000000), ref: 00450405
      • Part of subcall function 0045038C: SetFileAttributesW.KERNEL32(?), ref: 00450424
      • Part of subcall function 0045038C: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,?,00000000), ref: 0045043B
      • Part of subcall function 0045038C: GetLastError.KERNEL32 ref: 00450448
      • Part of subcall function 0045038C: CloseHandle.KERNEL32 ref: 00450481
      • Part of subcall function 0044BA48: RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000104,00000000,?,00000000), ref: 0044BA66
      • Part of subcall function 0044BA48: RegCreateKeyExW.ADVAPI32(?,00439771,00000000,00000000,00000000,00000103,00000000), ref: 0044BA9B
      • Part of subcall function 0044BA48: RegCloseKey.ADVAPI32(?), ref: 0044BAAA
      • Part of subcall function 0044BA48: RegCloseKey.ADVAPI32(?), ref: 0044BAC5
    • lstrlenW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Temp), ref: 00439782
      • Part of subcall function 00442070: memset.MSVCRT ref: 00442084
      • Part of subcall function 004423AA: memcpy.MSVCRT ref: 004423D8
      • Part of subcall function 00455649: WideCharToMultiByte.KERNEL32(00000000,00000000,00000002,00000002,00000002,000000FF,00000000,00000000), ref: 00455678
      • Part of subcall function 0045A7D7: memset.MSVCRT ref: 0045A862
      • Part of subcall function 0046258D: GetFileSizeEx.KERNEL32(?), ref: 004625C4
      • Part of subcall function 0046258D: SetEndOfFile.KERNEL32 ref: 0046263A
      • Part of subcall function 0046258D: FlushFileBuffers.KERNEL32(?), ref: 00462645
    • CloseHandle.KERNEL32 ref: 004397F8
    • GetSystemTimeAsFileTime.KERNEL32 ref: 00439806
      • Part of subcall function 00455CA4: GetFileAttributesW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data), ref: 00455CB1
      • Part of subcall function 00455CA4: CreateFileW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data,80000000,00000007,00000000,00000003,?,00000000), ref: 00455CD1
    • lstrcpyW.KERNEL32(?), ref: 00439856
      • Part of subcall function 0045065A: PathIsDirectoryW.SHLWAPI ref: 00450690
      • Part of subcall function 0045065A: CreateFileW.KERNEL32(02000000,40000000,00000007,00000000,00000003,02000000,00000000), ref: 004506B2
      • Part of subcall function 0045065A: GetFileTime.KERNEL32(?,?,00000000,00000000), ref: 004506F8
      • Part of subcall function 0045065A: CloseHandle.KERNEL32 ref: 00450717
      • Part of subcall function 0045065A: PathRemoveFileSpecW.SHLWAPI ref: 00450724
    • memcpy.MSVCRT ref: 00439841
    • CloseHandle.KERNEL32 ref: 0043986F
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • memset.MSVCRT ref: 0045990F
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00459920
    • VirtualAlloc.KERNEL32(?,=::=::\,00003000,00000040), ref: 00459954
    • memset.MSVCRT ref: 00459994
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 004599A5
    • VirtualAlloc.KERNEL32(?,=::=::\,00003000,00000040), ref: 004599E5
    • memset.MSVCRT ref: 00459A50
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A8204E: memcpy.MSVCRT ref: 00A8205C
      • Part of subcall function 00A9570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00A9ABEA,00A9ABEA), ref: 00A9573C
    • PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00A96283
      • Part of subcall function 00A78F6F: memcpy.MSVCRT ref: 00A78FE0
      • Part of subcall function 00A78F6F: PathRemoveBackslashW.SHLWAPI ref: 00A78FEA
      • Part of subcall function 00A78F6F: memcpy.MSVCRT ref: 00A79033
      • Part of subcall function 00A78F6F: memcpy.MSVCRT ref: 00A79060
      • Part of subcall function 00A78F6F: PathRemoveBackslashW.SHLWAPI ref: 00A7906A
    • FindFirstFileW.KERNEL32 ref: 00A962F1
    • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00A9634A
    • FindClose.KERNEL32 ref: 00A96453
      • Part of subcall function 00A95AB0: GetFileSizeEx.KERNEL32 ref: 00A95ABB
      • Part of subcall function 00A824DA: HeapAlloc.KERNEL32(00000008,?,?,00A7B076,?,?,?,00000000,?,?,00000000,00A9AA69,?,00A9ADD5), ref: 00A824EB
    • SetLastError.KERNEL32(00000057,?,?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00A963BB
      • Part of subcall function 00A95B34: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00A95B46
    • CloseHandle.KERNEL32 ref: 00A963F5
      • Part of subcall function 00A95934: CloseHandle.KERNEL32 ref: 00A95940
    • FindNextFileW.KERNEL32 ref: 00A96429
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
      • Part of subcall function 00A95E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00A95E26
      • Part of subcall function 00A95E1D: DeleteFileW.KERNEL32 ref: 00A95E2D
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00A96256
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 0044204E: memcpy.MSVCRT ref: 0044205C
      • Part of subcall function 0045570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0045ABEA,0045ABEA), ref: 0045573C
    • PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00456283
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00438FE0
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 00438FEA
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439033
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439060
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 0043906A
    • FindFirstFileW.KERNEL32 ref: 004562F1
    • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0045634A
    • FindClose.KERNEL32 ref: 00456453
      • Part of subcall function 00455AB0: GetFileSizeEx.KERNEL32(?,?), ref: 00455ABB
      • Part of subcall function 004424DA: HeapAlloc.KERNEL32(00000008,?,?,0043B076,?,?,?,00000000,?,?,00000000,0045AA69,?,0045ADD5), ref: 004424EB
    • SetLastError.KERNEL32(00000057,?,?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 004563BB
      • Part of subcall function 00455B34: ReadFile.KERNEL32(00000000,?,?,?,00000000), ref: 00455B46
    • CloseHandle.KERNEL32 ref: 004563F5
      • Part of subcall function 00455934: CloseHandle.KERNEL32 ref: 00455940
    • FindNextFileW.KERNEL32 ref: 00456429
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 00455E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00455E26
      • Part of subcall function 00455E1D: DeleteFileW.KERNEL32 ref: 00455E2D
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00456256
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A9CB85: InternetCloseHandle.WININET ref: 00A9CB99
    • HttpOpenRequestA.WININET(?,?,?,HTTP/1.1,00000000,00A6C9E0,?,00000000), ref: 00A9CCE9
    • HttpAddRequestHeadersA.WININET(?,Connection: Close,00000013,A0000000), ref: 00A9CD0C
    • HttpSendRequestExA.WININET(?,?,00000000,00000000,00000000), ref: 00A9CD4E
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 0045CB85: InternetCloseHandle.WININET ref: 0045CB99
    • HttpOpenRequestA.WININET(?,?,?,HTTP/1.1,00000000,0042C9E0,?,00000000), ref: 0045CCE9
    • HttpAddRequestHeadersA.WININET(?,Connection: Close,00000013,A0000000), ref: 0045CD0C
    • HttpSendRequestExA.WININET(?,?,00000000,00000000,00000000), ref: 0045CD4E
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00A75BC1
    • Process32FirstW.KERNEL32 ref: 00A75BE6
      • Part of subcall function 00A9C012: CreateMutexW.KERNEL32(00AA49B4,00000001), ref: 00A9C058
      • Part of subcall function 00A9C012: GetLastError.KERNEL32(?,?,?,?,00000002,00000000), ref: 00A9C064
      • Part of subcall function 00A9C012: CloseHandle.KERNEL32 ref: 00A9C072
    • OpenProcess.KERNEL32(00000400,00000000,?), ref: 00A75C3D
    • CloseHandle.KERNEL32(?), ref: 00A75D07
      • Part of subcall function 00A7AEE3: OpenProcessToken.ADVAPI32(?,00000008), ref: 00A7AEF5
      • Part of subcall function 00A7AEE3: GetTokenInformation.ADVAPI32(?,0000000C,00AA49A8,00000004), ref: 00A7AF1D
      • Part of subcall function 00A7AEE3: CloseHandle.KERNEL32(?), ref: 00A7AF33
    • CloseHandle.KERNEL32 ref: 00A75C5B
    • GetLengthSid.ADVAPI32 ref: 00A75C77
    • memcmp.MSVCRT ref: 00A75C8F
      • Part of subcall function 00A82543: HeapAlloc.KERNEL32(00000008,?,?,00000000,00A8D89F,?,?,?,00000000,00000000,00000000,00A8D869,?,00A7B3C7,?,@echo off%sdel /F "%s"), ref: 00A8256D
      • Part of subcall function 00A82543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00A8D89F,?,?,?,00000000,00000000,00000000,00A8D869,?,00A7B3C7), ref: 00A82580
      • Part of subcall function 00A75B0B: OpenProcess.KERNEL32(0000047A,00000000,?), ref: 00A75B19
      • Part of subcall function 00A75B0B: CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000000,00000000), ref: 00A75B5A
      • Part of subcall function 00A75B0B: WaitForSingleObject.KERNEL32(?,00002710), ref: 00A75B6C
      • Part of subcall function 00A75B0B: CloseHandle.KERNEL32 ref: 00A75B73
      • Part of subcall function 00A75B0B: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00A75B85
      • Part of subcall function 00A75B0B: CloseHandle.KERNEL32 ref: 00A75B8C
    • Process32NextW.KERNEL32(?,?), ref: 00A75D13
    • CloseHandle.KERNEL32 ref: 00A75D26
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00435BC1
    • Process32FirstW.KERNEL32 ref: 00435BE6
      • Part of subcall function 0045C012: CreateMutexW.KERNEL32(004649B4,00000001), ref: 0045C058
      • Part of subcall function 0045C012: GetLastError.KERNEL32(?,?,?,?,00000002,00000000), ref: 0045C064
      • Part of subcall function 0045C012: CloseHandle.KERNEL32 ref: 0045C072
    • OpenProcess.KERNEL32(00000400,00000000,?), ref: 00435C3D
    • CloseHandle.KERNEL32(?), ref: 00435D07
      • Part of subcall function 0043AEE3: OpenProcessToken.ADVAPI32(?,00000008), ref: 0043AEF5
      • Part of subcall function 0043AEE3: GetTokenInformation.ADVAPI32(?,0000000C,004649A8,00000004), ref: 0043AF1D
      • Part of subcall function 0043AEE3: CloseHandle.KERNEL32(?), ref: 0043AF33
    • CloseHandle.KERNEL32 ref: 00435C5B
    • GetLengthSid.ADVAPI32 ref: 00435C77
    • memcmp.MSVCRT ref: 00435C8F
      • Part of subcall function 00442543: HeapAlloc.KERNEL32(00000008,?,?,00000000,0044D89F,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7,?,@echo off%sdel /F "%s"), ref: 0044256D
      • Part of subcall function 00442543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0044D89F,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7), ref: 00442580
      • Part of subcall function 00435B0B: OpenProcess.KERNEL32(0000047A,00000000,?), ref: 00435B19
      • Part of subcall function 00435B0B: CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000000,00000000), ref: 00435B5A
      • Part of subcall function 00435B0B: WaitForSingleObject.KERNEL32(?,00002710), ref: 00435B6C
      • Part of subcall function 00435B0B: CloseHandle.KERNEL32 ref: 00435B73
      • Part of subcall function 00435B0B: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00435B85
      • Part of subcall function 00435B0B: CloseHandle.KERNEL32 ref: 00435B8C
    • Process32NextW.KERNEL32(?,?), ref: 00435D13
    • CloseHandle.KERNEL32 ref: 00435D26
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(00465AA4,?,?,?,?,?,?,?,?,?,?), ref: 00461CE8
    • LeaveCriticalSection.KERNEL32(00465AA4,?,?,?,?,?,?,?,?,?), ref: 00461D12
      • Part of subcall function 0045FEDF: memset.MSVCRT ref: 0045FEF5
      • Part of subcall function 0045FEDF: InitializeCriticalSection.KERNEL32(00465050), ref: 0045FF05
      • Part of subcall function 0045FEDF: memset.MSVCRT ref: 0045FF34
      • Part of subcall function 0045FEDF: InitializeCriticalSection.KERNEL32(00465030), ref: 0045FF3E
      • Part of subcall function 004424C1: HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
      • Part of subcall function 00439FB3: memcpy.MSVCRT ref: 00439FE9
    • memcmp.MSVCRT ref: 00461E03
    • memcmp.MSVCRT ref: 00461E34
      • Part of subcall function 00439F5F: memcpy.MSVCRT ref: 00439F99
    • EnterCriticalSection.KERNEL32(00465050), ref: 00461EA7
      • Part of subcall function 0045FFD8: GetTickCount.KERNEL32 ref: 0045FFDF
      • Part of subcall function 004603D0: EnterCriticalSection.KERNEL32(00465030,0046506C,?,?,00465050), ref: 004603E3
      • Part of subcall function 004603D0: LeaveCriticalSection.KERNEL32(00465030,?,?,00465050), ref: 00460559
      • Part of subcall function 0046061B: EnterCriticalSection.KERNEL32(00000000,?,?,?,?,00465050), ref: 004606F5
      • Part of subcall function 0046061B: LeaveCriticalSection.KERNEL32(00000000,000000FF,00000000,?,?,?,?,00465050), ref: 0046071D
    • LeaveCriticalSection.KERNEL32(00465050,0046506C,0046506C,0046506C), ref: 00461EF7
      • Part of subcall function 0045DD3E: lstrlenA.KERNEL32(?,?,?,?,?,?,0046506C,?,?,00465050), ref: 0045DD52
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • GetProcAddress.KERNEL32(?), ref: 00A7C9E1
    • GetProcAddress.KERNEL32(?,?), ref: 00A7CA03
    • GetProcAddress.KERNEL32(?,?), ref: 00A7CA1E
    • GetProcAddress.KERNEL32(?,?), ref: 00A7CA39
    • GetProcAddress.KERNEL32(?,?), ref: 00A7CA54
    • GetProcAddress.KERNEL32(?), ref: 00A7CA6F
    • GetProcAddress.KERNEL32(?), ref: 00A7CA8E
    • GetProcAddress.KERNEL32(?), ref: 00A7CAAD
    • GetProcAddress.KERNEL32(?), ref: 00A7CACC
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • GetCommandLineW.KERNEL32 ref: 00AA2ADA
    • CommandLineToArgvW.SHELL32 ref: 00AA2AE1
    • StrCmpNW.SHLWAPI(?,00A6CA4C,00000002), ref: 00AA2B07
    • LocalFree.KERNEL32 ref: 00AA2B33
      • Part of subcall function 00A824C1: HeapAlloc.KERNEL32(00000000,00000028,?,00A9D211,?,?,00000000,?,?,00000001), ref: 00A824D2
    • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,00001000), ref: 00AA2B70
    • memcpy.MSVCRT ref: 00AA2B83
      • Part of subcall function 00A8E043: memcpy.MSVCRT ref: 00A8E070
    • UnmapViewOfFile.KERNEL32 ref: 00AA2BBC
    • CloseHandle.KERNEL32 ref: 00AA2BF8
      • Part of subcall function 00AA2F3B: memset.MSVCRT ref: 00AA2F5F
      • Part of subcall function 00AA2F3B: memcpy.MSVCRT ref: 00AA2FBF
      • Part of subcall function 00AA2F3B: memcpy.MSVCRT ref: 00AA2FD7
      • Part of subcall function 00AA2F3B: memcpy.MSVCRT ref: 00AA304D
    • memcpy.MSVCRT ref: 00AA2BDF
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • GetCommandLineW.KERNEL32 ref: 00462ADA
    • CommandLineToArgvW.SHELL32 ref: 00462AE1
    • StrCmpNW.SHLWAPI(?,0042CA4C,00000002), ref: 00462B07
    • LocalFree.KERNEL32 ref: 00462B33
      • Part of subcall function 004424C1: HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
    • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,00001000), ref: 00462B70
    • memcpy.MSVCRT ref: 00462B83
      • Part of subcall function 0044E043: memcpy.MSVCRT ref: 0044E070
    • UnmapViewOfFile.KERNEL32 ref: 00462BBC
    • CloseHandle.KERNEL32 ref: 00462BF8
      • Part of subcall function 00462F3B: memset.MSVCRT ref: 00462F5F
      • Part of subcall function 00462F3B: memcpy.MSVCRT ref: 00462FBF
      • Part of subcall function 00462F3B: memcpy.MSVCRT ref: 00462FD7
      • Part of subcall function 00462F3B: memcpy.MSVCRT ref: 0046304D
    • memcpy.MSVCRT ref: 00462BDF
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00A9CEB9
      • Part of subcall function 00A824C1: HeapAlloc.KERNEL32(00000000,00000028,?,00A9D211,?,?,00000000,?,?,00000001), ref: 00A824D2
    • CloseHandle.KERNEL32 ref: 00A9CEDE
    • SetLastError.KERNEL32(00000008,?,?,?,?,00A879D8,?,?,?,?), ref: 00A9CEE6
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00A9CF03
    • InternetReadFile.WININET(?,?,00001000), ref: 00A9CF21
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00A9CF56
    • FlushFileBuffers.KERNEL32 ref: 00A9CF6F
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
    • CloseHandle.KERNEL32 ref: 00A9CF82
    • SetLastError.KERNEL32(00000000,?,?,00001000,?,?,?,?,00A879D8,?,?,?,?), ref: 00A9CF9D
      • Part of subcall function 00A95E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00A95E26
      • Part of subcall function 00A95E1D: DeleteFileW.KERNEL32 ref: 00A95E2D
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 0045CEB9
      • Part of subcall function 004424C1: HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
    • CloseHandle.KERNEL32 ref: 0045CEDE
    • SetLastError.KERNEL32(00000008,?,?,?,?,004479D8,?,?,?,?), ref: 0045CEE6
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 0045CF03
    • InternetReadFile.WININET(?,?,00001000), ref: 0045CF21
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0045CF56
    • FlushFileBuffers.KERNEL32 ref: 0045CF6F
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • CloseHandle.KERNEL32 ref: 0045CF82
    • SetLastError.KERNEL32(00000000,?,?,00001000,?,?,?,?,004479D8,?,?,?,?), ref: 0045CF9D
      • Part of subcall function 00455E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00455E26
      • Part of subcall function 00455E1D: DeleteFileW.KERNEL32 ref: 00455E2D
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A841F9: CoInitializeEx.OLE32(00000000,00000000), ref: 00A84206
      • Part of subcall function 00A7645E: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,?,00A85B49), ref: 00A76470
      • Part of subcall function 00A7645E: #2.OLEAUT32(?,00000000,?,?,?,00A85B49), ref: 00A764A4
      • Part of subcall function 00A7645E: #6.OLEAUT32(?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00A85B49), ref: 00A764D9
      • Part of subcall function 00A7645E: CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00A764F9
    • #2.OLEAUT32(WQL), ref: 00A85BAF
    • #2.OLEAUT32 ref: 00A85BCB
    • #6.OLEAUT32(?,?,00000030,00000000), ref: 00A85BFB
    • #9.OLEAUT32(?,?,00000000,00000000), ref: 00A85C6C
      • Part of subcall function 00A76433: #6.OLEAUT32(?,00000000,00A85CA3), ref: 00A76450
      • Part of subcall function 00A76433: CoUninitialize.OLE32 ref: 00A84244
    • memcpy.MSVCRT ref: 00A85D45
    • memcpy.MSVCRT ref: 00A85D57
    • memcpy.MSVCRT ref: 00A85D69
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
      • Part of subcall function 00A824DA: HeapAlloc.KERNEL32(00000008,?,?,00A7B076,?,?,?,00000000,?,?,00000000,00A9AA69,?,00A9ADD5), ref: 00A824EB
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 004441F9: CoInitializeEx.OLE32(00000000,00000000), ref: 00444206
      • Part of subcall function 0043645E: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,?,00445B49), ref: 00436470
      • Part of subcall function 0043645E: #2.OLEAUT32(?,00000000,?,?,?,00445B49), ref: 004364A4
      • Part of subcall function 0043645E: #6.OLEAUT32(?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00445B49), ref: 004364D9
      • Part of subcall function 0043645E: CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 004364F9
    • #2.OLEAUT32(WQL), ref: 00445BAF
    • #2.OLEAUT32 ref: 00445BCB
    • #6.OLEAUT32(?,?,00000030,00000000), ref: 00445BFB
    • #9.OLEAUT32(?,?,00000000,00000000), ref: 00445C6C
      • Part of subcall function 00436433: #6.OLEAUT32(?,00000000,00445CA3), ref: 00436450
      • Part of subcall function 00436433: CoUninitialize.OLE32 ref: 00444244
    • memcpy.MSVCRT ref: 00445D45
    • memcpy.MSVCRT ref: 00445D57
    • memcpy.MSVCRT ref: 00445D69
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 004424DA: HeapAlloc.KERNEL32(00000008,?,?,0043B076,?,?,?,00000000,?,?,00000000,0045AA69,?,0045ADD5), ref: 004424EB
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A9D9E1: memset.MSVCRT ref: 00A9D9F0
      • Part of subcall function 00A9D9E1: memcpy.MSVCRT ref: 00A9DA17
      • Part of subcall function 00A841F9: CoInitializeEx.OLE32(00000000,00000000), ref: 00A84206
    • getsockopt.WS2_32(?,0000FFFF,00001008,00A69417,00A69417), ref: 00A886B2
    • GetHandleInformation.KERNEL32 ref: 00A886C4
      • Part of subcall function 00A7B764: EnterCriticalSection.KERNEL32(00AA5AA4,?,00A7B826,?,00A9C86A,00A8C4AB,00A8C4AB,?,00A8C4AB,?,00000001), ref: 00A7B774
      • Part of subcall function 00A7B764: LeaveCriticalSection.KERNEL32(00AA5AA4,?,00A7B826,?,00A9C86A,00A8C4AB,00A8C4AB,?,00A8C4AB,?,00000001), ref: 00A7B79E
    • socket.WS2_32(?,00000001,00000006), ref: 00A886F7
    • socket.WS2_32(?,00000002,00000011), ref: 00A88708
    • closesocket.WS2_32(?), ref: 00A88727
    • closesocket.WS2_32 ref: 00A8872E
      • Part of subcall function 00A824C1: HeapAlloc.KERNEL32(00000000,00000028,?,00A9D211,?,?,00000000,?,?,00000001), ref: 00A824D2
    • memset.MSVCRT ref: 00A887F2
      • Part of subcall function 00A7BC0C: bind.WS2_32(?,00A7BCEA), ref: 00A7BC53
      • Part of subcall function 00A7BC0C: listen.WS2_32(?,00000014), ref: 00A7BC68
      • Part of subcall function 00A7BC0C: WSAGetLastError.WS2_32(00000000,?,00A7BCEA,?,?,?,?,00000000), ref: 00A7BC76
      • Part of subcall function 00A7BC0C: WSASetLastError.WS2_32(?,?,00A7BCEA,?,?,?,?,00000000), ref: 00A7BC86
      • Part of subcall function 00A7BC93: memset.MSVCRT ref: 00A7BCA9
      • Part of subcall function 00A7BC93: WSAGetLastError.WS2_32(?,?,?,?,00000000), ref: 00A7BCEE
      • Part of subcall function 00A88A41: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00A88A52
    • memcpy.MSVCRT ref: 00A88902
      • Part of subcall function 00A7BAC9: memset.MSVCRT ref: 00A7BADE
      • Part of subcall function 00A7BAC9: getsockname.WS2_32(?,00A77C25), ref: 00A7BAF1
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 0045D9E1: memset.MSVCRT ref: 0045D9F0
      • Part of subcall function 0045D9E1: memcpy.MSVCRT ref: 0045DA17
      • Part of subcall function 004441F9: CoInitializeEx.OLE32(00000000,00000000), ref: 00444206
    • getsockopt.WS2_32(?,0000FFFF,00001008,00429417,00429417), ref: 004486B2
    • GetHandleInformation.KERNEL32 ref: 004486C4
      • Part of subcall function 0043B764: EnterCriticalSection.KERNEL32(00465AA4,?,0043B826,?,0045C86A,0044C4AB,0044C4AB,?,0044C4AB,?,00000001), ref: 0043B774
      • Part of subcall function 0043B764: LeaveCriticalSection.KERNEL32(00465AA4,?,0043B826,?,0045C86A,0044C4AB,0044C4AB,?,0044C4AB,?,00000001), ref: 0043B79E
    • socket.WS2_32(?,00000001,00000006), ref: 004486F7
    • socket.WS2_32(?,00000002,00000011), ref: 00448708
    • closesocket.WS2_32(?), ref: 00448727
    • closesocket.WS2_32 ref: 0044872E
      • Part of subcall function 004424C1: HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
    • memset.MSVCRT ref: 004487F2
      • Part of subcall function 0043BC0C: bind.WS2_32(?,0043BCEA), ref: 0043BC53
      • Part of subcall function 0043BC0C: listen.WS2_32(?,00000014), ref: 0043BC68
      • Part of subcall function 0043BC0C: WSAGetLastError.WS2_32(00000000,?,0043BCEA,?,?,?,?,00000000), ref: 0043BC76
      • Part of subcall function 0043BC0C: WSASetLastError.WS2_32(?,?,0043BCEA,?,?,?,?,00000000), ref: 0043BC86
      • Part of subcall function 0043BC93: memset.MSVCRT ref: 0043BCA9
      • Part of subcall function 0043BC93: WSAGetLastError.WS2_32(?,?,?,?,00000000), ref: 0043BCEE
      • Part of subcall function 00448A41: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00448A52
    • memcpy.MSVCRT ref: 00448902
      • Part of subcall function 0043BAC9: memset.MSVCRT ref: 0043BADE
      • Part of subcall function 0043BAC9: getsockname.WS2_32(?,00437C25), ref: 0043BAF1
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(00AA5AA4,?,00AA4DF4,00000000,00000006,00A9BD7A,00AA4DF4,-00000258,?,00000000), ref: 00A78E6A
    • LeaveCriticalSection.KERNEL32(00AA5AA4,?,00000000), ref: 00A78E9D
      • Part of subcall function 00A81E94: GetModuleHandleW.KERNEL32(shell32.dll), ref: 00A81EA2
      • Part of subcall function 00A81E94: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00A81EAE
      • Part of subcall function 00A81E94: SetLastError.KERNEL32(00000001,00A78F04,00AA47C0,?,00AA4DF4,00000000,00000006,00A9BD7A,00AA4DF4,-00000258,?,00000000), ref: 00A81EC6
    • CoTaskMemFree.OLE32(?), ref: 00A78F36
    • PathRemoveBackslashW.SHLWAPI(00000006), ref: 00A78F44
    • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,00000006), ref: 00A78F5C
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00DD201C,00DD2010,?,?,00A8A99B,00000000,00A8A6E2,00000000,?,00000000,?,?,?,00A9B2E2,?,00000001), ref: 00A78D3D
    • CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00A78D76
    • DuplicateHandle.KERNEL32(000000FF,?,000000FF,00A8A99B,00000000,00000000,00000002), ref: 00A78D95
    • GetLastError.KERNEL32(?,000000FF,00A8A99B,00000000,00000000,00000002,?,?,00A8A99B,00000000,00A8A6E2,00000000,?,00000000), ref: 00A78D9F
    • TerminateThread.KERNEL32 ref: 00A78DA7
    • CloseHandle.KERNEL32 ref: 00A78DAE
      • Part of subcall function 00A824F3: HeapAlloc.KERNEL32(00000000,?,?,?,00A76328,?,?,00A98D10,?,?,?,?,0000FFFF), ref: 00A8251D
      • Part of subcall function 00A824F3: HeapReAlloc.KERNEL32(00000000,?,?,?,?,00A76328,?,?,00A98D10,?,?,?,?,0000FFFF), ref: 00A82530
    • LeaveCriticalSection.KERNEL32(00DD201C,?,00A8A99B,00000000,00A8A6E2,00000000,?,00000000,?,?,?,00A9B2E2,?,00000001), ref: 00A78DC3
    • ResumeThread.KERNEL32 ref: 00A78DDC
      • Part of subcall function 00A82543: HeapAlloc.KERNEL32(00000008,?,?,00000000,00A8D89F,?,?,?,00000000,00000000,00000000,00A8D869,?,00A7B3C7,?,@echo off%sdel /F "%s"), ref: 00A8256D
      • Part of subcall function 00A82543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00A8D89F,?,?,?,00000000,00000000,00000000,00A8D869,?,00A7B3C7), ref: 00A82580
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(0000000C,00000000,?,?,0044A99B,00000000,0044A6E2,00000000,?,00000000,?,?,?,0045B2E2,?,00000001), ref: 00438D3D
    • CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00438D76
    • DuplicateHandle.KERNEL32(000000FF,?,000000FF,0044A99B,00000000,00000000,00000002), ref: 00438D95
    • GetLastError.KERNEL32(?,000000FF,0044A99B,00000000,00000000,00000002,?,?,0044A99B,00000000,0044A6E2,00000000,?,00000000), ref: 00438D9F
    • TerminateThread.KERNEL32 ref: 00438DA7
    • CloseHandle.KERNEL32 ref: 00438DAE
      • Part of subcall function 004424F3: HeapAlloc.KERNEL32(00000000,?,?,?,00436328,?,?,00458D10,?,?,?,?,0000FFFF), ref: 0044251D
      • Part of subcall function 004424F3: HeapReAlloc.KERNEL32(00000000,?,?,?,?,00436328,?,?,00458D10,?,?,?,?,0000FFFF), ref: 00442530
    • LeaveCriticalSection.KERNEL32(0000000C,?,0044A99B,00000000,0044A6E2,00000000,?,00000000,?,?,?,0045B2E2,?,00000001), ref: 00438DC3
    • ResumeThread.KERNEL32 ref: 00438DDC
      • Part of subcall function 00442543: HeapAlloc.KERNEL32(00000008,?,?,00000000,0044D89F,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7,?,@echo off%sdel /F "%s"), ref: 0044256D
      • Part of subcall function 00442543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0044D89F,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7), ref: 00442580
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00455BEB
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00459BEC
    • memcpy.MSVCRT ref: 00459C39
    • GetThreadContext.KERNEL32(?,00000010), ref: 00459CAF
    • SetThreadContext.KERNEL32(?,?), ref: 00459D1A
    • GetCurrentProcess.KERNEL32 ref: 00459D33
    • VirtualProtect.KERNEL32(?,0000007C,?), ref: 00459D58
    • FlushInstructionCache.KERNEL32(?,?,0000007C), ref: 00459D6A
      • Part of subcall function 00459A67: memset.MSVCRT ref: 00459A78
      • Part of subcall function 00459821: GetCurrentProcess.KERNEL32 ref: 00459824
      • Part of subcall function 00459821: VirtualProtect.KERNEL32(00000000,=::=::\,00000020), ref: 00459845
      • Part of subcall function 00459821: FlushInstructionCache.KERNEL32(?,00000000,=::=::\), ref: 0045984E
    • ResumeThread.KERNEL32(?), ref: 00459DAB
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 00459B45: GetCurrentThreadId.KERNEL32 ref: 00459B46
      • Part of subcall function 00459B45: VirtualProtect.KERNEL32(?,0000007C,?,?), ref: 00459B7D
      • Part of subcall function 00459B45: ResumeThread.KERNEL32(?), ref: 00459BBE
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A8204E: memcpy.MSVCRT ref: 00A8205C
      • Part of subcall function 00A825A7: memcpy.MSVCRT ref: 00A825C6
      • Part of subcall function 00A9570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00A9ABEA,00A9ABEA), ref: 00A9573C
    • PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00A96103
    • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000001,00000080,00000000), ref: 00A9617B
    • GetLastError.KERNEL32(?,C0000000,00000000,00000000,00000001,00000080,00000000,?,?,?,?,00000000,3D94878D), ref: 00A96188
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00A961B2
    • FlushFileBuffers.KERNEL32 ref: 00A961CC
    • CloseHandle.KERNEL32 ref: 00A961D3
      • Part of subcall function 00A95E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00A95E26
      • Part of subcall function 00A95E1D: DeleteFileW.KERNEL32 ref: 00A95E2D
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
      • Part of subcall function 00A78F6F: memcpy.MSVCRT ref: 00A78FE0
      • Part of subcall function 00A78F6F: PathRemoveBackslashW.SHLWAPI ref: 00A78FEA
      • Part of subcall function 00A78F6F: memcpy.MSVCRT ref: 00A79033
      • Part of subcall function 00A78F6F: memcpy.MSVCRT ref: 00A79060
      • Part of subcall function 00A78F6F: PathRemoveBackslashW.SHLWAPI ref: 00A7906A
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00A960D6
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 0044204E: memcpy.MSVCRT ref: 0044205C
      • Part of subcall function 004425A7: memcpy.MSVCRT ref: 004425C6
      • Part of subcall function 0045570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0045ABEA,0045ABEA), ref: 0045573C
    • PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00456103
    • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000001,00000080,00000000), ref: 0045617B
    • GetLastError.KERNEL32(?,C0000000,00000000,00000000,00000001,00000080,00000000,?,?,?,?,00000000,3D94878D), ref: 00456188
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004561B2
    • FlushFileBuffers.KERNEL32 ref: 004561CC
    • CloseHandle.KERNEL32 ref: 004561D3
      • Part of subcall function 00455E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00455E26
      • Part of subcall function 00455E1D: DeleteFileW.KERNEL32 ref: 00455E2D
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00438FE0
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 00438FEA
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439033
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439060
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 0043906A
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 004560D6
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • LoadLibraryW.KERNEL32 ref: 00A795A7
    • GetProcAddress.KERNEL32 ref: 00A795D5
    • GetProcAddress.KERNEL32 ref: 00A795EF
    • GetProcAddress.KERNEL32 ref: 00A7960B
    • FreeLibrary.KERNEL32(00000003), ref: 00A796B9
      • Part of subcall function 00A7AF99: GetCurrentThread.KERNEL32 ref: 00A7AFAD
      • Part of subcall function 00A7AF99: OpenThreadToken.ADVAPI32 ref: 00A7AFB4
      • Part of subcall function 00A7AF99: GetCurrentProcess.KERNEL32 ref: 00A7AFC4
      • Part of subcall function 00A7AF99: OpenProcessToken.ADVAPI32 ref: 00A7AFCB
      • Part of subcall function 00A7AF99: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege), ref: 00A7AFEC
      • Part of subcall function 00A7AF99: AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 00A7B001
      • Part of subcall function 00A7AF99: GetLastError.KERNEL32 ref: 00A7B00B
      • Part of subcall function 00A7AF99: CloseHandle.KERNEL32(00000001), ref: 00A7B01C
    • WTSGetActiveConsoleSessionId.KERNEL32 ref: 00A79638
      • Part of subcall function 00A7950C: EqualSid.ADVAPI32(?,5B867A00), ref: 00A7952F
      • Part of subcall function 00A7950C: CloseHandle.KERNEL32(00000001), ref: 00A79576
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • LoadLibraryW.KERNEL32 ref: 004395A7
    • GetProcAddress.KERNEL32 ref: 004395D5
    • GetProcAddress.KERNEL32 ref: 004395EF
    • GetProcAddress.KERNEL32 ref: 0043960B
    • FreeLibrary.KERNEL32 ref: 004396B9
      • Part of subcall function 0043AF99: GetCurrentThread.KERNEL32 ref: 0043AFAD
      • Part of subcall function 0043AF99: OpenThreadToken.ADVAPI32 ref: 0043AFB4
      • Part of subcall function 0043AF99: GetCurrentProcess.KERNEL32 ref: 0043AFC4
      • Part of subcall function 0043AF99: OpenProcessToken.ADVAPI32 ref: 0043AFCB
      • Part of subcall function 0043AF99: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege), ref: 0043AFEC
      • Part of subcall function 0043AF99: AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 0043B001
      • Part of subcall function 0043AF99: GetLastError.KERNEL32 ref: 0043B00B
      • Part of subcall function 0043AF99: CloseHandle.KERNEL32(00000001), ref: 0043B01C
    • WTSGetActiveConsoleSessionId.KERNEL32 ref: 00439638
      • Part of subcall function 0043950C: EqualSid.ADVAPI32(?,5B867A00), ref: 0043952F
      • Part of subcall function 0043950C: CloseHandle.KERNEL32(00000001), ref: 00439576
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • GetEnvironmentStringsW.KERNEL32 ref: 004017DC
    • GetLastError.KERNEL32(?,?,?,?,0040113A,?,00491DB0,00000060), ref: 004017F0
    • GetEnvironmentStringsW.KERNEL32 ref: 00401812
    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00401846
    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 00401868
      • Part of subcall function 0040230E: HeapFree.KERNEL32(00000000,?,00492318,0000000C,00401F0C,?,?,?,00000000,?,00401E30,?,00491DB0,00000060), ref: 00402373
    • FreeEnvironmentStringsW.KERNEL32 ref: 00401881
    • GetEnvironmentStrings.KERNEL32(00093156,00000000,?,?,?,?,0040113A,?,00491DB0,00000060), ref: 00401897
    • FreeEnvironmentStringsA.KERNEL32 ref: 004018D3
    Memory Dump Source
    • Source File: 00000002.00000000.251083961.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000000.251077299.00400000.00000002.sdmp
    • Associated: 00000002.00000000.251140485.00487000.00000002.sdmp
    • Associated: 00000002.00000000.251150254.00494000.00000008.sdmp
    • Associated: 00000002.00000000.251160158.004A1000.00000002.sdmp
    APIs
    • memcpy.MSVCRT ref: 00A95D6C
    • memcpy.MSVCRT ref: 00A95D81
    • memcpy.MSVCRT ref: 00A95D96
    • memcpy.MSVCRT ref: 00A95DA5
      • Part of subcall function 00A958ED: EnterCriticalSection.KERNEL32(00AA5AA4,?,00A95BB2,?,00A95C0A,?,?,?,?,C:\Documents and Settings\Administrator\Local Settings\Application Data,00000000,00000000,00000000,?,00000000), ref: 00A958FD
      • Part of subcall function 00A958ED: LeaveCriticalSection.KERNEL32(00AA5AA4,?,C:\Documents and Settings\Administrator\Local Settings\Application Data,00000000,00000000,00000000,?,00000000,?,00000002,?,C:\Documents and Settings\Administrator\Local Settings\Application Data,C:\Documents and Settings\Administrator\Local Settings\Application Data,?,00A9A856), ref: 00A9592C
      • Part of subcall function 00A81E94: GetModuleHandleW.KERNEL32(shell32.dll), ref: 00A81EA2
      • Part of subcall function 00A81E94: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00A81EAE
      • Part of subcall function 00A81E94: SetLastError.KERNEL32(00000001,00A78F04,00AA47C0,?,00AA4DF4,00000000,00000006,00A9BD7A,00AA4DF4,-00000258,?,00000000), ref: 00A81EC6
    • SetFileTime.KERNEL32(?,?,?,?), ref: 00A95E0A
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • GetFileAttributesW.KERNEL32 ref: 00AA2485
    • FlushFileBuffers.KERNEL32 ref: 00AA256B
      • Part of subcall function 00A7913F: FindFirstFileW.KERNEL32(?), ref: 00A79170
      • Part of subcall function 00A7913F: FindNextFileW.KERNEL32(?,?), ref: 00A791C2
      • Part of subcall function 00A7913F: FindClose.KERNEL32 ref: 00A791CD
      • Part of subcall function 00A7913F: SetFileAttributesW.KERNEL32(?,00000080), ref: 00A791D9
      • Part of subcall function 00A7913F: RemoveDirectoryW.KERNEL32 ref: 00A791E0
      • Part of subcall function 00A95E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00A95E26
      • Part of subcall function 00A95E1D: DeleteFileW.KERNEL32 ref: 00A95E2D
    • PathRemoveFileSpecW.SHLWAPI(?), ref: 00AA24BA
      • Part of subcall function 00A95947: GetTempPathW.KERNEL32(00000104,?), ref: 00A95962
      • Part of subcall function 00A95947: PathAddBackslashW.SHLWAPI(?), ref: 00A9598C
      • Part of subcall function 00A95947: CreateDirectoryW.KERNEL32(?), ref: 00A95A44
      • Part of subcall function 00A95947: SetFileAttributesW.KERNEL32(?), ref: 00A95A55
      • Part of subcall function 00A95947: CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 00A95A6E
      • Part of subcall function 00A95947: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000080,?,?,00000000), ref: 00A95A7F
    • MoveFileExW.KERNEL32(?,?,00000001), ref: 00AA2501
    • CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 00AA251A
      • Part of subcall function 00A95B5F: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00A95B87
      • Part of subcall function 00A95934: CloseHandle.KERNEL32 ref: 00A95940
    • Sleep.KERNEL32(00001388), ref: 00AA255D
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • GetFileAttributesW.KERNEL32(00000000), ref: 00462485
    • FlushFileBuffers.KERNEL32 ref: 0046256B
      • Part of subcall function 0043913F: FindFirstFileW.KERNEL32(?), ref: 00439170
      • Part of subcall function 0043913F: FindNextFileW.KERNEL32(?,?), ref: 004391C2
      • Part of subcall function 0043913F: FindClose.KERNEL32 ref: 004391CD
      • Part of subcall function 0043913F: SetFileAttributesW.KERNEL32(00000000,00000080), ref: 004391D9
      • Part of subcall function 0043913F: RemoveDirectoryW.KERNEL32(00000000), ref: 004391E0
      • Part of subcall function 00455E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00455E26
      • Part of subcall function 00455E1D: DeleteFileW.KERNEL32 ref: 00455E2D
    • PathRemoveFileSpecW.SHLWAPI ref: 004624BA
      • Part of subcall function 00455947: GetTempPathW.KERNEL32(00000104,?), ref: 00455962
      • Part of subcall function 00455947: PathAddBackslashW.SHLWAPI(?), ref: 0045598C
      • Part of subcall function 00455947: CreateDirectoryW.KERNEL32(?), ref: 00455A44
      • Part of subcall function 00455947: SetFileAttributesW.KERNEL32(?), ref: 00455A55
      • Part of subcall function 00455947: CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 00455A6E
      • Part of subcall function 00455947: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000080,?,?,00000000), ref: 00455A7F
    • MoveFileExW.KERNEL32(00000000,?,00000001), ref: 00462501
    • CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 0046251A
      • Part of subcall function 00455B5F: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00455B87
      • Part of subcall function 00455934: CloseHandle.KERNEL32 ref: 00455940
    • Sleep.KERNEL32(00001388), ref: 0046255D
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00A95BEB
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00AA5AA4,?,?,?,00A90C47,?,?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00A90AB3
    • LeaveCriticalSection.KERNEL32(00AA5AA4,?,?,?,00A90C47,?,?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00A90ADB
    • GetModuleHandleW.KERNEL32(advapi32.dll), ref: 00A90AF7
    • GetProcAddress.KERNEL32 ref: 00A90AFE
    • RegDeleteKeyW.ADVAPI32(?), ref: 00A90B20
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00465AA4,?,?,?,00450C47,?,?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00450AB3
    • LeaveCriticalSection.KERNEL32(00465AA4,?,?,?,00450C47,?,?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00450ADB
    • GetModuleHandleW.KERNEL32(advapi32.dll), ref: 00450AF7
    • GetProcAddress.KERNEL32 ref: 00450AFE
    • RegDeleteKeyW.ADVAPI32(?), ref: 00450B20
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A76A4D: TlsSetValue.KERNEL32(00000001,00A8A796), ref: 00A76A5A
    • GetCurrentThread.KERNEL32 ref: 00A8A799
    • SetThreadPriority.KERNEL32 ref: 00A8A7A0
      • Part of subcall function 00A9C09D: CreateMutexW.KERNEL32(00AA49B4,00000000), ref: 00A9C0BF
      • Part of subcall function 00A8204E: memcpy.MSVCRT ref: 00A8205C
      • Part of subcall function 00A9570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00A9ABEA,00A9ABEA), ref: 00A9573C
      • Part of subcall function 00A8A755: PathFindFileNameW.SHLWAPI(000001ED), ref: 00A8A759
      • Part of subcall function 00A8A755: PathRemoveExtensionW.SHLWAPI ref: 00A8A76D
      • Part of subcall function 00A8A755: CharUpperW.USER32 ref: 00A8A777
    • PathQuoteSpacesW.SHLWAPI ref: 00A8A83E
      • Part of subcall function 00A9AFD3: WaitForSingleObject.KERNEL32(00000000,00A8A849), ref: 00A9AFDB
    • WaitForSingleObject.KERNEL32 ref: 00A8A879
    • StrCmpW.SHLWAPI ref: 00A8A8D7
      • Part of subcall function 00A907B0: RegCreateKeyExW.ADVAPI32(80000001,00000102,00000000,00000000,00000000,?,00000000,?,?), ref: 00A907D8
    • RegSetValueExW.ADVAPI32(000000FF,?,00000000,00000001), ref: 00A8A938
      • Part of subcall function 00A90755: RegFlushKey.ADVAPI32 ref: 00A90765
      • Part of subcall function 00A90755: RegCloseKey.ADVAPI32 ref: 00A9076D
    • WaitForSingleObject.KERNEL32 ref: 00A8A959
      • Part of subcall function 00A7766D: ReleaseMutex.KERNEL32 ref: 00A77671
      • Part of subcall function 00A7766D: CloseHandle.KERNEL32 ref: 00A77678
      • Part of subcall function 00A8B7FF: EnterCriticalSection.KERNEL32(00AA47FC,?,?,00A959A9,00000000), ref: 00A8B80C
      • Part of subcall function 00A8B7FF: LeaveCriticalSection.KERNEL32(00AA47FC,?,?,00A959A9,00000000), ref: 00A8B81A
      • Part of subcall function 00A78F6F: memcpy.MSVCRT ref: 00A78FE0
      • Part of subcall function 00A78F6F: PathRemoveBackslashW.SHLWAPI ref: 00A78FEA
      • Part of subcall function 00A78F6F: memcpy.MSVCRT ref: 00A79033
      • Part of subcall function 00A78F6F: memcpy.MSVCRT ref: 00A79060
      • Part of subcall function 00A78F6F: PathRemoveBackslashW.SHLWAPI ref: 00A7906A
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 00A8A7EC
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 00436A4D: TlsSetValue.KERNEL32(00000001,0044A796), ref: 00436A5A
    • GetCurrentThread.KERNEL32 ref: 0044A799
    • SetThreadPriority.KERNEL32 ref: 0044A7A0
      • Part of subcall function 0045C09D: CreateMutexW.KERNEL32(004649B4,00000000), ref: 0045C0BF
      • Part of subcall function 0044204E: memcpy.MSVCRT ref: 0044205C
      • Part of subcall function 0045570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0045ABEA,0045ABEA), ref: 0045573C
      • Part of subcall function 0044A755: PathFindFileNameW.SHLWAPI(000001ED), ref: 0044A759
      • Part of subcall function 0044A755: PathRemoveExtensionW.SHLWAPI ref: 0044A76D
      • Part of subcall function 0044A755: CharUpperW.USER32 ref: 0044A777
    • PathQuoteSpacesW.SHLWAPI ref: 0044A83E
      • Part of subcall function 0045AFD3: WaitForSingleObject.KERNEL32(00000000,0044A849), ref: 0045AFDB
    • WaitForSingleObject.KERNEL32 ref: 0044A879
    • StrCmpW.SHLWAPI ref: 0044A8D7
      • Part of subcall function 004507B0: RegCreateKeyExW.ADVAPI32(80000001,00000102,00000000,00000000,00000000,?,00000000,?,?), ref: 004507D8
    • RegSetValueExW.ADVAPI32(000000FF,?,00000000,00000001), ref: 0044A938
      • Part of subcall function 00450755: RegFlushKey.ADVAPI32 ref: 00450765
      • Part of subcall function 00450755: RegCloseKey.ADVAPI32 ref: 0045076D
    • WaitForSingleObject.KERNEL32 ref: 0044A959
      • Part of subcall function 0043766D: ReleaseMutex.KERNEL32 ref: 00437671
      • Part of subcall function 0043766D: CloseHandle.KERNEL32 ref: 00437678
      • Part of subcall function 0044B7FF: EnterCriticalSection.KERNEL32(004647FC,?,?,004559A9,00000000), ref: 0044B80C
      • Part of subcall function 0044B7FF: LeaveCriticalSection.KERNEL32(004647FC,?,?,004559A9,00000000), ref: 0044B81A
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00438FE0
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 00438FEA
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439033
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439060
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 0043906A
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 0044A7EC
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • GetTickCount.KERNEL32 ref: 00A89ECE
    • EnterCriticalSection.KERNEL32 ref: 00A89EE3
    • WaitForSingleObject.KERNEL32(?,000927C0), ref: 00A89F28
    • GetTickCount.KERNEL32 ref: 00A89F3B
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
      • Part of subcall function 00A96875: GetSystemTime.KERNEL32 ref: 00A9687F
      • Part of subcall function 00A894FB: WaitForSingleObject.KERNEL32(?,00000000), ref: 00A89503
    • GetTickCount.KERNEL32 ref: 00A8A135
      • Part of subcall function 00A81B5D: memcmp.MSVCRT ref: 00A81B69
      • Part of subcall function 00A893A8: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00A8A111), ref: 00A893BE
      • Part of subcall function 00A893A8: memcpy.MSVCRT ref: 00A89419
      • Part of subcall function 00A893A8: LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00A8A111,?,00000002), ref: 00A89429
      • Part of subcall function 00A893A8: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 00A8945D
      • Part of subcall function 00A893A8: LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00A8A111), ref: 00A894E9
      • Part of subcall function 00A89A6F: memset.MSVCRT ref: 00A89B47
      • Part of subcall function 00A89A6F: memcpy.MSVCRT ref: 00A89BA2
      • Part of subcall function 00A89A6F: memcmp.MSVCRT ref: 00A89C1B
      • Part of subcall function 00A89A6F: memcpy.MSVCRT ref: 00A89C6F
      • Part of subcall function 00A89A6F: EnterCriticalSection.KERNEL32(?,?,00000FA0,?,-00001388), ref: 00A89D42
      • Part of subcall function 00A89A6F: LeaveCriticalSection.KERNEL32(?,?,?,00000FA0,?,-00001388), ref: 00A89D60
    • GetTickCount.KERNEL32 ref: 00A8A16E
    • LeaveCriticalSection.KERNEL32(?,?,00000002), ref: 00A8A191
      • Part of subcall function 00A8B7FF: EnterCriticalSection.KERNEL32(00AA47FC,?,?,00A959A9,00000000), ref: 00A8B80C
      • Part of subcall function 00A8B7FF: LeaveCriticalSection.KERNEL32(00AA47FC,?,?,00A959A9,00000000), ref: 00A8B81A
    • WaitForSingleObject.KERNEL32(?,-001B7740), ref: 00A8A1B6
    • LeaveCriticalSection.KERNEL32 ref: 00A8A1CC
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • GetTickCount.KERNEL32 ref: 00449ECE
    • EnterCriticalSection.KERNEL32 ref: 00449EE3
    • WaitForSingleObject.KERNEL32(?,000927C0), ref: 00449F28
    • GetTickCount.KERNEL32 ref: 00449F3B
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 00456875: GetSystemTime.KERNEL32 ref: 0045687F
      • Part of subcall function 004494FB: WaitForSingleObject.KERNEL32(?,00000000), ref: 00449503
    • GetTickCount.KERNEL32 ref: 0044A135
      • Part of subcall function 00441B5D: memcmp.MSVCRT ref: 00441B69
      • Part of subcall function 004493A8: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0044A111), ref: 004493BE
      • Part of subcall function 004493A8: memcpy.MSVCRT ref: 00449419
      • Part of subcall function 004493A8: LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0044A111,?,00000002), ref: 00449429
      • Part of subcall function 004493A8: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 0044945D
      • Part of subcall function 004493A8: LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0044A111), ref: 004494E9
      • Part of subcall function 00449A6F: memset.MSVCRT ref: 00449B47
      • Part of subcall function 00449A6F: memcpy.MSVCRT ref: 00449BA2
      • Part of subcall function 00449A6F: memcmp.MSVCRT ref: 00449C1B
      • Part of subcall function 00449A6F: memcpy.MSVCRT ref: 00449C6F
      • Part of subcall function 00449A6F: EnterCriticalSection.KERNEL32(?,?,00000FA0,?,-00001388), ref: 00449D42
      • Part of subcall function 00449A6F: LeaveCriticalSection.KERNEL32(?,?,?,00000FA0,?,-00001388), ref: 00449D60
    • GetTickCount.KERNEL32 ref: 0044A16E
    • LeaveCriticalSection.KERNEL32(?,?,00000002), ref: 0044A191
      • Part of subcall function 0044B7FF: EnterCriticalSection.KERNEL32(004647FC,?,?,004559A9,00000000), ref: 0044B80C
      • Part of subcall function 0044B7FF: LeaveCriticalSection.KERNEL32(004647FC,?,?,004559A9,00000000), ref: 0044B81A
    • WaitForSingleObject.KERNEL32(?,-001B7740), ref: 0044A1B6
    • LeaveCriticalSection.KERNEL32 ref: 0044A1CC
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A8CAF1: WaitForSingleObject.KERNEL32(?,00000000), ref: 00A8CB1D
      • Part of subcall function 00A8CAF1: GetSystemTime.KERNEL32(?), ref: 00A8CB54
      • Part of subcall function 00A8CAF1: Sleep.KERNEL32(000005DC), ref: 00A8CB6D
      • Part of subcall function 00A8CAF1: WaitForSingleObject.KERNEL32(?,000005DC), ref: 00A8CB76
      • Part of subcall function 00A8CAF1: lstrcpyA.KERNEL32 ref: 00A8CBD4
      • Part of subcall function 00A8163A: memcmp.MSVCRT ref: 00A81698
      • Part of subcall function 00A8163A: memcpy.MSVCRT ref: 00A816D6
      • Part of subcall function 00A9AFE8: memcpy.MSVCRT ref: 00A9AFF8
      • Part of subcall function 00A81781: memset.MSVCRT ref: 00A81794
      • Part of subcall function 00A81781: memcpy.MSVCRT ref: 00A817AF
      • Part of subcall function 00A81781: memcpy.MSVCRT ref: 00A817D7
      • Part of subcall function 00A81781: memcpy.MSVCRT ref: 00A817FB
    • memset.MSVCRT ref: 00A89B47
      • Part of subcall function 00A893A8: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00A8A111), ref: 00A893BE
      • Part of subcall function 00A893A8: memcpy.MSVCRT ref: 00A89419
      • Part of subcall function 00A893A8: LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00A8A111,?,00000002), ref: 00A89429
      • Part of subcall function 00A893A8: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 00A8945D
      • Part of subcall function 00A893A8: LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00A8A111), ref: 00A894E9
      • Part of subcall function 00A81B16: EnterCriticalSection.KERNEL32(00AA5AA4,?,00A88DDC,?,?,?,?,00A9B233,?,00000001), ref: 00A81B26
      • Part of subcall function 00A81B16: LeaveCriticalSection.KERNEL32(00AA5AA4,?,00A88DDC,?,?,?,?,00A9B233,?,00000001), ref: 00A81B50
    • memcpy.MSVCRT ref: 00A89BA2
      • Part of subcall function 00A894FB: WaitForSingleObject.KERNEL32(?,00000000), ref: 00A89503
    • memcmp.MSVCRT ref: 00A89C1B
      • Part of subcall function 00A82543: HeapAlloc.KERNEL32(00000008,?,?,00000000,00A8D89F,?,?,?,00000000,00000000,00000000,00A8D869,?,00A7B3C7,?,@echo off%sdel /F "%s"), ref: 00A8256D
      • Part of subcall function 00A82543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00A8D89F,?,?,?,00000000,00000000,00000000,00A8D869,?,00A7B3C7), ref: 00A82580
    • memcpy.MSVCRT ref: 00A89C6F
      • Part of subcall function 00A81A4F: memcmp.MSVCRT ref: 00A81A6B
      • Part of subcall function 00A81B5D: memcmp.MSVCRT ref: 00A81B69
      • Part of subcall function 00A8B7FF: EnterCriticalSection.KERNEL32(00AA47FC,?,?,00A959A9,00000000), ref: 00A8B80C
      • Part of subcall function 00A8B7FF: LeaveCriticalSection.KERNEL32(00AA47FC,?,?,00A959A9,00000000), ref: 00A8B81A
      • Part of subcall function 00A77E58: memcpy.MSVCRT ref: 00A77E70
    • EnterCriticalSection.KERNEL32(?,?,00000FA0,?,-00001388), ref: 00A89D42
    • LeaveCriticalSection.KERNEL32(?,?,?,00000FA0,?,-00001388), ref: 00A89D60
      • Part of subcall function 00A81821: memcpy.MSVCRT ref: 00A81848
      • Part of subcall function 00A81728: memcpy.MSVCRT ref: 00A81771
      • Part of subcall function 00A819AE: memcmp.MSVCRT ref: 00A81A24
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
      • Part of subcall function 00A74C10: _errno.MSVCRT ref: 00A74C2B
      • Part of subcall function 00A74C10: _errno.MSVCRT ref: 00A74C5D
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 0044CAF1: WaitForSingleObject.KERNEL32(?,00000000), ref: 0044CB1D
      • Part of subcall function 0044CAF1: GetSystemTime.KERNEL32(?), ref: 0044CB54
      • Part of subcall function 0044CAF1: Sleep.KERNEL32(000005DC), ref: 0044CB6D
      • Part of subcall function 0044CAF1: WaitForSingleObject.KERNEL32(?,000005DC), ref: 0044CB76
      • Part of subcall function 0044CAF1: lstrcpyA.KERNEL32 ref: 0044CBD4
      • Part of subcall function 0044163A: memcmp.MSVCRT ref: 00441698
      • Part of subcall function 0044163A: memcpy.MSVCRT ref: 004416D6
      • Part of subcall function 0045AFE8: memcpy.MSVCRT ref: 0045AFF8
      • Part of subcall function 00441781: memset.MSVCRT ref: 00441794
      • Part of subcall function 00441781: memcpy.MSVCRT ref: 004417AF
      • Part of subcall function 00441781: memcpy.MSVCRT ref: 004417D7
      • Part of subcall function 00441781: memcpy.MSVCRT ref: 004417FB
    • memset.MSVCRT ref: 00449B47
      • Part of subcall function 004493A8: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0044A111), ref: 004493BE
      • Part of subcall function 004493A8: memcpy.MSVCRT ref: 00449419
      • Part of subcall function 004493A8: LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0044A111,?,00000002), ref: 00449429
      • Part of subcall function 004493A8: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 0044945D
      • Part of subcall function 004493A8: LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0044A111), ref: 004494E9
      • Part of subcall function 00441B16: EnterCriticalSection.KERNEL32(00465AA4,?,00448DDC,?,?,?,?,0045B233,?,00000001), ref: 00441B26
      • Part of subcall function 00441B16: LeaveCriticalSection.KERNEL32(00465AA4,?,00448DDC,?,?,?,?,0045B233,?,00000001), ref: 00441B50
    • memcpy.MSVCRT ref: 00449BA2
      • Part of subcall function 004494FB: WaitForSingleObject.KERNEL32(?,00000000), ref: 00449503
    • memcmp.MSVCRT ref: 00449C1B
      • Part of subcall function 00442543: HeapAlloc.KERNEL32(00000008,?,?,00000000,0044D89F,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7,?,@echo off%sdel /F "%s"), ref: 0044256D
      • Part of subcall function 00442543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0044D89F,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7), ref: 00442580
    • memcpy.MSVCRT ref: 00449C6F
      • Part of subcall function 00441A4F: memcmp.MSVCRT ref: 00441A6B
      • Part of subcall function 00441B5D: memcmp.MSVCRT ref: 00441B69
      • Part of subcall function 0044B7FF: EnterCriticalSection.KERNEL32(004647FC,?,?,004559A9,00000000), ref: 0044B80C
      • Part of subcall function 0044B7FF: LeaveCriticalSection.KERNEL32(004647FC,?,?,004559A9,00000000), ref: 0044B81A
      • Part of subcall function 00437E58: memcpy.MSVCRT ref: 00437E70
    • EnterCriticalSection.KERNEL32(?,?,00000FA0,?,-00001388), ref: 00449D42
    • LeaveCriticalSection.KERNEL32(?,?,?,00000FA0,?,-00001388), ref: 00449D60
      • Part of subcall function 00441821: memcpy.MSVCRT ref: 00441848
      • Part of subcall function 00441728: memcpy.MSVCRT ref: 00441771
      • Part of subcall function 004419AE: memcmp.MSVCRT ref: 00441A24
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 00434C10: _errno.MSVCRT ref: 00434C2B
      • Part of subcall function 00434C10: _errno.MSVCRT ref: 00434C5D
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • GetCPInfo.KERNEL32(?,?), ref: 00404089
    • GetCPInfo.KERNEL32(?,?), ref: 0040409C
    • MultiByteToWideChar.KERNEL32(00000008,00000001,?,?,00000000,00000000), ref: 004040E1
    • MultiByteToWideChar.KERNEL32(00000008,00000001,00000001,?,?,00000001), ref: 00404163
    • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 00404184
    • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 004041A5
      • Part of subcall function 004024C3: HeapAlloc.KERNEL32(00000008,?,00492370,00000010,00401BB6,00000001,0000008C,?,00000000,004033DA,00401FB5,?,00492268,00000008,0040200C,?), ref: 00402545
    • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000001,00000000,00000000), ref: 004041CC
      • Part of subcall function 00484FDC: ExitProcess.KERNEL32(00000003,004922F8,00000008,00401452), ref: 00484FD5
      • Part of subcall function 0040230E: HeapFree.KERNEL32(00000000,?,00492318,0000000C,00401F0C,?,?,?,00000000,?,00401E30,?,00491DB0,00000060), ref: 00402373
    Memory Dump Source
    • Source File: 00000002.00000000.251083961.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000000.251077299.00400000.00000002.sdmp
    • Associated: 00000002.00000000.251140485.00487000.00000002.sdmp
    • Associated: 00000002.00000000.251150254.00494000.00000008.sdmp
    • Associated: 00000002.00000000.251160158.004A1000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(00AA5AA4,?,?,?,?,?,?,?,?,?,?), ref: 00AA1CE8
    • LeaveCriticalSection.KERNEL32(00AA5AA4,?,?,?,?,?,?,?,?,?), ref: 00AA1D12
      • Part of subcall function 00A9FEDF: memset.MSVCRT ref: 00A9FEF5
      • Part of subcall function 00A9FEDF: InitializeCriticalSection.KERNEL32(00AA5050), ref: 00A9FF05
      • Part of subcall function 00A9FEDF: memset.MSVCRT ref: 00A9FF34
      • Part of subcall function 00A9FEDF: InitializeCriticalSection.KERNEL32(00AA5030), ref: 00A9FF3E
      • Part of subcall function 00A824C1: HeapAlloc.KERNEL32(00000000,00000028,?,00A9D211,?,?,00000000,?,?,00000001), ref: 00A824D2
      • Part of subcall function 00A79FB3: memcpy.MSVCRT ref: 00A79FE9
    • memcmp.MSVCRT ref: 00AA1E03
    • memcmp.MSVCRT ref: 00AA1E34
      • Part of subcall function 00A79F5F: memcpy.MSVCRT ref: 00A79F99
    • EnterCriticalSection.KERNEL32(00AA5050), ref: 00AA1EA7
      • Part of subcall function 00A9FFD8: GetTickCount.KERNEL32 ref: 00A9FFDF
      • Part of subcall function 00AA03D0: EnterCriticalSection.KERNEL32(00AA5030,00AA506C,?,?,00AA5050), ref: 00AA03E3
      • Part of subcall function 00AA03D0: LeaveCriticalSection.KERNEL32(00AA5030,?,?,00AA5050), ref: 00AA0559
      • Part of subcall function 00AA061B: EnterCriticalSection.KERNEL32(00DD1F88,?,?,?,?,00AA5050), ref: 00AA06F5
      • Part of subcall function 00AA061B: LeaveCriticalSection.KERNEL32(00DD1F88,000000FF,00000000,?,?,?,?,00AA5050), ref: 00AA071D
    • LeaveCriticalSection.KERNEL32(00AA5050,00AA506C,00AA506C,00AA506C), ref: 00AA1EF7
      • Part of subcall function 00A9DD3E: lstrlenA.KERNEL32(?,?,?,?,?,?,00AA506C,?,?,00AA5050), ref: 00A9DD52
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • OpenProcessToken.ADVAPI32(000000FF,00000008), ref: 00A7B03B
    • GetTokenInformation.ADVAPI32(?,00000019,00000000,00000000), ref: 00A7B054
    • GetLastError.KERNEL32(?,?,00000000,?,?,00000000,00A9AA69,?,00A9ADD5,?,?,?,00000001), ref: 00A7B05E
      • Part of subcall function 00A824DA: HeapAlloc.KERNEL32(00000008,?,?,00A7B076,?,?,?,00000000,?,?,00000000,00A9AA69,?,00A9ADD5), ref: 00A824EB
    • GetTokenInformation.ADVAPI32(?,00000019,?,?), ref: 00A7B089
    • GetSidSubAuthorityCount.ADVAPI32(?,?,?,?,?,?,?,00000000,?,?,00000000,00A9AA69,?,00A9ADD5), ref: 00A7B095
    • GetSidSubAuthority.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00A9AA69,?,00A9ADD5), ref: 00A7B0AC
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
    • CloseHandle.KERNEL32(?), ref: 00A7B0D8
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • OpenProcessToken.ADVAPI32(000000FF,00000008), ref: 0043B03B
    • GetTokenInformation.ADVAPI32(?,00000019,00000000,00000000), ref: 0043B054
    • GetLastError.KERNEL32(?,?,00000000,?,?,00000000,0045AA69,?,0045ADD5,?,?,?,00000001), ref: 0043B05E
      • Part of subcall function 004424DA: HeapAlloc.KERNEL32(00000008,?,?,0043B076,?,?,?,00000000,?,?,00000000,0045AA69,?,0045ADD5), ref: 004424EB
    • GetTokenInformation.ADVAPI32(?,00000019,?,?), ref: 0043B089
    • GetSidSubAuthorityCount.ADVAPI32(?,?,?,?,?,?,?,00000000,?,?,00000000,0045AA69,?,0045ADD5), ref: 0043B095
    • GetSidSubAuthority.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,0045AA69,?,0045ADD5), ref: 0043B0AC
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • CloseHandle.KERNEL32(?), ref: 0043B0D8
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 0045C09D: CreateMutexW.KERNEL32(004649B4,00000000), ref: 0045C0BF
      • Part of subcall function 0044204E: memcpy.MSVCRT ref: 0044205C
      • Part of subcall function 00448432: CreateFileW.KERNEL32(009B1EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0044844B
      • Part of subcall function 00448432: GetFileSizeEx.KERNEL32 ref: 0044845E
      • Part of subcall function 00448432: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00448484
      • Part of subcall function 00448432: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0044849C
      • Part of subcall function 00448432: VirtualFree.KERNEL32(?,00000000,00008000), ref: 004484BA
      • Part of subcall function 00448432: CloseHandle.KERNEL32 ref: 004484C3
    • memset.MSVCRT ref: 0044B42B
    • memcpy.MSVCRT ref: 0044B457
      • Part of subcall function 00456875: GetSystemTime.KERNEL32 ref: 0045687F
      • Part of subcall function 004424F3: HeapAlloc.KERNEL32(00000000,?,?,?,00436328,?,?,00458D10,?,?,?,?,0000FFFF), ref: 0044251D
      • Part of subcall function 004424F3: HeapReAlloc.KERNEL32(00000000,?,?,?,?,00436328,?,?,00458D10,?,?,?,?,0000FFFF), ref: 00442530
      • Part of subcall function 004371D5: memcpy.MSVCRT ref: 004372E6
    • CreateFileW.KERNEL32(0042AF54,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 0044B55C
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0044B578
      • Part of subcall function 00455934: CloseHandle.KERNEL32 ref: 00455940
      • Part of subcall function 0043766D: ReleaseMutex.KERNEL32 ref: 00437671
      • Part of subcall function 0043766D: CloseHandle.KERNEL32 ref: 00437678
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 0044B161: memset.MSVCRT ref: 0044B170
      • Part of subcall function 0044B161: memset.MSVCRT ref: 0044B1B3
      • Part of subcall function 0044B161: memset.MSVCRT ref: 0044B1E9
      • Part of subcall function 00450370: VirtualFree.KERNEL32(?,00000000,00008000), ref: 0045037F
      • Part of subcall function 0044FE5C: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0044FEC2
      • Part of subcall function 0044FE5C: memcpy.MSVCRT ref: 0044FEDC
      • Part of subcall function 0044FE5C: VirtualProtect.KERNEL32(?,?,00000002,-00000048), ref: 0044FEEF
      • Part of subcall function 0044FE5C: memset.MSVCRT ref: 0044FF46
      • Part of subcall function 0044FE5C: memcpy.MSVCRT ref: 0044FF5A
      • Part of subcall function 0044FE5C: VirtualProtect.KERNEL32(?,?,?,-00000048), ref: 00450049
      • Part of subcall function 004373E0: memcmp.MSVCRT ref: 00437489
      • Part of subcall function 004484D3: VirtualFree.KERNEL32(?,00000000,00008000), ref: 004484E4
      • Part of subcall function 004484D3: CloseHandle.KERNEL32 ref: 004484F3
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A824C1: HeapAlloc.KERNEL32(00000000,00000028,?,00A9D211,?,?,00000000,?,?,00000001), ref: 00A824D2
    • WSASetLastError.WS2_32(00000008,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00000001), ref: 00A7C3C0
    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,?), ref: 00A7C40C
      • Part of subcall function 00A7BEC0: WSAGetLastError.WS2_32 ref: 00A7BEF6
      • Part of subcall function 00A7BEC0: WSASetLastError.WS2_32(?,?,?,?), ref: 00A7BF3E
    • WSAGetLastError.WS2_32(?,00000800,?,00000000,?), ref: 00A7C4EC
    • shutdown.WS2_32(?,00000001), ref: 00A7C517
    • WaitForMultipleObjects.KERNEL32(?,?,00000000,?), ref: 00A7C540
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
    • WSASetLastError.WS2_32(0000274C,?,?,?,?,?,?,?,?,00000000,?,?,?,00000001,?,00002710), ref: 00A7C594
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 004424C1: HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
    • WSASetLastError.WS2_32(00000008,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00000001), ref: 0043C3C0
    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,?), ref: 0043C40C
      • Part of subcall function 0043BEC0: WSAGetLastError.WS2_32 ref: 0043BEF6
      • Part of subcall function 0043BEC0: WSASetLastError.WS2_32(?,?,?,?), ref: 0043BF3E
    • WSAGetLastError.WS2_32(?,00000800,?,00000000,?), ref: 0043C4EC
    • shutdown.WS2_32(?,00000001), ref: 0043C517
    • WaitForMultipleObjects.KERNEL32(?,?,00000000,?), ref: 0043C540
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • WSASetLastError.WS2_32(0000274C,?,?,?,?,?,?,?,?,00000000,?,?,?,00000001,?,00002710), ref: 0043C594
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00401367
      • Part of subcall function 00402096: LoadLibraryA.KERNEL32(user32.dll), ref: 004020AE
      • Part of subcall function 00402096: GetProcAddress.KERNEL32(?,MessageBoxA), ref: 004020CA
      • Part of subcall function 00402096: GetProcAddress.KERNEL32(?,GetActiveWindow), ref: 004020DB
      • Part of subcall function 00402096: GetProcAddress.KERNEL32(?,GetLastActivePopup), ref: 004020E8
      • Part of subcall function 00402096: GetProcAddress.KERNEL32(?,GetUserObjectInformationA), ref: 004020FE
      • Part of subcall function 00402096: GetProcAddress.KERNEL32(?,GetProcessWindowStation), ref: 0040210F
    • GetStdHandle.KERNEL32(000000F4), ref: 00401434
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040143B
      • Part of subcall function 00484FDC: ExitProcess.KERNEL32(00000003,004922F8,00000008,00401452), ref: 00484FD5
    Memory Dump Source
    • Source File: 00000002.00000000.251083961.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000000.251077299.00400000.00000002.sdmp
    • Associated: 00000002.00000000.251140485.00487000.00000002.sdmp
    • Associated: 00000002.00000000.251150254.00494000.00000008.sdmp
    • Associated: 00000002.00000000.251160158.004A1000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(00DD1F88,?,6FFF0300,?), ref: 00A9C5BC
    • LeaveCriticalSection.KERNEL32(00DD1F88,?,6FFF0300,?), ref: 00A9C66C
      • Part of subcall function 00A77FA8: LoadLibraryA.KERNEL32(gdiplus.dll), ref: 00A77FBA
      • Part of subcall function 00A77FA8: GetProcAddress.KERNEL32(?,GdiplusStartup), ref: 00A77FD2
      • Part of subcall function 00A77FA8: CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00A78011
      • Part of subcall function 00A77FA8: CreateCompatibleDC.GDI32 ref: 00A78022
      • Part of subcall function 00A77FA8: LoadCursorW.USER32(00000000,00007F00), ref: 00A78038
      • Part of subcall function 00A77FA8: GetIconInfo.USER32 ref: 00A7804C
      • Part of subcall function 00A77FA8: GetCursorPos.USER32(?), ref: 00A7805B
      • Part of subcall function 00A77FA8: GetDeviceCaps.GDI32(?,00000008), ref: 00A78072
      • Part of subcall function 00A77FA8: GetDeviceCaps.GDI32(?,0000000A), ref: 00A7807B
      • Part of subcall function 00A77FA8: CreateCompatibleBitmap.GDI32(?,?), ref: 00A78087
      • Part of subcall function 00A77FA8: SelectObject.GDI32 ref: 00A78095
      • Part of subcall function 00A77FA8: BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,40CC0020), ref: 00A780B6
      • Part of subcall function 00A77FA8: DrawIcon.USER32(?,?,?,?), ref: 00A780E8
      • Part of subcall function 00A77FA8: SelectObject.GDI32(?,?), ref: 00A78104
      • Part of subcall function 00A77FA8: DeleteObject.GDI32 ref: 00A7810B
      • Part of subcall function 00A77FA8: DeleteDC.GDI32 ref: 00A78112
      • Part of subcall function 00A77FA8: DeleteDC.GDI32 ref: 00A78119
      • Part of subcall function 00A77FA8: FreeLibrary.KERNEL32(?), ref: 00A78129
      • Part of subcall function 00A77FA8: GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 00A7813F
      • Part of subcall function 00A77FA8: FreeLibrary.KERNEL32(?), ref: 00A78153
    • GetTickCount.KERNEL32 ref: 00A9C616
    • GetCurrentProcessId.KERNEL32 ref: 00A9C61D
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
    • GetKeyboardState.USER32 ref: 00A9C688
    • ToUnicode.USER32(?,?,?,?,00000009,00000000), ref: 00A9C6AB
      • Part of subcall function 00A9C410: EnterCriticalSection.KERNEL32(00DD1F88,00DD1F88,?,?,?,00A9C6E4,?,?,?,?,?,00000009,00000000,?,?,6FFF0300), ref: 00A9C42A
      • Part of subcall function 00A9C410: memcpy.MSVCRT ref: 00A9C49B
      • Part of subcall function 00A9C410: memcpy.MSVCRT ref: 00A9C4BF
      • Part of subcall function 00A9C410: memcpy.MSVCRT ref: 00A9C4D6
      • Part of subcall function 00A9C410: memcpy.MSVCRT ref: 00A9C4F6
      • Part of subcall function 00A9C410: LeaveCriticalSection.KERNEL32(00DD1F88,?,6FFF0300,?), ref: 00A9C511
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • memset.MSVCRT ref: 00A859C8
    • GlobalMemoryStatusEx.KERNEL32 ref: 00A859DF
    • GetNativeSystemInfo.KERNEL32 ref: 00A85A10
      • Part of subcall function 00A90775: RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A9079C
    • GetSystemMetrics.USER32(0000004F), ref: 00A85A9D
      • Part of subcall function 00A90A1D: RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 00A90A3A
      • Part of subcall function 00A90755: RegFlushKey.ADVAPI32 ref: 00A90765
      • Part of subcall function 00A90755: RegCloseKey.ADVAPI32 ref: 00A9076D
    • GetSystemMetrics.USER32(00000050), ref: 00A85A90
    • GetSystemMetrics.USER32(0000004E), ref: 00A85A97
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • memset.MSVCRT ref: 004459C8
    • GlobalMemoryStatusEx.KERNEL32 ref: 004459DF
    • GetNativeSystemInfo.KERNEL32 ref: 00445A10
      • Part of subcall function 00450775: RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0045079C
    • GetSystemMetrics.USER32(0000004F), ref: 00445A9D
      • Part of subcall function 00450A1D: RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 00450A3A
      • Part of subcall function 00450755: RegFlushKey.ADVAPI32 ref: 00450765
      • Part of subcall function 00450755: RegCloseKey.ADVAPI32 ref: 0045076D
    • GetSystemMetrics.USER32(00000050), ref: 00445A90
    • GetSystemMetrics.USER32(0000004E), ref: 00445A97
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 0044204E: memcpy.MSVCRT ref: 0044205C
      • Part of subcall function 0045570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0045ABEA,0045ABEA), ref: 0045573C
    • lstrcatW.KERNEL32(?,.dat), ref: 0045AC32
    • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0045AC57
    • ReadFile.KERNEL32(?,?,000001FE,?,00000000), ref: 0045AC75
    • CloseHandle.KERNEL32 ref: 0045AC82
      • Part of subcall function 0045D2D7: EnterCriticalSection.KERNEL32(009B1E90,?), ref: 0045D2EB
      • Part of subcall function 0045D2D7: GetFileVersionInfoSizeW.VERSION(009B1EF0), ref: 0045D30C
      • Part of subcall function 0045D2D7: GetFileVersionInfoW.VERSION(009B1EF0,00000000), ref: 0045D32A
      • Part of subcall function 0045D2D7: LeaveCriticalSection.KERNEL32(009B1E90,00000001,00000001,00000001,00000001), ref: 0045D413
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00438FE0
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 00438FEA
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439033
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439060
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 0043906A
    Strings
    • .dat, xrefs: 0045AC26
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 0045ABF1
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • ConvertSidToStringSidW.ADVAPI32(?,?), ref: 00A9B32F
    • PathUnquoteSpacesW.SHLWAPI ref: 00A9B394
    • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00A9B3A3
    • LocalFree.KERNEL32(00000001), ref: 00A9B3B7
    Strings
    • ProfileImagePath, xrefs: 00A9B378
    • SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s, xrefs: 00A9B34C
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • ConvertSidToStringSidW.ADVAPI32(?,?), ref: 0045B32F
    • PathUnquoteSpacesW.SHLWAPI ref: 0045B394
    • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 0045B3A3
    • LocalFree.KERNEL32(00000001), ref: 0045B3B7
    Strings
    • ProfileImagePath, xrefs: 0045B378
    • SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s, xrefs: 0045B34C
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • GetTempPathW.KERNEL32(00000104), ref: 00A9AAB7
    • GetLongPathNameW.KERNEL32(?,C:\Documents and Settings\Administrator\Local Settings\Temp,00000104,?,?), ref: 00A9AACF
    • PathRemoveBackslashW.SHLWAPI(C:\Documents and Settings\Administrator\Local Settings\Temp), ref: 00A9AADA
      • Part of subcall function 00A78E53: EnterCriticalSection.KERNEL32(00AA5AA4,?,00AA4DF4,00000000,00000006,00A9BD7A,00AA4DF4,-00000258,?,00000000), ref: 00A78E6A
      • Part of subcall function 00A78E53: LeaveCriticalSection.KERNEL32(00AA5AA4,?,00000000), ref: 00A78E9D
      • Part of subcall function 00A78E53: CoTaskMemFree.OLE32(?), ref: 00A78F36
      • Part of subcall function 00A78E53: PathRemoveBackslashW.SHLWAPI(00000006), ref: 00A78F44
      • Part of subcall function 00A78E53: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,00000006), ref: 00A78F5C
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?), ref: 00A9AB00
      • Part of subcall function 00A79F5F: memcpy.MSVCRT ref: 00A79F99
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00A9AAE0
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 00A9AAC2, 00A9AACD, 00A9AAD9
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • GetModuleHandleA.KERNEL32(mscoree.dll), ref: 004011FF
    • GetProcAddress.KERNEL32(?,CorExitProcess), ref: 0040120F
    • ExitProcess.KERNEL32(?), ref: 00401223
      • Part of subcall function 00401FF3: EnterCriticalSection.KERNEL32(?,?,?,00402331,00000004,00492318,0000000C,00401F0C,?,?,?,00000000,?,00401E30,?,00491DB0), ref: 0040201B
    Memory Dump Source
    • Source File: 00000002.00000000.251083961.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000000.251077299.00400000.00000002.sdmp
    • Associated: 00000002.00000000.251140485.00487000.00000002.sdmp
    • Associated: 00000002.00000000.251150254.00494000.00000008.sdmp
    • Associated: 00000002.00000000.251160158.004A1000.00000002.sdmp
    APIs
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,?,00000000), ref: 00A852E3
    • GetCommandLineW.KERNEL32 ref: 00A85304
      • Part of subcall function 00A911D5: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00A911FF
      • Part of subcall function 00A911D5: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,?,00000000,00000000), ref: 00A91234
    • GetUserNameExW.SECUR32(00000002,?,?,?,?,?,00000104), ref: 00A8533C
    • GetProcessTimes.KERNEL32(000000FF), ref: 00A85372
    • GetUserDefaultUILanguage.KERNEL32 ref: 00A853E4
    • memcpy.MSVCRT ref: 00A85418
    • memcpy.MSVCRT ref: 00A8542D
    • memcpy.MSVCRT ref: 00A85443
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
      • Part of subcall function 00A824DA: HeapAlloc.KERNEL32(00000008,?,?,00A7B076,?,?,?,00000000,?,?,00000000,00A9AA69,?,00A9ADD5), ref: 00A824EB
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,00A77E45,?,?,?,00000000), ref: 00A8AEAE
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00A8AEE7
    • CloseHandle.KERNEL32 ref: 00A8AEFA
      • Part of subcall function 00A824C1: HeapAlloc.KERNEL32(00000000,00000028,?,00A9D211,?,?,00000000,?,?,00000001), ref: 00A824D2
    • memcpy.MSVCRT ref: 00A8AF1D
    • memset.MSVCRT ref: 00A8AF37
    • memcpy.MSVCRT ref: 00A8AF7D
    • memset.MSVCRT ref: 00A8AF9B
      • Part of subcall function 00A78CBF: EnterCriticalSection.KERNEL32(?,?,?,00A82B51,00000005,00007530,?,00000000,00000000), ref: 00A78CC7
      • Part of subcall function 00A78CBF: WaitForSingleObject.KERNEL32(?,00000000), ref: 00A78CEB
      • Part of subcall function 00A78CBF: CloseHandle.KERNEL32 ref: 00A78CFB
      • Part of subcall function 00A78CBF: LeaveCriticalSection.KERNEL32(?,?,?,?,00A82B51,00000005,00007530,?,00000000,00000000), ref: 00A78D2B
      • Part of subcall function 00A78D34: EnterCriticalSection.KERNEL32(00DD201C,00DD2010,?,?,00A8A99B,00000000,00A8A6E2,00000000,?,00000000,?,?,?,00A9B2E2,?,00000001), ref: 00A78D3D
      • Part of subcall function 00A78D34: CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00A78D76
      • Part of subcall function 00A78D34: DuplicateHandle.KERNEL32(000000FF,?,000000FF,00A8A99B,00000000,00000000,00000002), ref: 00A78D95
      • Part of subcall function 00A78D34: GetLastError.KERNEL32(?,000000FF,00A8A99B,00000000,00000000,00000002,?,?,00A8A99B,00000000,00A8A6E2,00000000,?,00000000), ref: 00A78D9F
      • Part of subcall function 00A78D34: TerminateThread.KERNEL32 ref: 00A78DA7
      • Part of subcall function 00A78D34: CloseHandle.KERNEL32 ref: 00A78DAE
      • Part of subcall function 00A78D34: LeaveCriticalSection.KERNEL32(00DD201C,?,00A8A99B,00000000,00A8A6E2,00000000,?,00000000,?,?,?,00A9B2E2,?,00000001), ref: 00A78DC3
      • Part of subcall function 00A78D34: ResumeThread.KERNEL32 ref: 00A78DDC
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00A77E45,?,?,?,00000000), ref: 00A8AFEF
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,00437E45,?,?,?,00000000), ref: 0044AEAE
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 0044AEE7
    • CloseHandle.KERNEL32 ref: 0044AEFA
      • Part of subcall function 004424C1: HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
    • memcpy.MSVCRT ref: 0044AF1D
    • memset.MSVCRT ref: 0044AF37
    • memcpy.MSVCRT ref: 0044AF7D
    • memset.MSVCRT ref: 0044AF9B
      • Part of subcall function 00438CBF: EnterCriticalSection.KERNEL32(?,?,?,00442B51,00000005,00007530,?,00000000,00000000), ref: 00438CC7
      • Part of subcall function 00438CBF: WaitForSingleObject.KERNEL32(?,00000000), ref: 00438CEB
      • Part of subcall function 00438CBF: CloseHandle.KERNEL32 ref: 00438CFB
      • Part of subcall function 00438CBF: LeaveCriticalSection.KERNEL32(?,?,?,?,00442B51,00000005,00007530,?,00000000,00000000), ref: 00438D2B
      • Part of subcall function 00438D34: EnterCriticalSection.KERNEL32(0000000C,00000000,?,?,0044A99B,00000000,0044A6E2,00000000,?,00000000,?,?,?,0045B2E2,?,00000001), ref: 00438D3D
      • Part of subcall function 00438D34: CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00438D76
      • Part of subcall function 00438D34: DuplicateHandle.KERNEL32(000000FF,?,000000FF,0044A99B,00000000,00000000,00000002), ref: 00438D95
      • Part of subcall function 00438D34: GetLastError.KERNEL32(?,000000FF,0044A99B,00000000,00000000,00000002,?,?,0044A99B,00000000,0044A6E2,00000000,?,00000000), ref: 00438D9F
      • Part of subcall function 00438D34: TerminateThread.KERNEL32 ref: 00438DA7
      • Part of subcall function 00438D34: CloseHandle.KERNEL32 ref: 00438DAE
      • Part of subcall function 00438D34: LeaveCriticalSection.KERNEL32(0000000C,?,0044A99B,00000000,0044A6E2,00000000,?,00000000,?,?,?,0045B2E2,?,00000001), ref: 00438DC3
      • Part of subcall function 00438D34: ResumeThread.KERNEL32 ref: 00438DDC
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00437E45,?,?,?,00000000), ref: 0044AFEF
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • GetTempPathW.KERNEL32(00000104,?), ref: 00A95962
    • PathAddBackslashW.SHLWAPI(?), ref: 00A9598C
      • Part of subcall function 00A8B7FF: EnterCriticalSection.KERNEL32(00AA47FC,?,?,00A959A9,00000000), ref: 00A8B80C
      • Part of subcall function 00A8B7FF: LeaveCriticalSection.KERNEL32(00AA47FC,?,?,00A959A9,00000000), ref: 00A8B81A
    • CreateDirectoryW.KERNEL32(?), ref: 00A95A44
    • SetFileAttributesW.KERNEL32(?), ref: 00A95A55
    • CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 00A95A6E
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000080,?,?,00000000), ref: 00A95A7F
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • lstrlenA.KERNEL32(?,?), ref: 00A82C1E
    • CreateMutexW.KERNEL32(00AA49B4,00000001), ref: 00A82C76
    • GetLastError.KERNEL32(?,?,?,?,?), ref: 00A82C86
    • CloseHandle.KERNEL32 ref: 00A82C94
      • Part of subcall function 00A824DA: HeapAlloc.KERNEL32(00000008,?,?,00A7B076,?,?,?,00000000,?,?,00000000,00A9AA69,?,00A9ADD5), ref: 00A824EB
    • memcpy.MSVCRT ref: 00A82CBE
    • memcpy.MSVCRT ref: 00A82CD2
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
      • Part of subcall function 00A7B2E5: CreateThread.KERNEL32(00000000,00000000,00A79DBA,?), ref: 00A7B2F6
      • Part of subcall function 00A7B2E5: CloseHandle.KERNEL32 ref: 00A7B301
      • Part of subcall function 00A7766D: ReleaseMutex.KERNEL32 ref: 00A77671
      • Part of subcall function 00A7766D: CloseHandle.KERNEL32 ref: 00A77678
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • lstrlenA.KERNEL32(?,?), ref: 00442C1E
    • CreateMutexW.KERNEL32(004649B4,00000001), ref: 00442C76
    • GetLastError.KERNEL32(?,?,?,?,?), ref: 00442C86
    • CloseHandle.KERNEL32 ref: 00442C94
      • Part of subcall function 004424DA: HeapAlloc.KERNEL32(00000008,?,?,0043B076,?,?,?,00000000,?,?,00000000,0045AA69,?,0045ADD5), ref: 004424EB
    • memcpy.MSVCRT ref: 00442CBE
    • memcpy.MSVCRT ref: 00442CD2
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 0043B2E5: CreateThread.KERNEL32(00000000,00000000,00439DBA,?), ref: 0043B2F6
      • Part of subcall function 0043B2E5: CloseHandle.KERNEL32 ref: 0043B301
      • Part of subcall function 0043766D: ReleaseMutex.KERNEL32 ref: 00437671
      • Part of subcall function 0043766D: CloseHandle.KERNEL32 ref: 00437678
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • CreateFileW.KERNEL32(00DD1EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A8844B
    • GetFileSizeEx.KERNEL32 ref: 00A8845E
    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00A88484
    • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00A8849C
    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00A884BA
    • CloseHandle.KERNEL32 ref: 00A884C3
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 00A78E53: EnterCriticalSection.KERNEL32(00AA5AA4,?,00AA4DF4,00000000,00000006,00A9BD7A,00AA4DF4,-00000258,?,00000000), ref: 00A78E6A
      • Part of subcall function 00A78E53: LeaveCriticalSection.KERNEL32(00AA5AA4,?,00000000), ref: 00A78E9D
      • Part of subcall function 00A78E53: CoTaskMemFree.OLE32(?), ref: 00A78F36
      • Part of subcall function 00A78E53: PathRemoveBackslashW.SHLWAPI(00000006), ref: 00A78F44
      • Part of subcall function 00A78E53: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,00000006), ref: 00A78F5C
    • PathRemoveBackslashW.SHLWAPI(-00000258), ref: 00A9BD85
    • PathRemoveFileSpecW.SHLWAPI(-00000258), ref: 00A9BD92
    • PathAddBackslashW.SHLWAPI(-00000258), ref: 00A9BDA3
    • GetVolumeNameForVolumeMountPointW.KERNEL32(-00000258,-00000050,00000064), ref: 00A9BDB6
    • CLSIDFromString.OLE32(-0000003C,00AA4DF4,?,00000000), ref: 00A9BDD2
    • memset.MSVCRT ref: 00A9BDE4
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00A8FEC2
    • memcpy.MSVCRT ref: 00A8FEDC
    • VirtualProtect.KERNEL32(?,?,00000002,-00000048), ref: 00A8FEEF
    • memset.MSVCRT ref: 00A8FF46
    • memcpy.MSVCRT ref: 00A8FF5A
    • VirtualProtect.KERNEL32(?,?,?,-00000048), ref: 00A90049
      • Part of subcall function 00A90370: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00A9037F
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0044FEC2
    • memcpy.MSVCRT ref: 0044FEDC
    • VirtualProtect.KERNEL32(?,?,00000002,-00000048), ref: 0044FEEF
    • memset.MSVCRT ref: 0044FF46
    • memcpy.MSVCRT ref: 0044FF5A
    • VirtualProtect.KERNEL32(?,?,?,-00000048), ref: 00450049
      • Part of subcall function 00450370: VirtualFree.KERNEL32(?,00000000,00008000), ref: 0045037F
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A824DA: HeapAlloc.KERNEL32(00000008,?,?,00A7B076,?,?,?,00000000,?,?,00000000,00A9AA69,?,00A9ADD5), ref: 00A824EB
    • EnterCriticalSection.KERNEL32(?,?,00000000,?,?,0000002C), ref: 00A86531
      • Part of subcall function 00A86865: EnterCriticalSection.KERNEL32(?,?,00000000,?,00A86B6E,00000064,00000000,000000C8,00000000,?,00000001,?,0000002C), ref: 00A8686E
      • Part of subcall function 00A86865: LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00A86B6E,00000064,00000000,000000C8,00000000,?,00000001,?,0000002C), ref: 00A868A5
      • Part of subcall function 00A8B7FF: EnterCriticalSection.KERNEL32(00AA47FC,?,?,00A959A9,00000000), ref: 00A8B80C
      • Part of subcall function 00A8B7FF: LeaveCriticalSection.KERNEL32(00AA47FC,?,?,00A959A9,00000000), ref: 00A8B81A
    • LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,?,?,0000002C), ref: 00A86572
    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00A86581
    • SetEvent.KERNEL32 ref: 00A86591
    • GetExitCodeThread.KERNEL32 ref: 00A865A5
    • CloseHandle.KERNEL32 ref: 00A865BB
      • Part of subcall function 00A78D34: EnterCriticalSection.KERNEL32(00DD201C,00DD2010,?,?,00A8A99B,00000000,00A8A6E2,00000000,?,00000000,?,?,?,00A9B2E2,?,00000001), ref: 00A78D3D
      • Part of subcall function 00A78D34: CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00A78D76
      • Part of subcall function 00A78D34: DuplicateHandle.KERNEL32(000000FF,?,000000FF,00A8A99B,00000000,00000000,00000002), ref: 00A78D95
      • Part of subcall function 00A78D34: GetLastError.KERNEL32(?,000000FF,00A8A99B,00000000,00000000,00000002,?,?,00A8A99B,00000000,00A8A6E2,00000000,?,00000000), ref: 00A78D9F
      • Part of subcall function 00A78D34: TerminateThread.KERNEL32 ref: 00A78DA7
      • Part of subcall function 00A78D34: CloseHandle.KERNEL32 ref: 00A78DAE
      • Part of subcall function 00A78D34: LeaveCriticalSection.KERNEL32(00DD201C,?,00A8A99B,00000000,00A8A6E2,00000000,?,00000000,?,?,?,00A9B2E2,?,00000001), ref: 00A78DC3
      • Part of subcall function 00A78D34: ResumeThread.KERNEL32 ref: 00A78DDC
      • Part of subcall function 00A86BD0: memcmp.MSVCRT ref: 00A86BE9
      • Part of subcall function 00A86BD0: memcmp.MSVCRT ref: 00A86C45
      • Part of subcall function 00A86BD0: memcmp.MSVCRT ref: 00A86CAB
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
      • Part of subcall function 00A9B0EA: memcpy.MSVCRT ref: 00A9B110
      • Part of subcall function 00A9B0EA: memset.MSVCRT ref: 00A9B1B3
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 004424DA: HeapAlloc.KERNEL32(00000008,?,?,0043B076,?,?,?,00000000,?,?,00000000,0045AA69,?,0045ADD5), ref: 004424EB
    • EnterCriticalSection.KERNEL32(?,?,00000000,?,?,0000002C), ref: 00446531
      • Part of subcall function 00446865: EnterCriticalSection.KERNEL32(?,?,00000000,?,00446B6E,00000064,00000000,000000C8,00000000,?,00000001,?,0000002C), ref: 0044686E
      • Part of subcall function 00446865: LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00446B6E,00000064,00000000,000000C8,00000000,?,00000001,?,0000002C), ref: 004468A5
      • Part of subcall function 0044B7FF: EnterCriticalSection.KERNEL32(004647FC,?,?,004559A9,00000000), ref: 0044B80C
      • Part of subcall function 0044B7FF: LeaveCriticalSection.KERNEL32(004647FC,?,?,004559A9,00000000), ref: 0044B81A
    • LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,?,?,0000002C), ref: 00446572
    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00446581
    • SetEvent.KERNEL32 ref: 00446591
    • GetExitCodeThread.KERNEL32 ref: 004465A5
    • CloseHandle.KERNEL32 ref: 004465BB
      • Part of subcall function 00438D34: EnterCriticalSection.KERNEL32(0000000C,00000000,?,?,0044A99B,00000000,0044A6E2,00000000,?,00000000,?,?,?,0045B2E2,?,00000001), ref: 00438D3D
      • Part of subcall function 00438D34: CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00438D76
      • Part of subcall function 00438D34: DuplicateHandle.KERNEL32(000000FF,?,000000FF,0044A99B,00000000,00000000,00000002), ref: 00438D95
      • Part of subcall function 00438D34: GetLastError.KERNEL32(?,000000FF,0044A99B,00000000,00000000,00000002,?,?,0044A99B,00000000,0044A6E2,00000000,?,00000000), ref: 00438D9F
      • Part of subcall function 00438D34: TerminateThread.KERNEL32 ref: 00438DA7
      • Part of subcall function 00438D34: CloseHandle.KERNEL32 ref: 00438DAE
      • Part of subcall function 00438D34: LeaveCriticalSection.KERNEL32(0000000C,?,0044A99B,00000000,0044A6E2,00000000,?,00000000,?,?,?,0045B2E2,?,00000001), ref: 00438DC3
      • Part of subcall function 00438D34: ResumeThread.KERNEL32 ref: 00438DDC
      • Part of subcall function 00446BD0: memcmp.MSVCRT ref: 00446BE9
      • Part of subcall function 00446BD0: memcmp.MSVCRT ref: 00446C45
      • Part of subcall function 00446BD0: memcmp.MSVCRT ref: 00446CAB
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 0045B0EA: memcpy.MSVCRT ref: 0045B110
      • Part of subcall function 0045B0EA: memset.MSVCRT ref: 0045B1B3
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • GetStringTypeW.KERNEL32(00000001,00492BE4,00000001), ref: 00403B8F
    • GetLastError.KERNEL32(?,00492C10,0000001C,004043E4,00000001,?,00000001,00000008,?,?,00000001,?,?,00404326), ref: 00403BA1
    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000), ref: 00403C03
    • GetStringTypeW.KERNEL32(00000008,?,?,?), ref: 00403C93
      • Part of subcall function 004024C3: HeapAlloc.KERNEL32(00000008,?,00492370,00000010,00401BB6,00000001,0000008C,?,00000000,004033DA,00401FB5,?,00492268,00000008,0040200C,?), ref: 00402545
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?), ref: 00403C81
      • Part of subcall function 00404008: GetLocaleInfoA.KERNEL32(00000038,00001004,?,00000006), ref: 00404028
    • GetStringTypeA.KERNEL32(?,00000008,?,?,00404326), ref: 00403D07
      • Part of subcall function 0040230E: HeapFree.KERNEL32(00000000,?,00492318,0000000C,00401F0C,?,?,?,00000000,?,00401E30,?,00491DB0,00000060), ref: 00402373
      • Part of subcall function 0040404B: GetCPInfo.KERNEL32(?,?), ref: 00404089
      • Part of subcall function 0040404B: GetCPInfo.KERNEL32(?,?), ref: 0040409C
      • Part of subcall function 0040404B: MultiByteToWideChar.KERNEL32(00000008,00000001,?,?,00000000,00000000), ref: 004040E1
      • Part of subcall function 0040404B: MultiByteToWideChar.KERNEL32(00000008,00000001,00000001,?,?,00000001), ref: 00404163
      • Part of subcall function 0040404B: WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 00404184
      • Part of subcall function 0040404B: WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 004041A5
      • Part of subcall function 0040404B: WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000001,00000000,00000000), ref: 004041CC
    Memory Dump Source
    • Source File: 00000002.00000000.251083961.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000000.251077299.00400000.00000002.sdmp
    • Associated: 00000002.00000000.251140485.00487000.00000002.sdmp
    • Associated: 00000002.00000000.251150254.00494000.00000008.sdmp
    • Associated: 00000002.00000000.251160158.004A1000.00000002.sdmp
    APIs
    • CertOpenSystemStoreW.CRYPT32(00000000), ref: 00A83205
    • CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00A83223
    • CertEnumCertificatesInStore.CRYPT32(?,?,?,00000000), ref: 00A83230
    • PFXExportCertStoreEx.CRYPT32(?,00000000,00000000,00000000,00000004,?,?,?,00000000), ref: 00A83264
      • Part of subcall function 00A824C1: HeapAlloc.KERNEL32(00000000,00000028,?,00A9D211,?,?,00000000,?,?,00000001), ref: 00A824D2
    • PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000000,00000000,00000004,?,?,?,00000000), ref: 00A83296
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
      • Part of subcall function 00A832D5: GetUserNameExW.SECUR32(00000002), ref: 00A83303
      • Part of subcall function 00A832D5: GetSystemTime.KERNEL32 ref: 00A83356
      • Part of subcall function 00A832D5: CharLowerW.USER32(?), ref: 00A833A6
      • Part of subcall function 00A832D5: PathRenameExtensionW.SHLWAPI(?), ref: 00A833D6
    • CertCloseStore.CRYPT32(?,00000000,?,00000000), ref: 00A832C5
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • InitializeCriticalSection.KERNEL32(00AA5AA4), ref: 00A9D207
      • Part of subcall function 00A824C1: HeapAlloc.KERNEL32(00000000,00000028,?,00A9D211,?,?,00000000,?,?,00000001), ref: 00A824D2
    • InitializeCriticalSection.KERNEL32 ref: 00A9D218
    • memset.MSVCRT ref: 00A9D229
    • TlsAlloc.KERNEL32(?,?,00000000,?,?,00000001), ref: 00A9D240
    • GetModuleHandleW.KERNEL32(00000000), ref: 00A9D25C
    • GetModuleHandleW.KERNEL32 ref: 00A9D272
      • Part of subcall function 00A9CAF0: EnterCriticalSection.KERNEL32(00AA5AA4,7C80E4DD,00A9D280,?,?,?,00000000,?,?,00000001), ref: 00A9CB00
      • Part of subcall function 00A9CAF0: LeaveCriticalSection.KERNEL32(00AA5AA4,?,?,?,00000000,?,?,00000001), ref: 00A9CB28
      • Part of subcall function 00A9D2B1: TlsFree.KERNEL32(00000013), ref: 00A9D2BD
      • Part of subcall function 00A9D2B1: DeleteCriticalSection.KERNEL32(00DD1E90,00000000,00A9D2A8,00DD1E90,?,?,00000000,?,?,00000001), ref: 00A9D2C4
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • InitializeCriticalSection.KERNEL32(00465AA4), ref: 0045D207
      • Part of subcall function 004424C1: HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
    • InitializeCriticalSection.KERNEL32 ref: 0045D218
    • memset.MSVCRT ref: 0045D229
    • TlsAlloc.KERNEL32(?,?,00000000,?,?,00000001), ref: 0045D240
    • GetModuleHandleW.KERNEL32(00000000), ref: 0045D25C
    • GetModuleHandleW.KERNEL32 ref: 0045D272
      • Part of subcall function 0045CAF0: EnterCriticalSection.KERNEL32(00465AA4,7C80E4DD,0045D280,?,?,?,00000000,?,?,00000001), ref: 0045CB00
      • Part of subcall function 0045CAF0: LeaveCriticalSection.KERNEL32(00465AA4,?,?,?,00000000,?,?,00000001), ref: 0045CB28
      • Part of subcall function 0045D2B1: TlsFree.KERNEL32(00000012), ref: 0045D2BD
      • Part of subcall function 0045D2B1: DeleteCriticalSection.KERNEL32(009B1E90,00000000,0045D2A8,009B1E90,?,?,00000000,?,?,00000001), ref: 0045D2C4
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • accept.WS2_32(?,?), ref: 00A7BD45
    • WSAEventSelect.WS2_32(?,00000000,00000000), ref: 00A7BD57
      • Part of subcall function 00A824C1: HeapAlloc.KERNEL32(00000000,00000028,?,00A9D211,?,?,00000000,?,?,00000001), ref: 00A824D2
    • WSASetLastError.WS2_32(00000008,?,?,00000002,?,00000000,00000000,?,?), ref: 00A7BDAE
      • Part of subcall function 00A7B928: WSACreateEvent.WS2_32(00000000,?,00A7BB6E,00000033,00000000,?,?,?,00A8C4F0,?,00003A98,?,00000000,?,00000003), ref: 00A7B93E
      • Part of subcall function 00A7B928: WSAEventSelect.WS2_32(?,?,00000033), ref: 00A7B954
      • Part of subcall function 00A7B928: WSACloseEvent.WS2_32 ref: 00A7B968
      • Part of subcall function 00A7B864: getsockopt.WS2_32(?,0000FFFF,00002004), ref: 00A7B89E
      • Part of subcall function 00A7B864: memset.MSVCRT ref: 00A7B8B2
    • WSAGetLastError.WS2_32(00000023,?,00000000,00000000,?,?), ref: 00A7BD88
    • shutdown.WS2_32(?,00000002), ref: 00A7BDA0
    • closesocket.WS2_32 ref: 00A7BDA7
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • accept.WS2_32(?,?), ref: 0043BD45
    • WSAEventSelect.WS2_32(?,00000000,00000000), ref: 0043BD57
      • Part of subcall function 004424C1: HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
    • WSASetLastError.WS2_32(00000008,?,?,00000002,?,00000000,00000000,?,?), ref: 0043BDAE
      • Part of subcall function 0043B928: WSACreateEvent.WS2_32(00000000,?,0043BB6E,00000033,00000000,?,?,?,0044C4F0,?,00003A98,?,00000000,?,00000003), ref: 0043B93E
      • Part of subcall function 0043B928: WSAEventSelect.WS2_32(?,?,00000033), ref: 0043B954
      • Part of subcall function 0043B928: WSACloseEvent.WS2_32 ref: 0043B968
      • Part of subcall function 0043B864: getsockopt.WS2_32(?,0000FFFF,00002004), ref: 0043B89E
      • Part of subcall function 0043B864: memset.MSVCRT ref: 0043B8B2
    • WSAGetLastError.WS2_32(00000023,?,00000000,00000000,?,?), ref: 0043BD88
    • shutdown.WS2_32(?,00000002), ref: 0043BDA0
    • closesocket.WS2_32 ref: 0043BDA7
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • OpenProcess.KERNEL32(0000047A,00000000,?), ref: 00A75B19
      • Part of subcall function 00A9AEB1: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00A9AECF
      • Part of subcall function 00A9AEB1: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00A9AF0A
      • Part of subcall function 00A9AEB1: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00A9AF4A
      • Part of subcall function 00A9AEB1: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00A9AF6D
      • Part of subcall function 00A9AEB1: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00A9AFBD
    • CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000000,00000000), ref: 00A75B5A
    • WaitForSingleObject.KERNEL32(?,00002710), ref: 00A75B6C
    • CloseHandle.KERNEL32 ref: 00A75B73
    • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00A75B85
    • CloseHandle.KERNEL32 ref: 00A75B8C
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • memset.MSVCRT ref: 0045FEF5
    • InitializeCriticalSection.KERNEL32(00465050), ref: 0045FF05
      • Part of subcall function 0044204E: memcpy.MSVCRT ref: 0044205C
    • memset.MSVCRT ref: 0045FF34
    • InitializeCriticalSection.KERNEL32(00465030), ref: 0045FF3E
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A76A4D: TlsSetValue.KERNEL32(00000001,00A8A796), ref: 00A76A5A
      • Part of subcall function 00A9C09D: CreateMutexW.KERNEL32(00AA49B4,00000000), ref: 00A9C0BF
    • GetCurrentThread.KERNEL32 ref: 00A82D49
    • SetThreadPriority.KERNEL32 ref: 00A82D50
      • Part of subcall function 00A9AFD3: WaitForSingleObject.KERNEL32(00000000,00A8A849), ref: 00A9AFDB
    • memset.MSVCRT ref: 00A82D92
    • lstrlenA.KERNEL32(00000000), ref: 00A82DA9
      • Part of subcall function 00A826C5: memset.MSVCRT ref: 00A826D5
      • Part of subcall function 00A9621D: PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00A96283
      • Part of subcall function 00A9621D: FindFirstFileW.KERNEL32 ref: 00A962F1
      • Part of subcall function 00A9621D: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00A9634A
      • Part of subcall function 00A9621D: SetLastError.KERNEL32(00000057,?,?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00A963BB
      • Part of subcall function 00A9621D: CloseHandle.KERNEL32 ref: 00A963F5
      • Part of subcall function 00A9621D: FindNextFileW.KERNEL32 ref: 00A96429
      • Part of subcall function 00A9621D: FindClose.KERNEL32 ref: 00A96453
    • memset.MSVCRT ref: 00A82E6F
    • memcpy.MSVCRT ref: 00A82E7F
      • Part of subcall function 00A82BE5: lstrlenA.KERNEL32(?,?), ref: 00A82C1E
      • Part of subcall function 00A82BE5: CreateMutexW.KERNEL32(00AA49B4,00000001), ref: 00A82C76
      • Part of subcall function 00A82BE5: GetLastError.KERNEL32(?,?,?,?,?), ref: 00A82C86
      • Part of subcall function 00A82BE5: CloseHandle.KERNEL32 ref: 00A82C94
      • Part of subcall function 00A82BE5: memcpy.MSVCRT ref: 00A82CBE
      • Part of subcall function 00A82BE5: memcpy.MSVCRT ref: 00A82CD2
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
    • WaitForSingleObject.KERNEL32(00007530), ref: 00A82EA9
      • Part of subcall function 00A7766D: ReleaseMutex.KERNEL32 ref: 00A77671
      • Part of subcall function 00A7766D: CloseHandle.KERNEL32 ref: 00A77678
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 00436A4D: TlsSetValue.KERNEL32(00000001,0044A796), ref: 00436A5A
      • Part of subcall function 0045C09D: CreateMutexW.KERNEL32(004649B4,00000000), ref: 0045C0BF
    • GetCurrentThread.KERNEL32 ref: 00442D49
    • SetThreadPriority.KERNEL32 ref: 00442D50
      • Part of subcall function 0045AFD3: WaitForSingleObject.KERNEL32(00000000,0044A849), ref: 0045AFDB
    • memset.MSVCRT ref: 00442D92
    • lstrlenA.KERNEL32(00000000), ref: 00442DA9
      • Part of subcall function 004426C5: memset.MSVCRT ref: 004426D5
      • Part of subcall function 0045621D: PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00456283
      • Part of subcall function 0045621D: FindFirstFileW.KERNEL32 ref: 004562F1
      • Part of subcall function 0045621D: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0045634A
      • Part of subcall function 0045621D: SetLastError.KERNEL32(00000057,?,?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 004563BB
      • Part of subcall function 0045621D: CloseHandle.KERNEL32 ref: 004563F5
      • Part of subcall function 0045621D: FindNextFileW.KERNEL32 ref: 00456429
      • Part of subcall function 0045621D: FindClose.KERNEL32 ref: 00456453
    • memset.MSVCRT ref: 00442E6F
    • memcpy.MSVCRT ref: 00442E7F
      • Part of subcall function 00442BE5: lstrlenA.KERNEL32(?,?), ref: 00442C1E
      • Part of subcall function 00442BE5: CreateMutexW.KERNEL32(004649B4,00000001), ref: 00442C76
      • Part of subcall function 00442BE5: GetLastError.KERNEL32(?,?,?,?,?), ref: 00442C86
      • Part of subcall function 00442BE5: CloseHandle.KERNEL32 ref: 00442C94
      • Part of subcall function 00442BE5: memcpy.MSVCRT ref: 00442CBE
      • Part of subcall function 00442BE5: memcpy.MSVCRT ref: 00442CD2
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • WaitForSingleObject.KERNEL32(00007530), ref: 00442EA9
      • Part of subcall function 0043766D: ReleaseMutex.KERNEL32 ref: 00437671
      • Part of subcall function 0043766D: CloseHandle.KERNEL32 ref: 00437678
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • GetVersionExA.KERNEL32 ref: 00401045
    • GetModuleHandleA.KERNEL32(00000000), ref: 00401098
      • Part of subcall function 00401E4F: HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 00401E60
      • Part of subcall function 00401E4F: HeapDestroy.KERNEL32 ref: 00401E93
      • Part of subcall function 00401D46: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00401D5E
      • Part of subcall function 00401D46: GetProcAddress.KERNEL32(?,FlsAlloc), ref: 00401D76
      • Part of subcall function 00401D46: GetProcAddress.KERNEL32(?,FlsGetValue), ref: 00401D83
      • Part of subcall function 00401D46: GetProcAddress.KERNEL32(?,FlsSetValue), ref: 00401D90
      • Part of subcall function 00401D46: GetProcAddress.KERNEL32(?,FlsFree), ref: 00401D9D
      • Part of subcall function 00401D46: GetCurrentThreadId.KERNEL32 ref: 00401E1B
      • Part of subcall function 004018E2: GetStartupInfoA.KERNEL32 ref: 0040193F
      • Part of subcall function 004018E2: GetFileType.KERNEL32 ref: 004019E9
      • Part of subcall function 004018E2: GetStdHandle.KERNEL32(000000F6), ref: 00401A6A
      • Part of subcall function 004018E2: GetFileType.KERNEL32 ref: 00401A78
      • Part of subcall function 004018E2: SetHandleCount.KERNEL32 ref: 00401AD0
    • GetCommandLineA.KERNEL32 ref: 0040112A
      • Part of subcall function 004017C0: GetEnvironmentStringsW.KERNEL32 ref: 004017DC
      • Part of subcall function 004017C0: GetLastError.KERNEL32(?,?,?,?,0040113A,?,00491DB0,00000060), ref: 004017F0
      • Part of subcall function 004017C0: GetEnvironmentStringsW.KERNEL32 ref: 00401812
      • Part of subcall function 004017C0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00401846
      • Part of subcall function 004017C0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 00401868
      • Part of subcall function 004017C0: FreeEnvironmentStringsW.KERNEL32 ref: 00401881
      • Part of subcall function 004017C0: GetEnvironmentStrings.KERNEL32(00093156,00000000,?,?,?,?,0040113A,?,00491DB0,00000060), ref: 00401897
      • Part of subcall function 004017C0: FreeEnvironmentStringsA.KERNEL32 ref: 004018D3
      • Part of subcall function 0040171E: GetModuleFileNameA.KERNEL32(00000000,0049FA28,00000104), ref: 00401748
    • GetStartupInfoA.KERNEL32 ref: 0040117E
    • GetModuleHandleA.KERNEL32(00000000), ref: 004011A1
      • Part of subcall function 0044D8FE: ShowWindow.USER32(?,00000000), ref: 0044D8B2
      • Part of subcall function 0044D8FE: lstrcpyA.KERNEL32(0049F200,?,00000000), ref: 0044D8C5
      • Part of subcall function 0044D8FE: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0044D8DA
      • Part of subcall function 0044D8FE: DispatchMessageW.USER32(?), ref: 0044D8E7
      • Part of subcall function 0044D8FE: InitCommonControlsEx.COMCTL32(0049E8BF), ref: 0044D91D
      • Part of subcall function 0044D8FE: GetCommandLineW.KERNEL32 ref: 0044D935
      • Part of subcall function 0044D8FE: SetLastError.KERNEL32(00000000), ref: 0044D942
      • Part of subcall function 0044D8FE: LoadIconW.USER32(00000000,00000020), ref: 0044D97B
      • Part of subcall function 0044D8FE: LoadCursorW.USER32(00000000,00000020), ref: 0044D985
      • Part of subcall function 0044D8FE: RegisterClassExW.USER32(00000030), ref: 0044D9A1
      • Part of subcall function 0044D8FE: CreateWindowExW.USER32 ref: 0045B5F6
    Strings
    Memory Dump Source
    • Source File: 00000002.00000000.251083961.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000000.251077299.00400000.00000002.sdmp
    • Associated: 00000002.00000000.251140485.00487000.00000002.sdmp
    • Associated: 00000002.00000000.251150254.00494000.00000008.sdmp
    • Associated: 00000002.00000000.251160158.004A1000.00000002.sdmp
    APIs
    • GetModuleHandleW.KERNEL32(shell32.dll), ref: 00A81EA2
    • GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00A81EAE
    • SetLastError.KERNEL32(00000001,00A78F04,00AA47C0,?,00AA4DF4,00000000,00000006,00A9BD7A,00AA4DF4,-00000258,?,00000000), ref: 00A81EC6
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • GetModuleHandleW.KERNEL32(shell32.dll), ref: 00441EA2
    • GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00441EAE
    • SetLastError.KERNEL32(00000001,00438F04,004647C0,?,00464DF4,00000000,00000006,0045BD7A,00464DF4,-00000258,?,00000000), ref: 00441EC6
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00A98037
    • WSASetLastError.WS2_32(00000008), ref: 00A98046
    • memcpy.MSVCRT ref: 00A98063
    • memcpy.MSVCRT ref: 00A98075
    • WSASetLastError.WS2_32(00000008,?,?,?), ref: 00A980DF
    • WSAGetLastError.WS2_32(?,?,?), ref: 00A980FB
      • Part of subcall function 00A98325: RegisterWaitForSingleObject.KERNEL32(?,?,00A98164,?,000000FF,00000004), ref: 00A9838A
    • WSASetLastError.WS2_32(00000008,?,00000000,?,?,?,?,?), ref: 00A98124
      • Part of subcall function 00A8CC4F: memcpy.MSVCRT ref: 00A8CC64
      • Part of subcall function 00A8CC4F: SetEvent.KERNEL32 ref: 00A8CC74
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00458037
    • WSASetLastError.WS2_32(00000008), ref: 00458046
    • memcpy.MSVCRT ref: 00458063
    • memcpy.MSVCRT ref: 00458075
    • WSASetLastError.WS2_32(00000008,?,?,?), ref: 004580DF
    • WSAGetLastError.WS2_32(?,?,?), ref: 004580FB
      • Part of subcall function 00458325: RegisterWaitForSingleObject.KERNEL32(?,?,00458164,?,000000FF,00000004), ref: 0045838A
    • WSASetLastError.WS2_32(00000008,?,00000000,?,?,?,?,?), ref: 00458124
      • Part of subcall function 0044CC4F: memcpy.MSVCRT ref: 0044CC64
      • Part of subcall function 0044CC4F: SetEvent.KERNEL32 ref: 0044CC74
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • memset.MSVCRT ref: 00A7B106
    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,?,?,00000000), ref: 00A7B13E
    • memcpy.MSVCRT ref: 00A7B159
    • CloseHandle.KERNEL32(?), ref: 00A7B16E
    • CloseHandle.KERNEL32(00000000), ref: 00A7B174
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 00A9C09D: CreateMutexW.KERNEL32(00AA49B4,00000000), ref: 00A9C0BF
      • Part of subcall function 00A8204E: memcpy.MSVCRT ref: 00A8205C
      • Part of subcall function 00A88432: CreateFileW.KERNEL32(00DD1EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A8844B
      • Part of subcall function 00A88432: GetFileSizeEx.KERNEL32 ref: 00A8845E
      • Part of subcall function 00A88432: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00A88484
      • Part of subcall function 00A88432: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00A8849C
      • Part of subcall function 00A88432: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00A884BA
      • Part of subcall function 00A88432: CloseHandle.KERNEL32 ref: 00A884C3
    • memset.MSVCRT ref: 00A8B42B
    • memcpy.MSVCRT ref: 00A8B457
      • Part of subcall function 00A96875: GetSystemTime.KERNEL32 ref: 00A9687F
      • Part of subcall function 00A824F3: HeapAlloc.KERNEL32(00000000,?,?,?,00A76328,?,?,00A98D10,?,?,?,?,0000FFFF), ref: 00A8251D
      • Part of subcall function 00A824F3: HeapReAlloc.KERNEL32(00000000,?,?,?,?,00A76328,?,?,00A98D10,?,?,?,?,0000FFFF), ref: 00A82530
      • Part of subcall function 00A771D5: memcpy.MSVCRT ref: 00A772E6
    • CreateFileW.KERNEL32(00A6AF54,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 00A8B55C
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00A8B578
      • Part of subcall function 00A95934: CloseHandle.KERNEL32 ref: 00A95940
      • Part of subcall function 00A7766D: ReleaseMutex.KERNEL32 ref: 00A77671
      • Part of subcall function 00A7766D: CloseHandle.KERNEL32 ref: 00A77678
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
      • Part of subcall function 00A8B161: memset.MSVCRT ref: 00A8B170
      • Part of subcall function 00A8B161: memset.MSVCRT ref: 00A8B1B3
      • Part of subcall function 00A8B161: memset.MSVCRT ref: 00A8B1E9
      • Part of subcall function 00A90370: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00A9037F
      • Part of subcall function 00A8FE5C: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00A8FEC2
      • Part of subcall function 00A8FE5C: memcpy.MSVCRT ref: 00A8FEDC
      • Part of subcall function 00A8FE5C: VirtualProtect.KERNEL32(?,?,00000002,-00000048), ref: 00A8FEEF
      • Part of subcall function 00A8FE5C: memset.MSVCRT ref: 00A8FF46
      • Part of subcall function 00A8FE5C: memcpy.MSVCRT ref: 00A8FF5A
      • Part of subcall function 00A8FE5C: VirtualProtect.KERNEL32(?,?,?,-00000048), ref: 00A90049
      • Part of subcall function 00A773E0: memcmp.MSVCRT ref: 00A77489
      • Part of subcall function 00A884D3: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00A884E4
      • Part of subcall function 00A884D3: CloseHandle.KERNEL32 ref: 00A884F3
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0040245B
    • GetProcAddress.KERNEL32(?,InitializeCriticalSectionAndSpinCount), ref: 0040246B
    Strings
    Memory Dump Source
    • Source File: 00000002.00000000.251083961.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000000.251077299.00400000.00000002.sdmp
    • Associated: 00000002.00000000.251140485.00487000.00000002.sdmp
    • Associated: 00000002.00000000.251150254.00494000.00000008.sdmp
    • Associated: 00000002.00000000.251160158.004A1000.00000002.sdmp
    APIs
    • LoadLibraryW.KERNEL32(urlmon.dll), ref: 00A7C8D4
    • GetProcAddress.KERNEL32(?,ObtainUserAgentString), ref: 00A7C8EA
    • FreeLibrary.KERNEL32 ref: 00A7C935
      • Part of subcall function 00A824DA: HeapAlloc.KERNEL32(00000008,?,?,00A7B076,?,?,?,00000000,?,?,00000000,00A9AA69,?,00A9ADD5), ref: 00A824EB
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • LoadLibraryW.KERNEL32(urlmon.dll), ref: 0043C8D4
    • GetProcAddress.KERNEL32(?,ObtainUserAgentString), ref: 0043C8EA
    • FreeLibrary.KERNEL32 ref: 0043C935
      • Part of subcall function 004424DA: HeapAlloc.KERNEL32(00000008,?,?,0043B076,?,?,?,00000000,?,?,00000000,0045AA69,?,0045ADD5), ref: 004424EB
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(00AA5AA4,?,?,00A9AA21,?,00A9ADD5,?,?,?,00000001), ref: 00A81EE6
    • LeaveCriticalSection.KERNEL32(00AA5AA4,?,?,00A9AA21,?,00A9ADD5,?,?,?,00000001), ref: 00A81F0E
      • Part of subcall function 00A81E94: GetModuleHandleW.KERNEL32(shell32.dll), ref: 00A81EA2
      • Part of subcall function 00A81E94: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00A81EAE
      • Part of subcall function 00A81E94: SetLastError.KERNEL32(00000001,00A78F04,00AA47C0,?,00AA4DF4,00000000,00000006,00A9BD7A,00AA4DF4,-00000258,?,00000000), ref: 00A81EC6
    • IsWow64Process.KERNEL32(000000FF), ref: 00A81F37
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00465AA4,?,?,0045AA21,?,0045ADD5,?,?,?,00000001), ref: 00441EE6
    • LeaveCriticalSection.KERNEL32(00465AA4,?,?,0045AA21,?,0045ADD5,?,?,?,00000001), ref: 00441F0E
      • Part of subcall function 00441E94: GetModuleHandleW.KERNEL32(shell32.dll), ref: 00441EA2
      • Part of subcall function 00441E94: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00441EAE
      • Part of subcall function 00441E94: SetLastError.KERNEL32(00000001,00438F04,004647C0,?,00464DF4,00000000,00000006,0045BD7A,00464DF4,-00000258,?,00000000), ref: 00441EC6
    • IsWow64Process.KERNEL32(000000FF), ref: 00441F37
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • GetModuleHandleA.KERNEL32(mscoree.dll), ref: 004011FF
    • GetProcAddress.KERNEL32(?,CorExitProcess), ref: 0040120F
    • ExitProcess.KERNEL32(?), ref: 00401223
      • Part of subcall function 00401FF3: EnterCriticalSection.KERNEL32(?,?,?,00402331,00000004,00492318,0000000C,00401F0C,?,?,?,00000000,?,00401E30,?,00491DB0), ref: 0040201B
    Memory Dump Source
    • Source File: 00000002.00000001.251360999.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000001.251344960.00400000.00000002.sdmp
    • Associated: 00000002.00000001.251446617.00487000.00000002.sdmp
    • Associated: 00000002.00000001.251482026.00494000.00000008.sdmp
    • Associated: 00000002.00000001.251496928.00498000.00000004.sdmp
    • Associated: 00000002.00000001.252081534.00499000.00000008.sdmp
    APIs
      • Part of subcall function 00A82456: EnterCriticalSection.KERNEL32(00AA5AA4,00000028,00A824C9,?,00A9D211,?,?,00000000,?,?,00000001), ref: 00A82466
      • Part of subcall function 00A82456: LeaveCriticalSection.KERNEL32(00AA5AA4,?,00A9D211,?,?,00000000,?,?,00000001), ref: 00A82490
    • HeapAlloc.KERNEL32(00000000,00000028,?,00A9D211,?,?,00000000,?,?,00000001), ref: 00A824D2
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 00442456: EnterCriticalSection.KERNEL32(00465AA4,00000028,004424C9,?,0045D211,?,?,00000000,?,?,00000001), ref: 00442466
      • Part of subcall function 00442456: LeaveCriticalSection.KERNEL32(00465AA4,?,0045D211,?,?,00000000,?,?,00000001), ref: 00442490
    • HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A78F6F: memcpy.MSVCRT ref: 00A78FE0
      • Part of subcall function 00A78F6F: PathRemoveBackslashW.SHLWAPI ref: 00A78FEA
      • Part of subcall function 00A78F6F: memcpy.MSVCRT ref: 00A79033
      • Part of subcall function 00A78F6F: memcpy.MSVCRT ref: 00A79060
      • Part of subcall function 00A78F6F: PathRemoveBackslashW.SHLWAPI ref: 00A7906A
    • FindFirstFileW.KERNEL32 ref: 00A99555
    • SetLastError.KERNEL32(?,?,?,?,?,?,00A6AB64), ref: 00A99680
      • Part of subcall function 00A996F5: PathMatchSpecW.SHLWAPI(00000010), ref: 00A99722
      • Part of subcall function 00A996F5: PathMatchSpecW.SHLWAPI(00000010), ref: 00A99741
    • FindNextFileW.KERNEL32(?,?), ref: 00A9964A
    • GetLastError.KERNEL32(?,?,?,?,00A6AB64), ref: 00A99663
    • FindClose.KERNEL32 ref: 00A99679
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00438FE0
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 00438FEA
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439033
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439060
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 0043906A
    • FindFirstFileW.KERNEL32 ref: 00459555
    • SetLastError.KERNEL32(?,?,?,?,?,?,0042AB64), ref: 00459680
      • Part of subcall function 004596F5: PathMatchSpecW.SHLWAPI(00000010), ref: 00459722
      • Part of subcall function 004596F5: PathMatchSpecW.SHLWAPI(00000010), ref: 00459741
    • FindNextFileW.KERNEL32(?,?), ref: 0045964A
    • GetLastError.KERNEL32(?,?,?,?,0042AB64), ref: 00459663
    • FindClose.KERNEL32 ref: 00459679
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A7B764: EnterCriticalSection.KERNEL32(00AA5AA4,?,00A7B826,?,00A9C86A,00A8C4AB,00A8C4AB,?,00A8C4AB,?,00000001), ref: 00A7B774
      • Part of subcall function 00A7B764: LeaveCriticalSection.KERNEL32(00AA5AA4,?,00A7B826,?,00A9C86A,00A8C4AB,00A8C4AB,?,00A8C4AB,?,00000001), ref: 00A7B79E
    • socket.WS2_32(?,00000002,00000000), ref: 00A7C0DF
    • WSAIoctl.WS2_32(?,48000016,00000000,00000000,?,00000000,?,00000000,00000000), ref: 00A7C112
    • WSAGetLastError.WS2_32(?,48000016,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00000002,00000000,00000000,?,?), ref: 00A7C119
      • Part of subcall function 00A824DA: HeapAlloc.KERNEL32(00000008,?,?,00A7B076,?,?,?,00000000,?,?,00000000,00A9AA69,?,00A9ADD5), ref: 00A824EB
    • WSAIoctl.WS2_32(?,48000016,00000000,00000000,?,?,?,00000000,00000000), ref: 00A7C14D
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
    • closesocket.WS2_32 ref: 00A7C15D
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 0043B764: EnterCriticalSection.KERNEL32(00465AA4,?,0043B826,?,0045C86A,0044C4AB,0044C4AB,?,0044C4AB,?,00000001), ref: 0043B774
      • Part of subcall function 0043B764: LeaveCriticalSection.KERNEL32(00465AA4,?,0043B826,?,0045C86A,0044C4AB,0044C4AB,?,0044C4AB,?,00000001), ref: 0043B79E
    • socket.WS2_32(?,00000002,00000000), ref: 0043C0DF
    • WSAIoctl.WS2_32(?,48000016,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0043C112
    • WSAGetLastError.WS2_32(?,48000016,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00000002,00000000,00000000,?,?), ref: 0043C119
      • Part of subcall function 004424DA: HeapAlloc.KERNEL32(00000008,?,?,0043B076,?,?,?,00000000,?,?,00000000,0045AA69,?,0045ADD5), ref: 004424EB
    • WSAIoctl.WS2_32(?,48000016,00000000,00000000,?,?,?,00000000,00000000), ref: 0043C14D
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • closesocket.WS2_32 ref: 0043C15D
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A78F6F: memcpy.MSVCRT ref: 00A78FE0
      • Part of subcall function 00A78F6F: PathRemoveBackslashW.SHLWAPI ref: 00A78FEA
      • Part of subcall function 00A78F6F: memcpy.MSVCRT ref: 00A79033
      • Part of subcall function 00A78F6F: memcpy.MSVCRT ref: 00A79060
      • Part of subcall function 00A78F6F: PathRemoveBackslashW.SHLWAPI ref: 00A7906A
    • FindFirstFileW.KERNEL32(?), ref: 00A79170
      • Part of subcall function 00A95E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00A95E26
      • Part of subcall function 00A95E1D: DeleteFileW.KERNEL32 ref: 00A95E2D
    • FindNextFileW.KERNEL32(?,?), ref: 00A791C2
    • FindClose.KERNEL32 ref: 00A791CD
    • SetFileAttributesW.KERNEL32(?,00000080), ref: 00A791D9
    • RemoveDirectoryW.KERNEL32 ref: 00A791E0
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00459DED
      • Part of subcall function 004424C1: HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
      • Part of subcall function 0045985F: memset.MSVCRT ref: 0045990F
      • Part of subcall function 0045985F: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00459920
      • Part of subcall function 0045985F: VirtualAlloc.KERNEL32(?,=::=::\,00003000,00000040), ref: 00459954
      • Part of subcall function 0045985F: memset.MSVCRT ref: 00459994
      • Part of subcall function 0045985F: VirtualQuery.KERNEL32(?,?,0000001C), ref: 004599A5
      • Part of subcall function 0045985F: VirtualAlloc.KERNEL32(?,=::=::\,00003000,00000040), ref: 004599E5
      • Part of subcall function 0045985F: memset.MSVCRT ref: 00459A50
      • Part of subcall function 004564A4: SetLastError.KERNEL32(0000000D), ref: 004564DF
    • memcpy.MSVCRT ref: 00459F56
    • VirtualProtect.KERNEL32(?,?,00000040,00000000), ref: 00459FE2
    • GetLastError.KERNEL32(?,00000040,00000000,?,?,00000000), ref: 00459FEC
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 00459A67: memset.MSVCRT ref: 00459A78
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A78F6F: memcpy.MSVCRT ref: 00A78FE0
      • Part of subcall function 00A78F6F: PathRemoveBackslashW.SHLWAPI ref: 00A78FEA
      • Part of subcall function 00A78F6F: memcpy.MSVCRT ref: 00A79033
      • Part of subcall function 00A78F6F: memcpy.MSVCRT ref: 00A79060
      • Part of subcall function 00A78F6F: PathRemoveBackslashW.SHLWAPI ref: 00A7906A
    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00A90405
    • SetFileAttributesW.KERNEL32(?), ref: 00A90424
    • CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,?,00000000), ref: 00A9043B
    • GetLastError.KERNEL32 ref: 00A90448
    • CloseHandle.KERNEL32 ref: 00A90481
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00DD1F88,00DD1F88,?,?,?,00A9C6E4,?,?,?,?,?,00000009,00000000,?,?,6FFF0300), ref: 00A9C42A
    • LeaveCriticalSection.KERNEL32(00DD1F88,?,6FFF0300,?), ref: 00A9C511
      • Part of subcall function 00A824C1: HeapAlloc.KERNEL32(00000000,00000028,?,00A9D211,?,?,00000000,?,?,00000001), ref: 00A824D2
    • memcpy.MSVCRT ref: 00A9C49B
    • memcpy.MSVCRT ref: 00A9C4BF
    • memcpy.MSVCRT ref: 00A9C4D6
    • memcpy.MSVCRT ref: 00A9C4F6
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00000000,00000000,?,?,?,0045C6E4,?,?,?,?,?,00000009,00000000,?,?,00000000), ref: 0045C42A
    • LeaveCriticalSection.KERNEL32(00000000,?,00000000,?), ref: 0045C511
      • Part of subcall function 004424C1: HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
    • memcpy.MSVCRT ref: 0045C49B
    • memcpy.MSVCRT ref: 0045C4BF
    • memcpy.MSVCRT ref: 0045C4D6
    • memcpy.MSVCRT ref: 0045C4F6
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • PathFindFileNameW.SHLWAPI(?), ref: 00A84C02
      • Part of subcall function 00A79E88: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00A79E9D
      • Part of subcall function 00A79E88: StrCmpIW.SHLWAPI ref: 00A79EA7
    • CreateFileW.KERNEL32(?,80000000,00000007,?,00000003,00000080), ref: 00A84C31
      • Part of subcall function 00A824C1: HeapAlloc.KERNEL32(00000000,00000028,?,00A9D211,?,?,00000000,?,?,00000001), ref: 00A824D2
    • SetLastError.KERNEL32(00000057,?,?,00000003,00000080), ref: 00A84C96
      • Part of subcall function 00A95B34: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00A95B46
      • Part of subcall function 00A95934: CloseHandle.KERNEL32 ref: 00A95940
    • CharLowerW.USER32 ref: 00A84CF6
      • Part of subcall function 00A8204E: memcpy.MSVCRT ref: 00A8205C
      • Part of subcall function 00A9868E: EnterCriticalSection.KERNEL32(00AA5AA4,?,00A9AA5B,?,00A9ADD5,?,?,?,00000001), ref: 00A9869E
      • Part of subcall function 00A9868E: LeaveCriticalSection.KERNEL32(00AA5AA4,?,00A9AA5B,?,00A9ADD5,?,?,?,00000001), ref: 00A986C4
      • Part of subcall function 00A9570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00A9ABEA,00A9ABEA), ref: 00A9573C
      • Part of subcall function 00A78F6F: memcpy.MSVCRT ref: 00A78FE0
      • Part of subcall function 00A78F6F: PathRemoveBackslashW.SHLWAPI ref: 00A78FEA
      • Part of subcall function 00A78F6F: memcpy.MSVCRT ref: 00A79033
      • Part of subcall function 00A78F6F: memcpy.MSVCRT ref: 00A79060
      • Part of subcall function 00A78F6F: PathRemoveBackslashW.SHLWAPI ref: 00A7906A
    • memcmp.MSVCRT ref: 00A84E48
    • GetTickCount.KERNEL32 ref: 00A84E55
      • Part of subcall function 00A907EE: RegSetValueExW.ADVAPI32(00000000,000000FE,?,00000000,?,?), ref: 00A90823
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
      • Part of subcall function 00A95AB0: GetFileSizeEx.KERNEL32 ref: 00A95ABB
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • PathFindFileNameW.SHLWAPI(?), ref: 00444C02
      • Part of subcall function 00439E88: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00439E9D
      • Part of subcall function 00439E88: StrCmpIW.SHLWAPI ref: 00439EA7
    • CreateFileW.KERNEL32(?,80000000,00000007,?,00000003,00000080), ref: 00444C31
      • Part of subcall function 004424C1: HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
    • SetLastError.KERNEL32(00000057,?,?,00000003,00000080), ref: 00444C96
      • Part of subcall function 00455B34: ReadFile.KERNEL32(00000000,?,?,?,00000000), ref: 00455B46
      • Part of subcall function 00455934: CloseHandle.KERNEL32 ref: 00455940
    • CharLowerW.USER32 ref: 00444CF6
      • Part of subcall function 0044204E: memcpy.MSVCRT ref: 0044205C
      • Part of subcall function 0045868E: EnterCriticalSection.KERNEL32(00465AA4,?,0045AA5B,?,0045ADD5,?,?,?,00000001), ref: 0045869E
      • Part of subcall function 0045868E: LeaveCriticalSection.KERNEL32(00465AA4,?,0045AA5B,?,0045ADD5,?,?,?,00000001), ref: 004586C4
      • Part of subcall function 0045570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0045ABEA,0045ABEA), ref: 0045573C
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00438FE0
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 00438FEA
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439033
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439060
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 0043906A
    • memcmp.MSVCRT ref: 00444E48
    • GetTickCount.KERNEL32 ref: 00444E55
      • Part of subcall function 004507EE: RegSetValueExW.ADVAPI32(00000000,000000FE,?,00000000,?,?), ref: 00450823
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 00455AB0: GetFileSizeEx.KERNEL32(?,?), ref: 00455ABB
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 0045AECF
      • Part of subcall function 0044C90D: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 0044C93C
      • Part of subcall function 0044C90D: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0044C97B
      • Part of subcall function 0044C90D: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0044C9A2
    • DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 0045AF0A
    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0045AF4A
    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0045AF6D
      • Part of subcall function 0045A976: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 0045A999
      • Part of subcall function 0045A976: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0045A9B1
      • Part of subcall function 0045A976: DuplicateHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000001), ref: 0045A9CC
    • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0045AFBD
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00A8CB1D
      • Part of subcall function 00A7C830: HttpQueryInfoA.WININET(00A8CB41,40000009,?,?,00000000), ref: 00A7C897
      • Part of subcall function 00A7C830: memset.MSVCRT ref: 00A7C8AD
    • GetSystemTime.KERNEL32(?), ref: 00A8CB54
      • Part of subcall function 00A8B7FF: EnterCriticalSection.KERNEL32(00AA47FC,?,?,00A959A9,00000000), ref: 00A8B80C
      • Part of subcall function 00A8B7FF: LeaveCriticalSection.KERNEL32(00AA47FC,?,?,00A959A9,00000000), ref: 00A8B81A
    • Sleep.KERNEL32(000005DC), ref: 00A8CB6D
    • WaitForSingleObject.KERNEL32(?,000005DC), ref: 00A8CB76
    • lstrcpyA.KERNEL32 ref: 00A8CBD4
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 0044CB1D
      • Part of subcall function 0043C830: HttpQueryInfoA.WININET(0044CB41,40000009,?,?,00000000), ref: 0043C897
      • Part of subcall function 0043C830: memset.MSVCRT ref: 0043C8AD
    • GetSystemTime.KERNEL32(?), ref: 0044CB54
      • Part of subcall function 0044B7FF: EnterCriticalSection.KERNEL32(004647FC,?,?,004559A9,00000000), ref: 0044B80C
      • Part of subcall function 0044B7FF: LeaveCriticalSection.KERNEL32(004647FC,?,?,004559A9,00000000), ref: 0044B81A
    • Sleep.KERNEL32(000005DC), ref: 0044CB6D
    • WaitForSingleObject.KERNEL32(?,000005DC), ref: 0044CB76
    • lstrcpyA.KERNEL32 ref: 0044CBD4
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A7B7D0: socket.WS2_32(?,?,00000006), ref: 00A7B804
    • connect.WS2_32(?,?), ref: 00A7BB93
    • WSAGetLastError.WS2_32(?,00000000,?,?,?,00A8C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 00A7BBA2
    • WSASetLastError.WS2_32(00000000), ref: 00A7BC00
      • Part of subcall function 00A7B979: shutdown.WS2_32(?,00000002), ref: 00A7B987
      • Part of subcall function 00A7B979: closesocket.WS2_32 ref: 00A7B990
      • Part of subcall function 00A7B979: WSACloseEvent.WS2_32 ref: 00A7B9A3
      • Part of subcall function 00A7B928: WSACreateEvent.WS2_32(00000000,?,00A7BB6E,00000033,00000000,?,?,?,00A8C4F0,?,00003A98,?,00000000,?,00000003), ref: 00A7B93E
      • Part of subcall function 00A7B928: WSAEventSelect.WS2_32(?,?,00000033), ref: 00A7B954
      • Part of subcall function 00A7B928: WSACloseEvent.WS2_32 ref: 00A7B968
    • WSASetLastError.WS2_32(?,?,?,?,00A8C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 00A7BBC0
    • WSAGetLastError.WS2_32(?,?,?,00A8C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 00A7BBC2
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 0043B7D0: socket.WS2_32(?,?,00000006), ref: 0043B804
    • connect.WS2_32(?,?), ref: 0043BB93
    • WSAGetLastError.WS2_32(?,00000000,?,?,?,0044C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 0043BBA2
    • WSASetLastError.WS2_32(00000000), ref: 0043BC00
      • Part of subcall function 0043B979: shutdown.WS2_32(?,00000002), ref: 0043B987
      • Part of subcall function 0043B979: closesocket.WS2_32 ref: 0043B990
      • Part of subcall function 0043B979: WSACloseEvent.WS2_32 ref: 0043B9A3
      • Part of subcall function 0043B928: WSACreateEvent.WS2_32(00000000,?,0043BB6E,00000033,00000000,?,?,?,0044C4F0,?,00003A98,?,00000000,?,00000003), ref: 0043B93E
      • Part of subcall function 0043B928: WSAEventSelect.WS2_32(?,?,00000033), ref: 0043B954
      • Part of subcall function 0043B928: WSACloseEvent.WS2_32 ref: 0043B968
    • WSASetLastError.WS2_32(?,?,?,?,0044C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 0043BBC0
    • WSAGetLastError.WS2_32(?,?,?,0044C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 0043BBC2
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(00DD201C,?,?,?,00A9B2F2,?,?,00000001), ref: 00A78DEF
    • LeaveCriticalSection.KERNEL32(00DD201C,?,?,?,00A9B2F2,?,?,00000001), ref: 00A78DF9
    • WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00A78E1F
    • EnterCriticalSection.KERNEL32(00DD201C,?,?,?,00A9B2F2,?,?,00000001), ref: 00A78E37
    • LeaveCriticalSection.KERNEL32(00DD201C,?,?,?,00A9B2F2,?,?,00000001), ref: 00A78E41
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(0000000C,?,?,?,0045B2F2,?,?,00000001), ref: 00438DEF
    • LeaveCriticalSection.KERNEL32(0000000C,?,?,?,0045B2F2,?,?,00000001), ref: 00438DF9
    • WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00438E1F
    • EnterCriticalSection.KERNEL32(0000000C,?,?,?,0045B2F2,?,?,00000001), ref: 00438E37
    • LeaveCriticalSection.KERNEL32(0000000C,?,?,?,0045B2F2,?,?,00000001), ref: 00438E41
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • memset.MSVCRT ref: 00A7865F
      • Part of subcall function 00A79F5F: memcpy.MSVCRT ref: 00A79F99
    • CharLowerW.USER32 ref: 00A786A3
    • CharUpperW.USER32(?,?,00000001), ref: 00A786B4
    • CharLowerW.USER32 ref: 00A786C8
    • CharUpperW.USER32(?,00000001), ref: 00A786D2
    • memcmp.MSVCRT ref: 00A786E7
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • memset.MSVCRT ref: 0043865F
      • Part of subcall function 00439F5F: memcpy.MSVCRT ref: 00439F99
    • CharLowerW.USER32 ref: 004386A3
    • CharUpperW.USER32(?,?,00000001), ref: 004386B4
    • CharLowerW.USER32 ref: 004386C8
    • CharUpperW.USER32(?,00000001), ref: 004386D2
    • memcmp.MSVCRT ref: 004386E7
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A76A4D: TlsSetValue.KERNEL32(00000001,00A8A796), ref: 00A76A5A
      • Part of subcall function 00A8CC26: ResetEvent.KERNEL32 ref: 00A8CC42
    • WSAGetOverlappedResult.WS2_32(?,?,?,00000000), ref: 00A981AA
    • WSAGetLastError.WS2_32(?,?,?,00000000), ref: 00A981B4
    • WSAGetLastError.WS2_32(?,?,?,00000000), ref: 00A982BD
    • WSAGetLastError.WS2_32(?,?,?,00000000), ref: 00A982C6
    • UnregisterWait.KERNEL32(?), ref: 00A982EB
    • TlsSetValue.KERNEL32(00000000), ref: 00A98316
      • Part of subcall function 00A8CC4F: memcpy.MSVCRT ref: 00A8CC64
      • Part of subcall function 00A8CC4F: SetEvent.KERNEL32 ref: 00A8CC74
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 00436A4D: TlsSetValue.KERNEL32(00000001,0044A796), ref: 00436A5A
      • Part of subcall function 0044CC26: ResetEvent.KERNEL32 ref: 0044CC42
    • WSAGetOverlappedResult.WS2_32(?,?,?,00000000), ref: 004581AA
    • WSAGetLastError.WS2_32(?,?,?,00000000), ref: 004581B4
    • WSAGetLastError.WS2_32(?,?,?,00000000), ref: 004582BD
    • WSAGetLastError.WS2_32(?,?,?,00000000), ref: 004582C6
    • UnregisterWait.KERNEL32(?), ref: 004582EB
    • TlsSetValue.KERNEL32(00000000), ref: 00458316
      • Part of subcall function 0044CC4F: memcpy.MSVCRT ref: 0044CC64
      • Part of subcall function 0044CC4F: SetEvent.KERNEL32 ref: 0044CC74
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • GetStartupInfoA.KERNEL32 ref: 0040193F
    • GetFileType.KERNEL32 ref: 004019E9
    • GetStdHandle.KERNEL32(000000F6), ref: 00401A6A
    • GetFileType.KERNEL32 ref: 00401A78
      • Part of subcall function 00402438: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0040245B
      • Part of subcall function 00402438: GetProcAddress.KERNEL32(?,InitializeCriticalSectionAndSpinCount), ref: 0040246B
    • SetHandleCount.KERNEL32 ref: 00401AD0
    Memory Dump Source
    • Source File: 00000002.00000000.251083961.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000000.251077299.00400000.00000002.sdmp
    • Associated: 00000002.00000000.251140485.00487000.00000002.sdmp
    • Associated: 00000002.00000000.251150254.00494000.00000008.sdmp
    • Associated: 00000002.00000000.251160158.004A1000.00000002.sdmp
    APIs
    • memset.MSVCRT ref: 00A9BE2B
    • GetComputerNameW.KERNEL32 ref: 00A9BE5F
    • GetVersionExW.KERNEL32 ref: 00A9BE88
    • memset.MSVCRT ref: 00A9BEA7
      • Part of subcall function 00A90775: RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A9079C
      • Part of subcall function 00A90755: RegFlushKey.ADVAPI32 ref: 00A90765
      • Part of subcall function 00A90755: RegCloseKey.ADVAPI32 ref: 00A9076D
      • Part of subcall function 00A993C4: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00A99433
      • Part of subcall function 00A993C4: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00A99458
    • memset.MSVCRT ref: 00A9BFAC
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
      • Part of subcall function 00A99393: CryptDestroyHash.ADVAPI32 ref: 00A993AB
      • Part of subcall function 00A99393: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00A993BC
      • Part of subcall function 00A9946B: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 00A994AA
      • Part of subcall function 00A90A1D: RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 00A90A3A
      • Part of subcall function 00A908A8: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00A90903
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • CertOpenSystemStoreW.CRYPT32(00000000), ref: 00443205
    • CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00443223
    • CertEnumCertificatesInStore.CRYPT32(?,?,?,00000000), ref: 00443230
    • PFXExportCertStoreEx.CRYPT32(?,00000000,00000000,00000000,00000004,?,?,?,00000000), ref: 00443264
      • Part of subcall function 004424C1: HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
    • PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000000,00000000,00000004,?,?,?,00000000), ref: 00443296
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 004432D5: GetUserNameExW.SECUR32(00000002), ref: 00443303
      • Part of subcall function 004432D5: GetSystemTime.KERNEL32 ref: 00443356
      • Part of subcall function 004432D5: CharLowerW.USER32(?), ref: 004433A6
      • Part of subcall function 004432D5: PathRenameExtensionW.SHLWAPI(?), ref: 004433D6
    • CertCloseStore.CRYPT32(?,00000000,?,00000000), ref: 004432C5
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,?,00000004,00A9FD90,00000000,?,?,?,?,?,?,?,00A9EA72), ref: 00A9FC78
    • HeapCreate.KERNEL32(00040001,00000000,00000000), ref: 00A9FCB2
    • HeapAlloc.KERNEL32(?,00000000,0000000B,?,?,?,?,00000004,00A9FD90,00000000), ref: 00A9FCCF
    • HeapFree.KERNEL32(?,00000000,?,?,00000000,0000000B,?,?,?,?,00000004,00A9FD90,00000000), ref: 00A9FCF7
    • memcpy.MSVCRT ref: 00A9FD07
      • Part of subcall function 00A76D72: EnterCriticalSection.KERNEL32(00AA468C,00000000,00A84F6E,?,000000FF), ref: 00A76D7E
      • Part of subcall function 00A76D72: LeaveCriticalSection.KERNEL32(00AA468C,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00DD1EF0), ref: 00A76D8E
      • Part of subcall function 00A99DDC: GetCurrentThreadId.KERNEL32 ref: 00A99DED
      • Part of subcall function 00A99DDC: memcpy.MSVCRT ref: 00A99F56
      • Part of subcall function 00A99DDC: VirtualProtect.KERNEL32(?,?,00000040,00000000), ref: 00A99FE2
      • Part of subcall function 00A99DDC: GetLastError.KERNEL32(?,00000040,00000000,?,?,00000000), ref: 00A99FEC
      • Part of subcall function 00A76D9C: LeaveCriticalSection.KERNEL32(00AA468C,00A76E01,00000001,00000000,00000000,?,00A84F82,00000001,00000000,?,000000FF), ref: 00A76DA6
      • Part of subcall function 00A76DAD: LeaveCriticalSection.KERNEL32(00AA468C,?,00A76E13,00000001,00000000,00000000,?,00A84F82,00000001,00000000,?,000000FF), ref: 00A76DBA
    • LeaveCriticalSection.KERNEL32(?,?,00000000,0000000B,?,?,?,?,00000004,00A9FD90,00000000), ref: 00A9FD4B
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,?,00000004,0045FD90,00000000,?,?,?,?,?,?,?,0045EA72), ref: 0045FC78
    • HeapCreate.KERNEL32(00040001,00000000,00000000), ref: 0045FCB2
    • HeapAlloc.KERNEL32(?,00000000,0000000B,?,?,?,?,00000004,0045FD90,00000000), ref: 0045FCCF
    • HeapFree.KERNEL32(?,00000000,?,?,00000000,0000000B,?,?,?,?,00000004,0045FD90,00000000), ref: 0045FCF7
    • memcpy.MSVCRT ref: 0045FD07
      • Part of subcall function 00436D72: EnterCriticalSection.KERNEL32(0046468C,00000000,00444F6E,?,000000FF), ref: 00436D7E
      • Part of subcall function 00436D72: LeaveCriticalSection.KERNEL32(0046468C,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,009B1EF0), ref: 00436D8E
      • Part of subcall function 00459DDC: GetCurrentThreadId.KERNEL32 ref: 00459DED
      • Part of subcall function 00459DDC: memcpy.MSVCRT ref: 00459F56
      • Part of subcall function 00459DDC: VirtualProtect.KERNEL32(?,?,00000040,00000000), ref: 00459FE2
      • Part of subcall function 00459DDC: GetLastError.KERNEL32(?,00000040,00000000,?,?,00000000), ref: 00459FEC
      • Part of subcall function 00436D9C: LeaveCriticalSection.KERNEL32(0046468C,00436E01,00000001,00000000,00000000,?,00444F82,00000001,00000000,?,000000FF), ref: 00436DA6
      • Part of subcall function 00436DAD: LeaveCriticalSection.KERNEL32(0046468C,?,00436E13,00000001,00000000,00000000,?,00444F82,00000001,00000000,?,000000FF), ref: 00436DBA
    • LeaveCriticalSection.KERNEL32(?,?,00000000,0000000B,?,?,?,?,00000004,0045FD90,00000000), ref: 0045FD4B
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,77C475F0), ref: 00A88A9B
      • Part of subcall function 00A97CEC: WaitForSingleObject.KERNEL32(?,00000000), ref: 00A97CF8
    • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,77C475F0), ref: 00A88B2D
      • Part of subcall function 00A88626: getsockopt.WS2_32(?,0000FFFF,00001008,00A69417,00A69417), ref: 00A886B2
      • Part of subcall function 00A88626: GetHandleInformation.KERNEL32 ref: 00A886C4
      • Part of subcall function 00A88626: socket.WS2_32(?,00000001,00000006), ref: 00A886F7
      • Part of subcall function 00A88626: socket.WS2_32(?,00000002,00000011), ref: 00A88708
      • Part of subcall function 00A88626: closesocket.WS2_32(?), ref: 00A88727
      • Part of subcall function 00A88626: closesocket.WS2_32 ref: 00A8872E
      • Part of subcall function 00A88626: memset.MSVCRT ref: 00A887F2
      • Part of subcall function 00A88626: memcpy.MSVCRT ref: 00A88902
    • SetEvent.KERNEL32 ref: 00A88B80
    • SetEvent.KERNEL32 ref: 00A88BB9
      • Part of subcall function 00A97CD3: SetEvent.KERNEL32 ref: 00A97CE3
    • LeaveCriticalSection.KERNEL32(?,?,?,?,77C475F0), ref: 00A88C3E
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,77C475F0), ref: 00448A9B
      • Part of subcall function 00457CEC: WaitForSingleObject.KERNEL32(?,00000000), ref: 00457CF8
    • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,77C475F0), ref: 00448B2D
      • Part of subcall function 00448626: getsockopt.WS2_32(?,0000FFFF,00001008,00429417,00429417), ref: 004486B2
      • Part of subcall function 00448626: GetHandleInformation.KERNEL32 ref: 004486C4
      • Part of subcall function 00448626: socket.WS2_32(?,00000001,00000006), ref: 004486F7
      • Part of subcall function 00448626: socket.WS2_32(?,00000002,00000011), ref: 00448708
      • Part of subcall function 00448626: closesocket.WS2_32(?), ref: 00448727
      • Part of subcall function 00448626: closesocket.WS2_32 ref: 0044872E
      • Part of subcall function 00448626: memset.MSVCRT ref: 004487F2
      • Part of subcall function 00448626: memcpy.MSVCRT ref: 00448902
    • SetEvent.KERNEL32 ref: 00448B80
    • SetEvent.KERNEL32 ref: 00448BB9
      • Part of subcall function 00457CD3: SetEvent.KERNEL32 ref: 00457CE3
    • LeaveCriticalSection.KERNEL32(?,?,?,?,77C475F0), ref: 00448C3E
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A9ACAD: GetModuleHandleW.KERNEL32(00000000), ref: 00A9ACF4
      • Part of subcall function 00A9ACAD: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00A9AD59
      • Part of subcall function 00A9ACAD: Process32FirstW.KERNEL32 ref: 00A9AD74
      • Part of subcall function 00A9ACAD: PathFindFileNameW.SHLWAPI ref: 00A9AD87
      • Part of subcall function 00A9ACAD: StrCmpNIW.SHLWAPI(rapport,?,00000007), ref: 00A9AD99
      • Part of subcall function 00A9ACAD: Process32NextW.KERNEL32(?,?), ref: 00A9ADA9
      • Part of subcall function 00A9ACAD: CloseHandle.KERNEL32 ref: 00A9ADB4
      • Part of subcall function 00A9ACAD: WSAStartup.WS2_32(00000202), ref: 00A9ADC4
      • Part of subcall function 00A9ACAD: CreateEventW.KERNEL32(00AA49B4,00000001,00000000,00000000), ref: 00A9ADEC
      • Part of subcall function 00A9ACAD: GetLengthSid.ADVAPI32(?,?,?,?,00000001), ref: 00A9AE22
      • Part of subcall function 00A9ACAD: GetCurrentProcessId.KERNEL32 ref: 00A9AE4D
    • SetErrorMode.KERNEL32(00008007), ref: 00A9B851
    • GetCommandLineW.KERNEL32 ref: 00A9B85D
    • CommandLineToArgvW.SHELL32 ref: 00A9B864
    • LocalFree.KERNEL32 ref: 00A9B8A1
    • ExitProcess.KERNEL32(00000001), ref: 00A9B8B2
      • Part of subcall function 00A9B4AA: CreateMutexW.KERNEL32(00AA49B4,00000001), ref: 00A9B550
      • Part of subcall function 00A9B4AA: GetLastError.KERNEL32(?,38901130,?,00000001,?,?,00000001,?,?,?,00A9B8C7), ref: 00A9B560
      • Part of subcall function 00A9B4AA: CloseHandle.KERNEL32 ref: 00A9B56E
      • Part of subcall function 00A9B4AA: lstrlenW.KERNEL32 ref: 00A9B5D0
      • Part of subcall function 00A9B4AA: ExitWindowsEx.USER32(00000014,80000000), ref: 00A9B615
      • Part of subcall function 00A9B4AA: OpenEventW.KERNEL32(00000002,00000000), ref: 00A9B63B
      • Part of subcall function 00A9B4AA: SetEvent.KERNEL32 ref: 00A9B648
      • Part of subcall function 00A9B4AA: CloseHandle.KERNEL32 ref: 00A9B64F
      • Part of subcall function 00A9B4AA: Sleep.KERNEL32(00007530), ref: 00A9B674
      • Part of subcall function 00A9B4AA: InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000001,80000000), ref: 00A9B68C
      • Part of subcall function 00A9B4AA: Sleep.KERNEL32(000000FF), ref: 00A9B694
      • Part of subcall function 00A9B4AA: CloseHandle.KERNEL32 ref: 00A9B697
      • Part of subcall function 00A9B4AA: IsWellKnownSid.ADVAPI32(00DD1EC0,00000016), ref: 00A9B6E5
      • Part of subcall function 00A9B4AA: CreateEventW.KERNEL32(00AA49B4,00000001,00000000), ref: 00A9B7B4
      • Part of subcall function 00A9B4AA: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00A9B7CD
      • Part of subcall function 00A9B4AA: WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,000000FF), ref: 00A9B7DF
      • Part of subcall function 00A9B4AA: CloseHandle.KERNEL32(00000000), ref: 00A9B7F6
      • Part of subcall function 00A9B4AA: CloseHandle.KERNEL32(?), ref: 00A9B7FC
      • Part of subcall function 00A9B4AA: CloseHandle.KERNEL32(?), ref: 00A9B802
    • Sleep.KERNEL32(000000FF), ref: 00A9B8D8
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 00A7BA34: getsockopt.WS2_32(?,0000FFFF,00002004), ref: 00A7BA5A
      • Part of subcall function 00A83A22: select.WS2_32(00000000,?,00000000,00000000), ref: 00A83A81
      • Part of subcall function 00A83A22: recv.WS2_32(?,?,?,00000000), ref: 00A83A91
    • getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 00A8EDB2
    • memcpy.MSVCRT ref: 00A8EDEA
    • FreeAddrInfoW.WS2_32(?), ref: 00A8EDF8
    • memset.MSVCRT ref: 00A8EE13
      • Part of subcall function 00A8EC55: getpeername.WS2_32(?,?,?), ref: 00A8EC79
      • Part of subcall function 00A8EC55: getsockname.WS2_32(?,?,?), ref: 00A8EC91
      • Part of subcall function 00A8EC55: send.WS2_32(00000000,00000000,00000008,00000000), ref: 00A8ECC2
      • Part of subcall function 00A83BBE: socket.WS2_32(?,00000001,00000006), ref: 00A83BCA
      • Part of subcall function 00A83BBE: bind.WS2_32 ref: 00A83BE7
      • Part of subcall function 00A83BBE: listen.WS2_32(?,00000001), ref: 00A83BF4
      • Part of subcall function 00A83BBE: WSAGetLastError.WS2_32(?,?,?,?,00000001,00000006,?,?,00A8EE5F,?,?,?), ref: 00A83BFE
      • Part of subcall function 00A83BBE: closesocket.WS2_32 ref: 00A83C07
      • Part of subcall function 00A83BBE: WSASetLastError.WS2_32(?,?,?,?,?,?,00000001,00000006,?,?,00A8EE5F,?,?,?), ref: 00A83C0E
      • Part of subcall function 00A83D73: accept.WS2_32(?,00000000), ref: 00A83D94
      • Part of subcall function 00A83AD3: socket.WS2_32(?,00000001,00000006), ref: 00A83ADF
      • Part of subcall function 00A83AD3: connect.WS2_32 ref: 00A83AFC
      • Part of subcall function 00A83AD3: closesocket.WS2_32 ref: 00A83B07
      • Part of subcall function 00A7C06E: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 00A7C082
      • Part of subcall function 00A83C1C: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00A83C44
      • Part of subcall function 00A83C1C: recv.WS2_32(?,?,00000400,00000000), ref: 00A83C70
      • Part of subcall function 00A83C1C: send.WS2_32(?,?,?,00000000), ref: 00A83C92
      • Part of subcall function 00A83C1C: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00A83CBF
      • Part of subcall function 00A83D9E: shutdown.WS2_32(?,00000002), ref: 00A83DA9
      • Part of subcall function 00A83D9E: closesocket.WS2_32 ref: 00A83DB0
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 0043BA34: getsockopt.WS2_32(?,0000FFFF,00002004), ref: 0043BA5A
      • Part of subcall function 00443A22: select.WS2_32(00000000,?,00000000,00000000), ref: 00443A81
      • Part of subcall function 00443A22: recv.WS2_32(?,?,?,00000000), ref: 00443A91
    • getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 0044EDB2
    • memcpy.MSVCRT ref: 0044EDEA
    • FreeAddrInfoW.WS2_32(?), ref: 0044EDF8
    • memset.MSVCRT ref: 0044EE13
      • Part of subcall function 0044EC55: getpeername.WS2_32(?,?,?), ref: 0044EC79
      • Part of subcall function 0044EC55: getsockname.WS2_32(?,?,?), ref: 0044EC91
      • Part of subcall function 0044EC55: send.WS2_32(00000000,00000000,00000008,00000000), ref: 0044ECC2
      • Part of subcall function 00443BBE: socket.WS2_32(?,00000001,00000006), ref: 00443BCA
      • Part of subcall function 00443BBE: bind.WS2_32 ref: 00443BE7
      • Part of subcall function 00443BBE: listen.WS2_32(?,00000001), ref: 00443BF4
      • Part of subcall function 00443BBE: WSAGetLastError.WS2_32(?,?,?,?,00000001,00000006,?,?,0044EE5F,?,?,?), ref: 00443BFE
      • Part of subcall function 00443BBE: closesocket.WS2_32 ref: 00443C07
      • Part of subcall function 00443BBE: WSASetLastError.WS2_32(?,?,?,?,?,?,00000001,00000006,?,?,0044EE5F,?,?,?), ref: 00443C0E
      • Part of subcall function 00443D73: accept.WS2_32(?,00000000), ref: 00443D94
      • Part of subcall function 00443AD3: socket.WS2_32(?,00000001,00000006), ref: 00443ADF
      • Part of subcall function 00443AD3: connect.WS2_32 ref: 00443AFC
      • Part of subcall function 00443AD3: closesocket.WS2_32 ref: 00443B07
      • Part of subcall function 0043C06E: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0043C082
      • Part of subcall function 00443C1C: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00443C44
      • Part of subcall function 00443C1C: recv.WS2_32(?,?,00000400,00000000), ref: 00443C70
      • Part of subcall function 00443C1C: send.WS2_32(?,?,?,00000000), ref: 00443C92
      • Part of subcall function 00443C1C: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00443CBF
      • Part of subcall function 00443D9E: shutdown.WS2_32(?,00000002), ref: 00443DA9
      • Part of subcall function 00443D9E: closesocket.WS2_32 ref: 00443DB0
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A9868E: EnterCriticalSection.KERNEL32(00AA5AA4,?,00A9AA5B,?,00A9ADD5,?,?,?,00000001), ref: 00A9869E
      • Part of subcall function 00A9868E: LeaveCriticalSection.KERNEL32(00AA5AA4,?,00A9AA5B,?,00A9ADD5,?,?,?,00000001), ref: 00A986C4
    • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00A854CE
    • GetProcAddress.KERNEL32(?,GetProductInfo), ref: 00A854DE
    • GetSystemDefaultUILanguage.KERNEL32(?,?,?,00A851C2), ref: 00A85519
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 0045868E: EnterCriticalSection.KERNEL32(00465AA4,?,0045AA5B,?,0045ADD5,?,?,?,00000001), ref: 0045869E
      • Part of subcall function 0045868E: LeaveCriticalSection.KERNEL32(00465AA4,?,0045AA5B,?,0045ADD5,?,?,?,00000001), ref: 004586C4
    • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 004454CE
    • GetProcAddress.KERNEL32(?,GetProductInfo), ref: 004454DE
    • GetSystemDefaultUILanguage.KERNEL32(?,?,?,004451C2), ref: 00445519
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0040245B
    • GetProcAddress.KERNEL32(?,InitializeCriticalSectionAndSpinCount), ref: 0040246B
    Strings
    • kernel32.dll, xrefs: 00402456
    • InitializeCriticalSectionAndSpinCount, xrefs: 00402465
    Memory Dump Source
    • Source File: 00000002.00000001.251360999.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000001.251344960.00400000.00000002.sdmp
    • Associated: 00000002.00000001.251446617.00487000.00000002.sdmp
    • Associated: 00000002.00000001.251482026.00494000.00000008.sdmp
    • Associated: 00000002.00000001.251496928.00498000.00000004.sdmp
    • Associated: 00000002.00000001.252081534.00499000.00000008.sdmp
    APIs
    • GetCurrentProcess.KERNEL32 ref: 00459824
    • VirtualProtect.KERNEL32(00000000,=::=::\,00000020), ref: 00459845
    • FlushInstructionCache.KERNEL32(?,00000000,=::=::\), ref: 0045984E
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • GetTempPathW.KERNEL32(00000104), ref: 00A91B17
    • lstrcpyA.KERNEL32(?,00A6C28A,00000000,00A91DA8,?,?,?,00A91DA8,?,?,?,?,?,?,?,00A9A7AA), ref: 00A91BAE
    • lstrcpynA.KERNEL32(?,?\C,00000003,?,00A6C28A,00000000,00A91DA8,?,?,?,00A91DA8), ref: 00A91BC4
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • GetTempPathW.KERNEL32(00000104), ref: 00451B17
    • lstrcpyA.KERNEL32(?,0042C28A,00000000,00451DA8,?,?,?,00451DA8,?,?,?,?,?,?,?,0045A7AA), ref: 00451BAE
    • lstrcpynA.KERNEL32(?,?\C,00000003,?,0042C28A,00000000,00451DA8,?,?,?,00451DA8), ref: 00451BC4
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • VerQueryValueW.VERSION(?,\VarFileInfo\Translation), ref: 00A84FEE
    • VerQueryValueW.VERSION(?,?,?,?,\VarFileInfo\Translation), ref: 00A8505B
      • Part of subcall function 00A79E88: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00A79E9D
      • Part of subcall function 00A79E88: StrCmpIW.SHLWAPI ref: 00A79EA7
    Strings
    • \VarFileInfo\Translation, xrefs: 00A84FE7
    • \StringFileInfo\%04x%04x\%s, xrefs: 00A85030
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • VerQueryValueW.VERSION(?,\VarFileInfo\Translation), ref: 00444FEE
    • VerQueryValueW.VERSION(?,?,?,?,\VarFileInfo\Translation), ref: 0044505B
      • Part of subcall function 00439E88: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00439E9D
      • Part of subcall function 00439E88: StrCmpIW.SHLWAPI ref: 00439EA7
    Strings
    • \StringFileInfo\%04x%04x\%s, xrefs: 00445030
    • \VarFileInfo\Translation, xrefs: 00444FE7
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • GetProcAddress.KERNEL32(?,GdipCreateBitmapFromHBITMAP), ref: 00A9129A
    • GetProcAddress.KERNEL32(?,GdipDisposeImage), ref: 00A912A5
      • Part of subcall function 00A912E6: GetProcAddress.KERNEL32(?,GdipGetImageEncodersSize), ref: 00A91304
      • Part of subcall function 00A912E6: GetProcAddress.KERNEL32(?,GdipGetImageEncoders), ref: 00A9130F
      • Part of subcall function 00A912E6: GetProcAddress.KERNEL32(?,GdipSaveImageToStream), ref: 00A9131A
      • Part of subcall function 00A912E6: lstrcmpiW.KERNEL32(?), ref: 00A913A7
      • Part of subcall function 00A912E6: memcpy.MSVCRT ref: 00A913CA
      • Part of subcall function 00A912E6: CreateStreamOnHGlobal.OLE32(00000000,00000001), ref: 00A913F5
      • Part of subcall function 00A912E6: memcpy.MSVCRT ref: 00A91423
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • GetProcAddress.KERNEL32(?,GdipCreateBitmapFromHBITMAP), ref: 0045129A
    • GetProcAddress.KERNEL32(?,GdipDisposeImage), ref: 004512A5
      • Part of subcall function 004512E6: GetProcAddress.KERNEL32(?,GdipGetImageEncodersSize), ref: 00451304
      • Part of subcall function 004512E6: GetProcAddress.KERNEL32(?,GdipGetImageEncoders), ref: 0045130F
      • Part of subcall function 004512E6: GetProcAddress.KERNEL32(?,GdipSaveImageToStream), ref: 0045131A
      • Part of subcall function 004512E6: lstrcmpiW.KERNEL32(?), ref: 004513A7
      • Part of subcall function 004512E6: memcpy.MSVCRT ref: 004513CA
      • Part of subcall function 004512E6: CreateStreamOnHGlobal.OLE32(00000000,00000001), ref: 004513F5
      • Part of subcall function 004512E6: memcpy.MSVCRT ref: 00451423
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00A8A111), ref: 00A893BE
    • LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00A8A111), ref: 00A894E9
      • Part of subcall function 00A81A4F: memcmp.MSVCRT ref: 00A81A6B
    • memcpy.MSVCRT ref: 00A89419
    • LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00A8A111,?,00000002), ref: 00A89429
      • Part of subcall function 00A8B7FF: EnterCriticalSection.KERNEL32(00AA47FC,?,?,00A959A9,00000000), ref: 00A8B80C
      • Part of subcall function 00A8B7FF: LeaveCriticalSection.KERNEL32(00AA47FC,?,?,00A959A9,00000000), ref: 00A8B81A
    • EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 00A8945D
      • Part of subcall function 00A96875: GetSystemTime.KERNEL32 ref: 00A9687F
      • Part of subcall function 00A81728: memcpy.MSVCRT ref: 00A81771
      • Part of subcall function 00A81858: memcpy.MSVCRT ref: 00A81935
      • Part of subcall function 00A81858: memcpy.MSVCRT ref: 00A81956
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0044A111), ref: 004493BE
    • LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0044A111), ref: 004494E9
      • Part of subcall function 00441A4F: memcmp.MSVCRT ref: 00441A6B
    • memcpy.MSVCRT ref: 00449419
    • LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0044A111,?,00000002), ref: 00449429
      • Part of subcall function 0044B7FF: EnterCriticalSection.KERNEL32(004647FC,?,?,004559A9,00000000), ref: 0044B80C
      • Part of subcall function 0044B7FF: LeaveCriticalSection.KERNEL32(004647FC,?,?,004559A9,00000000), ref: 0044B81A
    • EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 0044945D
      • Part of subcall function 00456875: GetSystemTime.KERNEL32 ref: 0045687F
      • Part of subcall function 00441728: memcpy.MSVCRT ref: 00441771
      • Part of subcall function 00441858: memcpy.MSVCRT ref: 00441935
      • Part of subcall function 00441858: memcpy.MSVCRT ref: 00441956
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • VirtualFree.KERNEL32(0000000C,00008000,00004000), ref: 00402943
    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0040299E
    • HeapFree.KERNEL32(00000000,?), ref: 004029B0
    Memory Dump Source
    • Source File: 00000002.00000000.251083961.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000000.251077299.00400000.00000002.sdmp
    • Associated: 00000002.00000000.251140485.00487000.00000002.sdmp
    • Associated: 00000002.00000000.251150254.00494000.00000008.sdmp
    • Associated: 00000002.00000000.251160158.004A1000.00000002.sdmp
    APIs
    • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00A83C44
    • recv.WS2_32(?,?,00000400,00000000), ref: 00A83C70
    • send.WS2_32(?,?,?,00000000), ref: 00A83C92
    • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00A83CBF
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,00A82B51,00000005,00007530,?,00000000,00000000), ref: 00A78CC7
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00A78CEB
    • CloseHandle.KERNEL32 ref: 00A78CFB
      • Part of subcall function 00A824F3: HeapAlloc.KERNEL32(00000000,?,?,?,00A76328,?,?,00A98D10,?,?,?,?,0000FFFF), ref: 00A8251D
      • Part of subcall function 00A824F3: HeapReAlloc.KERNEL32(00000000,?,?,?,?,00A76328,?,?,00A98D10,?,?,?,?,0000FFFF), ref: 00A82530
    • LeaveCriticalSection.KERNEL32(?,?,?,?,00A82B51,00000005,00007530,?,00000000,00000000), ref: 00A78D2B
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,00442B51,00000005,00007530,?,00000000,00000000), ref: 00438CC7
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00438CEB
    • CloseHandle.KERNEL32 ref: 00438CFB
      • Part of subcall function 004424F3: HeapAlloc.KERNEL32(00000000,?,?,?,00436328,?,?,00458D10,?,?,?,?,0000FFFF), ref: 0044251D
      • Part of subcall function 004424F3: HeapReAlloc.KERNEL32(00000000,?,?,?,?,00436328,?,?,00458D10,?,?,?,?,0000FFFF), ref: 00442530
    • LeaveCriticalSection.KERNEL32(?,?,?,?,00442B51,00000005,00007530,?,00000000,00000000), ref: 00438D2B
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,?,00A77F4D,00000001,?,00000001,?), ref: 00A7A655
    • memcpy.MSVCRT ref: 00A7A6D1
    • memcpy.MSVCRT ref: 00A7A6E5
    • memcpy.MSVCRT ref: 00A7A70F
    • LeaveCriticalSection.KERNEL32(?,?,?,00000001,?,?,?,?,00A77F4D,00000001,?,00000001,?), ref: 00A7A735
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,?,00437F4D,00000001,?,00000001,?), ref: 0043A655
    • memcpy.MSVCRT ref: 0043A6D1
    • memcpy.MSVCRT ref: 0043A6E5
    • memcpy.MSVCRT ref: 0043A70F
    • LeaveCriticalSection.KERNEL32(?,?,?,00000001,?,?,?,?,00437F4D,00000001,?,00000001,?), ref: 0043A735
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(00AA5AA4), ref: 00A827D6
    • LeaveCriticalSection.KERNEL32(00AA5AA4), ref: 00A827FC
      • Part of subcall function 00A8275F: InitializeCriticalSection.KERNEL32(00AA50C8), ref: 00A82764
      • Part of subcall function 00A8275F: memset.MSVCRT ref: 00A82773
    • EnterCriticalSection.KERNEL32(00AA50C8), ref: 00A82807
    • LeaveCriticalSection.KERNEL32(00AA50C8), ref: 00A8287F
      • Part of subcall function 00A8B1FD: PathRenameExtensionW.SHLWAPI ref: 00A8B26F
      • Part of subcall function 00A8B286: memset.MSVCRT ref: 00A8B42B
      • Part of subcall function 00A8B286: memcpy.MSVCRT ref: 00A8B457
      • Part of subcall function 00A8B286: CreateFileW.KERNEL32(00A6AF54,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 00A8B55C
      • Part of subcall function 00A8B286: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00A8B578
    • Sleep.KERNEL32(000007D0), ref: 00A82872
      • Part of subcall function 00A8B61E: memset.MSVCRT ref: 00A8B640
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00465AA4), ref: 004427D6
    • LeaveCriticalSection.KERNEL32(00465AA4), ref: 004427FC
      • Part of subcall function 0044275F: InitializeCriticalSection.KERNEL32(004650C8), ref: 00442764
      • Part of subcall function 0044275F: memset.MSVCRT ref: 00442773
    • EnterCriticalSection.KERNEL32(004650C8), ref: 00442807
    • LeaveCriticalSection.KERNEL32(004650C8), ref: 0044287F
      • Part of subcall function 0044B1FD: PathRenameExtensionW.SHLWAPI ref: 0044B26F
      • Part of subcall function 0044B286: memset.MSVCRT ref: 0044B42B
      • Part of subcall function 0044B286: memcpy.MSVCRT ref: 0044B457
      • Part of subcall function 0044B286: CreateFileW.KERNEL32(0042AF54,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 0044B55C
      • Part of subcall function 0044B286: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0044B578
    • Sleep.KERNEL32(000007D0), ref: 00442872
      • Part of subcall function 0044B61E: memset.MSVCRT ref: 0044B640
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • LoadLibraryW.KERNEL32 ref: 00A94736
    • GetProcAddress.KERNEL32 ref: 00A9475E
    • StrChrA.SHLWAPI(?,00000040), ref: 00A94885
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
    • StrChrW.SHLWAPI(?,00000040,?,?,?,?,?,?,?,?,00000000,00000000,?,?,?,00000000), ref: 00A94866
      • Part of subcall function 00A8D12D: lstrlenW.KERNEL32(00A6C448), ref: 00A8D149
      • Part of subcall function 00A8D12D: lstrlenW.KERNEL32 ref: 00A8D14F
      • Part of subcall function 00A8D12D: memcpy.MSVCRT ref: 00A8D173
    • FreeLibrary.KERNEL32 ref: 00A9496B
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • LoadLibraryW.KERNEL32 ref: 00454736
    • GetProcAddress.KERNEL32 ref: 0045475E
    • StrChrA.SHLWAPI(?,00000040), ref: 00454885
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • StrChrW.SHLWAPI(?,00000040,?,?,?,?,?,?,?,?,00000000,00000000,?,?,?,00000000), ref: 00454866
      • Part of subcall function 0044D12D: lstrlenW.KERNEL32(0042C448), ref: 0044D149
      • Part of subcall function 0044D12D: lstrlenW.KERNEL32 ref: 0044D14F
      • Part of subcall function 0044D12D: memcpy.MSVCRT ref: 0044D173
    • FreeLibrary.KERNEL32 ref: 0045496B
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • memcpy.MSVCRT ref: 00A8DA9F
      • Part of subcall function 00A8D8E8: memcpy.MSVCRT ref: 00A8D8FF
      • Part of subcall function 00A8D8E8: CharLowerA.USER32 ref: 00A8D9CA
      • Part of subcall function 00A8D8E8: CharLowerA.USER32(?), ref: 00A8D9DA
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • memcpy.MSVCRT ref: 0044DA9F
      • Part of subcall function 0044D8E8: memcpy.MSVCRT ref: 0044D8FF
      • Part of subcall function 0044D8E8: CharLowerA.USER32 ref: 0044D9CA
      • Part of subcall function 0044D8E8: CharLowerA.USER32(?), ref: 0044D9DA
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • VirtualQuery.KERNEL32(?,00000000,0000001C), ref: 0040325F
    • InterlockedExchange.KERNEL32(0049FD08,00000001), ref: 004032DD
    • InterlockedExchange.KERNEL32(0049FD08,00000000), ref: 00403342
    • InterlockedExchange.KERNEL32(0049FD08,00000001), ref: 00403366
    • InterlockedExchange.KERNEL32(0049FD08,00000000), ref: 004033C6
    Memory Dump Source
    • Source File: 00000002.00000000.251083961.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000000.251077299.00400000.00000002.sdmp
    • Associated: 00000002.00000000.251140485.00487000.00000002.sdmp
    • Associated: 00000002.00000000.251150254.00494000.00000008.sdmp
    • Associated: 00000002.00000000.251160158.004A1000.00000002.sdmp
    APIs
      • Part of subcall function 00A7BDD5: WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,00A77A9F,?,00000005), ref: 00A7BE0B
      • Part of subcall function 00A7BDD5: WSASetLastError.WS2_32(00002775,?,?,?,?,?,?,?,?,00A77A9F,?,00000005), ref: 00A7BE6F
    • memcmp.MSVCRT ref: 00A77AB8
    • memcmp.MSVCRT ref: 00A77AD0
    • memcpy.MSVCRT ref: 00A77B05
      • Part of subcall function 00A8DE94: memcpy.MSVCRT ref: 00A8DEA1
      • Part of subcall function 00A8E043: memcpy.MSVCRT ref: 00A8E070
      • Part of subcall function 00A8ADFE: EnterCriticalSection.KERNEL32(?,?,00000002,?,?,00A77BF5,?,?,00000000,?,00000001,?,0000002C,?,0000002C), ref: 00A8AE37
      • Part of subcall function 00A8ADFE: LeaveCriticalSection.KERNEL32(0000002C,?,?,00000002,?,?,00A77BF5,?,?,00000000,?,00000001,?,0000002C,?,0000002C), ref: 00A8AE5B
      • Part of subcall function 00A77A05: GetTickCount.KERNEL32 ref: 00A77A12
      • Part of subcall function 00A7BAC9: memset.MSVCRT ref: 00A7BADE
      • Part of subcall function 00A7BAC9: getsockname.WS2_32(?,00A77C25), ref: 00A7BAF1
      • Part of subcall function 00A7C091: memcmp.MSVCRT ref: 00A7C0B3
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 0043BDD5: WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,00437A9F,?,00000005), ref: 0043BE0B
      • Part of subcall function 0043BDD5: WSASetLastError.WS2_32(00002775,?,?,?,?,?,?,?,?,00437A9F,?,00000005), ref: 0043BE6F
    • memcmp.MSVCRT ref: 00437AB8
    • memcmp.MSVCRT ref: 00437AD0
    • memcpy.MSVCRT ref: 00437B05
      • Part of subcall function 0044DE94: memcpy.MSVCRT ref: 0044DEA1
      • Part of subcall function 0044E043: memcpy.MSVCRT ref: 0044E070
      • Part of subcall function 0044ADFE: EnterCriticalSection.KERNEL32(?,?,00000002,?,?,00437BF5,?,?,00000000,?,00000001,?,0000002C,?,0000002C), ref: 0044AE37
      • Part of subcall function 0044ADFE: LeaveCriticalSection.KERNEL32(0000002C,?,?,00000002,?,?,00437BF5,?,?,00000000,?,00000001,?,0000002C,?,0000002C), ref: 0044AE5B
      • Part of subcall function 00437A05: GetTickCount.KERNEL32 ref: 00437A12
      • Part of subcall function 0043BAC9: memset.MSVCRT ref: 0043BADE
      • Part of subcall function 0043BAC9: getsockname.WS2_32(?,00437C25), ref: 0043BAF1
      • Part of subcall function 0043C091: memcmp.MSVCRT ref: 0043C0B3
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00404008: GetLocaleInfoA.KERNEL32(00000038,00001004,?,00000006), ref: 00404028
    • LCMapStringW.KERNEL32(00000000,00000100,00492BE4,00000001,00000000,00000000), ref: 004037D6
    • GetLastError.KERNEL32 ref: 004037E8
    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000), ref: 0040386F
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?), ref: 004038F0
    • LCMapStringW.KERNEL32(?,?,?,?,00000000,00000000), ref: 0040390A
    • LCMapStringW.KERNEL32(?,?,?,?,?,?), ref: 00403945
    • LCMapStringW.KERNEL32(?,?,?,?,?), ref: 004039B9
    • WideCharToMultiByte.KERNEL32(?,00000000,?,?,?,?,00000000,00000000), ref: 004039DC
    • LCMapStringA.KERNEL32(?,?,?,?,?,?), ref: 00403B4A
      • Part of subcall function 0040230E: HeapFree.KERNEL32(00000000,?,00492318,0000000C,00401F0C,?,?,?,00000000,?,00401E30,?,00491DB0,00000060), ref: 00402373
      • Part of subcall function 0040404B: GetCPInfo.KERNEL32(?,?), ref: 00404089
      • Part of subcall function 0040404B: GetCPInfo.KERNEL32(?,?), ref: 0040409C
      • Part of subcall function 0040404B: MultiByteToWideChar.KERNEL32(00000008,00000001,?,?,00000000,00000000), ref: 004040E1
      • Part of subcall function 0040404B: MultiByteToWideChar.KERNEL32(00000008,00000001,00000001,?,?,00000001), ref: 00404163
      • Part of subcall function 0040404B: WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 00404184
      • Part of subcall function 0040404B: WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 004041A5
      • Part of subcall function 0040404B: WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000001,00000000,00000000), ref: 004041CC
    • LCMapStringA.KERNEL32(?,?,?,?,00000000,00000000), ref: 00403A72
    • LCMapStringA.KERNEL32(?,?,?,?,?,?), ref: 00403AF3
    Memory Dump Source
    • Source File: 00000002.00000000.251083961.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000000.251077299.00400000.00000002.sdmp
    • Associated: 00000002.00000000.251140485.00487000.00000002.sdmp
    • Associated: 00000002.00000000.251150254.00494000.00000008.sdmp
    • Associated: 00000002.00000000.251160158.004A1000.00000002.sdmp
    APIs
    • GetVersionExA.KERNEL32 ref: 00401045
    • GetModuleHandleA.KERNEL32(00000000), ref: 00401098
      • Part of subcall function 00401E4F: HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 00401E60
      • Part of subcall function 00401E4F: HeapDestroy.KERNEL32 ref: 00401E93
      • Part of subcall function 00401D46: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00401D5E
      • Part of subcall function 00401D46: GetProcAddress.KERNEL32(?,FlsAlloc), ref: 00401D76
      • Part of subcall function 00401D46: GetProcAddress.KERNEL32(?,FlsGetValue), ref: 00401D83
      • Part of subcall function 00401D46: GetProcAddress.KERNEL32(?,FlsSetValue), ref: 00401D90
      • Part of subcall function 00401D46: GetProcAddress.KERNEL32(?,FlsFree), ref: 00401D9D
      • Part of subcall function 00401D46: GetCurrentThreadId.KERNEL32 ref: 00401E1B
      • Part of subcall function 004018E2: GetStartupInfoA.KERNEL32 ref: 0040193F
      • Part of subcall function 004018E2: GetFileType.KERNEL32 ref: 004019E9
      • Part of subcall function 004018E2: GetStdHandle.KERNEL32(000000F6), ref: 00401A6A
      • Part of subcall function 004018E2: GetFileType.KERNEL32 ref: 00401A78
      • Part of subcall function 004018E2: SetHandleCount.KERNEL32 ref: 00401AD0
    • GetCommandLineA.KERNEL32 ref: 0040112A
      • Part of subcall function 004017C0: GetEnvironmentStringsW.KERNEL32 ref: 004017DC
      • Part of subcall function 004017C0: GetLastError.KERNEL32(?,?,?,?,0040113A,?,00491DB0,00000060), ref: 004017F0
      • Part of subcall function 004017C0: GetEnvironmentStringsW.KERNEL32 ref: 00401812
      • Part of subcall function 004017C0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00401846
      • Part of subcall function 004017C0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 00401868
      • Part of subcall function 004017C0: FreeEnvironmentStringsW.KERNEL32 ref: 00401881
      • Part of subcall function 004017C0: GetEnvironmentStrings.KERNEL32(7C80B741,00000000,?,?,?,?,0040113A,?,00491DB0,00000060), ref: 00401897
      • Part of subcall function 004017C0: FreeEnvironmentStringsA.KERNEL32 ref: 004018D3
      • Part of subcall function 0040171E: GetModuleFileNameA.KERNEL32(00000000,0049FA28,00000104), ref: 00401748
    • GetStartupInfoA.KERNEL32 ref: 0040117E
    • GetModuleHandleA.KERNEL32(00000000), ref: 004011A1
      • Part of subcall function 0044D8FE: ShowWindow.USER32(?,00000000), ref: 0044D8B2
      • Part of subcall function 0044D8FE: lstrcpyA.KERNEL32(0049F200,?,00000000), ref: 0044D8C5
      • Part of subcall function 0044D8FE: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0044D8DA
      • Part of subcall function 0044D8FE: DispatchMessageW.USER32(?), ref: 0044D8E7
      • Part of subcall function 0044D8FE: InitCommonControlsEx.COMCTL32(0049E8BF), ref: 0044D91D
      • Part of subcall function 0044D8FE: GetCommandLineW.KERNEL32 ref: 0044D935
      • Part of subcall function 0044D8FE: SetLastError.KERNEL32(00000000), ref: 0044D942
      • Part of subcall function 0044D8FE: LoadIconW.USER32(00000000,00000020), ref: 0044D97B
      • Part of subcall function 0044D8FE: LoadCursorW.USER32(00000000,00000020), ref: 0044D985
      • Part of subcall function 0044D8FE: RegisterClassExW.USER32(00000030), ref: 0044D9A1
      • Part of subcall function 0044D8FE: CreateWindowExW.USER32 ref: 0045B5F6
    Memory Dump Source
    • Source File: 00000002.00000001.251360999.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000001.251344960.00400000.00000002.sdmp
    • Associated: 00000002.00000001.251446617.00487000.00000002.sdmp
    • Associated: 00000002.00000001.251482026.00494000.00000008.sdmp
    • Associated: 00000002.00000001.251496928.00498000.00000004.sdmp
    • Associated: 00000002.00000001.252081534.00499000.00000008.sdmp
    APIs
      • Part of subcall function 00A81B16: EnterCriticalSection.KERNEL32(00AA5AA4,?,00A88DDC,?,?,?,?,00A9B233,?,00000001), ref: 00A81B26
      • Part of subcall function 00A81B16: LeaveCriticalSection.KERNEL32(00AA5AA4,?,00A88DDC,?,?,?,?,00A9B233,?,00000001), ref: 00A81B50
    • memset.MSVCRT ref: 00A88E0A
    • memset.MSVCRT ref: 00A88E16
    • memset.MSVCRT ref: 00A88E22
    • InitializeCriticalSection.KERNEL32 ref: 00A88E3A
    • InitializeCriticalSection.KERNEL32 ref: 00A88E55
    • InitializeCriticalSection.KERNEL32 ref: 00A88E92
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 00441B16: EnterCriticalSection.KERNEL32(00465AA4,?,00448DDC,?,?,?,?,0045B233,?,00000001), ref: 00441B26
      • Part of subcall function 00441B16: LeaveCriticalSection.KERNEL32(00465AA4,?,00448DDC,?,?,?,?,0045B233,?,00000001), ref: 00441B50
    • memset.MSVCRT ref: 00448E0A
    • memset.MSVCRT ref: 00448E16
    • memset.MSVCRT ref: 00448E22
    • InitializeCriticalSection.KERNEL32 ref: 00448E3A
    • InitializeCriticalSection.KERNEL32 ref: 00448E55
    • InitializeCriticalSection.KERNEL32 ref: 00448E92
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(00DD1FCC,6FFF0400), ref: 00A96D43
      • Part of subcall function 00A96A55: GetTickCount.KERNEL32 ref: 00A96A5D
    • LeaveCriticalSection.KERNEL32(00DD1FCC), ref: 00A96F22
      • Part of subcall function 00A96BBC: IsBadReadPtr.KERNEL32 ref: 00A96C88
      • Part of subcall function 00A96BBC: IsBadReadPtr.KERNEL32 ref: 00A96CA7
    • getservbyname.WS2_32(?,00000000), ref: 00A96DBD
      • Part of subcall function 00A972A6: memcpy.MSVCRT ref: 00A9747A
      • Part of subcall function 00A972A6: memcpy.MSVCRT ref: 00A9757A
      • Part of subcall function 00A96F86: memcpy.MSVCRT ref: 00A9715A
      • Part of subcall function 00A96F86: memcpy.MSVCRT ref: 00A9725A
    • memcpy.MSVCRT ref: 00A96E9C
      • Part of subcall function 00A9570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00A9ABEA,00A9ABEA), ref: 00A9573C
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
      • Part of subcall function 00A969E1: TlsAlloc.KERNEL32(00DD1FCC,00A96EB9,?,?,?,?,00DD1FC0), ref: 00A969EA
      • Part of subcall function 00A969E1: TlsGetValue.KERNEL32(?,00000001,00DD1FCC), ref: 00A969FC
      • Part of subcall function 00A969E1: TlsSetValue.KERNEL32(?,?), ref: 00A96A41
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(0000000C,00000000), ref: 00456D43
      • Part of subcall function 00456A55: GetTickCount.KERNEL32 ref: 00456A5D
    • LeaveCriticalSection.KERNEL32(0000000C), ref: 00456F22
      • Part of subcall function 00456BBC: IsBadReadPtr.KERNEL32 ref: 00456C88
      • Part of subcall function 00456BBC: IsBadReadPtr.KERNEL32 ref: 00456CA7
    • getservbyname.WS2_32(?,00000000), ref: 00456DBD
      • Part of subcall function 004572A6: memcpy.MSVCRT ref: 0045747A
      • Part of subcall function 004572A6: memcpy.MSVCRT ref: 0045757A
      • Part of subcall function 00456F86: memcpy.MSVCRT ref: 0045715A
      • Part of subcall function 00456F86: memcpy.MSVCRT ref: 0045725A
    • memcpy.MSVCRT ref: 00456E9C
      • Part of subcall function 0045570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0045ABEA,0045ABEA), ref: 0045573C
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 004569E1: TlsAlloc.KERNEL32(0000000C,00456EB9,?,?,?,?,00000000), ref: 004569EA
      • Part of subcall function 004569E1: TlsGetValue.KERNEL32(?,00000001,0000000C), ref: 004569FC
      • Part of subcall function 004569E1: TlsSetValue.KERNEL32(?,?), ref: 00456A41
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • lstrcmpA.KERNEL32(?,?\C), ref: 00A919C6
    • lstrcpyW.KERNEL32(00A917B0), ref: 00A919DC
    • lstrcmpA.KERNEL32(?,00A6C28C), ref: 00A919EC
    • StrCmpNA.SHLWAPI(?,00A6C284,00000002), ref: 00A91A06
      • Part of subcall function 00A9570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00A9ABEA,00A9ABEA), ref: 00A9573C
      • Part of subcall function 00A78F6F: memcpy.MSVCRT ref: 00A78FE0
      • Part of subcall function 00A78F6F: PathRemoveBackslashW.SHLWAPI ref: 00A78FEA
      • Part of subcall function 00A78F6F: memcpy.MSVCRT ref: 00A79033
      • Part of subcall function 00A78F6F: memcpy.MSVCRT ref: 00A79060
      • Part of subcall function 00A78F6F: PathRemoveBackslashW.SHLWAPI ref: 00A7906A
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • lstrcmpA.KERNEL32(?,?\C), ref: 004519C6
    • lstrcpyW.KERNEL32(004517B0), ref: 004519DC
    • lstrcmpA.KERNEL32(?,0042C28C), ref: 004519EC
    • StrCmpNA.SHLWAPI(?,0042C284,00000002), ref: 00451A06
      • Part of subcall function 0045570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0045ABEA,0045ABEA), ref: 0045573C
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00438FE0
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 00438FEA
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439033
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439060
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 0043906A
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • CertOpenSystemStoreW.CRYPT32(00000000), ref: 00A87AC3
    • CertDuplicateCertificateContext.CRYPT32(?,?,00000000), ref: 00A87AD4
    • CertDeleteCertificateFromStore.CRYPT32(?,?,?,00000000), ref: 00A87ADF
    • CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00A87AE7
    • CertCloseStore.CRYPT32(?,00000000,?,00000000), ref: 00A87AF5
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • GetSystemTimeAsFileTime.KERNEL32(BB40E64E), ref: 0040361C
    • GetCurrentProcessId.KERNEL32 ref: 00403628
    • GetCurrentThreadId.KERNEL32 ref: 00403630
    • GetTickCount.KERNEL32 ref: 00403638
    • QueryPerformanceCounter.KERNEL32 ref: 00403644
    Memory Dump Source
    • Source File: 00000002.00000000.251083961.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000000.251077299.00400000.00000002.sdmp
    • Associated: 00000002.00000000.251140485.00487000.00000002.sdmp
    • Associated: 00000002.00000000.251150254.00494000.00000008.sdmp
    • Associated: 00000002.00000000.251160158.004A1000.00000002.sdmp
    APIs
      • Part of subcall function 00A90775: RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A9079C
    • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A90B87
    • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00A90BF1
    • RegFlushKey.ADVAPI32(?), ref: 00A90C1F
    • RegCloseKey.ADVAPI32(?), ref: 00A90C26
      • Part of subcall function 00A90A9D: EnterCriticalSection.KERNEL32(00AA5AA4,?,?,?,00A90C47,?,?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00A90AB3
      • Part of subcall function 00A90A9D: LeaveCriticalSection.KERNEL32(00AA5AA4,?,?,?,00A90C47,?,?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00A90ADB
      • Part of subcall function 00A90A9D: GetModuleHandleW.KERNEL32(advapi32.dll), ref: 00A90AF7
      • Part of subcall function 00A90A9D: GetProcAddress.KERNEL32 ref: 00A90AFE
      • Part of subcall function 00A90A9D: RegDeleteKeyW.ADVAPI32(?), ref: 00A90B20
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
      • Part of subcall function 00A824DA: HeapAlloc.KERNEL32(00000008,?,?,00A7B076,?,?,?,00000000,?,?,00000000,00A9AA69,?,00A9ADD5), ref: 00A824EB
      • Part of subcall function 00A90755: RegFlushKey.ADVAPI32 ref: 00A90765
      • Part of subcall function 00A90755: RegCloseKey.ADVAPI32 ref: 00A9076D
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 00450775: RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0045079C
    • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00450B87
    • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00450BF1
    • RegFlushKey.ADVAPI32(?), ref: 00450C1F
    • RegCloseKey.ADVAPI32(?), ref: 00450C26
      • Part of subcall function 00450A9D: EnterCriticalSection.KERNEL32(00465AA4,?,?,?,00450C47,?,?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00450AB3
      • Part of subcall function 00450A9D: LeaveCriticalSection.KERNEL32(00465AA4,?,?,?,00450C47,?,?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00450ADB
      • Part of subcall function 00450A9D: GetModuleHandleW.KERNEL32(advapi32.dll), ref: 00450AF7
      • Part of subcall function 00450A9D: GetProcAddress.KERNEL32 ref: 00450AFE
      • Part of subcall function 00450A9D: RegDeleteKeyW.ADVAPI32(?), ref: 00450B20
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 004424DA: HeapAlloc.KERNEL32(00000008,?,?,0043B076,?,?,?,00000000,?,?,00000000,0045AA69,?,0045ADD5), ref: 004424EB
      • Part of subcall function 00450755: RegFlushKey.ADVAPI32 ref: 00450765
      • Part of subcall function 00450755: RegCloseKey.ADVAPI32 ref: 0045076D
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,?,00A85B49), ref: 00A76470
      • Part of subcall function 00A84269: CoCreateInstance.OLE32(?,00000000,00004401,?,?), ref: 00A8427E
    • #2.OLEAUT32(?,00000000,?,?,?,00A85B49), ref: 00A764A4
    • #6.OLEAUT32(?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00A85B49), ref: 00A764D9
    • CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00A764F9
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,?,00445B49), ref: 00436470
      • Part of subcall function 00444269: CoCreateInstance.OLE32(?,00000000,00004401,?,?), ref: 0044427E
    • #2.OLEAUT32(?,00000000,?,?,?,00445B49), ref: 004364A4
    • #6.OLEAUT32(?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00445B49), ref: 004364D9
    • CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 004364F9
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • memcpy.MSVCRT ref: 00A83CFD
    • memcpy.MSVCRT ref: 00A83D1A
    • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00A83D30
    • WSASetLastError.WS2_32(0000274C,?,00000000,00000000,00000000), ref: 00A83D3F
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • memcpy.MSVCRT ref: 00443CFD
    • memcpy.MSVCRT ref: 00443D1A
    • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00443D30
    • WSASetLastError.WS2_32(0000274C,?,00000000,00000000,00000000), ref: 00443D3F
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A81B5D: memcmp.MSVCRT ref: 00A81B69
      • Part of subcall function 00A81B79: memset.MSVCRT ref: 00A81B87
      • Part of subcall function 00A81B79: memcpy.MSVCRT ref: 00A81BA8
      • Part of subcall function 00A81B79: memcpy.MSVCRT ref: 00A81BCE
      • Part of subcall function 00A81B79: memcpy.MSVCRT ref: 00A81BF2
    • TryEnterCriticalSection.KERNEL32 ref: 00A89289
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
    • LeaveCriticalSection.KERNEL32 ref: 00A89303
    • EnterCriticalSection.KERNEL32 ref: 00A89322
      • Part of subcall function 00A81A4F: memcmp.MSVCRT ref: 00A81A6B
    • LeaveCriticalSection.KERNEL32(?,?,00000001), ref: 00A8936E
      • Part of subcall function 00A81858: memcpy.MSVCRT ref: 00A81935
      • Part of subcall function 00A81858: memcpy.MSVCRT ref: 00A81956
      • Part of subcall function 00A96875: GetSystemTime.KERNEL32 ref: 00A9687F
      • Part of subcall function 00A81728: memcpy.MSVCRT ref: 00A81771
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 00441B5D: memcmp.MSVCRT ref: 00441B69
      • Part of subcall function 00441B79: memset.MSVCRT ref: 00441B87
      • Part of subcall function 00441B79: memcpy.MSVCRT ref: 00441BA8
      • Part of subcall function 00441B79: memcpy.MSVCRT ref: 00441BCE
      • Part of subcall function 00441B79: memcpy.MSVCRT ref: 00441BF2
    • TryEnterCriticalSection.KERNEL32 ref: 00449289
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • LeaveCriticalSection.KERNEL32 ref: 00449303
    • EnterCriticalSection.KERNEL32 ref: 00449322
      • Part of subcall function 00441A4F: memcmp.MSVCRT ref: 00441A6B
    • LeaveCriticalSection.KERNEL32(?,?,00000001), ref: 0044936E
      • Part of subcall function 00441858: memcpy.MSVCRT ref: 00441935
      • Part of subcall function 00441858: memcpy.MSVCRT ref: 00441956
      • Part of subcall function 00456875: GetSystemTime.KERNEL32 ref: 0045687F
      • Part of subcall function 00441728: memcpy.MSVCRT ref: 00441771
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • GetUserNameExW.SECUR32(00000002), ref: 00A83303
    • GetSystemTime.KERNEL32 ref: 00A83356
    • CharLowerW.USER32(?), ref: 00A833A6
    • PathRenameExtensionW.SHLWAPI(?), ref: 00A833D6
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • GetUserNameExW.SECUR32(00000002), ref: 00443303
    • GetSystemTime.KERNEL32 ref: 00443356
    • CharLowerW.USER32(?), ref: 004433A6
    • PathRenameExtensionW.SHLWAPI(?), ref: 004433D6
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(00DD1E90,?), ref: 00A9D2EB
      • Part of subcall function 00A8BDA7: GetModuleHandleW.KERNEL32 ref: 00A8BDC3
      • Part of subcall function 00A8BDA7: GetModuleHandleW.KERNEL32 ref: 00A8BDFE
    • GetFileVersionInfoSizeW.VERSION(00DD1EF0), ref: 00A9D30C
    • GetFileVersionInfoW.VERSION(00DD1EF0,00000000), ref: 00A9D32A
      • Part of subcall function 00A84EC0: PathFindFileNameW.SHLWAPI(00DD1E90), ref: 00A84ED2
      • Part of subcall function 00A84EC0: InitializeCriticalSection.KERNEL32 ref: 00A84F44
      • Part of subcall function 00A84EC0: DeleteCriticalSection.KERNEL32(00000000,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00DD1EF0), ref: 00A84FBB
      • Part of subcall function 00A7A90A: InitializeCriticalSection.KERNEL32 ref: 00A7A938
      • Part of subcall function 00A7A90A: GetModuleHandleW.KERNEL32 ref: 00A7A976
      • Part of subcall function 00A9C7B5: InitializeCriticalSection.KERNEL32 ref: 00A9C7CA
      • Part of subcall function 00A968C4: EnterCriticalSection.KERNEL32(00AA5AA4,00DD1E90,00A9D364,00000001,00000001), ref: 00A968D4
      • Part of subcall function 00A968C4: LeaveCriticalSection.KERNEL32(00AA5AA4), ref: 00A968FC
      • Part of subcall function 00A824C1: HeapAlloc.KERNEL32(00000000,00000028,?,00A9D211,?,?,00000000,?,?,00000001), ref: 00A824D2
      • Part of subcall function 00A98AD4: GetCommandLineW.KERNEL32 ref: 00A98B5E
      • Part of subcall function 00A98AD4: CommandLineToArgvW.SHELL32 ref: 00A98B65
      • Part of subcall function 00A98AD4: LocalFree.KERNEL32 ref: 00A98BA5
      • Part of subcall function 00A98AD4: GetModuleHandleW.KERNEL32(?), ref: 00A98BE7
      • Part of subcall function 00A7CE23: VerQueryValueW.VERSION(?,00A6AE74,?,?,00DD1E90,00A9D393), ref: 00A7CE44
      • Part of subcall function 00A7CE23: GetModuleHandleW.KERNEL32(?), ref: 00A7CE85
      • Part of subcall function 00A9FE99: GetModuleHandleW.KERNEL32 ref: 00A9FEB6
      • Part of subcall function 00A8B000: EnterCriticalSection.KERNEL32(00AA5AA4,00DD1E90,00A9D39D), ref: 00A8B010
      • Part of subcall function 00A8B000: LeaveCriticalSection.KERNEL32(00AA5AA4), ref: 00A8B038
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
    • LeaveCriticalSection.KERNEL32(00DD1E90,00000001,00000001,00000001,00000001), ref: 00A9D413
      • Part of subcall function 00A76D72: EnterCriticalSection.KERNEL32(00AA468C,00000000,00A84F6E,?,000000FF), ref: 00A76D7E
      • Part of subcall function 00A76D72: LeaveCriticalSection.KERNEL32(00AA468C,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00DD1EF0), ref: 00A76D8E
      • Part of subcall function 00A76D9C: LeaveCriticalSection.KERNEL32(00AA468C,00A76E01,00000001,00000000,00000000,?,00A84F82,00000001,00000000,?,000000FF), ref: 00A76DA6
      • Part of subcall function 00A76DAD: LeaveCriticalSection.KERNEL32(00AA468C,?,00A76E13,00000001,00000000,00000000,?,00A84F82,00000001,00000000,?,000000FF), ref: 00A76DBA
      • Part of subcall function 00A9699E: memset.MSVCRT ref: 00A969C6
      • Part of subcall function 00A9699E: InitializeCriticalSection.KERNEL32 ref: 00A969D3
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(009B1E90,?), ref: 0045D2EB
      • Part of subcall function 0044BDA7: GetModuleHandleW.KERNEL32 ref: 0044BDC3
      • Part of subcall function 0044BDA7: GetModuleHandleW.KERNEL32 ref: 0044BDFE
    • GetFileVersionInfoSizeW.VERSION(009B1EF0), ref: 0045D30C
    • GetFileVersionInfoW.VERSION(009B1EF0,00000000), ref: 0045D32A
      • Part of subcall function 00444EC0: PathFindFileNameW.SHLWAPI(009B1E90), ref: 00444ED2
      • Part of subcall function 00444EC0: InitializeCriticalSection.KERNEL32 ref: 00444F44
      • Part of subcall function 00444EC0: DeleteCriticalSection.KERNEL32(00000000,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,009B1EF0), ref: 00444FBB
      • Part of subcall function 0043A90A: InitializeCriticalSection.KERNEL32 ref: 0043A938
      • Part of subcall function 0043A90A: GetModuleHandleW.KERNEL32 ref: 0043A976
      • Part of subcall function 0045C7B5: InitializeCriticalSection.KERNEL32 ref: 0045C7CA
      • Part of subcall function 004568C4: EnterCriticalSection.KERNEL32(00465AA4,009B1E90,0045D364,00000001,00000001), ref: 004568D4
      • Part of subcall function 004568C4: LeaveCriticalSection.KERNEL32(00465AA4), ref: 004568FC
      • Part of subcall function 004424C1: HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
      • Part of subcall function 00458AD4: GetCommandLineW.KERNEL32 ref: 00458B5E
      • Part of subcall function 00458AD4: CommandLineToArgvW.SHELL32 ref: 00458B65
      • Part of subcall function 00458AD4: LocalFree.KERNEL32 ref: 00458BA5
      • Part of subcall function 00458AD4: GetModuleHandleW.KERNEL32(?), ref: 00458BE7
      • Part of subcall function 0043CE23: VerQueryValueW.VERSION(?,0042AE74,?,?,009B1E90,0045D393), ref: 0043CE44
      • Part of subcall function 0043CE23: GetModuleHandleW.KERNEL32(?), ref: 0043CE85
      • Part of subcall function 0045FE99: GetModuleHandleW.KERNEL32 ref: 0045FEB6
      • Part of subcall function 0044B000: EnterCriticalSection.KERNEL32(00465AA4,009B1E90,0045D39D), ref: 0044B010
      • Part of subcall function 0044B000: LeaveCriticalSection.KERNEL32(00465AA4), ref: 0044B038
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • LeaveCriticalSection.KERNEL32(009B1E90,00000001,00000001,00000001,00000001), ref: 0045D413
      • Part of subcall function 00436D72: EnterCriticalSection.KERNEL32(0046468C,00000000,00444F6E,?,000000FF), ref: 00436D7E
      • Part of subcall function 00436D72: LeaveCriticalSection.KERNEL32(0046468C,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,009B1EF0), ref: 00436D8E
      • Part of subcall function 00436D9C: LeaveCriticalSection.KERNEL32(0046468C,00436E01,00000001,00000000,00000000,?,00444F82,00000001,00000000,?,000000FF), ref: 00436DA6
      • Part of subcall function 00436DAD: LeaveCriticalSection.KERNEL32(0046468C,?,00436E13,00000001,00000000,00000000,?,00444F82,00000001,00000000,?,000000FF), ref: 00436DBA
      • Part of subcall function 0045699E: memset.MSVCRT ref: 004569C6
      • Part of subcall function 0045699E: InitializeCriticalSection.KERNEL32 ref: 004569D3
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A98867: EnterCriticalSection.KERNEL32(00AA5AA4,00DD1E90,00A98AE4,?,00DD1E90), ref: 00A98877
      • Part of subcall function 00A98867: LeaveCriticalSection.KERNEL32(00AA5AA4,?,00DD1E90), ref: 00A988A6
      • Part of subcall function 00A84FD0: VerQueryValueW.VERSION(?,\VarFileInfo\Translation), ref: 00A84FEE
      • Part of subcall function 00A84FD0: VerQueryValueW.VERSION(?,?,?,?,\VarFileInfo\Translation), ref: 00A8505B
    • GetCommandLineW.KERNEL32 ref: 00A98B5E
    • CommandLineToArgvW.SHELL32 ref: 00A98B65
    • LocalFree.KERNEL32 ref: 00A98BA5
      • Part of subcall function 00A824C1: HeapAlloc.KERNEL32(00000000,00000028,?,00A9D211,?,?,00000000,?,?,00000001), ref: 00A824D2
    • GetModuleHandleW.KERNEL32(?), ref: 00A98BE7
      • Part of subcall function 00A98DFE: PathFindFileNameW.SHLWAPI(00000000), ref: 00A98E3F
      • Part of subcall function 00A983AF: InitializeCriticalSection.KERNEL32 ref: 00A983CF
      • Part of subcall function 00A79E88: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00A79E9D
      • Part of subcall function 00A79E88: StrCmpIW.SHLWAPI ref: 00A79EA7
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 00458867: EnterCriticalSection.KERNEL32(00465AA4,009B1E90,00458AE4,?,009B1E90), ref: 00458877
      • Part of subcall function 00458867: LeaveCriticalSection.KERNEL32(00465AA4,?,009B1E90), ref: 004588A6
      • Part of subcall function 00444FD0: VerQueryValueW.VERSION(?,\VarFileInfo\Translation), ref: 00444FEE
      • Part of subcall function 00444FD0: VerQueryValueW.VERSION(?,?,?,?,\VarFileInfo\Translation), ref: 0044505B
    • GetCommandLineW.KERNEL32 ref: 00458B5E
    • CommandLineToArgvW.SHELL32 ref: 00458B65
    • LocalFree.KERNEL32 ref: 00458BA5
      • Part of subcall function 004424C1: HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
    • GetModuleHandleW.KERNEL32(?), ref: 00458BE7
      • Part of subcall function 00458DFE: PathFindFileNameW.SHLWAPI(00000000), ref: 00458E3F
      • Part of subcall function 004583AF: InitializeCriticalSection.KERNEL32 ref: 004583CF
      • Part of subcall function 00439E88: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00439E9D
      • Part of subcall function 00439E88: StrCmpIW.SHLWAPI ref: 00439EA7
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,?,?,00A8984D,?,?,00000000,?,?,00000590), ref: 00A88C7F
      • Part of subcall function 00A97CEC: WaitForSingleObject.KERNEL32(?,00000000), ref: 00A97CF8
    • memcmp.MSVCRT ref: 00A88CCD
      • Part of subcall function 00A75A03: memcpy.MSVCRT ref: 00A75A39
      • Part of subcall function 00A75A03: memcpy.MSVCRT ref: 00A75A4D
      • Part of subcall function 00A75A03: memset.MSVCRT ref: 00A75A5B
    • SetEvent.KERNEL32 ref: 00A88D0E
    • LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,?,?,00A8984D,?,?,00000000,?,?,00000590), ref: 00A88D3B
      • Part of subcall function 00A99175: EnterCriticalSection.KERNEL32(?,?,?,?,00A89116,?), ref: 00A9917B
      • Part of subcall function 00A99175: memcmp.MSVCRT ref: 00A991A7
      • Part of subcall function 00A99175: memcpy.MSVCRT ref: 00A991F2
      • Part of subcall function 00A99175: LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,00000000), ref: 00A991FE
      • Part of subcall function 00A8920C: TryEnterCriticalSection.KERNEL32 ref: 00A89289
      • Part of subcall function 00A8920C: LeaveCriticalSection.KERNEL32 ref: 00A89303
      • Part of subcall function 00A8920C: EnterCriticalSection.KERNEL32 ref: 00A89322
      • Part of subcall function 00A8920C: LeaveCriticalSection.KERNEL32(?,?,00000001), ref: 00A8936E
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,?,?,0044984D,?,?,00000000,?,?,00000590), ref: 00448C7F
      • Part of subcall function 00457CEC: WaitForSingleObject.KERNEL32(?,00000000), ref: 00457CF8
    • memcmp.MSVCRT ref: 00448CCD
      • Part of subcall function 00435A03: memcpy.MSVCRT ref: 00435A39
      • Part of subcall function 00435A03: memcpy.MSVCRT ref: 00435A4D
      • Part of subcall function 00435A03: memset.MSVCRT ref: 00435A5B
    • SetEvent.KERNEL32 ref: 00448D0E
    • LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,?,?,0044984D,?,?,00000000,?,?,00000590), ref: 00448D3B
      • Part of subcall function 00459175: EnterCriticalSection.KERNEL32(?,?,?,?,00449116,?), ref: 0045917B
      • Part of subcall function 00459175: memcmp.MSVCRT ref: 004591A7
      • Part of subcall function 00459175: memcpy.MSVCRT ref: 004591F2
      • Part of subcall function 00459175: LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,00000000), ref: 004591FE
      • Part of subcall function 0044920C: TryEnterCriticalSection.KERNEL32 ref: 00449289
      • Part of subcall function 0044920C: LeaveCriticalSection.KERNEL32 ref: 00449303
      • Part of subcall function 0044920C: EnterCriticalSection.KERNEL32 ref: 00449322
      • Part of subcall function 0044920C: LeaveCriticalSection.KERNEL32(?,?,00000001), ref: 0044936E
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002,00AA3210), ref: 00AA297C
    • DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002), ref: 00AA299C
      • Part of subcall function 00A824DA: HeapAlloc.KERNEL32(00000008,?,?,00A7B076,?,?,?,00000000,?,?,00000000,00A9AA69,?,00A9ADD5), ref: 00A824EB
      • Part of subcall function 00A9D990: memset.MSVCRT ref: 00A9D9D3
      • Part of subcall function 00A8204E: memcpy.MSVCRT ref: 00A8205C
      • Part of subcall function 00A8222C: memcpy.MSVCRT ref: 00A82268
      • Part of subcall function 00A8222C: memcpy.MSVCRT ref: 00A8227D
      • Part of subcall function 00A8222C: memcpy.MSVCRT ref: 00A822BA
      • Part of subcall function 00A8222C: memcpy.MSVCRT ref: 00A822F2
    • memset.MSVCRT ref: 00AA2A39
    • memcpy.MSVCRT ref: 00AA2A4B
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002,00463210), ref: 0046297C
    • DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002), ref: 0046299C
      • Part of subcall function 004424DA: HeapAlloc.KERNEL32(00000008,?,?,0043B076,?,?,?,00000000,?,?,00000000,0045AA69,?,0045ADD5), ref: 004424EB
      • Part of subcall function 0045D990: memset.MSVCRT ref: 0045D9D3
      • Part of subcall function 0044204E: memcpy.MSVCRT ref: 0044205C
      • Part of subcall function 0044222C: memcpy.MSVCRT ref: 00442268
      • Part of subcall function 0044222C: memcpy.MSVCRT ref: 0044227D
      • Part of subcall function 0044222C: memcpy.MSVCRT ref: 004422BA
      • Part of subcall function 0044222C: memcpy.MSVCRT ref: 004422F2
    • memset.MSVCRT ref: 00462A39
    • memcpy.MSVCRT ref: 00462A4B
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • HttpQueryInfoA.WININET(?,0000FFFF,?,?,?), ref: 00A9D0BF
    • GetLastError.KERNEL32(?,?,?,00000000,3D94878D,00000000,3D94878D,00A979EF,?,?,?,?,00000000,?,?,0000203A), ref: 00A9D0C5
      • Part of subcall function 00A824DA: HeapAlloc.KERNEL32(00000008,?,?,00A7B076,?,?,?,00000000,?,?,00000000,00A9AA69,?,00A9ADD5), ref: 00A824EB
    • memcpy.MSVCRT ref: 00A9D0F0
    • HttpQueryInfoA.WININET(?,0000FFFF,?,?,?), ref: 00A9D109
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • HttpQueryInfoA.WININET(?,0000FFFF,?,?,?), ref: 0045D0BF
    • GetLastError.KERNEL32(?,?,?,00000000,3D94878D,00000000,3D94878D,004579EF,?,?,?,?,00000000,?,?,0000203A), ref: 0045D0C5
      • Part of subcall function 004424DA: HeapAlloc.KERNEL32(00000008,?,?,0043B076,?,?,?,00000000,?,?,00000000,0045AA69,?,0045ADD5), ref: 004424EB
    • memcpy.MSVCRT ref: 0045D0F0
    • HttpQueryInfoA.WININET(?,0000FFFF,?,?,?), ref: 0045D109
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 0044204E: memcpy.MSVCRT ref: 0044205C
    • lstrlenW.KERNEL32 ref: 0044129F
      • Part of subcall function 004593C4: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00459433
      • Part of subcall function 004593C4: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00459458
    • memset.MSVCRT ref: 004412EA
    • memcpy.MSVCRT ref: 004412FE
      • Part of subcall function 00459393: CryptDestroyHash.ADVAPI32 ref: 004593AB
      • Part of subcall function 00459393: CryptReleaseContext.ADVAPI32(?,00000000), ref: 004593BC
      • Part of subcall function 0045946B: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 004594AA
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A8B7FF: EnterCriticalSection.KERNEL32(00AA47FC,?,?,00A959A9,00000000), ref: 00A8B80C
      • Part of subcall function 00A8B7FF: LeaveCriticalSection.KERNEL32(00AA47FC,?,?,00A959A9,00000000), ref: 00A8B81A
    • QueryPerformanceCounter.KERNEL32 ref: 00A97D3C
    • GetTickCount.KERNEL32 ref: 00A97D49
      • Part of subcall function 00A81B16: EnterCriticalSection.KERNEL32(00AA5AA4,?,00A88DDC,?,?,?,?,00A9B233,?,00000001), ref: 00A81B26
      • Part of subcall function 00A81B16: LeaveCriticalSection.KERNEL32(00AA5AA4,?,00A88DDC,?,?,?,?,00A9B233,?,00000001), ref: 00A81B50
      • Part of subcall function 00A993C4: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00A99433
      • Part of subcall function 00A993C4: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00A99458
    • memset.MSVCRT ref: 00A97D9D
    • memcpy.MSVCRT ref: 00A97DAD
      • Part of subcall function 00A99393: CryptDestroyHash.ADVAPI32 ref: 00A993AB
      • Part of subcall function 00A99393: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00A993BC
      • Part of subcall function 00A9946B: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 00A994AA
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 0044B7FF: EnterCriticalSection.KERNEL32(004647FC,?,?,004559A9,00000000), ref: 0044B80C
      • Part of subcall function 0044B7FF: LeaveCriticalSection.KERNEL32(004647FC,?,?,004559A9,00000000), ref: 0044B81A
    • QueryPerformanceCounter.KERNEL32 ref: 00457D3C
    • GetTickCount.KERNEL32 ref: 00457D49
      • Part of subcall function 00441B16: EnterCriticalSection.KERNEL32(00465AA4,?,00448DDC,?,?,?,?,0045B233,?,00000001), ref: 00441B26
      • Part of subcall function 00441B16: LeaveCriticalSection.KERNEL32(00465AA4,?,00448DDC,?,?,?,?,0045B233,?,00000001), ref: 00441B50
      • Part of subcall function 004593C4: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00459433
      • Part of subcall function 004593C4: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00459458
    • memset.MSVCRT ref: 00457D9D
    • memcpy.MSVCRT ref: 00457DAD
      • Part of subcall function 00459393: CryptDestroyHash.ADVAPI32 ref: 004593AB
      • Part of subcall function 00459393: CryptReleaseContext.ADVAPI32(?,00000000), ref: 004593BC
      • Part of subcall function 0045946B: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 004594AA
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • memcpy.MSVCRT ref: 00A79894
      • Part of subcall function 00A8204E: memcpy.MSVCRT ref: 00A8205C
    • memcmp.MSVCRT ref: 00A798B6
      • Part of subcall function 00A9570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00A9ABEA,00A9ABEA), ref: 00A9573C
    • lstrcmpiW.KERNEL32(00000000,000000FF), ref: 00A7990F
      • Part of subcall function 00A78F6F: memcpy.MSVCRT ref: 00A78FE0
      • Part of subcall function 00A78F6F: PathRemoveBackslashW.SHLWAPI ref: 00A78FEA
      • Part of subcall function 00A78F6F: memcpy.MSVCRT ref: 00A79033
      • Part of subcall function 00A78F6F: memcpy.MSVCRT ref: 00A79060
      • Part of subcall function 00A78F6F: PathRemoveBackslashW.SHLWAPI ref: 00A7906A
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 00A798DF
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • memcpy.MSVCRT ref: 00439894
      • Part of subcall function 0044204E: memcpy.MSVCRT ref: 0044205C
    • memcmp.MSVCRT ref: 004398B6
      • Part of subcall function 0045570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0045ABEA,0045ABEA), ref: 0045573C
    • lstrcmpiW.KERNEL32(00000000,000000FF), ref: 0043990F
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00438FE0
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 00438FEA
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439033
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439060
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 0043906A
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 004398DF
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • PathSkipRootW.SHLWAPI ref: 00A790CD
    • GetFileAttributesW.KERNEL32(00000000), ref: 00A790FA
    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00A7910E
    • SetLastError.KERNEL32(00000050,?,?,00000000), ref: 00A79131
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • PathSkipRootW.SHLWAPI ref: 004390CD
    • GetFileAttributesW.KERNEL32(00000000), ref: 004390FA
    • CreateDirectoryW.KERNEL32(?,00000000), ref: 0043910E
    • SetLastError.KERNEL32(00000050,?,?,00000000), ref: 00439131
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00A754F7
    • UnhandledExceptionFilter.KERNEL32(00A46DB4), ref: 00A75502
    • GetCurrentProcess.KERNEL32 ref: 00A7550D
    • TerminateProcess.KERNEL32 ref: 00A75514
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0043AF51
    • Thread32First.KERNEL32 ref: 0043AF6C
    • Thread32Next.KERNEL32(?,?), ref: 0043AF7F
    • CloseHandle.KERNEL32 ref: 0043AF8A
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00444269: CoCreateInstance.OLE32(?,00000000,00004401,?,?), ref: 0044427E
    • StrChrW.SHLWAPI(?,00000040,?,00000000,?,00000064), ref: 00454A95
      • Part of subcall function 0044D12D: lstrlenW.KERNEL32(0042C448), ref: 0044D149
      • Part of subcall function 0044D12D: lstrlenW.KERNEL32 ref: 0044D14F
      • Part of subcall function 0044D12D: memcpy.MSVCRT ref: 0044D173
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A79219: CharLowerW.USER32(?), ref: 00A792D4
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
    • ExitWindowsEx.USER32(00000014,80000000), ref: 00A8A47D
    • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,?,80000000), ref: 00A8A4BD
      • Part of subcall function 00A79BC4: PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00A79C2E
      • Part of subcall function 00A79BC4: PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00A79C75
      • Part of subcall function 00A79BC4: SetEvent.KERNEL32 ref: 00A79C84
      • Part of subcall function 00A79BC4: WaitForSingleObject.KERNEL32 ref: 00A79C95
      • Part of subcall function 00A79BC4: CharToOemW.USER32 ref: 00A79D26
      • Part of subcall function 00A79BC4: CharToOemW.USER32 ref: 00A79D36
      • Part of subcall function 00A79BC4: ExitProcess.KERNEL32(00000000,?,?,00000014,?,?,00000014), ref: 00A79D9A
      • Part of subcall function 00A9D5A0: EnterCriticalSection.KERNEL32(00AA5AA4,00000000,?,?,00A793C9), ref: 00A9D5B6
      • Part of subcall function 00A9D5A0: LeaveCriticalSection.KERNEL32(00AA5AA4,?,?,00A793C9), ref: 00A9D5DC
      • Part of subcall function 00A9D5A0: CreateMutexW.KERNEL32(00AA49B4,00000000,Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}), ref: 00A9D5EE
      • Part of subcall function 00A7766D: ReleaseMutex.KERNEL32 ref: 00A77671
      • Part of subcall function 00A7766D: CloseHandle.KERNEL32 ref: 00A77678
    • ExitWindowsEx.USER32(00000014,80000000), ref: 00A8A4D0
      • Part of subcall function 00A7AF99: GetCurrentThread.KERNEL32 ref: 00A7AFAD
      • Part of subcall function 00A7AF99: OpenThreadToken.ADVAPI32 ref: 00A7AFB4
      • Part of subcall function 00A7AF99: GetCurrentProcess.KERNEL32 ref: 00A7AFC4
      • Part of subcall function 00A7AF99: OpenProcessToken.ADVAPI32 ref: 00A7AFCB
      • Part of subcall function 00A7AF99: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege), ref: 00A7AFEC
      • Part of subcall function 00A7AF99: AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 00A7B001
      • Part of subcall function 00A7AF99: GetLastError.KERNEL32 ref: 00A7B00B
      • Part of subcall function 00A7AF99: CloseHandle.KERNEL32(00000001), ref: 00A7B01C
      • Part of subcall function 00A79395: memcpy.MSVCRT ref: 00A793B5
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • GetLastError.KERNEL32(6FFF0380,?,00A7652A), ref: 00A76E21
      • Part of subcall function 00A9AFD3: WaitForSingleObject.KERNEL32(00000000,00A8A849), ref: 00A9AFDB
    • TlsGetValue.KERNEL32(?,?,00A7652A), ref: 00A76E3E
    • TlsSetValue.KERNEL32(00000001), ref: 00A76E50
    • SetLastError.KERNEL32(?,?,00A7652A), ref: 00A76E60
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • GetLastError.KERNEL32(00000000,?,0043652A), ref: 00436E21
      • Part of subcall function 0045AFD3: WaitForSingleObject.KERNEL32(00000000,0044A849), ref: 0045AFDB
    • TlsGetValue.KERNEL32(?,?,0043652A), ref: 00436E3E
    • TlsSetValue.KERNEL32(00000001), ref: 00436E50
    • SetLastError.KERNEL32(?,?,0043652A), ref: 00436E60
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A8204E: memcpy.MSVCRT ref: 00A8205C
      • Part of subcall function 00A9570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00A9ABEA,00A9ABEA), ref: 00A9573C
    • lstrcatW.KERNEL32(?,.dat), ref: 00A87BA0
    • lstrlenW.KERNEL32 ref: 00A87BB5
      • Part of subcall function 00A883CA: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00A883E6
      • Part of subcall function 00A883CA: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00A88409
      • Part of subcall function 00A883CA: CloseHandle.KERNEL32 ref: 00A88416
      • Part of subcall function 00A95E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00A95E26
      • Part of subcall function 00A95E1D: DeleteFileW.KERNEL32 ref: 00A95E2D
      • Part of subcall function 00A78F6F: memcpy.MSVCRT ref: 00A78FE0
      • Part of subcall function 00A78F6F: PathRemoveBackslashW.SHLWAPI ref: 00A78FEA
      • Part of subcall function 00A78F6F: memcpy.MSVCRT ref: 00A79033
      • Part of subcall function 00A78F6F: memcpy.MSVCRT ref: 00A79060
      • Part of subcall function 00A78F6F: PathRemoveBackslashW.SHLWAPI ref: 00A7906A
    Strings
    • .dat, xrefs: 00A87B94
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00A87B5E
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 0044204E: memcpy.MSVCRT ref: 0044205C
      • Part of subcall function 0045570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0045ABEA,0045ABEA), ref: 0045573C
    • lstrcatW.KERNEL32(?,.dat), ref: 00447BA0
    • lstrlenW.KERNEL32 ref: 00447BB5
      • Part of subcall function 004483CA: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 004483E6
      • Part of subcall function 004483CA: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00448409
      • Part of subcall function 004483CA: CloseHandle.KERNEL32 ref: 00448416
      • Part of subcall function 00455E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00455E26
      • Part of subcall function 00455E1D: DeleteFileW.KERNEL32 ref: 00455E2D
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00438FE0
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 00438FEA
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439033
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439060
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 0043906A
    Strings
    • .dat, xrefs: 00447B94
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00447B5E
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • shutdown.WS2_32(?,00000001), ref: 00A7B9BD
    • WSAGetLastError.WS2_32(?,00000020,?,00000001,?,?,?,?,?,?,?,00A86970,?,?,?,00002710), ref: 00A7B9DE
    • WSASetLastError.WS2_32(00000000,?,00002710,?,?,00000020,?,00000001), ref: 00A7BA23
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • shutdown.WS2_32(?,00000001), ref: 0043B9BD
    • WSAGetLastError.WS2_32(?,00000020,?,00000001,?,?,?,?,?,?,?,00446970,?,?,?,00002710), ref: 0043B9DE
    • WSASetLastError.WS2_32(00000000,?,00002710,?,?,00000020,?,00000001), ref: 0043BA23
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A7B764: EnterCriticalSection.KERNEL32(00AA5AA4,?,00A7B826,?,00A9C86A,00A8C4AB,00A8C4AB,?,00A8C4AB,?,00000001), ref: 00A7B774
      • Part of subcall function 00A7B764: LeaveCriticalSection.KERNEL32(00AA5AA4,?,00A7B826,?,00A9C86A,00A8C4AB,00A8C4AB,?,00A8C4AB,?,00000001), ref: 00A7B79E
    • WSAAddressToStringA.WS2_32(?,?,00000000,?,?), ref: 00A7C22E
    • lstrcpyA.KERNEL32(?,0:0,?,?,00000000,?,?,?,?,?,?,00A86A4A), ref: 00A7C23E
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 0043B764: EnterCriticalSection.KERNEL32(00465AA4,?,0043B826,?,0045C86A,0044C4AB,0044C4AB,?,0044C4AB,?,00000001), ref: 0043B774
      • Part of subcall function 0043B764: LeaveCriticalSection.KERNEL32(00465AA4,?,0043B826,?,0045C86A,0044C4AB,0044C4AB,?,0044C4AB,?,00000001), ref: 0043B79E
    • WSAAddressToStringA.WS2_32(?,?,00000000,?,?), ref: 0043C22E
    • lstrcpyA.KERNEL32(?,0:0,?,?,00000000,?,?,?,?,?,?,00446A4A), ref: 0043C23E
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,00A77A9F,?,00000005), ref: 00A7BE0B
    • WSASetLastError.WS2_32(00002775,?,?,?,?,?,?,?,?,00A77A9F,?,00000005), ref: 00A7BE6F
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,00437A9F,?,00000005), ref: 0043BE0B
    • WSASetLastError.WS2_32(00002775,?,?,?,?,?,?,?,?,00437A9F,?,00000005), ref: 0043BE6F
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(00465AA4,?,00448DDC,?,?,?,?,0045B233,?,00000001), ref: 00441B26
    • LeaveCriticalSection.KERNEL32(00465AA4,?,00448DDC,?,?,?,?,0045B233,?,00000001), ref: 00441B50
      • Part of subcall function 00441276: lstrlenW.KERNEL32 ref: 0044129F
      • Part of subcall function 00441276: memset.MSVCRT ref: 004412EA
      • Part of subcall function 00441276: memcpy.MSVCRT ref: 004412FE
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • memcmp.MSVCRT ref: 00A8C385
    • memcpy.MSVCRT ref: 00A8C486
      • Part of subcall function 00A7BB55: connect.WS2_32(?,?), ref: 00A7BB93
      • Part of subcall function 00A7BB55: WSAGetLastError.WS2_32(?,00000000,?,?,?,00A8C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 00A7BBA2
      • Part of subcall function 00A7BB55: WSASetLastError.WS2_32(?,?,?,?,00A8C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 00A7BBC0
      • Part of subcall function 00A7BB55: WSAGetLastError.WS2_32(?,?,?,00A8C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 00A7BBC2
      • Part of subcall function 00A7BB55: WSASetLastError.WS2_32(00000000), ref: 00A7BC00
    • memcmp.MSVCRT ref: 00A8C583
      • Part of subcall function 00A7BEC0: WSAGetLastError.WS2_32 ref: 00A7BEF6
      • Part of subcall function 00A7BEC0: WSASetLastError.WS2_32(?,?,?,?), ref: 00A7BF3E
      • Part of subcall function 00A8C0DA: memcmp.MSVCRT ref: 00A8C11A
      • Part of subcall function 00A9DABF: memset.MSVCRT ref: 00A9DACF
      • Part of subcall function 00A9DABF: memcpy.MSVCRT ref: 00A9DAF8
    • memset.MSVCRT ref: 00A8C5E0
    • memcpy.MSVCRT ref: 00A8C5F1
      • Part of subcall function 00A9DB11: memcpy.MSVCRT ref: 00A9DB22
      • Part of subcall function 00A8C02F: memcmp.MSVCRT ref: 00A8C06B
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
      • Part of subcall function 00A824DA: HeapAlloc.KERNEL32(00000008,?,?,00A7B076,?,?,?,00000000,?,?,00000000,00A9AA69,?,00A9ADD5), ref: 00A824EB
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • memcmp.MSVCRT ref: 0044C385
    • memcpy.MSVCRT ref: 0044C486
      • Part of subcall function 0043BB55: connect.WS2_32(?,?), ref: 0043BB93
      • Part of subcall function 0043BB55: WSAGetLastError.WS2_32(?,00000000,?,?,?,0044C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 0043BBA2
      • Part of subcall function 0043BB55: WSASetLastError.WS2_32(?,?,?,?,0044C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 0043BBC0
      • Part of subcall function 0043BB55: WSAGetLastError.WS2_32(?,?,?,0044C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 0043BBC2
      • Part of subcall function 0043BB55: WSASetLastError.WS2_32(00000000), ref: 0043BC00
    • memcmp.MSVCRT ref: 0044C583
      • Part of subcall function 0043BEC0: WSAGetLastError.WS2_32 ref: 0043BEF6
      • Part of subcall function 0043BEC0: WSASetLastError.WS2_32(?,?,?,?), ref: 0043BF3E
      • Part of subcall function 0044C0DA: memcmp.MSVCRT ref: 0044C11A
      • Part of subcall function 0045DABF: memset.MSVCRT ref: 0045DACF
      • Part of subcall function 0045DABF: memcpy.MSVCRT ref: 0045DAF8
    • memset.MSVCRT ref: 0044C5E0
    • memcpy.MSVCRT ref: 0044C5F1
      • Part of subcall function 0045DB11: memcpy.MSVCRT ref: 0045DB22
      • Part of subcall function 0044C02F: memcmp.MSVCRT ref: 0044C06B
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 004424DA: HeapAlloc.KERNEL32(00000008,?,?,0043B076,?,?,?,00000000,?,?,00000000,0045AA69,?,0045ADD5), ref: 004424EB
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • memset.MSVCRT ref: 00A7785D
      • Part of subcall function 00A81B5D: memcmp.MSVCRT ref: 00A81B69
      • Part of subcall function 00A819AE: memcmp.MSVCRT ref: 00A81A24
      • Part of subcall function 00A81821: memcpy.MSVCRT ref: 00A81848
      • Part of subcall function 00A81728: memcpy.MSVCRT ref: 00A81771
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
    • memset.MSVCRT ref: 00A778F1
    • memcpy.MSVCRT ref: 00A77904
    • memcpy.MSVCRT ref: 00A77926
    • memcpy.MSVCRT ref: 00A77946
      • Part of subcall function 00A8B7FF: EnterCriticalSection.KERNEL32(00AA47FC,?,?,00A959A9,00000000), ref: 00A8B80C
      • Part of subcall function 00A8B7FF: LeaveCriticalSection.KERNEL32(00AA47FC,?,?,00A959A9,00000000), ref: 00A8B81A
      • Part of subcall function 00A88F55: EnterCriticalSection.KERNEL32(?,?,00000002,00000001,?,?,00A8914A,?,?,?,?,?,?,00000000,?), ref: 00A88FAF
      • Part of subcall function 00A88F55: SetEvent.KERNEL32 ref: 00A8900A
      • Part of subcall function 00A88F55: LeaveCriticalSection.KERNEL32 ref: 00A89017
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • memset.MSVCRT ref: 0043785D
      • Part of subcall function 00441B5D: memcmp.MSVCRT ref: 00441B69
      • Part of subcall function 004419AE: memcmp.MSVCRT ref: 00441A24
      • Part of subcall function 00441821: memcpy.MSVCRT ref: 00441848
      • Part of subcall function 00441728: memcpy.MSVCRT ref: 00441771
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • memset.MSVCRT ref: 004378F1
    • memcpy.MSVCRT ref: 00437904
    • memcpy.MSVCRT ref: 00437926
    • memcpy.MSVCRT ref: 00437946
      • Part of subcall function 0044B7FF: EnterCriticalSection.KERNEL32(004647FC,?,?,004559A9,00000000), ref: 0044B80C
      • Part of subcall function 0044B7FF: LeaveCriticalSection.KERNEL32(004647FC,?,?,004559A9,00000000), ref: 0044B81A
      • Part of subcall function 00448F55: EnterCriticalSection.KERNEL32(?,?,00000002,00000001,?,?,0044914A,?,?,?,?,?,?,00000000,?), ref: 00448FAF
      • Part of subcall function 00448F55: SetEvent.KERNEL32 ref: 0044900A
      • Part of subcall function 00448F55: LeaveCriticalSection.KERNEL32 ref: 00449017
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • memset.MSVCRT ref: 00A9D03A
    • InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 00A9D05C
      • Part of subcall function 00A9D133: SetLastError.KERNEL32(00000008,?,?,00000000,00A9D06E,?,?,00000000), ref: 00A9D15C
      • Part of subcall function 00A9D133: memcpy.MSVCRT ref: 00A9D17C
      • Part of subcall function 00A9D133: memcpy.MSVCRT ref: 00A9D1B4
      • Part of subcall function 00A9D133: memcpy.MSVCRT ref: 00A9D1CC
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • memset.MSVCRT ref: 0045D03A
    • InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 0045D05C
      • Part of subcall function 0045D133: SetLastError.KERNEL32(00000008,?,?,00000000,0045D06E,?,?,00000000), ref: 0045D15C
      • Part of subcall function 0045D133: memcpy.MSVCRT ref: 0045D17C
      • Part of subcall function 0045D133: memcpy.MSVCRT ref: 0045D1B4
      • Part of subcall function 0045D133: memcpy.MSVCRT ref: 0045D1CC
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A81FEC: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000), ref: 00A81FFF
      • Part of subcall function 00A81FEC: GetLastError.KERNEL32(?,00AA49A8,00000000,?,?,00A7AF07,?,00000008,?,?,?,?,?,00000000,00A9AE13), ref: 00A82009
      • Part of subcall function 00A81FEC: GetTokenInformation.ADVAPI32(?,00000001,?,?), ref: 00A82031
    • EqualSid.ADVAPI32(?,5B867A00), ref: 00A7952F
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
      • Part of subcall function 00A7B1DE: LoadLibraryA.KERNEL32(userenv.dll), ref: 00A7B1EE
      • Part of subcall function 00A7B1DE: GetProcAddress.KERNEL32(?,CreateEnvironmentBlock), ref: 00A7B20C
      • Part of subcall function 00A7B1DE: GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 00A7B218
      • Part of subcall function 00A7B1DE: memset.MSVCRT ref: 00A7B258
      • Part of subcall function 00A7B1DE: CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,00000000), ref: 00A7B2A5
      • Part of subcall function 00A7B1DE: CloseHandle.KERNEL32(?), ref: 00A7B2B9
      • Part of subcall function 00A7B1DE: CloseHandle.KERNEL32(?), ref: 00A7B2BF
      • Part of subcall function 00A7B1DE: FreeLibrary.KERNEL32 ref: 00A7B2D3
    • CloseHandle.KERNEL32(00000001), ref: 00A79576
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 00441FEC: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000), ref: 00441FFF
      • Part of subcall function 00441FEC: GetLastError.KERNEL32(?,004649A8,00000000,?,?,0043AF07,?,00000008,?,?,?,?,?,00000000,0045AE13), ref: 00442009
      • Part of subcall function 00441FEC: GetTokenInformation.ADVAPI32(?,00000001,?,?), ref: 00442031
    • EqualSid.ADVAPI32(?,5B867A00), ref: 0043952F
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 0043B1DE: LoadLibraryA.KERNEL32(userenv.dll), ref: 0043B1EE
      • Part of subcall function 0043B1DE: GetProcAddress.KERNEL32(?,CreateEnvironmentBlock), ref: 0043B20C
      • Part of subcall function 0043B1DE: GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 0043B218
      • Part of subcall function 0043B1DE: memset.MSVCRT ref: 0043B258
      • Part of subcall function 0043B1DE: CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,00000000), ref: 0043B2A5
      • Part of subcall function 0043B1DE: CloseHandle.KERNEL32(?), ref: 0043B2B9
      • Part of subcall function 0043B1DE: CloseHandle.KERNEL32(?), ref: 0043B2BF
      • Part of subcall function 0043B1DE: FreeLibrary.KERNEL32 ref: 0043B2D3
    • CloseHandle.KERNEL32(00000001), ref: 00439576
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • DeleteCriticalSection.KERNEL32(?,?,00000000,?,00401E30,?,00491DB0,00000060), ref: 00401F04
      • Part of subcall function 0040230E: HeapFree.KERNEL32(00000000,?,00492318,0000000C,00401F0C,?,?,?,00000000,?,00401E30,?,00491DB0,00000060), ref: 00402373
    • DeleteCriticalSection.KERNEL32(?,00000000,?,00401E30,?,00491DB0,00000060), ref: 00401F2E
    Strings
    Memory Dump Source
    • Source File: 00000002.00000000.251083961.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000000.251077299.00400000.00000002.sdmp
    • Associated: 00000002.00000000.251140485.00487000.00000002.sdmp
    • Associated: 00000002.00000000.251150254.00494000.00000008.sdmp
    • Associated: 00000002.00000000.251160158.004A1000.00000002.sdmp
    APIs
      • Part of subcall function 00A81B16: EnterCriticalSection.KERNEL32(00AA5AA4,?,00A88DDC,?,?,?,?,00A9B233,?,00000001), ref: 00A81B26
      • Part of subcall function 00A81B16: LeaveCriticalSection.KERNEL32(00AA5AA4,?,00A88DDC,?,?,?,?,00A9B233,?,00000001), ref: 00A81B50
    • memcmp.MSVCRT ref: 00A8BE99
      • Part of subcall function 00A96875: GetSystemTime.KERNEL32 ref: 00A9687F
    • memcmp.MSVCRT ref: 00A8BEF8
      • Part of subcall function 00A82543: HeapAlloc.KERNEL32(00000008,?,?,00000000,00A8D89F,?,?,?,00000000,00000000,00000000,00A8D869,?,00A7B3C7,?,@echo off%sdel /F "%s"), ref: 00A8256D
      • Part of subcall function 00A82543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00A8D89F,?,?,?,00000000,00000000,00000000,00A8D869,?,00A7B3C7), ref: 00A82580
    • memset.MSVCRT ref: 00A8BF8A
    • memcpy.MSVCRT ref: 00A8BFB7
    • memcmp.MSVCRT ref: 00A8BFEE
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 00441B16: EnterCriticalSection.KERNEL32(00465AA4,?,00448DDC,?,?,?,?,0045B233,?,00000001), ref: 00441B26
      • Part of subcall function 00441B16: LeaveCriticalSection.KERNEL32(00465AA4,?,00448DDC,?,?,?,?,0045B233,?,00000001), ref: 00441B50
    • memcmp.MSVCRT ref: 0044BE99
      • Part of subcall function 00456875: GetSystemTime.KERNEL32 ref: 0045687F
    • memcmp.MSVCRT ref: 0044BEF8
      • Part of subcall function 00442543: HeapAlloc.KERNEL32(00000008,?,?,00000000,0044D89F,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7,?,@echo off%sdel /F "%s"), ref: 0044256D
      • Part of subcall function 00442543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0044D89F,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7), ref: 00442580
    • memset.MSVCRT ref: 0044BF8A
    • memcpy.MSVCRT ref: 0044BFB7
    • memcmp.MSVCRT ref: 0044BFEE
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • GetCPInfo.KERNEL32(BB40E64E), ref: 00485091
      • Part of subcall function 00403B6B: GetStringTypeW.KERNEL32(00000001,00492BE4,00000001), ref: 00403B8F
      • Part of subcall function 00403B6B: GetLastError.KERNEL32(?,00492C10,0000001C,004043E4,00000001,?,00000001,00000008,?,?,00000001,?,?,00404326), ref: 00403BA1
      • Part of subcall function 00403B6B: MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000), ref: 00403C03
      • Part of subcall function 00403B6B: MultiByteToWideChar.KERNEL32(?,00000001,?,?), ref: 00403C81
      • Part of subcall function 00403B6B: GetStringTypeW.KERNEL32(00000008,?,?,?), ref: 00403C93
      • Part of subcall function 00403B6B: GetStringTypeA.KERNEL32(?,00000008,?,?,00404326), ref: 00403D07
      • Part of subcall function 00403667: LCMapStringW.KERNEL32(00000000,00000100,00492BE4,00000001,00000000,00000000), ref: 004037D6
      • Part of subcall function 00403667: GetLastError.KERNEL32 ref: 004037E8
      • Part of subcall function 00403667: MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000), ref: 0040386F
      • Part of subcall function 00403667: MultiByteToWideChar.KERNEL32(?,00000001,?,?,?), ref: 004038F0
      • Part of subcall function 00403667: LCMapStringW.KERNEL32(?,?,?,?,00000000,00000000), ref: 0040390A
      • Part of subcall function 00403667: LCMapStringW.KERNEL32(?,?,?,?,?,?), ref: 00403945
      • Part of subcall function 00403667: LCMapStringW.KERNEL32(?,?,?,?,?), ref: 004039B9
      • Part of subcall function 00403667: WideCharToMultiByte.KERNEL32(?,00000000,?,?,?,?,00000000,00000000), ref: 004039DC
      • Part of subcall function 00403667: LCMapStringA.KERNEL32(?,?,?,?,00000000,00000000), ref: 00403A72
      • Part of subcall function 00403667: LCMapStringA.KERNEL32(?,?,?,?,?,?), ref: 00403AF3
      • Part of subcall function 00403667: LCMapStringA.KERNEL32(?,?,?,?,?,?), ref: 00403B4A
      • Part of subcall function 00484FDC: ExitProcess.KERNEL32(00000003,004922F8,00000008,00401452), ref: 00484FD5
    Strings
    Memory Dump Source
    • Source File: 00000002.00000000.251083961.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000000.251077299.00400000.00000002.sdmp
    • Associated: 00000002.00000000.251140485.00487000.00000002.sdmp
    • Associated: 00000002.00000000.251150254.00494000.00000008.sdmp
    • Associated: 00000002.00000000.251160158.004A1000.00000002.sdmp
    APIs
      • Part of subcall function 00A824C1: HeapAlloc.KERNEL32(00000000,00000028,?,00A9D211,?,?,00000000,?,?,00000001), ref: 00A824D2
      • Part of subcall function 00A97C35: memset.MSVCRT ref: 00A97C5D
    • memcpy.MSVCRT ref: 00A91167
      • Part of subcall function 00A97CAE: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00A97CBE
    • memcpy.MSVCRT ref: 00A910E2
    • memcpy.MSVCRT ref: 00A910FA
      • Part of subcall function 00A97DC3: memcpy.MSVCRT ref: 00A97DE3
      • Part of subcall function 00A97DC3: memcpy.MSVCRT ref: 00A97E0F
    • memcpy.MSVCRT ref: 00A91156
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 004424C1: HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
      • Part of subcall function 00457C35: memset.MSVCRT ref: 00457C5D
    • memcpy.MSVCRT ref: 00451167
      • Part of subcall function 00457CAE: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00457CBE
    • memcpy.MSVCRT ref: 004510E2
    • memcpy.MSVCRT ref: 004510FA
      • Part of subcall function 00457DC3: memcpy.MSVCRT ref: 00457DE3
      • Part of subcall function 00457DC3: memcpy.MSVCRT ref: 00457E0F
    • memcpy.MSVCRT ref: 00451156
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A79F04: StrCmpNA.SHLWAPI(Basic ,?,00000000), ref: 00A79F19
      • Part of subcall function 00A79F04: lstrcmpA.KERNEL32(Basic ,?,00A954A4,00000006,Authorization,?,?,?), ref: 00A79F23
    • StrChrA.SHLWAPI(?,0000003A), ref: 00A954F6
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 00439F04: StrCmpNA.SHLWAPI(Basic ,?,00000000), ref: 00439F19
      • Part of subcall function 00439F04: lstrcmpA.KERNEL32(Basic ,?,004554A4,00000006,Authorization,?,?,?), ref: 00439F23
    • StrChrA.SHLWAPI(?,0000003A), ref: 004554F6
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    Strings
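The two blocks above describe one routine in both dumps: StrCmpNA compares a header value against the literal "Basic " (six characters), lstrcmpA checks the header name against "Authorization", and StrChrA(?,0000003A) then looks for the first ':' (0x3A), which is how HTTP Basic credentials split into user and password. Added example, not code from the report or from the analysed sample: a Python routine that performs the same extraction over a constructed request buffer, so an analyst can check what a hook on outgoing HTTP would harvest. The request, host name and credentials are made up; the base64 decoding step between the prefix compare and the colon search is assumed, since the listing shows only those two calls.

```python
import base64
import binascii
import re
from typing import Iterator, List, Optional, Tuple

# Constructed sample request (not captured from the analysed sample): the kind of
# buffer a hook on send() would see. The credentials decode to alice / s#cr3t:pw.
SAMPLE_REQUEST = (
    b"GET /admin HTTP/1.1\r\n"
    b"Host: intranet.example.test\r\n"
    b"Authorization: Basic YWxpY2U6cyNjcjN0OnB3\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 8.0)\r\n"
    b"\r\n"
)

_AUTH_RE = re.compile(rb"^Authorization:[ \t]*(.*?)[ \t]*$", re.IGNORECASE)


def sample_would_match(value: bytes) -> bool:
    """Mimic the listing: StrCmpNA("Basic ", value, 6) is an exact, case-sensitive
    prefix compare, so a lower-case 'basic ' scheme (valid per RFC 7617) slips past it."""
    return value[:6] == b"Basic "


def parse_basic(value: bytes) -> Optional[Tuple[str, str]]:
    """Decode 'Basic <base64>' into (user, password); None if not Basic or malformed."""
    if value[:6].lower() != b"basic ":
        return None
    try:
        raw = base64.b64decode(value[6:].strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    # StrChrA(buf, 0x3A) finds the FIRST ':'; everything after it is the password,
    # which may itself contain ':' (RFC 7617 allows that).
    user, sep, password = raw.partition(b":")
    if not sep:
        return None
    return user.decode("latin-1"), password.decode("latin-1")


def iter_headers(request: bytes) -> Iterator[bytes]:
    """Yield header lines of one HTTP request, skipping the request line."""
    head, _, _ = request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:
        if line:
            yield line


def extract_basic_credentials(request: bytes) -> List[Tuple[str, str]]:
    """Return every (user, password) pair carried in Basic Authorization headers."""
    found = []
    for line in iter_headers(request):
        m = _AUTH_RE.match(line)
        if m:
            parsed = parse_basic(m.group(1))
            if parsed:
                found.append(parsed)
    return found


if __name__ == "__main__":
    print(extract_basic_credentials(SAMPLE_REQUEST))
```

The case-sensitivity difference is worth keeping in mind when building a test case for this routine: a request with "authorization: basic ..." is accepted by servers but, going by the StrCmpNA call, would not be picked up by the sample's parser.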
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • memset.MSVCRT ref: 00AA2F5F
    • memcpy.MSVCRT ref: 00AA2FBF
    • memcpy.MSVCRT ref: 00AA2FD7
      • Part of subcall function 00A82070: memset.MSVCRT ref: 00A82084
      • Part of subcall function 00A9A7D7: memset.MSVCRT ref: 00A9A862
      • Part of subcall function 00A9570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00A9ABEA,00A9ABEA), ref: 00A9573C
    • memcpy.MSVCRT ref: 00AA304D
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • memset.MSVCRT ref: 00462F5F
    • memcpy.MSVCRT ref: 00462FBF
    • memcpy.MSVCRT ref: 00462FD7
      • Part of subcall function 00442070: memset.MSVCRT ref: 00442084
      • Part of subcall function 0045A7D7: memset.MSVCRT ref: 0045A862
      • Part of subcall function 0045570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0045ABEA,0045ABEA), ref: 0045573C
    • memcpy.MSVCRT ref: 0046304D
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • GetFileAttributesW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data), ref: 00A95CB1
    • CreateFileW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data,80000000,00000007,00000000,00000003,?,00000000), ref: 00A95CD1
      • Part of subcall function 00A95934: CloseHandle.KERNEL32 ref: 00A95940
      • Part of subcall function 00A95BE4: memcpy.MSVCRT ref: 00A95C25
      • Part of subcall function 00A95BE4: memcpy.MSVCRT ref: 00A95C38
      • Part of subcall function 00A95BE4: memcpy.MSVCRT ref: 00A95C4B
      • Part of subcall function 00A95BE4: memcpy.MSVCRT ref: 00A95C56
      • Part of subcall function 00A95BE4: GetFileTime.KERNEL32(?,?,?), ref: 00A95C7A
      • Part of subcall function 00A95BE4: memcpy.MSVCRT ref: 00A95C90
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 00A7C942: EnterCriticalSection.KERNEL32(00AA5AA4,?,00A7CE31,00DD1E90,00A9D393), ref: 00A7C952
      • Part of subcall function 00A7C942: LeaveCriticalSection.KERNEL32(00AA5AA4,?,00A7CE31,00DD1E90,00A9D393), ref: 00A7C987
    • VerQueryValueW.VERSION(?,00A6AE74,?,?,00DD1E90,00A9D393), ref: 00A7CE44
    • GetModuleHandleW.KERNEL32(?), ref: 00A7CE85
      • Part of subcall function 00A7CE9F: PathFindFileNameW.SHLWAPI(00000000), ref: 00A7CEE3
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 0043C942: EnterCriticalSection.KERNEL32(00465AA4,?,0043CE31,009B1E90,0045D393), ref: 0043C952
      • Part of subcall function 0043C942: LeaveCriticalSection.KERNEL32(00465AA4,?,0043CE31,009B1E90,0045D393), ref: 0043C987
    • VerQueryValueW.VERSION(?,0042AE74,?,?,009B1E90,0045D393), ref: 0043CE44
    • GetModuleHandleW.KERNEL32(?), ref: 0043CE85
      • Part of subcall function 0043CE9F: PathFindFileNameW.SHLWAPI(00000000), ref: 0043CEE3
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00459AEE
    • VirtualProtect.KERNEL32(00000000,00010000,00000040,?), ref: 00459B34
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • memcpy.MSVCRT ref: 00A82268
    • memcpy.MSVCRT ref: 00A8227D
      • Part of subcall function 00A9570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00A9ABEA,00A9ABEA), ref: 00A9573C
    • memcpy.MSVCRT ref: 00A822BA
    • memcpy.MSVCRT ref: 00A822F2
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • memcpy.MSVCRT ref: 00442268
    • memcpy.MSVCRT ref: 0044227D
      • Part of subcall function 0045570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0045ABEA,0045ABEA), ref: 0045573C
    • memcpy.MSVCRT ref: 004422BA
    • memcpy.MSVCRT ref: 004422F2
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A824DA: HeapAlloc.KERNEL32(00000008,?,?,00A7B076,?,?,?,00000000,?,?,00000000,00A9AA69,?,00A9ADD5), ref: 00A824EB
    • SetLastError.KERNEL32(00000008,?,?,00000000,00A9D06E,?,?,00000000), ref: 00A9D15C
    • memcpy.MSVCRT ref: 00A9D17C
    • memcpy.MSVCRT ref: 00A9D1B4
    • memcpy.MSVCRT ref: 00A9D1CC
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 004424DA: HeapAlloc.KERNEL32(00000008,?,?,0043B076,?,?,?,00000000,?,?,00000000,0045AA69,?,0045ADD5), ref: 004424EB
    • SetLastError.KERNEL32(00000008,?,?,00000000,0045D06E,?,?,00000000), ref: 0045D15C
    • memcpy.MSVCRT ref: 0045D17C
    • memcpy.MSVCRT ref: 0045D1B4
    • memcpy.MSVCRT ref: 0045D1CC
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,?,00A89116,?), ref: 00A9917B
    • memcmp.MSVCRT ref: 00A991A7
    • memcpy.MSVCRT ref: 00A991F2
    • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,00000000), ref: 00A991FE
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,?,00449116,?), ref: 0045917B
    • memcmp.MSVCRT ref: 004591A7
    • memcpy.MSVCRT ref: 004591F2
    • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,00000000), ref: 004591FE
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • memset.MSVCRT ref: 00A9FEF5
    • InitializeCriticalSection.KERNEL32(00AA5050), ref: 00A9FF05
      • Part of subcall function 00A8204E: memcpy.MSVCRT ref: 00A8205C
    • memset.MSVCRT ref: 00A9FF34
    • InitializeCriticalSection.KERNEL32(00AA5030), ref: 00A9FF3E
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00465AA4,00000000,?,?,004393C9), ref: 0045D5B6
    • LeaveCriticalSection.KERNEL32(00465AA4,?,?,004393C9), ref: 0045D5DC
      • Part of subcall function 0045D4EF: memset.MSVCRT ref: 0045D506
    • CreateMutexW.KERNEL32(004649B4,00000000,00466016), ref: 0045D5EE
      • Part of subcall function 004375E7: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004375ED
      • Part of subcall function 004375E7: CloseHandle.KERNEL32 ref: 004375FF
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • VirtualAlloc.KERNEL32(00000000,00006000,00003000,00000040), ref: 00A6CAC5
    • LoadLibraryA.KERNEL32 ref: 00A6CBAE
    • GetProcAddress.KERNEL32(00000000), ref: 00A6CBD8
    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00A6CC0A
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • VirtualAlloc.KERNEL32(00000000,00006000,00003000,00000040), ref: 0042CAC5
    • LoadLibraryA.KERNEL32 ref: 0042CBAE
    • GetProcAddress.KERNEL32(00000000), ref: 0042CBD8
    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0042CC0A
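Most functions in this listing appear twice, once against the dump labelled Offset: 00400000 and once against the one labelled Offset: 00A40000, with every ref address shifted by 0x640000 (0042CAC5 against 00A6CAC5 in the two blocks directly above, 0043BE0B against 00A7BE0B earlier), which is exactly the difference between the two bases. In many of those blocks the labelled dump and the ref addresses do not agree (a block labelled Offset: 00400000 carrying refs at 00A7xxxx), so the label alone cannot be used to pair them. Added example, not part of the report: a Python script that parses blocks in this listing's format, pairs relocated copies of the same function by their constant address delta, and tags API combinations worth a second look (VirtualAlloc with flProtect 00000040 followed by LoadLibraryA and GetProcAddress, as in the block above; GetTokenInformation with CreateProcessAsUserW; the "@echo off%sdel /F" format string reaching HeapAlloc). The embedded listing is a constructed, abridged copy of lines from this page; the 1 MiB dump span used by refs_within_dump and the rule names are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the report's own format: four function blocks abridged from
# the listing (the first two are the loader routine as it appears in both dumps).
SAMPLE_LISTING = """\
Memory Dump Source
• Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
APIs
• VirtualAlloc.KERNEL32(00000000,00006000,00003000,00000040), ref: 00A6CAC5
• LoadLibraryA.KERNEL32 ref: 00A6CBAE
• GetProcAddress.KERNEL32(00000000), ref: 00A6CBD8
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 00A6CC0A
Memory Dump Source
• Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
APIs
• VirtualAlloc.KERNEL32(00000000,00006000,00003000,00000040), ref: 0042CAC5
• LoadLibraryA.KERNEL32 ref: 0042CBAE
• GetProcAddress.KERNEL32(00000000), ref: 0042CBD8
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 0042CC0A
Memory Dump Source
• Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
APIs
  • Part of subcall function 00441FEC: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000), ref: 00441FFF
• EqualSid.ADVAPI32(?,5B867A00), ref: 0043952F
  • Part of subcall function 0043B1DE: CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,00000000), ref: 0043B2A5
• CloseHandle.KERNEL32(00000001), ref: 00439576
Memory Dump Source
• Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
APIs
• memcmp.MSVCRT ref: 0044BE99
  • Part of subcall function 00442543: HeapAlloc.KERNEL32(00000008,?,?,00000000,0044D89F,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7,?,@echo off%sdel /F "%s"), ref: 0044256D
"""

# (api, module, argument text, ref address, direct call rather than 'Part of subcall')
Call = Tuple[str, str, str, int, bool]

_CALL_RE = re.compile(
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})"
)


def parse_listing(text: str) -> List[Dict]:
    """Split the listing into per-function blocks: {'dump': base, 'calls': [Call, ...]}."""
    blocks: List[Dict] = []
    for raw in text.split("Memory Dump Source")[1:]:
        block: Dict = {"dump": None, "calls": []}
        for line in raw.splitlines():
            off = re.search(r"Offset: ([0-9A-Fa-f]{8})", line)
            if off and block["dump"] is None:
                block["dump"] = int(off.group(1), 16)
            m = _CALL_RE.search(line)
            if m:
                block["calls"].append((m.group("api"), m.group("mod"), m.group("args") or "",
                                       int(m.group("ref"), 16), "Part of subcall" not in line))
        if block["calls"]:
            blocks.append(block)
    return blocks


def refs_within_dump(block: Dict, span: int = 0x100000) -> bool:
    """Heuristic (assumed 1 MiB dump span): do all call sites lie inside the labelled dump?"""
    return all(block["dump"] <= ref < block["dump"] + span for _, _, _, ref, _ in block["calls"])


def relocation_delta(a: Dict, b: Dict) -> Optional[int]:
    """Same function at two bases: identical API sequence, every ref shifted by one constant."""
    if [c[0] for c in a["calls"]] != [c[0] for c in b["calls"]]:
        return None
    deltas = {x[3] - y[3] for x, y in zip(a["calls"], b["calls"])}
    delta = deltas.pop() if len(deltas) == 1 else 0
    return delta or None


def pair_relocated(blocks: List[Dict]) -> List[Tuple[int, int, int]]:
    """Indices of blocks that are the same code relocated, with the base difference."""
    pairs = []
    for i in range(len(blocks)):
        for j in range(i + 1, len(blocks)):
            d = relocation_delta(blocks[i], blocks[j])
            if d is not None:
                pairs.append((i, j, d))
    return pairs


# Capability rules (assumed names): API sets that together indicate a technique.
RULES = [
    ("runtime import resolution over freshly allocated memory",
     {"VirtualAlloc", "LoadLibraryA", "GetProcAddress"}),
    ("process launched under another account's token",
     {"GetTokenInformation", "CreateProcessAsUserW"}),
    ("HTTP Basic credential parsing", {"StrCmpNA", "StrChrA"}),
]


def tag_capabilities(block: Dict) -> List[str]:
    apis = {c[0] for c in block["calls"]}
    tags = [name for name, needed in RULES if needed <= apis]
    for api, _, args, _, _ in block["calls"]:
        # VirtualAlloc(..., flProtect=0x40) is PAGE_EXECUTE_READWRITE.
        if api == "VirtualAlloc" and args.split(",")[-1] == "00000040":
            tags.append("PAGE_EXECUTE_READWRITE allocation")
        if "del /F" in args:
            tags.append("self-deleting batch script format string")
    return tags


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for i, j, d in pair_relocated(parsed):
        print(f"block {i} and block {j} are the same code relocated by 0x{d:X}")
    for i, b in enumerate(parsed):
        print(i, refs_within_dump(b), tag_capabilities(b))
```

Pairing by address delta rather than by the dump label is what makes the duplicated blocks on this page collapse to one function each; the relocated copy adds no new behaviour, so capability tags need only be reviewed once per pair. Subcall refs are included in the delta check because in this listing they shift by the same constant as the direct calls.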
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A826C5: memset.MSVCRT ref: 00A826D5
    • lstrlenA.KERNEL32(?), ref: 00A8304D
    • lstrlenA.KERNEL32 ref: 00A8305C
      • Part of subcall function 00A8D8E8: memcpy.MSVCRT ref: 00A8D8FF
      • Part of subcall function 00A8D8E8: CharLowerA.USER32 ref: 00A8D9CA
      • Part of subcall function 00A8D8E8: CharLowerA.USER32(?), ref: 00A8D9DA
      • Part of subcall function 00A8D8E8: memcpy.MSVCRT ref: 00A8DA9F
      • Part of subcall function 00A8260E: memcpy.MSVCRT ref: 00A82621
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 004426C5: memset.MSVCRT ref: 004426D5
    • lstrlenA.KERNEL32(?), ref: 0044304D
    • lstrlenA.KERNEL32 ref: 0044305C
      • Part of subcall function 0044D8E8: memcpy.MSVCRT ref: 0044D8FF
      • Part of subcall function 0044D8E8: CharLowerA.USER32 ref: 0044D9CA
      • Part of subcall function 0044D8E8: CharLowerA.USER32(?), ref: 0044D9DA
      • Part of subcall function 0044D8E8: memcpy.MSVCRT ref: 0044DA9F
      • Part of subcall function 0044260E: memcpy.MSVCRT ref: 00442621
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A9601D: FreeAddrInfoW.WS2_32 ref: 00A9602C
      • Part of subcall function 00A9601D: memset.MSVCRT ref: 00A96042
    • getaddrinfo.WS2_32(?,00000000), ref: 00A8C675
    • memset.MSVCRT ref: 00A8C6BB
    • memcpy.MSVCRT ref: 00A8C6CE
      • Part of subcall function 00A7BB55: connect.WS2_32(?,?), ref: 00A7BB93
      • Part of subcall function 00A7BB55: WSAGetLastError.WS2_32(?,00000000,?,?,?,00A8C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 00A7BBA2
      • Part of subcall function 00A7BB55: WSASetLastError.WS2_32(?,?,?,?,00A8C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 00A7BBC0
      • Part of subcall function 00A7BB55: WSAGetLastError.WS2_32(?,?,?,00A8C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 00A7BBC2
      • Part of subcall function 00A7BB55: WSASetLastError.WS2_32(00000000), ref: 00A7BC00
      • Part of subcall function 00A7B979: shutdown.WS2_32(?,00000002), ref: 00A7B987
      • Part of subcall function 00A7B979: closesocket.WS2_32 ref: 00A7B990
      • Part of subcall function 00A7B979: WSACloseEvent.WS2_32 ref: 00A7B9A3
    • FreeAddrInfoW.WS2_32(00000000), ref: 00A8C778
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 0045601D: FreeAddrInfoW.WS2_32 ref: 0045602C
      • Part of subcall function 0045601D: memset.MSVCRT ref: 00456042
    • getaddrinfo.WS2_32(?,00000000), ref: 0044C675
    • memset.MSVCRT ref: 0044C6BB
    • memcpy.MSVCRT ref: 0044C6CE
      • Part of subcall function 0043BB55: connect.WS2_32(?,?), ref: 0043BB93
      • Part of subcall function 0043BB55: WSAGetLastError.WS2_32(?,00000000,?,?,?,0044C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 0043BBA2
      • Part of subcall function 0043BB55: WSASetLastError.WS2_32(?,?,?,?,0044C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 0043BBC0
      • Part of subcall function 0043BB55: WSAGetLastError.WS2_32(?,?,?,0044C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 0043BBC2
      • Part of subcall function 0043BB55: WSASetLastError.WS2_32(00000000), ref: 0043BC00
      • Part of subcall function 0043B979: shutdown.WS2_32(?,00000002), ref: 0043B987
      • Part of subcall function 0043B979: closesocket.WS2_32 ref: 0043B990
      • Part of subcall function 0043B979: WSACloseEvent.WS2_32 ref: 0043B9A3
    • FreeAddrInfoW.WS2_32(00000000), ref: 0044C778
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • memset.MSVCRT ref: 00A9CDD2
      • Part of subcall function 00A824C1: HeapAlloc.KERNEL32(00000000,00000028,?,00A9D211,?,?,00000000,?,?,00000001), ref: 00A824D2
    • InternetReadFile.WININET(00A899F7,?,00001000,?), ref: 00A9CE24
    • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00A9CE01
      • Part of subcall function 00A825D5: memcpy.MSVCRT ref: 00A825FB
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
    • SetLastError.KERNEL32(00000000,?,00001000,?,?,00000000,?,00000001,?,00A899F7,?,00000CCA,?,?,00000001), ref: 00A9CE78
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • memset.MSVCRT ref: 0045CDD2
      • Part of subcall function 004424C1: HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
    • InternetReadFile.WININET(004499F7,?,00001000,?), ref: 0045CE24
    • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0045CE01
      • Part of subcall function 004425D5: memcpy.MSVCRT ref: 004425FB
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • SetLastError.KERNEL32(00000000,?,00001000,?,?,00000000,?,00000001,?,004499F7,?,00000CCA,?,?,00000001), ref: 0045CE78
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A771D5: memcpy.MSVCRT ref: 00A772E6
      • Part of subcall function 00A95B15: SetFilePointerEx.KERNEL32(?,00000001,00000001,00000000,?), ref: 00A95B25
    • WriteFile.KERNEL32(?,?,00000005,?,00000000), ref: 00A86EB2
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00A86ECA
    • FlushFileBuffers.KERNEL32(?), ref: 00A86EE4
    • SetEndOfFile.KERNEL32 ref: 00A86EFE
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
      • Part of subcall function 00A95ADF: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001), ref: 00A95AF1
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 004371D5: memcpy.MSVCRT ref: 004372E6
      • Part of subcall function 00455B15: SetFilePointerEx.KERNEL32(?,00000001,00000001,00000000,?), ref: 00455B25
    • WriteFile.KERNEL32(?,?,00000005,?,00000000), ref: 00446EB2
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00446ECA
    • FlushFileBuffers.KERNEL32(?), ref: 00446EE4
    • SetEndOfFile.KERNEL32 ref: 00446EFE
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 00455ADF: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001), ref: 00455AF1
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • GetTickCount.KERNEL32 ref: 00A866A8
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,00000002), ref: 00A866BA
    • memcmp.MSVCRT ref: 00A866F4
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000002), ref: 00A86760
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • GetTickCount.KERNEL32 ref: 004466A8
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,00000002), ref: 004466BA
    • memcmp.MSVCRT ref: 004466F4
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000002), ref: 00446760
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • WSAEventSelect.WS2_32(?,?,?), ref: 00A7BF85
    • WaitForMultipleObjects.KERNEL32(?,00000001,00000000,?), ref: 00A7BFBA
    • WSAEventSelect.WS2_32 ref: 00A7C008
    • WSASetLastError.WS2_32(?,?,?,?,?,00000001,00000000,?,?,?,?), ref: 00A7C01B
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • WSAEventSelect.WS2_32(?,?,?), ref: 0043BF85
    • WaitForMultipleObjects.KERNEL32(?,00000001,00000000,?), ref: 0043BFBA
    • WSAEventSelect.WS2_32 ref: 0043C008
    • WSASetLastError.WS2_32(?,?,?,?,?,00000001,00000000,?,?,?,?), ref: 0043C01B
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000104,00000000,?,00000000), ref: 00A8BA66
    • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000103,00000000), ref: 00A8BA9B
    • RegCloseKey.ADVAPI32(?), ref: 00A8BAAA
    • RegCloseKey.ADVAPI32(?), ref: 00A8BAC5
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,?,00000000,?,00A868D1,?,?,?,?,00000002), ref: 00A86619
    • GetTickCount.KERNEL32 ref: 00A8664A
    • memcpy.MSVCRT ref: 00A86681
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000,?,00A868D1,?,?,?,?,00000002), ref: 00A8668D
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,?,00000000,?,004468D1,?,?,?,?,00000002), ref: 00446619
    • GetTickCount.KERNEL32 ref: 0044664A
    • memcpy.MSVCRT ref: 00446681
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000,?,004468D1,?,?,?,?,00000002), ref: 0044668D
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(00465030,?,?,?,004618E8), ref: 00460594
    • LeaveCriticalSection.KERNEL32(00465030,?,?,?,004618E8), ref: 0046060A
      • Part of subcall function 00442543: HeapAlloc.KERNEL32(00000008,?,?,00000000,0044D89F,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7,?,@echo off%sdel /F "%s"), ref: 0044256D
      • Part of subcall function 00442543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0044D89F,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7), ref: 00442580
    • memcpy.MSVCRT ref: 004605EA
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • GetTickCount.KERNEL32 ref: 00A85138
    • GetLastInputInfo.USER32(?), ref: 00A8514B
    • GetLocalTime.KERNEL32 ref: 00A8516F
      • Part of subcall function 00A96891: SystemTimeToFileTime.KERNEL32 ref: 00A9689B
    • GetTimeZoneInformation.KERNEL32 ref: 00A85187
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,00001CFF), ref: 00A77622
    • TranslateMessage.USER32 ref: 00A77646
    • DispatchMessageW.USER32 ref: 00A77651
    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A77661
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,00001CFF), ref: 00437622
    • TranslateMessage.USER32 ref: 00437646
    • DispatchMessageW.USER32 ref: 00437651
    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00437661
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A76A4D: TlsSetValue.KERNEL32(00000001,00A8A796), ref: 00A76A5A
      • Part of subcall function 00A9C09D: CreateMutexW.KERNEL32(00AA49B4,00000000), ref: 00A9C0BF
      • Part of subcall function 00A9AFD3: WaitForSingleObject.KERNEL32(00000000,00A8A849), ref: 00A9AFDB
    • GetCurrentThread.KERNEL32 ref: 00A8A70A
    • SetThreadPriority.KERNEL32 ref: 00A8A711
    • WaitForSingleObject.KERNEL32(00001388), ref: 00A8A723
      • Part of subcall function 00A75B9B: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00A75BC1
      • Part of subcall function 00A75B9B: Process32FirstW.KERNEL32 ref: 00A75BE6
      • Part of subcall function 00A75B9B: OpenProcess.KERNEL32(00000400,00000000,?), ref: 00A75C3D
      • Part of subcall function 00A75B9B: CloseHandle.KERNEL32 ref: 00A75C5B
      • Part of subcall function 00A75B9B: GetLengthSid.ADVAPI32 ref: 00A75C77
      • Part of subcall function 00A75B9B: memcmp.MSVCRT ref: 00A75C8F
      • Part of subcall function 00A75B9B: CloseHandle.KERNEL32(?), ref: 00A75D07
      • Part of subcall function 00A75B9B: Process32NextW.KERNEL32(?,?), ref: 00A75D13
      • Part of subcall function 00A75B9B: CloseHandle.KERNEL32 ref: 00A75D26
    • WaitForSingleObject.KERNEL32(00001388), ref: 00A8A73C
      • Part of subcall function 00A7766D: ReleaseMutex.KERNEL32 ref: 00A77671
      • Part of subcall function 00A7766D: CloseHandle.KERNEL32 ref: 00A77678
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 00436A4D: TlsSetValue.KERNEL32(00000001,0044A796), ref: 00436A5A
      • Part of subcall function 0045C09D: CreateMutexW.KERNEL32(004649B4,00000000), ref: 0045C0BF
      • Part of subcall function 0045AFD3: WaitForSingleObject.KERNEL32(00000000,0044A849), ref: 0045AFDB
    • GetCurrentThread.KERNEL32 ref: 0044A70A
    • SetThreadPriority.KERNEL32 ref: 0044A711
    • WaitForSingleObject.KERNEL32(00001388), ref: 0044A723
      • Part of subcall function 00435B9B: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00435BC1
      • Part of subcall function 00435B9B: Process32FirstW.KERNEL32 ref: 00435BE6
      • Part of subcall function 00435B9B: OpenProcess.KERNEL32(00000400,00000000,?), ref: 00435C3D
      • Part of subcall function 00435B9B: CloseHandle.KERNEL32 ref: 00435C5B
      • Part of subcall function 00435B9B: GetLengthSid.ADVAPI32 ref: 00435C77
      • Part of subcall function 00435B9B: memcmp.MSVCRT ref: 00435C8F
      • Part of subcall function 00435B9B: CloseHandle.KERNEL32(?), ref: 00435D07
      • Part of subcall function 00435B9B: Process32NextW.KERNEL32(?,?), ref: 00435D13
      • Part of subcall function 00435B9B: CloseHandle.KERNEL32 ref: 00435D26
    • WaitForSingleObject.KERNEL32(00001388), ref: 0044A73C
      • Part of subcall function 0043766D: ReleaseMutex.KERNEL32 ref: 00437671
      • Part of subcall function 0043766D: CloseHandle.KERNEL32 ref: 00437678
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • WaitForSingleObject.KERNEL32(?,00007530), ref: 00A9C3D1
    • EnterCriticalSection.KERNEL32(?,?,00007530), ref: 00A9C3DF
    • LeaveCriticalSection.KERNEL32(?,?,00007530), ref: 00A9C3F4
    • WaitForSingleObject.KERNEL32(?,00007530), ref: 00A9C3FE
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • CreateThread.KERNEL32(00000000,00000000,Function_00053883,00000000), ref: 00453964
    • WaitForSingleObject.KERNEL32(?,00003A98), ref: 00453976
    • TerminateThread.KERNEL32(?,00000000), ref: 00453982
    • CloseHandle.KERNEL32 ref: 00453989
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • WaitForSingleObject.KERNEL32(?,00007530), ref: 0045C3D1
    • EnterCriticalSection.KERNEL32(?,?,00007530), ref: 0045C3DF
    • LeaveCriticalSection.KERNEL32(?,?,00007530), ref: 0045C3F4
    • WaitForSingleObject.KERNEL32(?,00007530), ref: 0045C3FE
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(?,?,00000002,00000001,?,?,00A8914A,?,?,?,?,?,?,00000000,?), ref: 00A88FAF
    • LeaveCriticalSection.KERNEL32 ref: 00A89017
      • Part of subcall function 00A88A41: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00A88A52
      • Part of subcall function 00A82543: HeapAlloc.KERNEL32(00000008,?,?,00000000,00A8D89F,?,?,?,00000000,00000000,00000000,00A8D869,?,00A7B3C7,?,@echo off%sdel /F "%s"), ref: 00A8256D
      • Part of subcall function 00A82543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00A8D89F,?,?,?,00000000,00000000,00000000,00A8D869,?,00A7B3C7), ref: 00A82580
    • SetEvent.KERNEL32 ref: 00A8900A
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,00000002,00000001,?,?,0044914A,?,?,?,?,?,?,00000000,?), ref: 00448FAF
    • LeaveCriticalSection.KERNEL32 ref: 00449017
      • Part of subcall function 00448A41: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00448A52
      • Part of subcall function 00442543: HeapAlloc.KERNEL32(00000008,?,?,00000000,0044D89F,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7,?,@echo off%sdel /F "%s"), ref: 0044256D
      • Part of subcall function 00442543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0044D89F,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7), ref: 00442580
    • SetEvent.KERNEL32 ref: 0044900A
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • getpeername.WS2_32(?,?,?), ref: 00A8EC79
    • getsockname.WS2_32(?,?,?), ref: 00A8EC91
    • send.WS2_32(00000000,00000000,00000008,00000000), ref: 00A8ECC2
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • getpeername.WS2_32(?,?,?), ref: 0044EC79
    • getsockname.WS2_32(?,?,?), ref: 0044EC91
    • send.WS2_32(00000000,00000000,00000008,00000000), ref: 0044ECC2
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • WSACreateEvent.WS2_32(00000000,?,00A7BB6E,00000033,00000000,?,?,?,00A8C4F0,?,00003A98,?,00000000,?,00000003), ref: 00A7B93E
    • WSAEventSelect.WS2_32(?,?,00000033), ref: 00A7B954
    • WSACloseEvent.WS2_32 ref: 00A7B968
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • WSACreateEvent.WS2_32(00000000,?,0043BB6E,00000033,00000000,?,?,?,0044C4F0,?,00003A98,?,00000000,?,00000003), ref: 0043B93E
    • WSAEventSelect.WS2_32(?,?,00000033), ref: 0043B954
    • WSACloseEvent.WS2_32 ref: 0043B968
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A94BC8: StrCmpNIA.SHLWAPI ref: 00A94BDF
    • StrCmpNIA.SHLWAPI(?,nbsp;,00000005), ref: 00A94D7B
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 00454BC8: StrCmpNIA.SHLWAPI ref: 00454BDF
    • StrCmpNIA.SHLWAPI(?,nbsp;,00000005), ref: 00454D7B
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A97ED8: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00A97EEF
      • Part of subcall function 00A97ED8: CloseHandle.KERNEL32 ref: 00A97F0E
    • GetFileSizeEx.KERNEL32(00000000), ref: 00AA25C4
      • Part of subcall function 00A97F3D: UnmapViewOfFile.KERNEL32 ref: 00A97F49
      • Part of subcall function 00A97F3D: MapViewOfFile.KERNEL32(?,00000001,00000000,00000000,00000001), ref: 00A97F60
      • Part of subcall function 00A95B15: SetFilePointerEx.KERNEL32(?,00000001,00000001,00000000,?), ref: 00A95B25
    • SetEndOfFile.KERNEL32 ref: 00AA263A
    • FlushFileBuffers.KERNEL32(?), ref: 00AA2645
      • Part of subcall function 00A95934: CloseHandle.KERNEL32 ref: 00A95940
      • Part of subcall function 00A95B5F: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00A95B87
      • Part of subcall function 00AA2474: GetFileAttributesW.KERNEL32 ref: 00AA2485
      • Part of subcall function 00AA2474: PathRemoveFileSpecW.SHLWAPI(?), ref: 00AA24BA
      • Part of subcall function 00AA2474: MoveFileExW.KERNEL32(?,?,00000001), ref: 00AA2501
      • Part of subcall function 00AA2474: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 00AA251A
      • Part of subcall function 00AA2474: Sleep.KERNEL32(00001388), ref: 00AA255D
      • Part of subcall function 00AA2474: FlushFileBuffers.KERNEL32 ref: 00AA256B
      • Part of subcall function 00A97E98: UnmapViewOfFile.KERNEL32 ref: 00A97EA4
      • Part of subcall function 00A97E98: CloseHandle.KERNEL32 ref: 00A97EB7
      • Part of subcall function 00A97E98: CloseHandle.KERNEL32 ref: 00A97ECD
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00465050,?,?,00000000,?,0044F3D7,00000000), ref: 00461F47
    • LeaveCriticalSection.KERNEL32(00465050,00465068,?,?,00000000,?,0044F3D7,00000000), ref: 00461F86
      • Part of subcall function 00460F60: memcmp.MSVCRT ref: 00460FF5
      • Part of subcall function 00460F60: memcpy.MSVCRT ref: 00461025
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • select.WS2_32(00000000,?,00000000,00000000), ref: 00A83A81
    • recv.WS2_32(?,?,?,00000000), ref: 00A83A91
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • select.WS2_32(00000000,?,00000000,00000000), ref: 00443A81
    • recv.WS2_32(?,?,?,00000000), ref: 00443A91
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00A99B46
    • VirtualProtect.KERNEL32(?,0000007C,?,?), ref: 00A99B7D
      • Part of subcall function 00A99A67: memset.MSVCRT ref: 00A99A78
      • Part of subcall function 00A99821: GetCurrentProcess.KERNEL32 ref: 00A99824
      • Part of subcall function 00A99821: VirtualProtect.KERNEL32(6FFF0000,=::=::\,00000020), ref: 00A99845
      • Part of subcall function 00A99821: FlushInstructionCache.KERNEL32(?,6FFF0000,=::=::\), ref: 00A9984E
    • ResumeThread.KERNEL32(?), ref: 00A99BBE
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00459B46
    • VirtualProtect.KERNEL32(?,0000007C,?,?), ref: 00459B7D
      • Part of subcall function 00459A67: memset.MSVCRT ref: 00459A78
      • Part of subcall function 00459821: GetCurrentProcess.KERNEL32 ref: 00459824
      • Part of subcall function 00459821: VirtualProtect.KERNEL32(00000000,=::=::\,00000020), ref: 00459845
      • Part of subcall function 00459821: FlushInstructionCache.KERNEL32(?,00000000,=::=::\), ref: 0045984E
    • ResumeThread.KERNEL32(?), ref: 00459BBE
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • memset.MSVCRT ref: 00A9D506
      • Part of subcall function 00A9BC89: memcpy.MSVCRT ref: 00A9BCA4
      • Part of subcall function 00A9BC89: StringFromGUID2.OLE32 ref: 00A9BD4A
      • Part of subcall function 00A8204E: memcpy.MSVCRT ref: 00A8205C
      • Part of subcall function 00A9570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00A9ABEA,00A9ABEA), ref: 00A9573C
      • Part of subcall function 00A78F6F: memcpy.MSVCRT ref: 00A78FE0
      • Part of subcall function 00A78F6F: PathRemoveBackslashW.SHLWAPI ref: 00A78FEA
      • Part of subcall function 00A78F6F: memcpy.MSVCRT ref: 00A79033
      • Part of subcall function 00A78F6F: memcpy.MSVCRT ref: 00A79060
      • Part of subcall function 00A78F6F: PathRemoveBackslashW.SHLWAPI ref: 00A7906A
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • CloseHandle.KERNEL32(?), ref: 00A97B37
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
    • InternetQueryOptionA.WININET(?,00000015,?,?), ref: 00A97B77
    • InternetCloseHandle.WININET(?), ref: 00A97B82
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • CloseHandle.KERNEL32(?), ref: 00457B37
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • InternetQueryOptionA.WININET(?,00000015,?,?), ref: 00457B77
    • InternetCloseHandle.WININET(?), ref: 00457B82
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000), ref: 00A81FFF
    • GetLastError.KERNEL32(?,00AA49A8,00000000,?,?,00A7AF07,?,00000008,?,?,?,?,?,00000000,00A9AE13), ref: 00A82009
      • Part of subcall function 00A824DA: HeapAlloc.KERNEL32(00000008,?,?,00A7B076,?,?,?,00000000,?,?,00000000,00A9AA69,?,00A9ADD5), ref: 00A824EB
    • GetTokenInformation.ADVAPI32(?,00000001,?,?), ref: 00A82031
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000), ref: 00441FFF
    • GetLastError.KERNEL32(?,004649A8,00000000,?,?,0043AF07,?,00000008,?,?,?,?,?,00000000,0045AE13), ref: 00442009
      • Part of subcall function 004424DA: HeapAlloc.KERNEL32(00000008,?,?,0043B076,?,?,?,00000000,?,?,00000000,0045AA69,?,0045ADD5), ref: 004424EB
    • GetTokenInformation.ADVAPI32(?,00000001,?,?), ref: 00442031
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 0045A999
    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0045A9B1
    • DuplicateHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000001), ref: 0045A9CC
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • OpenProcessToken.ADVAPI32(?,00000008), ref: 00A7AEF5
      • Part of subcall function 00A81FEC: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000), ref: 00A81FFF
      • Part of subcall function 00A81FEC: GetLastError.KERNEL32(?,00AA49A8,00000000,?,?,00A7AF07,?,00000008,?,?,?,?,?,00000000,00A9AE13), ref: 00A82009
      • Part of subcall function 00A81FEC: GetTokenInformation.ADVAPI32(?,00000001,?,?), ref: 00A82031
    • GetTokenInformation.ADVAPI32(?,0000000C,00AA49A8,00000004), ref: 00A7AF1D
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
    • CloseHandle.KERNEL32(?), ref: 00A7AF33
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • OpenProcessToken.ADVAPI32(?,00000008), ref: 0043AEF5
      • Part of subcall function 00441FEC: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000), ref: 00441FFF
      • Part of subcall function 00441FEC: GetLastError.KERNEL32(?,004649A8,00000000,?,?,0043AF07,?,00000008,?,?,?,?,?,00000000,0045AE13), ref: 00442009
      • Part of subcall function 00441FEC: GetTokenInformation.ADVAPI32(?,00000001,?,?), ref: 00442031
    • GetTokenInformation.ADVAPI32(?,0000000C,004649A8,00000004), ref: 0043AF1D
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • CloseHandle.KERNEL32(?), ref: 0043AF33
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 0044204E: memcpy.MSVCRT ref: 0044205C
      • Part of subcall function 0045BC89: memcpy.MSVCRT ref: 0045BCA4
      • Part of subcall function 0045BC89: StringFromGUID2.OLE32 ref: 0045BD4A
    • CreateMutexW.KERNEL32(004649B4,00000001), ref: 0045C058
    • GetLastError.KERNEL32(?,?,?,?,00000002,00000000), ref: 0045C064
    • CloseHandle.KERNEL32 ref: 0045C072
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • PathFindFileNameW.SHLWAPI(000001ED), ref: 00A8A759
    • PathRemoveExtensionW.SHLWAPI ref: 00A8A76D
    • CharUpperW.USER32 ref: 00A8A777
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • PathFindFileNameW.SHLWAPI(000001ED), ref: 0044A759
    • PathRemoveExtensionW.SHLWAPI ref: 0044A76D
    • CharUpperW.USER32 ref: 0044A777
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • lstrlenW.KERNEL32(00A6C448), ref: 00A8D149
    • lstrlenW.KERNEL32 ref: 00A8D14F
      • Part of subcall function 00A82543: HeapAlloc.KERNEL32(00000008,?,?,00000000,00A8D89F,?,?,?,00000000,00000000,00000000,00A8D869,?,00A7B3C7,?,@echo off%sdel /F "%s"), ref: 00A8256D
      • Part of subcall function 00A82543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00A8D89F,?,?,?,00000000,00000000,00000000,00A8D869,?,00A7B3C7), ref: 00A82580
    • memcpy.MSVCRT ref: 00A8D173
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • lstrlenW.KERNEL32(0042C448), ref: 0044D149
    • lstrlenW.KERNEL32 ref: 0044D14F
      • Part of subcall function 00442543: HeapAlloc.KERNEL32(00000008,?,?,00000000,0044D89F,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7,?,@echo off%sdel /F "%s"), ref: 0044256D
      • Part of subcall function 00442543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0044D89F,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7), ref: 00442580
    • memcpy.MSVCRT ref: 0044D173
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00A8D89F,?,?,?,00000000,00000000,00000000,00A8D869,?,00A7B3C7), ref: 00A82580
      • Part of subcall function 00A82456: EnterCriticalSection.KERNEL32(00AA5AA4,00000028,00A824C9,?,00A9D211,?,?,00000000,?,?,00000001), ref: 00A82466
      • Part of subcall function 00A82456: LeaveCriticalSection.KERNEL32(00AA5AA4,?,00A9D211,?,?,00000000,?,?,00000001), ref: 00A82490
    • HeapAlloc.KERNEL32(00000008,?,?,00000000,00A8D89F,?,?,?,00000000,00000000,00000000,00A8D869,?,00A7B3C7,?,@echo off%sdel /F "%s"), ref: 00A8256D
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0044D89F,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7), ref: 00442580
      • Part of subcall function 00442456: EnterCriticalSection.KERNEL32(00465AA4,00000028,004424C9,?,0045D211,?,?,00000000,?,?,00000001), ref: 00442466
      • Part of subcall function 00442456: LeaveCriticalSection.KERNEL32(00465AA4,?,0045D211,?,?,00000000,?,?,00000001), ref: 00442490
    • HeapAlloc.KERNEL32(00000008,?,?,00000000,0044D89F,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7,?,@echo off%sdel /F "%s"), ref: 0044256D
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • GetLastError.KERNEL32(?,00A76577), ref: 00A76EA6
    • TlsSetValue.KERNEL32(00000000), ref: 00A76EB6
    • SetLastError.KERNEL32(?,?,00A76577), ref: 00A76EBD
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • GetLastError.KERNEL32(?,00436577), ref: 00436EA6
    • TlsSetValue.KERNEL32(00000000), ref: 00436EB6
    • SetLastError.KERNEL32(?,?,00436577), ref: 00436EBD
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • GetVersionExW.KERNEL32(00AA4858), ref: 00A986E6
    • GetNativeSystemInfo.KERNEL32(000000FF), ref: 00A98822
    • memset.MSVCRT ref: 00A98857
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 00453704: strtoul.MSVCRT ref: 004537FC
      • Part of subcall function 0045C0DB: EnterCriticalSection.KERNEL32(00465AA4,009B1E90,0045C7BB,009B1E90,0045D34F), ref: 0045C0EB
      • Part of subcall function 0045C0DB: LeaveCriticalSection.KERNEL32(00465AA4), ref: 0045C113
    • EnterCriticalSection.KERNEL32(00000000,?,?,?,?,00465050), ref: 004606F5
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • LeaveCriticalSection.KERNEL32(00000000,000000FF,00000000,?,?,?,?,00465050), ref: 0046071D
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A849CD: EnterCriticalSection.KERNEL32(00AA5AA4,00DD1E90,00A84ECC,00DD1E90), ref: 00A849DD
      • Part of subcall function 00A849CD: LeaveCriticalSection.KERNEL32(00AA5AA4,?,?,?,?,?,?,?,?,?,?,?,?,00DD1EF0,00A9D345), ref: 00A84A05
    • PathFindFileNameW.SHLWAPI(00DD1E90), ref: 00A84ED2
      • Part of subcall function 00A79E88: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00A79E9D
      • Part of subcall function 00A79E88: StrCmpIW.SHLWAPI ref: 00A79EA7
      • Part of subcall function 00A824C1: HeapAlloc.KERNEL32(00000000,00000028,?,00A9D211,?,?,00000000,?,?,00000001), ref: 00A824D2
    • InitializeCriticalSection.KERNEL32 ref: 00A84F44
      • Part of subcall function 00A76D72: EnterCriticalSection.KERNEL32(00AA468C,00000000,00A84F6E,?,000000FF), ref: 00A76D7E
      • Part of subcall function 00A76D72: LeaveCriticalSection.KERNEL32(00AA468C,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00DD1EF0), ref: 00A76D8E
      • Part of subcall function 00A76D9C: LeaveCriticalSection.KERNEL32(00AA468C,00A76E01,00000001,00000000,00000000,?,00A84F82,00000001,00000000,?,000000FF), ref: 00A76DA6
      • Part of subcall function 00A99DDC: GetCurrentThreadId.KERNEL32 ref: 00A99DED
      • Part of subcall function 00A99DDC: memcpy.MSVCRT ref: 00A99F56
      • Part of subcall function 00A99DDC: VirtualProtect.KERNEL32(?,?,00000040,00000000), ref: 00A99FE2
      • Part of subcall function 00A99DDC: GetLastError.KERNEL32(?,00000040,00000000,?,?,00000000), ref: 00A99FEC
      • Part of subcall function 00A76DAD: LeaveCriticalSection.KERNEL32(00AA468C,?,00A76E13,00000001,00000000,00000000,?,00A84F82,00000001,00000000,?,000000FF), ref: 00A76DBA
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
    • DeleteCriticalSection.KERNEL32(00000000,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00DD1EF0), ref: 00A84FBB
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 004449CD: EnterCriticalSection.KERNEL32(00465AA4,009B1E90,00444ECC,009B1E90), ref: 004449DD
      • Part of subcall function 004449CD: LeaveCriticalSection.KERNEL32(00465AA4,?,?,?,?,?,?,?,?,?,?,?,?,009B1EF0,0045D345), ref: 00444A05
    • PathFindFileNameW.SHLWAPI(009B1E90), ref: 00444ED2
      • Part of subcall function 00439E88: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00439E9D
      • Part of subcall function 00439E88: StrCmpIW.SHLWAPI ref: 00439EA7
      • Part of subcall function 004424C1: HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
    • InitializeCriticalSection.KERNEL32 ref: 00444F44
      • Part of subcall function 00436D72: EnterCriticalSection.KERNEL32(0046468C,00000000,00444F6E,?,000000FF), ref: 00436D7E
      • Part of subcall function 00436D72: LeaveCriticalSection.KERNEL32(0046468C,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,009B1EF0), ref: 00436D8E
      • Part of subcall function 00436D9C: LeaveCriticalSection.KERNEL32(0046468C,00436E01,00000001,00000000,00000000,?,00444F82,00000001,00000000,?,000000FF), ref: 00436DA6
      • Part of subcall function 00459DDC: GetCurrentThreadId.KERNEL32 ref: 00459DED
      • Part of subcall function 00459DDC: memcpy.MSVCRT ref: 00459F56
      • Part of subcall function 00459DDC: VirtualProtect.KERNEL32(?,?,00000040,00000000), ref: 00459FE2
      • Part of subcall function 00459DDC: GetLastError.KERNEL32(?,00000040,00000000,?,?,00000000), ref: 00459FEC
      • Part of subcall function 00436DAD: LeaveCriticalSection.KERNEL32(0046468C,?,00436E13,00000001,00000000,00000000,?,00444F82,00000001,00000000,?,000000FF), ref: 00436DBA
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • DeleteCriticalSection.KERNEL32(00000000,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,009B1EF0), ref: 00444FBB
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A9931E: CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000040), ref: 00A99336
    • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00A99433
    • CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00A99458
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 0045931E: CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000040), ref: 00459336
    • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00459433
    • CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00459458
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(00AA5AA4,?,00000001,?,?,00A9D824,?,?,?,00000001), ref: 00A9D62C
    • LeaveCriticalSection.KERNEL32(00AA5AA4,?,00000001,?,?,00A9D824,?,?,?,00000001), ref: 00A9D653
      • Part of subcall function 00A9D4EF: memset.MSVCRT ref: 00A9D506
      • Part of subcall function 00A993C4: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00A99433
      • Part of subcall function 00A993C4: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00A99458
      • Part of subcall function 00A9946B: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 00A994AA
    • _ultow.MSVCRT ref: 00A9D69A
      • Part of subcall function 00A99393: CryptDestroyHash.ADVAPI32 ref: 00A993AB
      • Part of subcall function 00A99393: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00A993BC
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00A883E6
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00A88409
    • CloseHandle.KERNEL32 ref: 00A88416
      • Part of subcall function 00A95E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00A95E26
      • Part of subcall function 00A95E1D: DeleteFileW.KERNEL32 ref: 00A95E2D
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • TlsAlloc.KERNEL32(00DD1FCC,00A96EB9,?,?,?,?,00DD1FC0), ref: 00A969EA
    • TlsGetValue.KERNEL32(?,00000001,00DD1FCC), ref: 00A969FC
    • TlsSetValue.KERNEL32(?,?), ref: 00A96A41
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 004483E6
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00448409
    • CloseHandle.KERNEL32 ref: 00448416
      • Part of subcall function 00455E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00455E26
      • Part of subcall function 00455E1D: DeleteFileW.KERNEL32 ref: 00455E2D
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • TlsAlloc.KERNEL32(0000000C,00456EB9,?,?,?,?,00000000), ref: 004569EA
    • TlsGetValue.KERNEL32(?,00000001,0000000C), ref: 004569FC
    • TlsSetValue.KERNEL32(?,?), ref: 00456A41
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • GetLastError.KERNEL32(?,00000000,004033DA,00401FB5,?,00492268,00000008,0040200C,?,?,?,00402331,00000004,00492318,0000000C,00401F0C), ref: 00401B90
    • SetLastError.KERNEL32(?,?,00000000,004033DA,00401FB5,?,00492268,00000008,0040200C,?,?,?,00402331,00000004,00492318,0000000C), ref: 00401BF4
      • Part of subcall function 004024C3: HeapAlloc.KERNEL32(00000008,?,00492370,00000010,00401BB6,00000001,0000008C,?,00000000,004033DA,00401FB5,?,00492268,00000008,0040200C,?), ref: 00402545
    • GetCurrentThreadId.KERNEL32 ref: 00401BDD
    Memory Dump Source
    • Source File: 00000002.00000000.251083961.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000000.251077299.00400000.00000002.sdmp
    • Associated: 00000002.00000000.251140485.00487000.00000002.sdmp
    • Associated: 00000002.00000000.251150254.00494000.00000008.sdmp
    • Associated: 00000002.00000000.251160158.004A1000.00000002.sdmp
    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • StrCmpNA.SHLWAPI(Basic ,?,00000000), ref: 00A79F19
    • lstrcmpA.KERNEL32(Basic ,?,00A954A4,00000006,Authorization,?,?,?), ref: 00A79F23
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • StrCmpNA.SHLWAPI(Basic ,?,00000000), ref: 00439F19
    • lstrcmpA.KERNEL32(Basic ,?,004554A4,00000006,Authorization,?,?,?), ref: 00439F23
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • memset.MSVCRT ref: 00A769F9
    • TlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00DD1EF0), ref: 00A76A02
    • InitializeCriticalSection.KERNEL32(00AA468C), ref: 00A76A12
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • memset.MSVCRT ref: 004369F9
    • TlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,009B1EF0), ref: 00436A02
    • InitializeCriticalSection.KERNEL32(0046468C), ref: 00436A12
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • InitializeCriticalSection.KERNEL32(00AA47FC), ref: 00A8B7C7
    • QueryPerformanceCounter.KERNEL32 ref: 00A8B7D1
    • GetTickCount.KERNEL32 ref: 00A8B7DB
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • InitializeCriticalSection.KERNEL32(004647FC), ref: 0044B7C7
    • QueryPerformanceCounter.KERNEL32 ref: 0044B7D1
    • GetTickCount.KERNEL32 ref: 0044B7DB
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • GetTickCount.KERNEL32 ref: 004368F7
      • Part of subcall function 0045A05A: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,-00000003,?,00000000), ref: 0045A0AD
      • Part of subcall function 0045A05A: SetEndOfFile.KERNEL32 ref: 0045A115
    • WaitForSingleObject.KERNEL32(00015F90), ref: 0043695E
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00401FF3: EnterCriticalSection.KERNEL32(?,?,?,00402331,00000004,00492318,0000000C,00401F0C,?,?,?,00000000,?,00401E30,?,00491DB0), ref: 0040201B
    • GetCurrentProcess.KERNEL32 ref: 004848CA
    • TerminateProcess.KERNEL32 ref: 004848D1
      • Part of subcall function 004011FA: GetModuleHandleA.KERNEL32(mscoree.dll), ref: 004011FF
      • Part of subcall function 004011FA: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 0040120F
      • Part of subcall function 004011FA: ExitProcess.KERNEL32(?), ref: 00401223
    Strings
    Memory Dump Source
    • Source File: 00000002.00000000.251083961.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000000.251077299.00400000.00000002.sdmp
    • Associated: 00000002.00000000.251140485.00487000.00000002.sdmp
    • Associated: 00000002.00000000.251150254.00494000.00000008.sdmp
    • Associated: 00000002.00000000.251160158.004A1000.00000002.sdmp
    APIs
    • VirtualFree.KERNEL32(?,00008000,00004000), ref: 00402943
    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0040299E
    • HeapFree.KERNEL32(00000000,?,?,00000000,00008000), ref: 004029B0
    Memory Dump Source
    • Source File: 00000002.00000001.251360999.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000001.251344960.00400000.00000002.sdmp
    • Associated: 00000002.00000001.251446617.00487000.00000002.sdmp
    • Associated: 00000002.00000001.251482026.00494000.00000008.sdmp
    • Associated: 00000002.00000001.251496928.00498000.00000004.sdmp
    • Associated: 00000002.00000001.252081534.00499000.00000008.sdmp
    APIs
      • Part of subcall function 00A824C1: HeapAlloc.KERNEL32(00000000,00000028,?,00A9D211,?,?,00000000,?,?,00000001), ref: 00A824D2
    • memcpy.MSVCRT ref: 00AA1657
    • memcpy.MSVCRT ref: 00AA166A
    • memcpy.MSVCRT ref: 00AA168B
      • Part of subcall function 00A94C13: StrCmpNIA.SHLWAPI(?,nbsp;,00000005), ref: 00A94D7B
      • Part of subcall function 00A82543: HeapAlloc.KERNEL32(00000008,?,?,00000000,00A8D89F,?,?,?,00000000,00000000,00000000,00A8D869,?,00A7B3C7,?,@echo off%sdel /F "%s"), ref: 00A8256D
      • Part of subcall function 00A82543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00A8D89F,?,?,?,00000000,00000000,00000000,00A8D869,?,00A7B3C7), ref: 00A82580
    • memcpy.MSVCRT ref: 00AA16FD
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
      • Part of subcall function 00A825A7: memcpy.MSVCRT ref: 00A825C6
      • Part of subcall function 00AA1070: memmove.MSVCRT ref: 00AA12E1
      • Part of subcall function 00AA1070: memcpy.MSVCRT ref: 00AA12F0
      • Part of subcall function 00AA1364: memcpy.MSVCRT ref: 00AA13D9
      • Part of subcall function 00AA1364: memmove.MSVCRT ref: 00AA149F
      • Part of subcall function 00AA1364: memcpy.MSVCRT ref: 00AA14AE
      • Part of subcall function 00A8BAD5: strcmp.MSVCRT(?,?,00000009,?,00000007,?,00000008,?,?,?,?,00000000,?), ref: 00A8BB42
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 004424C1: HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
    • memcpy.MSVCRT ref: 00461657
    • memcpy.MSVCRT ref: 0046166A
    • memcpy.MSVCRT ref: 0046168B
      • Part of subcall function 00454C13: StrCmpNIA.SHLWAPI(?,nbsp;,00000005), ref: 00454D7B
      • Part of subcall function 00442543: HeapAlloc.KERNEL32(00000008,?,?,00000000,0044D89F,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7,?,@echo off%sdel /F "%s"), ref: 0044256D
      • Part of subcall function 00442543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0044D89F,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7), ref: 00442580
    • memcpy.MSVCRT ref: 004616FD
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 004425A7: memcpy.MSVCRT ref: 004425C6
      • Part of subcall function 00461070: memmove.MSVCRT ref: 004612E1
      • Part of subcall function 00461070: memcpy.MSVCRT ref: 004612F0
      • Part of subcall function 00461364: memcpy.MSVCRT ref: 004613D9
      • Part of subcall function 00461364: memmove.MSVCRT ref: 0046149F
      • Part of subcall function 00461364: memcpy.MSVCRT ref: 004614AE
      • Part of subcall function 0044BAD5: strcmp.MSVCRT(?,?,00000009,?,00000007,?,00000008,?,?,?,?,00000000,?), ref: 0044BB42
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A8B64D: EnterCriticalSection.KERNEL32(00AA5AA4,?,00A8B806,?,?,00A959A9,00000000), ref: 00A8B65D
      • Part of subcall function 00A8B64D: LeaveCriticalSection.KERNEL32(00AA5AA4,?,?,00A959A9,00000000), ref: 00A8B687
    • EnterCriticalSection.KERNEL32(00AA47FC,?,?,00A959A9,00000000), ref: 00A8B80C
    • LeaveCriticalSection.KERNEL32(00AA47FC,?,?,00A959A9,00000000), ref: 00A8B81A
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 0044B64D: EnterCriticalSection.KERNEL32(00465AA4,?,0044B806,?,?,004559A9,00000000), ref: 0044B65D
      • Part of subcall function 0044B64D: LeaveCriticalSection.KERNEL32(00465AA4,?,?,004559A9,00000000), ref: 0044B687
    • EnterCriticalSection.KERNEL32(004647FC,?,?,004559A9,00000000), ref: 0044B80C
    • LeaveCriticalSection.KERNEL32(004647FC,?,?,004559A9,00000000), ref: 0044B81A
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A82456: EnterCriticalSection.KERNEL32(00AA5AA4,00000028,00A824C9,?,00A9D211,?,?,00000000,?,?,00000001), ref: 00A82466
      • Part of subcall function 00A82456: LeaveCriticalSection.KERNEL32(00AA5AA4,?,00A9D211,?,?,00000000,?,?,00000001), ref: 00A82490
    • HeapAlloc.KERNEL32(00000008,?,?,00A7B076,?,?,?,00000000,?,?,00000000,00A9AA69,?,00A9ADD5), ref: 00A824EB
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
      • Part of subcall function 00442456: EnterCriticalSection.KERNEL32(00465AA4,00000028,004424C9,?,0045D211,?,?,00000000,?,?,00000001), ref: 00442466
      • Part of subcall function 00442456: LeaveCriticalSection.KERNEL32(00465AA4,?,0045D211,?,?,00000000,?,?,00000001), ref: 00442490
    • HeapAlloc.KERNEL32(00000008,?,?,0043B076,?,?,?,00000000,?,?,00000000,0045AA69,?,0045ADD5), ref: 004424EB
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • SetFileAttributesW.KERNEL32(?,00000080), ref: 00A95E26
    • DeleteFileW.KERNEL32 ref: 00A95E2D
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • SetFileAttributesW.KERNEL32(?,00000080), ref: 00455E26
    • DeleteFileW.KERNEL32 ref: 00455E2D
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(00000000,00AA30F0,00000038,00A84BB2,00000000,?), ref: 00A84ACC
    • memcmp.MSVCRT ref: 00A84AE3
      • Part of subcall function 00A824C1: HeapAlloc.KERNEL32(00000000,00000028,?,00A9D211,?,?,00000000,?,?,00000001), ref: 00A824D2
    • memcpy.MSVCRT ref: 00A84B11
    • LeaveCriticalSection.KERNEL32(00000000), ref: 00A84B68
      • Part of subcall function 00A82593: HeapFree.KERNEL32(00000000,00DD1E90,00A9D2D1,?,?,00000000,?,?,00000001), ref: 00A825A0
    Memory Dump Source
    • Source File: 00000002.00000002.277683252.00A40000.00000040.sdmp, Offset: 00A40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00000000,004630F0,00000038,00444BB2,00000000,?), ref: 00444ACC
    • memcmp.MSVCRT ref: 00444AE3
      • Part of subcall function 004424C1: HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
    • memcpy.MSVCRT ref: 00444B11
    • LeaveCriticalSection.KERNEL32(00000000), ref: 00444B68
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    Memory Dump Source
    • Source File: 00000002.00000002.277447838.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.277441930.00400000.00000002.sdmp
    • Associated: 00000002.00000002.277495028.00464000.00000004.sdmp
    • Associated: 00000002.00000002.277502087.00467000.00000002.sdmp
    APIs
    • HeapReAlloc.KERNEL32(00000000,?,?,00403005,?,?,00000000), ref: 00402A3B
    • HeapAlloc.KERNEL32(00000008,000041C4,00000000,?,00403005,?,?,00000000), ref: 00402A74
    • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 00402A92
    • HeapFree.KERNEL32(00000000,?,?,00403005,?,?,00000000), ref: 00402AA9
    Memory Dump Source
    • Source File: 00000002.00000000.251083961.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000000.251077299.00400000.00000002.sdmp
    • Associated: 00000002.00000000.251140485.00487000.00000002.sdmp
    • Associated: 00000002.00000000.251150254.00494000.00000008.sdmp
    • Associated: 00000002.00000000.251160158.004A1000.00000002.sdmp
    Executed Functions
    APIs
    • CreateFileA.KERNEL32(\\.\NtSecureSys,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00A3149C
    • IsUserAnAdmin.SHELL32 ref: 00A314A8
      • Part of subcall function 00A31829: GetModuleHandleA.KERNEL32(kernel32), ref: 00A31844
      • Part of subcall function 00A31829: GetProcAddress.KERNEL32 ref: 00A3184B
      • Part of subcall function 00A31829: GetCurrentProcess.KERNEL32 ref: 00A3185E
      • Part of subcall function 00A31829: IsWow64Process.KERNEL32 ref: 00A31865
      • Part of subcall function 00A31000: GetSystemDirectoryA.KERNEL32(?,00000100), ref: 00A31025
      • Part of subcall function 00A31000: GetTickCount.KERNEL32 ref: 00A31034
      • Part of subcall function 00A31000: sprintf.MSVCRT ref: 00A3104D
      • Part of subcall function 00A31000: sprintf.MSVCRT ref: 00A31069
      • Part of subcall function 00A31000: fopen.MSVCRT ref: 00A31077
      • Part of subcall function 00A31000: fwrite.MSVCRT ref: 00A31093
      • Part of subcall function 00A31000: fclose.MSVCRT ref: 00A3109A
      • Part of subcall function 00A31000: GetModuleFileNameA.KERNEL32(00000000,?,00000100), ref: 00A310AC
      • Part of subcall function 00A31000: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00A310F0
      • Part of subcall function 00A31000: CreateServiceA.ADVAPI32(?,?,?,000F01FF,00000001,00000001,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000100), ref: 00A3111C
      • Part of subcall function 00A31000: StartServiceA.ADVAPI32(?,00000000,00000000), ref: 00A31131
      • Part of subcall function 00A31000: CloseServiceHandle.ADVAPI32 ref: 00A31138
      • Part of subcall function 00A31000: CloseServiceHandle.ADVAPI32(?), ref: 00A31144
      • Part of subcall function 00A31000: WinExec.KERNEL32(bcdedit.exe -set TESTSIGNING ON,00000000), ref: 00A3115D
      • Part of subcall function 00A31000: _unlink.MSVCRT(?,?,00000100,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 00A3116F
    • CreateFileA.KERNEL32(\\.\NtSecureSys,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00A314FA
    • Sleep.KERNEL32(00000032), ref: 00A31508
    • GetCurrentProcessId.KERNEL32 ref: 00A3152F
    • DeviceIoControl.KERNEL32(00220000,?,0000000C,00000000,00000000,?,00000000), ref: 00A31559
    • DeviceIoControl.KERNEL32(00220014,00000000,00000000,?,00000004,?,00000000), ref: 00A3157B
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.678185872.00A30000.00000040.sdmp, Offset: 00A30000, based on PE: false
    APIs
      • Part of subcall function 00448432: CreateFileW.KERNEL32(009B1EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0044844B
      • Part of subcall function 00448432: GetFileSizeEx.KERNEL32 ref: 0044845E
      • Part of subcall function 00448432: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00448484
      • Part of subcall function 00448432: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0044849C
      • Part of subcall function 00448432: VirtualFree.KERNEL32(?,00000000,00008000), ref: 004484BA
      • Part of subcall function 00448432: CloseHandle.KERNEL32 ref: 004484C3
    • CreateMutexW.KERNEL32(004649B4,00000001), ref: 0045B550
    • GetLastError.KERNEL32(?,38901130,?,00000001,?,?,00000001,?,?,?,0045B8C7), ref: 0045B560
    • CloseHandle.KERNEL32 ref: 0045B56E
    • CloseHandle.KERNEL32 ref: 0045B697
      • Part of subcall function 0045AFE8: memcpy.MSVCRT ref: 0045AFF8
    • lstrlenW.KERNEL32 ref: 0045B5D0
      • Part of subcall function 00435B9B: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00435BC1
      • Part of subcall function 00435B9B: Process32FirstW.KERNEL32 ref: 00435BE6
      • Part of subcall function 00435B9B: OpenProcess.KERNEL32(00000400,00000000,?), ref: 00435C3D
      • Part of subcall function 00435B9B: CloseHandle.KERNEL32 ref: 00435C5B
      • Part of subcall function 00435B9B: GetLengthSid.ADVAPI32 ref: 00435C77
      • Part of subcall function 00435B9B: memcmp.MSVCRT ref: 00435C8F
      • Part of subcall function 00435B9B: CloseHandle.KERNEL32(?), ref: 00435D07
      • Part of subcall function 00435B9B: Process32NextW.KERNEL32(?,?), ref: 00435D13
      • Part of subcall function 00435B9B: CloseHandle.KERNEL32 ref: 00435D26
    • ExitWindowsEx.USER32(00000014,80000000), ref: 0045B615
    • OpenEventW.KERNEL32(00000002,00000000), ref: 0045B63B
    • SetEvent.KERNEL32 ref: 0045B648
    • CloseHandle.KERNEL32 ref: 0045B64F
    • Sleep.KERNEL32(00007530), ref: 0045B674
      • Part of subcall function 0043AF99: GetCurrentThread.KERNEL32 ref: 0043AFAD
      • Part of subcall function 0043AF99: OpenThreadToken.ADVAPI32 ref: 0043AFB4
      • Part of subcall function 0043AF99: GetCurrentProcess.KERNEL32 ref: 0043AFC4
      • Part of subcall function 0043AF99: OpenProcessToken.ADVAPI32 ref: 0043AFCB
      • Part of subcall function 0043AF99: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege), ref: 0043AFEC
      • Part of subcall function 0043AF99: AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 0043B001
      • Part of subcall function 0043AF99: GetLastError.KERNEL32 ref: 0043B00B
      • Part of subcall function 0043AF99: CloseHandle.KERNEL32(00000001), ref: 0043B01C
    • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000001,80000000), ref: 0045B68C
    • Sleep.KERNEL32(000000FF), ref: 0045B694
    • IsWellKnownSid.ADVAPI32(009B1EC0,00000016), ref: 0045B6E5
    • CreateEventW.KERNEL32(004649B4,00000001,00000000), ref: 0045B7B4
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0045B7CD
    • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,000000FF), ref: 0045B7DF
    • CloseHandle.KERNEL32(00000000), ref: 0045B7F6
    • CloseHandle.KERNEL32(?), ref: 0045B7FC
    • CloseHandle.KERNEL32(?), ref: 0045B802
      • Part of subcall function 0043766D: ReleaseMutex.KERNEL32 ref: 00437671
      • Part of subcall function 0043766D: CloseHandle.KERNEL32 ref: 00437678
      • Part of subcall function 00441DFA: VirtualProtect.KERNEL32(004396C7,?,00000040), ref: 00441E12
      • Part of subcall function 00441DFA: VirtualProtect.KERNEL32(004396C7,?,?), ref: 00441E85
      • Part of subcall function 004396C7: FreeLibrary.KERNEL32(00000003), ref: 004396B9
      • Part of subcall function 0045BC89: memcpy.MSVCRT ref: 0045BCA4
      • Part of subcall function 0045BC89: StringFromGUID2.OLE32 ref: 0045BD4A
      • Part of subcall function 00439931: LoadLibraryW.KERNEL32 ref: 00439953
      • Part of subcall function 00439931: GetProcAddress.KERNEL32 ref: 00439977
      • Part of subcall function 00439931: SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001), ref: 004399AF
      • Part of subcall function 00439931: lstrlenW.KERNEL32 ref: 004399C7
      • Part of subcall function 00439931: StrCmpNIW.SHLWAPI ref: 004399DB
      • Part of subcall function 00439931: lstrlenW.KERNEL32 ref: 004399F1
      • Part of subcall function 00439931: memcpy.MSVCRT ref: 004399FD
      • Part of subcall function 00439931: FreeLibrary.KERNEL32 ref: 00439A13
      • Part of subcall function 00439931: NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,?,?,?), ref: 00439A52
      • Part of subcall function 00439931: NetUserGetInfo.NETAPI32(00000000,00000000,00000017), ref: 00439A8E
      • Part of subcall function 00439931: NetApiBufferFree.NETAPI32(?), ref: 00439B39
      • Part of subcall function 00439931: NetApiBufferFree.NETAPI32(00000000), ref: 00439B4B
      • Part of subcall function 00439931: SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001), ref: 00439B6A
      • Part of subcall function 0043B314: CharToOemW.USER32(009B1EF0), ref: 0043B325
      • Part of subcall function 00462AC0: GetCommandLineW.KERNEL32 ref: 00462ADA
      • Part of subcall function 00462AC0: CommandLineToArgvW.SHELL32 ref: 00462AE1
      • Part of subcall function 00462AC0: StrCmpNW.SHLWAPI(?,0042CA4C,00000002), ref: 00462B07
      • Part of subcall function 00462AC0: LocalFree.KERNEL32 ref: 00462B33
      • Part of subcall function 00462AC0: MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,00001000), ref: 00462B70
      • Part of subcall function 00462AC0: memcpy.MSVCRT ref: 00462B83
      • Part of subcall function 00462AC0: UnmapViewOfFile.KERNEL32 ref: 00462BBC
      • Part of subcall function 00462AC0: memcpy.MSVCRT ref: 00462BDF
      • Part of subcall function 00462AC0: CloseHandle.KERNEL32 ref: 00462BF8
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 0045C09D: CreateMutexW.KERNEL32(004649B4,00000000), ref: 0045C0BF
      • Part of subcall function 0043987E: memcpy.MSVCRT ref: 00439894
      • Part of subcall function 0043987E: memcmp.MSVCRT ref: 004398B6
      • Part of subcall function 0043987E: lstrcmpiW.KERNEL32(00000000,000000FF), ref: 0043990F
      • Part of subcall function 004484D3: VirtualFree.KERNEL32(?,00000000,00008000), ref: 004484E4
      • Part of subcall function 004484D3: CloseHandle.KERNEL32 ref: 004484F3
    Strings
    • SeShutdownPrivilege, xrefs: 0045B676
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 0045B779
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00A31943: GetModuleHandleA.KERNEL32(kernel32), ref: 00A3195E
      • Part of subcall function 00A31943: GetProcAddress.KERNEL32 ref: 00A31965
    • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 00A31025
    • GetTickCount.KERNEL32 ref: 00A31034
    • sprintf.MSVCRT ref: 00A3104D
    • sprintf.MSVCRT ref: 00A31069
    • fopen.MSVCRT ref: 00A31077
    • fwrite.MSVCRT ref: 00A31093
    • fclose.MSVCRT ref: 00A3109A
    • GetModuleFileNameA.KERNEL32(00000000,?,00000100), ref: 00A310AC
    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00A310F0
    • CreateServiceA.ADVAPI32(?,?,?,000F01FF,00000001,00000001,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000100), ref: 00A3111C
    • StartServiceA.ADVAPI32(?,00000000,00000000), ref: 00A31131
    • CloseServiceHandle.ADVAPI32 ref: 00A31138
    • CloseServiceHandle.ADVAPI32(?), ref: 00A31144
      • Part of subcall function 00A31829: GetModuleHandleA.KERNEL32(kernel32), ref: 00A31844
      • Part of subcall function 00A31829: GetProcAddress.KERNEL32 ref: 00A3184B
      • Part of subcall function 00A31829: GetCurrentProcess.KERNEL32 ref: 00A3185E
      • Part of subcall function 00A31829: IsWow64Process.KERNEL32 ref: 00A31865
    • WinExec.KERNEL32(bcdedit.exe -set TESTSIGNING ON,00000000), ref: 00A3115D
    • _unlink.MSVCRT(?,?,00000100,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 00A3116F
      • Part of subcall function 00A3197F: GetModuleHandleA.KERNEL32(kernel32), ref: 00A31992
      • Part of subcall function 00A3197F: GetProcAddress.KERNEL32 ref: 00A31999
    Strings
    • bcdedit.exe -set TESTSIGNING ON, xrefs: 00A31158
    • %s\drivers\%s.sys, xrefs: 00A31063
    Memory Dump Source
    • Source File: 00000003.00000002.678185872.00A30000.00000040.sdmp, Offset: 00A30000, based on PE: false
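The two function listings above for the 00A30000 region give the driver-loading path in raw hex: the routine at 00A31000 formats `%s\drivers\%s.sys`, writes the file, registers it with CreateServiceA (dwDesiredAccess 000F01FF = SERVICE_ALL_ACCESS, dwServiceType 00000001 = SERVICE_KERNEL_DRIVER, dwStartType 00000001 = SERVICE_SYSTEM_START), starts it, runs `bcdedit.exe -set TESTSIGNING ON` and unlinks the dropped file; its caller at 00A3149C opens `\\.\NtSecureSys` with dwDesiredAccess 0 (sufficient for FILE_ANY_ACCESS control codes), calls GetCurrentProcessId and then issues DeviceIoControl with codes 00220000 (12-byte input, which suggests the PID is part of the request; the report does not show the buffer) and 00220014 (4-byte output). Two caveats for triage: bcdedit.exe does not exist on the XP SP3 analysis system, so the WinExec call can only take effect on Vista and later, where TESTSIGNING permits loading test-signed kernel drivers; and the OpenProcess mask 0000047A seen in the injection routine at 00435B19 is the exact set of rights needed for WriteProcessMemory plus CreateRemoteThread. The decoder below is an added example written for this page, not code from the sample or from the sandbox; it parses the report's own line format (the sample lines are constructed copies of traces above), splits the CTL_CODE fields, expands the service and process-access constants and flags the TESTSIGNING command. The assumption that the control code is the first value the report lists for DeviceIoControl comes from the two calls shown above.

```python
"""Decode hex arguments in Joe Sandbox-style API trace lines.

Added example for this report, not code from the analysed sample or the
sandbox.  Constant names follow the Windows SDK headers; the sample lines
at the bottom are constructed to mirror the traces in the report.
"""
import re
from typing import Dict, List, Optional

# "API.MODULE(arg,...), ref: ADDR" or "API.MODULE ref: ADDR"; search() skips
# the bullet and any "Part of subcall function X:" prefix.
LINE_RE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\),)?\s*ref:\s*(?P<ref>[0-9A-F]+)")
HEX32 = re.compile(r"^[0-9A-F]{8}$")

SERVICE_TYPE = {0x1: "SERVICE_KERNEL_DRIVER", 0x2: "SERVICE_FILE_SYSTEM_DRIVER",
                0x10: "SERVICE_WIN32_OWN_PROCESS", 0x20: "SERVICE_WIN32_SHARE_PROCESS"}
START_TYPE = {0x0: "SERVICE_BOOT_START", 0x1: "SERVICE_SYSTEM_START", 0x2: "SERVICE_AUTO_START",
              0x3: "SERVICE_DEMAND_START", 0x4: "SERVICE_DISABLED"}
PROCESS_ACCESS = {0x1: "PROCESS_TERMINATE", 0x2: "PROCESS_CREATE_THREAD",
                  0x8: "PROCESS_VM_OPERATION", 0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE",
                  0x40: "PROCESS_DUP_HANDLE", 0x400: "PROCESS_QUERY_INFORMATION",
                  0x800: "PROCESS_SUSPEND_RESUME"}
DEVICE_TYPE = {0x22: "FILE_DEVICE_UNKNOWN", 0x07: "FILE_DEVICE_DISK", 0x12: "FILE_DEVICE_NETWORK"}
IOCTL_METHOD = ["METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"]
IOCTL_ACCESS = ["FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS",
                "FILE_READ_ACCESS|FILE_WRITE_ACCESS"]


def parse_line(line: str) -> Optional[Dict]:
    """{api, module, args, ref} for one trace line, or None if it is not a call."""
    m = LINE_RE.search(line)
    if not m:
        return None
    args = m.group("args").split(",") if m.group("args") is not None else []
    return {"api": m.group("api"), "module": m.group("module"), "args": args, "ref": m.group("ref")}


def hexarg(args: List[str], i: int) -> Optional[int]:
    """Argument i as an int when it is an 8-digit hex literal ('?' stays None)."""
    return int(args[i], 16) if i < len(args) and HEX32.match(args[i]) else None


def flag_names(mask: int, table: Dict[int, str]) -> List[str]:
    """Expand a bitmask into SDK flag names; unknown bits are appended as hex."""
    names = [name for bit, name in sorted(table.items()) if mask & bit]
    rest = mask & ~sum(bit for bit in table if mask & bit)
    return names + ([hex(rest)] if rest else [])


def decode_ioctl(code: int) -> Dict:
    """Split a CTL_CODE: DeviceType<<16 | Access<<14 | Function<<2 | Method."""
    dev = (code >> 16) & 0xFFFF
    return {"device_type": dev, "device_type_name": DEVICE_TYPE.get(dev, hex(dev)),
            "access": IOCTL_ACCESS[(code >> 14) & 0x3],
            "function": (code >> 2) & 0xFFF, "method": IOCTL_METHOD[code & 0x3]}


def decode_call(call: Dict) -> List[str]:
    """Findings for one parsed call; APIs without a decoder yield nothing."""
    api, args, out = call["api"], call["args"], []
    if api.startswith("CreateService"):
        # Parameters 5 and 6 (0-based 4, 5) are dwServiceType and dwStartType.
        stype, start = hexarg(args, 4), hexarg(args, 5)
        out.append(f"{api}: type={SERVICE_TYPE.get(stype, hex(stype or 0))} "
                   f"start={START_TYPE.get(start, hex(start or 0))}")
        if stype in (0x1, 0x2):
            out.append("kernel-mode driver service registered")
    elif api == "DeviceIoControl":
        code = hexarg(args, 0)  # this report lists the control code first
        if code is not None:
            d = decode_ioctl(code)
            out.append(f"IOCTL {code:#010x}: {d['device_type_name']} function={d['function']} "
                       f"{d['method']} {d['access']}")
    elif api == "OpenProcess":
        mask = hexarg(args, 0)
        if mask is not None:
            out.append("OpenProcess: " + "|".join(flag_names(mask, PROCESS_ACCESS)))
    elif api == "WinExec" and "TESTSIGNING" in ",".join(args).upper():
        out.append("bcdedit TESTSIGNING ON: boot policy change, effective only on "
                   "Vista and later (bcdedit.exe does not exist on XP)")
    return out


def analyze(lines: List[str]) -> List[str]:
    """Run decode_call over every line that parses as an API call."""
    return [f for line in lines for call in [parse_line(line)] if call for f in decode_call(call)]


# Constructed sample lines mirroring the report's traces.
SAMPLE = [
    "CreateServiceA.ADVAPI32(?,?,?,000F01FF,00000001,00000001,00000000,?,00000000,00000000,"
    "00000000,00000000,00000000,?,00000100), ref: 00A3111C",
    "WinExec.KERNEL32(bcdedit.exe -set TESTSIGNING ON,00000000), ref: 00A3115D",
    "DeviceIoControl.KERNEL32(00220000,?,0000000C,00000000,00000000,?,00000000), ref: 00A31559",
    "DeviceIoControl.KERNEL32(00220014,00000000,00000000,?,00000004,?,00000000), ref: 00A3157B",
    "Part of subcall function 00435B0B: OpenProcess.KERNEL32(0000047A,00000000,?), ref: 00435B19",
    "memcmp.MSVCRT ref: 00444AE3",
]

if __name__ == "__main__":
    print("\n".join(analyze(SAMPLE)))
```

Running it against the constructed sample reports the kernel-driver service with system start, the TESTSIGNING change, both IOCTLs as FILE_DEVICE_UNKNOWN / METHOD_BUFFERED / FILE_ANY_ACCESS with function numbers 0 and 5, and the 0x47A mask as CREATE_THREAD|VM_OPERATION|VM_READ|VM_WRITE|DUP_HANDLE|QUERY_INFORMATION. The same decoders apply to any other API line in this report; only the per-API positional knowledge in decode_call has to be extended.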
    APIs
    • GetModuleHandleW.KERNEL32(00000000), ref: 0045ACF4
      • Part of subcall function 0045D1E0: InitializeCriticalSection.KERNEL32(00465AA4), ref: 0045D207
      • Part of subcall function 0045D1E0: InitializeCriticalSection.KERNEL32 ref: 0045D218
      • Part of subcall function 0045D1E0: memset.MSVCRT ref: 0045D229
      • Part of subcall function 0045D1E0: TlsAlloc.KERNEL32(?,?,00000000,?,?,00000001), ref: 0045D240
      • Part of subcall function 0045D1E0: GetModuleHandleW.KERNEL32(00000000), ref: 0045D25C
      • Part of subcall function 0045D1E0: GetModuleHandleW.KERNEL32 ref: 0045D272
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0045AD59
    • Process32FirstW.KERNEL32 ref: 0045AD74
    • PathFindFileNameW.SHLWAPI ref: 0045AD87
    • StrCmpNIW.SHLWAPI(rapport,?,00000007), ref: 0045AD99
    • Process32NextW.KERNEL32(?,?), ref: 0045ADA9
    • CloseHandle.KERNEL32 ref: 0045ADB4
    • WSAStartup.WS2_32(00000202), ref: 0045ADC4
    • CreateEventW.KERNEL32(004649B4,00000001,00000000,00000000), ref: 0045ADEC
      • Part of subcall function 0043AEE3: OpenProcessToken.ADVAPI32(?,00000008), ref: 0043AEF5
      • Part of subcall function 0043AEE3: GetTokenInformation.ADVAPI32(?,0000000C,004649A8,00000004), ref: 0043AF1D
      • Part of subcall function 0043AEE3: CloseHandle.KERNEL32(?), ref: 0043AF33
    • GetLengthSid.ADVAPI32(?,?,?,?,00000001), ref: 0045AE22
      • Part of subcall function 0045AA9A: GetTempPathW.KERNEL32(00000104), ref: 0045AAB7
      • Part of subcall function 0045AA9A: GetLongPathNameW.KERNEL32(?,C:\Documents and Settings\Administrator\Local Settings\Temp,00000104,?,?), ref: 0045AACF
      • Part of subcall function 0045AA9A: PathRemoveBackslashW.SHLWAPI(C:\Documents and Settings\Administrator\Local Settings\Temp), ref: 0045AADA
      • Part of subcall function 0045AA9A: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?), ref: 0045AB00
    • GetCurrentProcessId.KERNEL32 ref: 0045AE4D
      • Part of subcall function 0045AB23: SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000), ref: 0045AB64
      • Part of subcall function 0045AB23: lstrcmpiW.KERNEL32 ref: 0045AB93
      • Part of subcall function 0045ABBF: lstrcatW.KERNEL32(?,.dat), ref: 0045AC32
      • Part of subcall function 0045ABBF: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0045AC57
      • Part of subcall function 0045ABBF: ReadFile.KERNEL32(?,?,000001FE,?,00000000), ref: 0045AC75
      • Part of subcall function 0045ABBF: CloseHandle.KERNEL32 ref: 0045AC82
      • Part of subcall function 0044C8A1: IsBadReadPtr.KERNEL32 ref: 0044C8E0
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • ShowWindow.USER32(?,00000000), ref: 0044D8B2
    • lstrcpyA.KERNEL32(0049F200,?,00000000), ref: 0044D8C5
    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0044D8DA
    • DispatchMessageW.USER32(?), ref: 0044D8E7
    • InitCommonControlsEx.COMCTL32(0049E8BF), ref: 0044D91D
    • GetCommandLineW.KERNEL32 ref: 0044D935
    • SetLastError.KERNEL32(00000000), ref: 0044D942
    • LoadIconW.USER32(00000000,00000020), ref: 0044D97B
    • LoadCursorW.USER32(00000000,00000020), ref: 0044D985
    • RegisterClassExW.USER32(00000030), ref: 0044D9A1
    • CreateWindowExW.USER32 ref: 0045B5F6
    Strings
    Memory Dump Source
    • Source File: 00000003.00000000.254658263.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000000.254647752.00400000.00000002.sdmp
    • Associated: 00000003.00000000.254742621.00487000.00000002.sdmp
    • Associated: 00000003.00000000.254759473.00494000.00000008.sdmp
    • Associated: 00000003.00000000.254780696.004A1000.00000002.sdmp
    APIs
    • SendMessageW.USER32(00000180,00000000,?,0@I), ref: 004325D8
    • SendMessageW.USER32(00000197,00000004,00000000,0@I), ref: 004325F5
      • Part of subcall function 0048471F: SendMessageW.USER32(0000018E,00000000,00000000,00432600), ref: 0048472E
    • CreateWindowExW.USER32 ref: 0043262B
    • CreateWindowExW.USER32 ref: 00432653
    • PostMessageW.USER32(?,00000111,?,000001F4,?,000001CC,000001D6,0000008C,00000028,?,00000005,44A7B82D,00000000), ref: 0043266C
    • PostQuitMessage.USER32(00000000), ref: 0043267D
    Strings
    Memory Dump Source
    • Source File: 00000003.00000000.254658263.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000000.254647752.00400000.00000002.sdmp
    • Associated: 00000003.00000000.254742621.00487000.00000002.sdmp
    • Associated: 00000003.00000000.254759473.00494000.00000008.sdmp
    • Associated: 00000003.00000000.254780696.004A1000.00000002.sdmp
    APIs
    • memset.MSVCRT ref: 00B9990F
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00B99920
    • VirtualAlloc.KERNEL32(?,=::=::\,00003000,00000040), ref: 00B99954
    • memset.MSVCRT ref: 00B99994
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00B999A5
    • VirtualAlloc.KERNEL32(?,=::=::\,00003000,00000040), ref: 00B999E5
    • memset.MSVCRT ref: 00B99A50
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00435BC1
    • Process32FirstW.KERNEL32 ref: 00435BE6
      • Part of subcall function 0045C012: CreateMutexW.KERNEL32(004649B4,00000001), ref: 0045C058
      • Part of subcall function 0045C012: GetLastError.KERNEL32(?,?,?,?,00000002,00000000), ref: 0045C064
      • Part of subcall function 0045C012: CloseHandle.KERNEL32 ref: 0045C072
    • OpenProcess.KERNEL32(00000400,00000000,?), ref: 00435C3D
    • CloseHandle.KERNEL32(?), ref: 00435D07
      • Part of subcall function 0043AEE3: OpenProcessToken.ADVAPI32(?,00000008), ref: 0043AEF5
      • Part of subcall function 0043AEE3: GetTokenInformation.ADVAPI32(?,0000000C,004649A8,00000004), ref: 0043AF1D
      • Part of subcall function 0043AEE3: CloseHandle.KERNEL32(?), ref: 0043AF33
    • CloseHandle.KERNEL32 ref: 00435C5B
    • GetLengthSid.ADVAPI32 ref: 00435C77
    • memcmp.MSVCRT ref: 00435C8F
      • Part of subcall function 00442543: HeapAlloc.KERNEL32(00000008,?,?,00000000,0044D89F,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7,?,@echo off%sdel /F "%s"), ref: 0044256D
      • Part of subcall function 00442543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0044D89F,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7), ref: 00442580
      • Part of subcall function 00435B0B: OpenProcess.KERNEL32(0000047A,00000000,?), ref: 00435B19
      • Part of subcall function 00435B0B: CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000000,00000000), ref: 00435B5A
      • Part of subcall function 00435B0B: WaitForSingleObject.KERNEL32(?,00002710), ref: 00435B6C
      • Part of subcall function 00435B0B: CloseHandle.KERNEL32 ref: 00435B73
      • Part of subcall function 00435B0B: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00435B85
      • Part of subcall function 00435B0B: CloseHandle.KERNEL32 ref: 00435B8C
    • Process32NextW.KERNEL32(?,?), ref: 00435D13
    • CloseHandle.KERNEL32 ref: 00435D26
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(00465AA4,?,00464DF4,00000000,00000006,0045BD7A,00464DF4,-00000258,?,00000000), ref: 00438E6A
    • LeaveCriticalSection.KERNEL32(00465AA4,?,00000000), ref: 00438E9D
      • Part of subcall function 00441E94: GetModuleHandleW.KERNEL32(shell32.dll), ref: 00441EA2
      • Part of subcall function 00441E94: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00441EAE
      • Part of subcall function 00441E94: SetLastError.KERNEL32(00000001,00438F04,004647C0,?,00464DF4,00000000,00000006,0045BD7A,00464DF4,-00000258,?,00000000), ref: 00441EC6
    • CoTaskMemFree.OLE32(?), ref: 00438F36
    • PathRemoveBackslashW.SHLWAPI(00000006), ref: 00438F44
    • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,00000006), ref: 00438F5C
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(009B21B4,009B21A8,?,?,0044A99B,00000000,0044A6E2,00000000,?,00000000,?,?,?,0045B2E2,?,00000001), ref: 00438D3D
    • CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00438D76
    • DuplicateHandle.KERNEL32(000000FF,?,000000FF,0044A99B,00000000,00000000,00000002), ref: 00438D95
    • GetLastError.KERNEL32(?,000000FF,0044A99B,00000000,00000000,00000002,?,?,0044A99B,00000000,0044A6E2,00000000,?,00000000), ref: 00438D9F
    • TerminateThread.KERNEL32 ref: 00438DA7
    • CloseHandle.KERNEL32 ref: 00438DAE
      • Part of subcall function 004424F3: HeapAlloc.KERNEL32(00000000,?,?,?,00436328,?,?,00458D10,?,?,?,?,0000FFFF), ref: 0044251D
      • Part of subcall function 004424F3: HeapReAlloc.KERNEL32(00000000,?,?,?,?,00436328,?,?,00458D10,?,?,?,?,0000FFFF), ref: 00442530
    • LeaveCriticalSection.KERNEL32(009B21B4,?,0044A99B,00000000,0044A6E2,00000000,?,00000000,?,?,?,0045B2E2,?,00000001), ref: 00438DC3
    • ResumeThread.KERNEL32 ref: 00438DDC
      • Part of subcall function 00442543: HeapAlloc.KERNEL32(00000008,?,?,00000000,0044D89F,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7,?,@echo off%sdel /F "%s"), ref: 0044256D
      • Part of subcall function 00442543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0044D89F,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7), ref: 00442580
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00B99BEC
    • memcpy.MSVCRT ref: 00B99C39
    • GetThreadContext.KERNEL32(?,00000010), ref: 00B99CAF
    • SetThreadContext.KERNEL32(?,?), ref: 00B99D1A
    • GetCurrentProcess.KERNEL32 ref: 00B99D33
    • VirtualProtect.KERNEL32(?,0000007C,?), ref: 00B99D58
    • FlushInstructionCache.KERNEL32(?,?,0000007C), ref: 00B99D6A
      • Part of subcall function 00B99A67: memset.MSVCRT ref: 00B99A78
      • Part of subcall function 00B99821: GetCurrentProcess.KERNEL32 ref: 00B99824
      • Part of subcall function 00B99821: VirtualProtect.KERNEL32(6FFF0000,=::=::\,00000020), ref: 00B99845
      • Part of subcall function 00B99821: FlushInstructionCache.KERNEL32(?,6FFF0000,=::=::\), ref: 00B9984E
    • ResumeThread.KERNEL32(?), ref: 00B99DAB
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
      • Part of subcall function 00B99B45: GetCurrentThreadId.KERNEL32 ref: 00B99B46
      • Part of subcall function 00B99B45: VirtualProtect.KERNEL32(?,0000007C,?,?), ref: 00B99B7D
      • Part of subcall function 00B99B45: ResumeThread.KERNEL32(?), ref: 00B99BBE
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • InitializeSecurityDescriptor.ADVAPI32(004649C0,00000001), ref: 00441F5F
    • SetSecurityDescriptorDacl.ADVAPI32(004649C0,00000001,00000000,00000000), ref: 00441F70
    • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NRNWNX;;;LW),00000001,?,00000000), ref: 00441F86
    • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00441FA2
    • SetSecurityDescriptorSacl.ADVAPI32(004649C0,?,?,00000001), ref: 00441FB6
    • LocalFree.KERNEL32(?), ref: 00441FC8
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • InitializeSecurityDescriptor.ADVAPI32(00BA49C0,00000001), ref: 00B81F5F
    • SetSecurityDescriptorDacl.ADVAPI32(00BA49C0,00000001,00000000,00000000), ref: 00B81F70
    • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NRNWNX;;;LW),00000001,?,00000000), ref: 00B81F86
    • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00B81FA2
    • SetSecurityDescriptorSacl.ADVAPI32(00BA49C0,?,?,00000001), ref: 00B81FB6
    • LocalFree.KERNEL32(?), ref: 00B81FC8
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
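The function listed twice above (00441F5F in the 00400000 image and 00B81F5F in the 00B40000 copy) builds one security descriptor: InitializeSecurityDescriptor, then SetSecurityDescriptorDacl with bDaclPresent 00000001 and pDacl 00000000, which is a NULL DACL (every caller is granted full access), then a SACL converted from the SDDL `S:(ML;;NRNWNX;;;LW)`, a mandatory-label ACE that sets the object's integrity level to Low with the No-Read-Up, No-Write-Up and No-Execute-Up policy bits. SECURITY_ATTRIBUTES is twelve bytes, so the descriptor at 004649C0 is consistent with being the lpSecurityDescriptor of the structure at 004649B4 that CreateMutexW and CreateEventW receive elsewhere in this report (an inference from the addresses, not something the report states). The combination matters on Vista and later: a low-integrity process, for example a browser running in protected mode, can open and signal an object labelled Low, which a default Medium label would refuse for write access; on the XP SP3 analysis system the ML ACE type does not exist, so the conversion cannot succeed there and the object is left with only the NULL DACL. The decoder below is an added example written for this page, not the sample's code: it parses the SACL part of an SDDL string, extracts the label, models the mandatory-integrity decision for a caller at a given level, and reads the NULL-DACL condition straight from the SetSecurityDescriptorDacl trace line (constructed copy of the line above).

```python
"""Decode the SDDL mandatory label and NULL-DACL pattern from the
security-descriptor trace above.

Added example for this report, not the sample's own code.  Token and RID
values follow the Windows SDK (sddl.h / winnt.h); mic_allows models the
documented mandatory-integrity rule in Python and does not call Windows.
"""
import re
from typing import Dict, List, Optional

# Integrity SID aliases used in SDDL; all are S-1-16-<RID>.
INTEGRITY_RID = {"LW": 0x1000, "ME": 0x2000, "HI": 0x3000, "SI": 0x4000}
INTEGRITY_NAME = {0x0: "Untrusted", 0x1000: "Low", 0x2000: "Medium",
                  0x3000: "High", 0x4000: "System"}
# Mandatory-label policy tokens (SYSTEM_MANDATORY_LABEL_NO_*_UP).
LABEL_POLICY = {"NR": "NO_READ_UP", "NW": "NO_WRITE_UP", "NX": "NO_EXECUTE_UP"}
ACE_TYPE = {"ML": "SYSTEM_MANDATORY_LABEL_ACE", "A": "ACCESS_ALLOWED_ACE",
            "D": "ACCESS_DENIED_ACE", "AU": "SYSTEM_AUDIT_ACE"}

SACL_RE = re.compile(r"S:[A-Z]*((?:\([^)]*\))*)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def _rights(field: str) -> List[str]:
    """SDDL rights are two-letter tokens run together, or a single hex mask."""
    if field.startswith("0x"):
        return [field]
    tokens = [field[i:i + 2] for i in range(0, len(field), 2)]
    return [LABEL_POLICY.get(t, t) for t in tokens]


def _sid(field: str) -> str:
    """Expand an integrity alias to its SID; other SID strings pass through."""
    return f"S-1-16-{INTEGRITY_RID[field]}" if field in INTEGRITY_RID else field


def parse_sacl(sddl: str) -> List[Dict]:
    """ACEs of the S: component; each ACE is type;flags;rights;obj;inh;sid."""
    m = SACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        f = (body.split(";") + [""] * 6)[:6]
        aces.append({"type": ACE_TYPE.get(f[0], f[0]), "flags": f[1],
                     "rights": _rights(f[2]), "sid": _sid(f[5])})
    return aces


def label_from_sddl(sddl: str) -> Optional[Dict]:
    """The object's integrity label, if the SACL carries an ML ACE."""
    for ace in parse_sacl(sddl):
        if ace["type"] == "SYSTEM_MANDATORY_LABEL_ACE":
            rid = int(ace["sid"].rsplit("-", 1)[1])
            return {"level": rid, "level_name": INTEGRITY_NAME.get(rid, hex(rid)),
                    "policy": ace["rights"]}
    return None


def mic_allows(caller_level: int, label: Dict, access: str) -> bool:
    """Mandatory integrity check: callers at or above the label pass; lower
    callers are refused only for accesses whose NO_*_UP bit is set."""
    if caller_level >= label["level"]:
        return True
    return f"NO_{access.upper()}_UP" not in label["policy"]


def describe_object_sd(set_dacl_trace: str, sddl: str) -> Dict:
    """Combine the SetSecurityDescriptorDacl trace line with the SDDL label.

    Parameters 2 and 3 of SetSecurityDescriptorDacl are bDaclPresent and
    pDacl; present=1 with pDacl=NULL is a NULL DACL (all access to all).
    """
    args = re.search(r"\((.*)\)", set_dacl_trace).group(1).split(",")
    null_dacl = args[1] == "00000001" and args[2] == "00000000"
    label = label_from_sddl(sddl)
    findings = []
    if null_dacl:
        findings.append("NULL DACL: the DACL grants every caller full access")
    if label and label["level"] <= 0x1000:
        findings.append(f"label {label['level_name']}: low-integrity callers pass MIC")
    return {"null_dacl": null_dacl, "label": label, "findings": findings,
            "low_il_caller_can_write": bool(label) and mic_allows(0x1000, label, "write")}


if __name__ == "__main__":
    # Constructed from the trace lines in the report above.
    r = describe_object_sd(
        "SetSecurityDescriptorDacl.ADVAPI32(004649C0,00000001,00000000,00000000), ref: 00441F70",
        "S:(ML;;NRNWNX;;;LW)")
    print("\n".join(r["findings"]))
```

For the descriptor in this report the result is a NULL DACL plus a Low label whose policy still keeps Untrusted-level callers out (NO_WRITE_UP applies below Low), so everything at Low integrity or above can open the object for any access. Swapping the label to `ME` or passing a real pDacl in the trace line shows the two findings disappear independently, which is the check worth applying when a named mutex or event with a NULL DACL turns up on a Vista-or-later host.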
    APIs
      • Part of subcall function 00B8204E: memcpy.MSVCRT ref: 00B8205C
      • Part of subcall function 00B9570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00B9ABEA,00B9ABEA), ref: 00B9573C
    • lstrcatW.KERNEL32(?,.dat), ref: 00B9AC32
    • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B9AC57
    • ReadFile.KERNEL32(?,?,000001FE,?,00000000), ref: 00B9AC75
    • CloseHandle.KERNEL32 ref: 00B9AC82
      • Part of subcall function 00B9D2D7: EnterCriticalSection.KERNEL32(01311E90,?), ref: 00B9D2EB
      • Part of subcall function 00B9D2D7: GetFileVersionInfoSizeW.VERSION(01311EF0), ref: 00B9D30C
      • Part of subcall function 00B9D2D7: GetFileVersionInfoW.VERSION(01311EF0,00000000), ref: 00B9D32A
      • Part of subcall function 00B9D2D7: LeaveCriticalSection.KERNEL32(01311E90,00000001,00000001,00000001,00000001), ref: 00B9D413
      • Part of subcall function 00B78F6F: memcpy.MSVCRT ref: 00B78FE0
      • Part of subcall function 00B78F6F: PathRemoveBackslashW.SHLWAPI ref: 00B78FEA
      • Part of subcall function 00B78F6F: memcpy.MSVCRT ref: 00B79033
      • Part of subcall function 00B78F6F: memcpy.MSVCRT ref: 00B79060
      • Part of subcall function 00B78F6F: PathRemoveBackslashW.SHLWAPI ref: 00B7906A
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00B9ABF1
    • .dat, xrefs: 00B9AC26
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • GetTempPathW.KERNEL32(00000104), ref: 0045AAB7
    • GetLongPathNameW.KERNEL32(?,C:\Documents and Settings\Administrator\Local Settings\Temp,00000104,?,?), ref: 0045AACF
    • PathRemoveBackslashW.SHLWAPI(C:\Documents and Settings\Administrator\Local Settings\Temp), ref: 0045AADA
      • Part of subcall function 00438E53: EnterCriticalSection.KERNEL32(00465AA4,?,00464DF4,00000000,00000006,0045BD7A,00464DF4,-00000258,?,00000000), ref: 00438E6A
      • Part of subcall function 00438E53: LeaveCriticalSection.KERNEL32(00465AA4,?,00000000), ref: 00438E9D
      • Part of subcall function 00438E53: CoTaskMemFree.OLE32(?), ref: 00438F36
      • Part of subcall function 00438E53: PathRemoveBackslashW.SHLWAPI(00000006), ref: 00438F44
      • Part of subcall function 00438E53: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,00000006), ref: 00438F5C
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?), ref: 0045AB00
      • Part of subcall function 00439F5F: memcpy.MSVCRT ref: 00439F99
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 0045AAC2, 0045AACD, 0045AAD9
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 0045AAE0
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • VirtualAlloc.KERNEL32 ref: 009A014E
    • VirtualAlloc.KERNEL32(?,?,00002000,00000001), ref: 009A0275
    • VirtualAlloc.KERNEL32(?,00001000,00001000,00000004), ref: 009A029A
    • VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 009A02EE
    • LoadLibraryA.KERNEL32(?), ref: 009A032F
    • VirtualProtect.KERNEL32(?,00001000,00000002), ref: 009A042A
    • VirtualProtect.KERNEL32(?,?,?,009A0008), ref: 009A0472
    Memory Dump Source
    • Source File: 00000003.00000002.678175246.009A0000.00000040.sdmp, Offset: 009A0000, based on PE: false
    APIs
    • CreateFileW.KERNEL32(009B1EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0044844B
    • GetFileSizeEx.KERNEL32 ref: 0044845E
    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00448484
    • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0044849C
    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 004484BA
    • CloseHandle.KERNEL32 ref: 004484C3
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00438E53: EnterCriticalSection.KERNEL32(00465AA4,?,00464DF4,00000000,00000006,0045BD7A,00464DF4,-00000258,?,00000000), ref: 00438E6A
      • Part of subcall function 00438E53: LeaveCriticalSection.KERNEL32(00465AA4,?,00000000), ref: 00438E9D
      • Part of subcall function 00438E53: CoTaskMemFree.OLE32(?), ref: 00438F36
      • Part of subcall function 00438E53: PathRemoveBackslashW.SHLWAPI(00000006), ref: 00438F44
      • Part of subcall function 00438E53: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,00000006), ref: 00438F5C
    • PathRemoveBackslashW.SHLWAPI(-00000258), ref: 0045BD85
    • PathRemoveFileSpecW.SHLWAPI(-00000258), ref: 0045BD92
    • PathAddBackslashW.SHLWAPI(-00000258), ref: 0045BDA3
    • GetVolumeNameForVolumeMountPointW.KERNEL32(-00000258,-00000050,00000064), ref: 0045BDB6
    • CLSIDFromString.OLE32(-0000003C,00464DF4,?,00000000), ref: 0045BDD2
    • memset.MSVCRT ref: 0045BDE4
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • OpenProcess.KERNEL32(0000047A,00000000,?), ref: 00435B19
      • Part of subcall function 0045AEB1: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 0045AECF
      • Part of subcall function 0045AEB1: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 0045AF0A
      • Part of subcall function 0045AEB1: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0045AF4A
      • Part of subcall function 0045AEB1: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0045AF6D
      • Part of subcall function 0045AEB1: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0045AFBD
    • CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000000,00000000), ref: 00435B5A
    • WaitForSingleObject.KERNEL32(?,00002710), ref: 00435B6C
    • CloseHandle.KERNEL32 ref: 00435B73
    • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00435B85
    • CloseHandle.KERNEL32 ref: 00435B8C
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00B99DED
      • Part of subcall function 00B824C1: HeapAlloc.KERNEL32(00000000,00000028,?,00B9D211,?,?,00000000,?,?,00000001), ref: 00B824D2
      • Part of subcall function 00B9985F: memset.MSVCRT ref: 00B9990F
      • Part of subcall function 00B9985F: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00B99920
      • Part of subcall function 00B9985F: VirtualAlloc.KERNEL32(?,=::=::\,00003000,00000040), ref: 00B99954
      • Part of subcall function 00B9985F: memset.MSVCRT ref: 00B99994
      • Part of subcall function 00B9985F: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00B999A5
      • Part of subcall function 00B9985F: VirtualAlloc.KERNEL32(?,=::=::\,00003000,00000040), ref: 00B999E5
      • Part of subcall function 00B9985F: memset.MSVCRT ref: 00B99A50
      • Part of subcall function 00B964A4: SetLastError.KERNEL32(0000000D), ref: 00B964DF
    • memcpy.MSVCRT ref: 00B99F56
    • VirtualProtect.KERNEL32(?,?,00000040,00000000), ref: 00B99FE2
    • GetLastError.KERNEL32(?,00000040,00000000,?,?,00000000), ref: 00B99FEC
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
      • Part of subcall function 00B99A67: memset.MSVCRT ref: 00B99A78
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00BA5AA4,00000000,?,?,00B793C9), ref: 00B9D5B6
    • LeaveCriticalSection.KERNEL32(00BA5AA4,?,?,00B793C9), ref: 00B9D5DC
      • Part of subcall function 00B9D4EF: memset.MSVCRT ref: 00B9D506
    • CreateMutexW.KERNEL32(00BA49B4,00000000,Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}), ref: 00B9D5EE
      • Part of subcall function 00B775E7: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B775ED
      • Part of subcall function 00B775E7: CloseHandle.KERNEL32 ref: 00B775FF
    Strings
    • Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}, xrefs: 00B9D5E3
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 0045AECF
      • Part of subcall function 0044C90D: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 0044C93C
      • Part of subcall function 0044C90D: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0044C97B
      • Part of subcall function 0044C90D: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0044C9A2
    • DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 0045AF0A
    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0045AF4A
    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0045AF6D
      • Part of subcall function 0045A976: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 0045A999
      • Part of subcall function 0045A976: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0045A9B1
      • Part of subcall function 0045A976: DuplicateHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000001), ref: 0045A9CC
    • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0045AFBD
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • GetCurrentProcess.KERNEL32 ref: 00B99824
    • VirtualProtect.KERNEL32(6FFF0000,=::=::\,00000020), ref: 00B99845
    • FlushInstructionCache.KERNEL32(?,6FFF0000,=::=::\), ref: 00B9984E
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • VirtualAlloc.KERNEL32(00000000,00006000,00003000,00000040), ref: 0042CAC5
    • LoadLibraryA.KERNEL32 ref: 0042CBAE
    • GetProcAddress.KERNEL32(00000000), ref: 0042CBD8
    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0042CC0A
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00B7AF51
    • Thread32First.KERNEL32 ref: 00B7AF6C
    • Thread32Next.KERNEL32(?,?), ref: 00B7AF7F
    • CloseHandle.KERNEL32 ref: 00B7AF8A
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00B99AEE
    • VirtualProtect.KERNEL32(6FFF0000,00010000,00000040,?), ref: 00B99B34
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • CreateThread.KERNEL32(00000000,00000000,Function_00053883,00000000), ref: 00B93964
    • WaitForSingleObject.KERNEL32(?,00003A98), ref: 00B93976
    • TerminateThread.KERNEL32(?,00000000), ref: 00B93982
    • CloseHandle.KERNEL32 ref: 00B93989
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 0045A999
    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0045A9B1
    • DuplicateHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000001), ref: 0045A9CC
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 0044204E: memcpy.MSVCRT ref: 0044205C
      • Part of subcall function 0045BC89: memcpy.MSVCRT ref: 0045BCA4
      • Part of subcall function 0045BC89: StringFromGUID2.OLE32 ref: 0045BD4A
    • CreateMutexW.KERNEL32(004649B4,00000001), ref: 0045C058
    • GetLastError.KERNEL32(?,?,?,?,00000002,00000000), ref: 0045C064
    • CloseHandle.KERNEL32 ref: 0045C072
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 0044C93C
      • Part of subcall function 004425A7: memcpy.MSVCRT ref: 004425C6
    • WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0044C97B
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0044C9A2
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 004507B0: RegCreateKeyExW.ADVAPI32(80000001,00000102,00000000,00000000,00000000,?,00000000,?,?), ref: 004507D8
    • RegSetValueExW.ADVAPI32(00000000,000000FE,?,00000000,?,?), ref: 00450823
      • Part of subcall function 00450755: RegFlushKey.ADVAPI32 ref: 00450765
      • Part of subcall function 00450755: RegCloseKey.ADVAPI32 ref: 0045076D
    Strings
    • Software\Microsoft\Tivyikdiy, xrefs: 00450803
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000040), ref: 00459336
    Strings
    • Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 0045932E
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 00401E60
      • Part of subcall function 00402689: HeapAlloc.KERNEL32(00000000,00000140,00401E88,000003F8,?,00491DB0,00000060), ref: 00402696
    • HeapDestroy.KERNEL32 ref: 00401E93
    Memory Dump Source
    • Source File: 00000003.00000000.254658263.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000000.254647752.00400000.00000002.sdmp
    • Associated: 00000003.00000000.254742621.00487000.00000002.sdmp
    • Associated: 00000003.00000000.254759473.00494000.00000008.sdmp
    • Associated: 00000003.00000000.254780696.004A1000.00000002.sdmp
    APIs
      • Part of subcall function 00B76E1F: GetLastError.KERNEL32(6FFF0380,?,00B7652A), ref: 00B76E21
      • Part of subcall function 00B76E1F: TlsGetValue.KERNEL32(?,?,00B7652A), ref: 00B76E3E
      • Part of subcall function 00B76E1F: TlsSetValue.KERNEL32(00000001), ref: 00B76E50
      • Part of subcall function 00B76E1F: SetLastError.KERNEL32(?,?,00B7652A), ref: 00B76E60
    • NtQueryInformationProcess.NTDLL(?,00000000,?,00000018), ref: 00B83465
      • Part of subcall function 00B9C012: CreateMutexW.KERNEL32(00BA49B4,00000001), ref: 00B9C058
      • Part of subcall function 00B9C012: GetLastError.KERNEL32(?,?,?,?,00000002,00000000), ref: 00B9C064
      • Part of subcall function 00B9C012: CloseHandle.KERNEL32 ref: 00B9C072
      • Part of subcall function 00B7C5A8: TlsGetValue.KERNEL32(00000014,?,00B8349E), ref: 00B7C5B1
      • Part of subcall function 00B9AEB1: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00B9AECF
      • Part of subcall function 00B9AEB1: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00B9AF0A
      • Part of subcall function 00B9AEB1: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00B9AF4A
      • Part of subcall function 00B9AEB1: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00B9AF6D
      • Part of subcall function 00B9AEB1: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00B9AFBD
    • CloseHandle.KERNEL32 ref: 00B834DA
      • Part of subcall function 00B7AF41: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00B7AF51
      • Part of subcall function 00B7AF41: Thread32First.KERNEL32 ref: 00B7AF6C
      • Part of subcall function 00B7AF41: Thread32Next.KERNEL32(?,?), ref: 00B7AF7F
      • Part of subcall function 00B7AF41: CloseHandle.KERNEL32 ref: 00B7AF8A
      • Part of subcall function 00B76EA5: GetLastError.KERNEL32(?,00B76577), ref: 00B76EA6
      • Part of subcall function 00B76EA5: TlsSetValue.KERNEL32(00000000), ref: 00B76EB6
      • Part of subcall function 00B76EA5: SetLastError.KERNEL32(?,?,00B76577), ref: 00B76EBD
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • lstrlenA.KERNEL32(?,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7,?,@echo off%sdel /F "%s"), ref: 0044D87D
    • wvnsprintfA.SHLWAPI(00000080,?,?,?), ref: 0044D8AE
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 00442543: HeapAlloc.KERNEL32(00000008,?,?,00000000,0044D89F,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7,?,@echo off%sdel /F "%s"), ref: 0044256D
      • Part of subcall function 00442543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0044D89F,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7), ref: 00442580
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • CreateMutexW.KERNEL32(004649B4,00000000), ref: 0045C0BF
      • Part of subcall function 004375E7: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004375ED
      • Part of subcall function 004375E7: CloseHandle.KERNEL32 ref: 004375FF
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 004424C1: HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
      • Part of subcall function 0045083C: RegQueryValueExW.ADVAPI32(?,00000010,00000000,?,?,?), ref: 00450850
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00450903
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B824C1: HeapAlloc.KERNEL32(00000000,00000028,?,00B9D211,?,?,00000000,?,?,00000001), ref: 00B824D2
      • Part of subcall function 00B9083C: RegQueryValueExW.ADVAPI32(?,00000010,00000000,?,?,?), ref: 00B90850
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00B90903
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • RegCreateKeyExW.ADVAPI32(80000001,00000102,00000000,00000000,00000000,?,00000000,?,?), ref: 004507D8
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • HeapCreate.KERNEL32(00000000,00080000,00000000), ref: 004424A1
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • HeapCreate.KERNEL32(00000000,00080000,00000000), ref: 00B824A1
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • RegQueryValueExW.ADVAPI32(?,00000010,00000000,?,?,?), ref: 00B90850
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    Non-executed Functions
    APIs
      • Part of subcall function 00A31943: GetModuleHandleA.KERNEL32(kernel32), ref: 00A3195E
      • Part of subcall function 00A31943: GetProcAddress.KERNEL32 ref: 00A31965
    • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 00A31025
    • GetTickCount.KERNEL32 ref: 00A31034
    • sprintf.MSVCRT ref: 00A3104D
    • sprintf.MSVCRT ref: 00A31069
    • fopen.MSVCRT ref: 00A31077
    • fwrite.MSVCRT ref: 00A31093
    • fclose.MSVCRT ref: 00A3109A
    • GetModuleFileNameA.KERNEL32(00000000,?,00000100), ref: 00A310AC
    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00A310F0
    • CreateServiceA.ADVAPI32(?,?,?,000F01FF,00000001,00000001,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000100), ref: 00A3111C
    • StartServiceA.ADVAPI32(?,00000000,00000000), ref: 00A31131
    • CloseServiceHandle.ADVAPI32 ref: 00A31138
    • CloseServiceHandle.ADVAPI32(?), ref: 00A31144
      • Part of subcall function 00A31829: GetModuleHandleA.KERNEL32(kernel32), ref: 00A31844
      • Part of subcall function 00A31829: GetProcAddress.KERNEL32 ref: 00A3184B
      • Part of subcall function 00A31829: GetCurrentProcess.KERNEL32 ref: 00A3185E
      • Part of subcall function 00A31829: IsWow64Process.KERNEL32 ref: 00A31865
    • WinExec.KERNEL32(bcdedit.exe -set TESTSIGNING ON,00000000), ref: 00A3115D
    • _unlink.MSVCRT(?,?,00000100,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 00A3116F
      • Part of subcall function 00A3197F: GetModuleHandleA.KERNEL32(kernel32), ref: 00A31992
      • Part of subcall function 00A3197F: GetProcAddress.KERNEL32 ref: 00A31999
    Strings
    • bcdedit.exe -set TESTSIGNING ON, xrefs: 00A31158
    • %s\drivers\%s.sys, xrefs: 00A31063
    Memory Dump Source
    • Source File: 00000003.00000002.678185872.00A30000.00000040.sdmp, Offset: 00A30000, based on PE: false
    APIs
    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A311C3
    • GetCurrentProcess.KERNEL32 ref: 00A311D7
    • OpenProcessToken.ADVAPI32 ref: 00A311DE
    • GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000), ref: 00A311FA
    • RtlGetLastWin32Error.NTDLL ref: 00A311FC
    • malloc.MSVCRT ref: 00A3120B
    • GetTokenInformation.ADVAPI32(?,00000002,?,?), ref: 00A31225
    • EqualSid.ADVAPI32(?), ref: 00A3123A
    • free.MSVCRT ref: 00A3125B
    • FreeSid.ADVAPI32(?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A3126C
    • CloseHandle.KERNEL32(?), ref: 00A3127B
    Memory Dump Source
    • Source File: 00000003.00000002.678185872.00A30000.00000040.sdmp, Offset: 00A30000, based on PE: false
    APIs
    • socket.WS2_32(?,00000001,00000006), ref: 00443BCA
    • bind.WS2_32 ref: 00443BE7
    • listen.WS2_32(?,00000001), ref: 00443BF4
    • WSAGetLastError.WS2_32(?,?,?,?,00000001,00000006,?,?,0044EE5F,?,?,?), ref: 00443BFE
    • closesocket.WS2_32 ref: 00443C07
    • WSASetLastError.WS2_32(?,?,?,?,?,?,00000001,00000006,?,?,0044EE5F,?,?,?), ref: 00443C0E
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • socket.WS2_32(?,00000001,00000006), ref: 00B83BCA
    • bind.WS2_32 ref: 00B83BE7
    • listen.WS2_32(?,00000001), ref: 00B83BF4
    • WSAGetLastError.WS2_32(?,?,?,?,00000001,00000006,?,?,00B8EE5F,?,?,?), ref: 00B83BFE
    • closesocket.WS2_32 ref: 00B83C07
    • WSASetLastError.WS2_32(?,?,?,?,?,?,00000001,00000006,?,?,00B8EE5F,?,?,?), ref: 00B83C0E
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,000001FC), ref: 00A312A9
    • getenv.MSVCRT ref: 00A312CE
    • ShellExecuteA.SHELL32(00000000,runas,?,000001FC), ref: 00A312DC
    Memory Dump Source
    • Source File: 00000003.00000002.678185872.00A30000.00000040.sdmp, Offset: 00A30000, based on PE: false
    APIs
      • Part of subcall function 0043B7D0: socket.WS2_32(?,?,00000006), ref: 0043B804
    • bind.WS2_32(?,0043BCEA), ref: 0043BC53
    • listen.WS2_32(?,00000014), ref: 0043BC68
    • WSAGetLastError.WS2_32(00000000,?,0043BCEA,?,?,?,?,00000000), ref: 0043BC76
      • Part of subcall function 0043B979: shutdown.WS2_32(?,00000002), ref: 0043B987
      • Part of subcall function 0043B979: closesocket.WS2_32 ref: 0043B990
      • Part of subcall function 0043B979: WSACloseEvent.WS2_32 ref: 0043B9A3
    • WSASetLastError.WS2_32(?,?,0043BCEA,?,?,?,?,00000000), ref: 0043BC86
      • Part of subcall function 0043B928: WSACreateEvent.WS2_32(00000000,?,0043BB6E,00000033,00000000,?,?,?,0044C4F0,?,00003A98,?,00000000,?,00000003), ref: 0043B93E
      • Part of subcall function 0043B928: WSAEventSelect.WS2_32(?,?,00000033), ref: 0043B954
      • Part of subcall function 0043B928: WSACloseEvent.WS2_32 ref: 0043B968
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B7B7D0: socket.WS2_32(?,?,00000006), ref: 00B7B804
    • bind.WS2_32(?,00B7BCEA), ref: 00B7BC53
    • listen.WS2_32(?,00000014), ref: 00B7BC68
    • WSAGetLastError.WS2_32(00000000,?,00B7BCEA,?,?,?,?,00000000), ref: 00B7BC76
      • Part of subcall function 00B7B979: shutdown.WS2_32(?,00000002), ref: 00B7B987
      • Part of subcall function 00B7B979: closesocket.WS2_32 ref: 00B7B990
      • Part of subcall function 00B7B979: WSACloseEvent.WS2_32 ref: 00B7B9A3
    • WSASetLastError.WS2_32(?,?,00B7BCEA,?,?,?,?,00000000), ref: 00B7BC86
      • Part of subcall function 00B7B928: WSACreateEvent.WS2_32(00000000,?,00B7BB6E,00000033,00000000,?,?,?,00B8C4F0,?,00003A98,?,00000000,?,00000003), ref: 00B7B93E
      • Part of subcall function 00B7B928: WSAEventSelect.WS2_32(?,?,00000033), ref: 00B7B954
      • Part of subcall function 00B7B928: WSACloseEvent.WS2_32 ref: 00B7B968
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • DeviceIoControl.KERNEL32(0022002C,?,?,?,00000004,?,00000000), ref: 00A316E2
    Memory Dump Source
    • Source File: 00000003.00000002.678185872.00A30000.00000040.sdmp, Offset: 00A30000, based on PE: false
    APIs
    • StrStrIW.SHLWAPI(tellerplus,009B1E90), ref: 0045C1A4
    • StrStrIW.SHLWAPI(bancline), ref: 0045C1B9
    • StrStrIW.SHLWAPI(fidelity), ref: 0045C1CE
    • StrStrIW.SHLWAPI(micrsolv), ref: 0045C1E3
    • StrStrIW.SHLWAPI(bankman), ref: 0045C1F8
    • StrStrIW.SHLWAPI(vantiv), ref: 0045C20D
    • StrStrIW.SHLWAPI(episys), ref: 0045C222
    • StrStrIW.SHLWAPI(jack henry), ref: 0045C237
    • StrStrIW.SHLWAPI(cruisenet), ref: 0045C24C
    • StrStrIW.SHLWAPI(gplusmain), ref: 0045C261
    • StrStrIW.SHLWAPI(launchpadshell.exe), ref: 0045C276
    • StrStrIW.SHLWAPI(dirclt32.exe), ref: 0045C28B
    • StrStrIW.SHLWAPI(wtng.exe), ref: 0045C29C
    • StrStrIW.SHLWAPI(prologue.exe), ref: 0045C2AD
    • StrStrIW.SHLWAPI(silverlake), ref: 0045C2BE
    • StrStrIW.SHLWAPI(pcsws.exe), ref: 0045C2CF
    • StrStrIW.SHLWAPI(v48d0250s1), ref: 0045C2E0
    • StrStrIW.SHLWAPI(fdmaster.exe), ref: 0045C2F1
    • StrStrIW.SHLWAPI(fastdoc), ref: 0045C302
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • StrStrIW.SHLWAPI(tellerplus,01311E90), ref: 00B9C1A4
    • StrStrIW.SHLWAPI(bancline), ref: 00B9C1B9
    • StrStrIW.SHLWAPI(fidelity), ref: 00B9C1CE
    • StrStrIW.SHLWAPI(micrsolv), ref: 00B9C1E3
    • StrStrIW.SHLWAPI(bankman), ref: 00B9C1F8
    • StrStrIW.SHLWAPI(vantiv), ref: 00B9C20D
    • StrStrIW.SHLWAPI(episys), ref: 00B9C222
    • StrStrIW.SHLWAPI(jack henry), ref: 00B9C237
    • StrStrIW.SHLWAPI(cruisenet), ref: 00B9C24C
    • StrStrIW.SHLWAPI(gplusmain), ref: 00B9C261
    • StrStrIW.SHLWAPI(launchpadshell.exe), ref: 00B9C276
    • StrStrIW.SHLWAPI(dirclt32.exe), ref: 00B9C28B
    • StrStrIW.SHLWAPI(wtng.exe), ref: 00B9C29C
    • StrStrIW.SHLWAPI(prologue.exe), ref: 00B9C2AD
    • StrStrIW.SHLWAPI(silverlake), ref: 00B9C2BE
    • StrStrIW.SHLWAPI(pcsws.exe), ref: 00B9C2CF
    • StrStrIW.SHLWAPI(v48d0250s1), ref: 00B9C2E0
    • StrStrIW.SHLWAPI(fdmaster.exe), ref: 00B9C2F1
    • StrStrIW.SHLWAPI(fastdoc), ref: 00B9C302
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • longjmp.MSVCRT ref: 00A31C65
      • Part of subcall function 00A31875: GetVersionExA.KERNEL32 ref: 00A3188F
    • memset.MSVCRT ref: 00A31C85
      • Part of subcall function 00A31B0A: GetModuleHandleA.KERNEL32(ntdll.dll), ref: 00A31B1A
      • Part of subcall function 00A31B0A: GetProcAddress.KERNEL32(?,ZwQuerySystemInformation), ref: 00A31B2D
      • Part of subcall function 00A31B0A: malloc.MSVCRT ref: 00A31B3D
      • Part of subcall function 00A31B0A: realloc.MSVCRT ref: 00A31B63
      • Part of subcall function 00A31B0A: free.MSVCRT ref: 00A31B88
    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00A31CB0
      • Part of subcall function 00A31943: GetModuleHandleA.KERNEL32(kernel32), ref: 00A3195E
      • Part of subcall function 00A31943: GetProcAddress.KERNEL32 ref: 00A31965
      • Part of subcall function 00A318DC: fopen.MSVCRT ref: 00A318E6
      • Part of subcall function 00A318DC: fseek.MSVCRT ref: 00A31904
      • Part of subcall function 00A318DC: ftell.MSVCRT ref: 00A31907
      • Part of subcall function 00A318DC: malloc.MSVCRT ref: 00A31910
      • Part of subcall function 00A318DC: fseek.MSVCRT ref: 00A31924
      • Part of subcall function 00A318DC: fread.MSVCRT ref: 00A3192B
      • Part of subcall function 00A318DC: fclose.MSVCRT ref: 00A31935
      • Part of subcall function 00A3197F: GetModuleHandleA.KERNEL32(kernel32), ref: 00A31992
      • Part of subcall function 00A3197F: GetProcAddress.KERNEL32 ref: 00A31999
      • Part of subcall function 00A31829: GetModuleHandleA.KERNEL32(kernel32), ref: 00A31844
      • Part of subcall function 00A31829: GetProcAddress.KERNEL32 ref: 00A3184B
      • Part of subcall function 00A31829: GetCurrentProcess.KERNEL32 ref: 00A3185E
      • Part of subcall function 00A31829: IsWow64Process.KERNEL32 ref: 00A31865
      • Part of subcall function 00A319F4: _strcmpi.MSVCRT ref: 00A31A59
    • GetACP.KERNEL32 ref: 00A31E6F
    • _snprintf.MSVCRT ref: 00A31E87
    • RegCreateKeyExA.ADVAPI32(80000001,?,00000000,00000000,00000000,00010002,00000000,?,00000000), ref: 00A31EAC
    • RegDeleteValueA.ADVAPI32(?,SystemDefaultEUDCFont), ref: 00A31EC1
    • RegSetValueExA.ADVAPI32(?,SystemDefaultEUDCFont,00000000,00000003,?,?), ref: 00A31ED1
    • RtlAddVectoredExceptionHandler.NTDLL(00000001,00A31C5E), ref: 00A31EDF
    • _setjmp3.MSVCRT ref: 00A31EEC
    • EnableEUDC.GDI32(00000001), ref: 00A31EF9
    • RtlRemoveVectoredExceptionHandler.NTDLL(00A31C5E), ref: 00A31EFF
    • RegDeleteValueA.ADVAPI32(?,SystemDefaultEUDCFont), ref: 00A31F09
    • RegFlushKey.ADVAPI32(?), ref: 00A31F0E
    • RegCloseKey.ADVAPI32(?), ref: 00A31F17
    • GlobalAddAtomA.KERNEL32(*EUDC*), ref: 00A31F22
      • Part of subcall function 00A31B97: memset.MSVCRT ref: 00A31BA8
      • Part of subcall function 00A31B97: CreateEventA.KERNEL32(?,00000000,00000000,00000000), ref: 00A31BCE
      • Part of subcall function 00A31B97: CreateProcessA.KERNEL32(00000000,svchost.exe,00000000,00000000,00000001,00000004,00000000,00000000,?), ref: 00A31BF0
      • Part of subcall function 00A31B97: CloseHandle.KERNEL32(00000104), ref: 00A31C3D
      • Part of subcall function 00A31B97: free.MSVCRT ref: 00A31C44
      • Part of subcall function 00A31B97: CloseHandle.KERNEL32(00000104), ref: 00A31C52
    • free.MSVCRT ref: 00A31F39
    • free.MSVCRT ref: 00A31F41
    Memory Dump Source
    • Source File: 00000003.00000002.678185872.00A30000.00000040.sdmp, Offset: 00A30000, based on PE: false
    APIs
    • memset.MSVCRT ref: 00A31C85
      • Part of subcall function 00A31B0A: GetModuleHandleA.KERNEL32(ntdll.dll), ref: 00A31B1A
      • Part of subcall function 00A31B0A: GetProcAddress.KERNEL32(?,ZwQuerySystemInformation), ref: 00A31B2D
      • Part of subcall function 00A31B0A: malloc.MSVCRT ref: 00A31B3D
      • Part of subcall function 00A31B0A: realloc.MSVCRT ref: 00A31B63
      • Part of subcall function 00A31B0A: free.MSVCRT ref: 00A31B88
    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00A31CB0
      • Part of subcall function 00A31943: GetModuleHandleA.KERNEL32(kernel32), ref: 00A3195E
      • Part of subcall function 00A31943: GetProcAddress.KERNEL32 ref: 00A31965
      • Part of subcall function 00A318DC: fopen.MSVCRT ref: 00A318E6
      • Part of subcall function 00A318DC: fseek.MSVCRT ref: 00A31904
      • Part of subcall function 00A318DC: ftell.MSVCRT ref: 00A31907
      • Part of subcall function 00A318DC: malloc.MSVCRT ref: 00A31910
      • Part of subcall function 00A318DC: fseek.MSVCRT ref: 00A31924
      • Part of subcall function 00A318DC: fread.MSVCRT ref: 00A3192B
      • Part of subcall function 00A318DC: fclose.MSVCRT ref: 00A31935
      • Part of subcall function 00A3197F: GetModuleHandleA.KERNEL32(kernel32), ref: 00A31992
      • Part of subcall function 00A3197F: GetProcAddress.KERNEL32 ref: 00A31999
      • Part of subcall function 00A31829: GetModuleHandleA.KERNEL32(kernel32), ref: 00A31844
      • Part of subcall function 00A31829: GetProcAddress.KERNEL32 ref: 00A3184B
      • Part of subcall function 00A31829: GetCurrentProcess.KERNEL32 ref: 00A3185E
      • Part of subcall function 00A31829: IsWow64Process.KERNEL32 ref: 00A31865
      • Part of subcall function 00A31875: GetVersionExA.KERNEL32 ref: 00A3188F
    • GlobalAddAtomA.KERNEL32(*EUDC*), ref: 00A31F22
      • Part of subcall function 00A31B97: memset.MSVCRT ref: 00A31BA8
      • Part of subcall function 00A31B97: CreateEventA.KERNEL32(?,00000000,00000000,00000000), ref: 00A31BCE
      • Part of subcall function 00A31B97: CreateProcessA.KERNEL32(00000000,svchost.exe,00000000,00000000,00000001,00000004,00000000,00000000,?), ref: 00A31BF0
      • Part of subcall function 00A31B97: CloseHandle.KERNEL32(00000104), ref: 00A31C3D
      • Part of subcall function 00A31B97: free.MSVCRT ref: 00A31C44
      • Part of subcall function 00A31B97: CloseHandle.KERNEL32(00000104), ref: 00A31C52
      • Part of subcall function 00A319F4: _strcmpi.MSVCRT ref: 00A31A59
    • GetACP.KERNEL32 ref: 00A31E6F
    • _snprintf.MSVCRT ref: 00A31E87
    • RegCreateKeyExA.ADVAPI32(80000001,?,00000000,00000000,00000000,00010002,00000000,?,00000000), ref: 00A31EAC
    • RegDeleteValueA.ADVAPI32(?,SystemDefaultEUDCFont), ref: 00A31EC1
    • RegSetValueExA.ADVAPI32(?,SystemDefaultEUDCFont,00000000,00000003,?,?), ref: 00A31ED1
    • RtlAddVectoredExceptionHandler.NTDLL(00000001,00A31C5E), ref: 00A31EDF
    • _setjmp3.MSVCRT ref: 00A31EEC
    • EnableEUDC.GDI32(00000001), ref: 00A31EF9
    • RtlRemoveVectoredExceptionHandler.NTDLL(00A31C5E), ref: 00A31EFF
    • RegDeleteValueA.ADVAPI32(?,SystemDefaultEUDCFont), ref: 00A31F09
    • RegFlushKey.ADVAPI32(?), ref: 00A31F0E
    • RegCloseKey.ADVAPI32(?), ref: 00A31F17
    • free.MSVCRT ref: 00A31F39
    • free.MSVCRT ref: 00A31F41
    Memory Dump Source
    • Source File: 00000003.00000002.678185872.00A30000.00000040.sdmp, Offset: 00A30000, based on PE: false
    APIs
    • LoadLibraryA.KERNEL32(gdiplus.dll), ref: 00437FBA
    • GetProcAddress.KERNEL32(?,GdiplusStartup), ref: 00437FD2
    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00438011
    • CreateCompatibleDC.GDI32 ref: 00438022
    • LoadCursorW.USER32(00000000,00007F00), ref: 00438038
    • GetIconInfo.USER32 ref: 0043804C
    • GetCursorPos.USER32(?), ref: 0043805B
    • GetDeviceCaps.GDI32(?,00000008), ref: 00438072
    • GetDeviceCaps.GDI32(?,0000000A), ref: 0043807B
    • CreateCompatibleBitmap.GDI32(?,?), ref: 00438087
    • SelectObject.GDI32 ref: 00438095
    • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,40CC0020), ref: 004380B6
    • DrawIcon.USER32(?,?,?,?), ref: 004380E8
      • Part of subcall function 00451285: GetProcAddress.KERNEL32(?,GdipCreateBitmapFromHBITMAP), ref: 0045129A
      • Part of subcall function 00451285: GetProcAddress.KERNEL32(?,GdipDisposeImage), ref: 004512A5
    • SelectObject.GDI32(?,?), ref: 00438104
    • DeleteObject.GDI32 ref: 0043810B
    • DeleteDC.GDI32 ref: 00438112
    • DeleteDC.GDI32 ref: 00438119
    • FreeLibrary.KERNEL32(?), ref: 00438129
    • GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 0043813F
    • FreeLibrary.KERNEL32(?), ref: 00438153
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • LoadLibraryA.KERNEL32(gdiplus.dll), ref: 00B77FBA
    • GetProcAddress.KERNEL32(?,GdiplusStartup), ref: 00B77FD2
    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00B78011
    • CreateCompatibleDC.GDI32 ref: 00B78022
    • LoadCursorW.USER32(00000000,00007F00), ref: 00B78038
    • GetIconInfo.USER32 ref: 00B7804C
    • GetCursorPos.USER32(?), ref: 00B7805B
    • GetDeviceCaps.GDI32(?,00000008), ref: 00B78072
    • GetDeviceCaps.GDI32(?,0000000A), ref: 00B7807B
    • CreateCompatibleBitmap.GDI32(?,?), ref: 00B78087
    • SelectObject.GDI32 ref: 00B78095
    • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,40CC0020), ref: 00B780B6
    • DrawIcon.USER32(?,?,?,?), ref: 00B780E8
      • Part of subcall function 00B91285: GetProcAddress.KERNEL32(?,GdipCreateBitmapFromHBITMAP), ref: 00B9129A
      • Part of subcall function 00B91285: GetProcAddress.KERNEL32(?,GdipDisposeImage), ref: 00B912A5
    • SelectObject.GDI32(?,?), ref: 00B78104
    • DeleteObject.GDI32 ref: 00B7810B
    • DeleteDC.GDI32 ref: 00B78112
    • DeleteDC.GDI32 ref: 00B78119
    • FreeLibrary.KERNEL32(?), ref: 00B78129
    • GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 00B7813F
    • FreeLibrary.KERNEL32(?), ref: 00B78153
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
      • Part of subcall function 00B88432: CreateFileW.KERNEL32(01311EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B8844B
      • Part of subcall function 00B88432: GetFileSizeEx.KERNEL32 ref: 00B8845E
      • Part of subcall function 00B88432: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00B88484
      • Part of subcall function 00B88432: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00B8849C
      • Part of subcall function 00B88432: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00B884BA
      • Part of subcall function 00B88432: CloseHandle.KERNEL32 ref: 00B884C3
    • CreateMutexW.KERNEL32(00BA49B4,00000001), ref: 00B9B550
    • GetLastError.KERNEL32(?,38901130,?,00000001,?,?,00000001,?,?,?,00B9B8C7), ref: 00B9B560
    • CloseHandle.KERNEL32 ref: 00B9B56E
    • CloseHandle.KERNEL32 ref: 00B9B697
      • Part of subcall function 00B9AFE8: memcpy.MSVCRT ref: 00B9AFF8
    • lstrlenW.KERNEL32 ref: 00B9B5D0
      • Part of subcall function 00B75B9B: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00B75BC1
      • Part of subcall function 00B75B9B: Process32FirstW.KERNEL32 ref: 00B75BE6
      • Part of subcall function 00B75B9B: OpenProcess.KERNEL32(00000400,00000000,?), ref: 00B75C3D
      • Part of subcall function 00B75B9B: CloseHandle.KERNEL32 ref: 00B75C5B
      • Part of subcall function 00B75B9B: GetLengthSid.ADVAPI32 ref: 00B75C77
      • Part of subcall function 00B75B9B: memcmp.MSVCRT ref: 00B75C8F
      • Part of subcall function 00B75B9B: CloseHandle.KERNEL32(?), ref: 00B75D07
      • Part of subcall function 00B75B9B: Process32NextW.KERNEL32(?,?), ref: 00B75D13
      • Part of subcall function 00B75B9B: CloseHandle.KERNEL32 ref: 00B75D26
    • ExitWindowsEx.USER32(00000014,80000000), ref: 00B9B615
    • OpenEventW.KERNEL32(00000002,00000000), ref: 00B9B63B
    • SetEvent.KERNEL32 ref: 00B9B648
    • CloseHandle.KERNEL32 ref: 00B9B64F
    • Sleep.KERNEL32(00007530), ref: 00B9B674
      • Part of subcall function 00B7AF99: GetCurrentThread.KERNEL32 ref: 00B7AFAD
      • Part of subcall function 00B7AF99: OpenThreadToken.ADVAPI32 ref: 00B7AFB4
      • Part of subcall function 00B7AF99: GetCurrentProcess.KERNEL32 ref: 00B7AFC4
      • Part of subcall function 00B7AF99: OpenProcessToken.ADVAPI32 ref: 00B7AFCB
      • Part of subcall function 00B7AF99: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege), ref: 00B7AFEC
      • Part of subcall function 00B7AF99: AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 00B7B001
      • Part of subcall function 00B7AF99: GetLastError.KERNEL32 ref: 00B7B00B
      • Part of subcall function 00B7AF99: CloseHandle.KERNEL32(00000001), ref: 00B7B01C
    • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000001,80000000), ref: 00B9B68C
    • Sleep.KERNEL32(000000FF), ref: 00B9B694
    • IsWellKnownSid.ADVAPI32(01311EC0,00000016), ref: 00B9B6E5
    • CreateEventW.KERNEL32(00BA49B4,00000001,00000000), ref: 00B9B7B4
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B9B7CD
    • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,000000FF), ref: 00B9B7DF
    • CloseHandle.KERNEL32(00000000), ref: 00B9B7F6
    • CloseHandle.KERNEL32(?), ref: 00B9B7FC
    • CloseHandle.KERNEL32(?), ref: 00B9B802
      • Part of subcall function 00B7766D: ReleaseMutex.KERNEL32 ref: 00B77671
      • Part of subcall function 00B7766D: CloseHandle.KERNEL32 ref: 00B77678
      • Part of subcall function 00B81DFA: VirtualProtect.KERNEL32(00B796C7,?,00000040), ref: 00B81E12
      • Part of subcall function 00B81DFA: VirtualProtect.KERNEL32(00B796C7,?,?), ref: 00B81E85
      • Part of subcall function 00B796C7: FreeLibrary.KERNEL32(00000003), ref: 00B796B9
      • Part of subcall function 00B9BC89: memcpy.MSVCRT ref: 00B9BCA4
      • Part of subcall function 00B9BC89: StringFromGUID2.OLE32 ref: 00B9BD4A
      • Part of subcall function 00B79931: LoadLibraryW.KERNEL32 ref: 00B79953
      • Part of subcall function 00B79931: GetProcAddress.KERNEL32 ref: 00B79977
      • Part of subcall function 00B79931: SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001), ref: 00B799AF
      • Part of subcall function 00B79931: lstrlenW.KERNEL32 ref: 00B799C7
      • Part of subcall function 00B79931: StrCmpNIW.SHLWAPI ref: 00B799DB
      • Part of subcall function 00B79931: lstrlenW.KERNEL32 ref: 00B799F1
      • Part of subcall function 00B79931: memcpy.MSVCRT ref: 00B799FD
      • Part of subcall function 00B79931: FreeLibrary.KERNEL32 ref: 00B79A13
      • Part of subcall function 00B79931: NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,?,?,?), ref: 00B79A52
      • Part of subcall function 00B79931: NetUserGetInfo.NETAPI32(00000000,00000000,00000017), ref: 00B79A8E
      • Part of subcall function 00B79931: NetApiBufferFree.NETAPI32(?), ref: 00B79B39
      • Part of subcall function 00B79931: NetApiBufferFree.NETAPI32(00000000), ref: 00B79B4B
      • Part of subcall function 00B79931: SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001), ref: 00B79B6A
      • Part of subcall function 00B7B314: CharToOemW.USER32(01311EF0), ref: 00B7B325
      • Part of subcall function 00BA2AC0: GetCommandLineW.KERNEL32 ref: 00BA2ADA
      • Part of subcall function 00BA2AC0: CommandLineToArgvW.SHELL32 ref: 00BA2AE1
      • Part of subcall function 00BA2AC0: StrCmpNW.SHLWAPI(?,00B6CA4C,00000002), ref: 00BA2B07
      • Part of subcall function 00BA2AC0: LocalFree.KERNEL32 ref: 00BA2B33
      • Part of subcall function 00BA2AC0: MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,00001000), ref: 00BA2B70
      • Part of subcall function 00BA2AC0: memcpy.MSVCRT ref: 00BA2B83
      • Part of subcall function 00BA2AC0: UnmapViewOfFile.KERNEL32 ref: 00BA2BBC
      • Part of subcall function 00BA2AC0: memcpy.MSVCRT ref: 00BA2BDF
      • Part of subcall function 00BA2AC0: CloseHandle.KERNEL32 ref: 00BA2BF8
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
      • Part of subcall function 00B9C09D: CreateMutexW.KERNEL32(00BA49B4,00000000), ref: 00B9C0BF
      • Part of subcall function 00B7987E: memcpy.MSVCRT ref: 00B79894
      • Part of subcall function 00B7987E: memcmp.MSVCRT ref: 00B798B6
      • Part of subcall function 00B7987E: lstrcmpiW.KERNEL32(00000000,000000FF), ref: 00B7990F
      • Part of subcall function 00B884D3: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00B884E4
      • Part of subcall function 00B884D3: CloseHandle.KERNEL32 ref: 00B884F3
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 00B9B779
    • SeShutdownPrivilege, xrefs: 00B9B676
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004036E8
      • Part of subcall function 00402096: LoadLibraryA.KERNEL32(user32.dll), ref: 004020AE
      • Part of subcall function 00402096: GetProcAddress.KERNEL32(?,MessageBoxA), ref: 004020CA
      • Part of subcall function 00402096: GetProcAddress.KERNEL32(?,GetActiveWindow), ref: 004020DB
      • Part of subcall function 00402096: GetProcAddress.KERNEL32(?,GetLastActivePopup), ref: 004020E8
      • Part of subcall function 00402096: GetProcAddress.KERNEL32(?,GetUserObjectInformationA), ref: 004020FE
      • Part of subcall function 00402096: GetProcAddress.KERNEL32(?,GetProcessWindowStation), ref: 0040210F
    • LCMapStringW.KERNEL32(00000000,00000100,00492BE4,00000001,00000000,00000000), ref: 004037D6
    • GetLastError.KERNEL32 ref: 004037E8
    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000), ref: 0040386F
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?), ref: 004038F0
    • LCMapStringW.KERNEL32(?,?,?,?,00000000,00000000), ref: 0040390A
    • LCMapStringW.KERNEL32(?,?,?,?,?,?), ref: 00403945
    • LCMapStringW.KERNEL32(?,?,?,?,?), ref: 004039B9
    • WideCharToMultiByte.KERNEL32(?,00000000,?,?,?,?,00000000,00000000), ref: 004039DC
      • Part of subcall function 00404008: GetLocaleInfoA.KERNEL32(00000038,00001004,?,00000006), ref: 00404028
    • LCMapStringA.KERNEL32(?,?,?,?,00000000,00000000), ref: 00403A72
    • LCMapStringA.KERNEL32(?,?,?,?,?,?), ref: 00403AF3
    • LCMapStringA.KERNEL32(?,?,?,?,?,?), ref: 00403B4A
      • Part of subcall function 0040230E: HeapFree.KERNEL32(00000000,?,00492318,0000000C,00401F0C,?,?,?,00000000,?,00401E30,?,00491DB0,00000060), ref: 00402373
      • Part of subcall function 0040404B: GetCPInfo.KERNEL32(?,?), ref: 00404089
      • Part of subcall function 0040404B: GetCPInfo.KERNEL32(?,?), ref: 0040409C
      • Part of subcall function 0040404B: MultiByteToWideChar.KERNEL32(00000008,00000001,?,?,00000000,00000000), ref: 004040E1
      • Part of subcall function 0040404B: MultiByteToWideChar.KERNEL32(00000008,00000001,00000001,?,?,00000001), ref: 00404163
      • Part of subcall function 0040404B: WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 00404184
      • Part of subcall function 0040404B: WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 004041A5
      • Part of subcall function 0040404B: WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000001,00000000,00000000), ref: 004041CC
    Memory Dump Source
    • Source File: 00000003.00000000.254658263.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000000.254647752.00400000.00000002.sdmp
    • Associated: 00000003.00000000.254742621.00487000.00000002.sdmp
    • Associated: 00000003.00000000.254759473.00494000.00000008.sdmp
    • Associated: 00000003.00000000.254780696.004A1000.00000002.sdmp
    APIs
    • HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • LoadLibraryW.KERNEL32 ref: 00439953
    • GetProcAddress.KERNEL32 ref: 00439977
    • SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001), ref: 004399AF
    • lstrlenW.KERNEL32 ref: 004399C7
    • StrCmpNIW.SHLWAPI ref: 004399DB
    • lstrlenW.KERNEL32 ref: 004399F1
    • memcpy.MSVCRT ref: 004399FD
    • FreeLibrary.KERNEL32 ref: 00439A13
    • NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,?,?,?), ref: 00439A52
    • NetUserGetInfo.NETAPI32(00000000,00000000,00000017), ref: 00439A8E
      • Part of subcall function 0045B31B: ConvertSidToStringSidW.ADVAPI32(?,?), ref: 0045B32F
      • Part of subcall function 0045B31B: PathUnquoteSpacesW.SHLWAPI ref: 0045B394
      • Part of subcall function 0045B31B: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 0045B3A3
      • Part of subcall function 0045B31B: LocalFree.KERNEL32(00000001), ref: 0045B3B7
    • NetApiBufferFree.NETAPI32(?), ref: 00439B39
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00438FE0
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 00438FEA
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439033
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439060
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 0043906A
      • Part of subcall function 004390A3: PathSkipRootW.SHLWAPI ref: 004390CD
      • Part of subcall function 004390A3: GetFileAttributesW.KERNEL32(00000000), ref: 004390FA
      • Part of subcall function 004390A3: CreateDirectoryW.KERNEL32(?,00000000), ref: 0043910E
      • Part of subcall function 004390A3: SetLastError.KERNEL32(00000050,?,?,00000000), ref: 00439131
      • Part of subcall function 00439583: LoadLibraryW.KERNEL32 ref: 004395A7
      • Part of subcall function 00439583: GetProcAddress.KERNEL32 ref: 004395D5
      • Part of subcall function 00439583: GetProcAddress.KERNEL32 ref: 004395EF
      • Part of subcall function 00439583: GetProcAddress.KERNEL32 ref: 0043960B
      • Part of subcall function 00439583: WTSGetActiveConsoleSessionId.KERNEL32 ref: 00439638
      • Part of subcall function 00439583: FreeLibrary.KERNEL32(00000003), ref: 004396B9
    • NetApiBufferFree.NETAPI32(00000000), ref: 00439B4B
    • SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001), ref: 00439B6A
      • Part of subcall function 0045038C: CreateDirectoryW.KERNEL32(?,00000000), ref: 00450405
      • Part of subcall function 0045038C: SetFileAttributesW.KERNEL32(?), ref: 00450424
      • Part of subcall function 0045038C: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,?,00000000), ref: 0045043B
      • Part of subcall function 0045038C: GetLastError.KERNEL32 ref: 00450448
      • Part of subcall function 0045038C: CloseHandle.KERNEL32 ref: 00450481
      • Part of subcall function 0046258D: GetFileSizeEx.KERNEL32(00000000), ref: 004625C4
      • Part of subcall function 0046258D: SetEndOfFile.KERNEL32 ref: 0046263A
      • Part of subcall function 0046258D: FlushFileBuffers.KERNEL32(?), ref: 00462645
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • LoadLibraryW.KERNEL32 ref: 00B79953
    • GetProcAddress.KERNEL32 ref: 00B79977
    • SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001), ref: 00B799AF
    • lstrlenW.KERNEL32 ref: 00B799C7
    • StrCmpNIW.SHLWAPI ref: 00B799DB
    • lstrlenW.KERNEL32 ref: 00B799F1
    • memcpy.MSVCRT ref: 00B799FD
    • FreeLibrary.KERNEL32 ref: 00B79A13
    • NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,?,?,?), ref: 00B79A52
    • NetUserGetInfo.NETAPI32(00000000,00000000,00000017), ref: 00B79A8E
      • Part of subcall function 00B9B31B: ConvertSidToStringSidW.ADVAPI32(?,?), ref: 00B9B32F
      • Part of subcall function 00B9B31B: PathUnquoteSpacesW.SHLWAPI ref: 00B9B394
      • Part of subcall function 00B9B31B: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00B9B3A3
      • Part of subcall function 00B9B31B: LocalFree.KERNEL32(00000001), ref: 00B9B3B7
    • NetApiBufferFree.NETAPI32(?), ref: 00B79B39
      • Part of subcall function 00B78F6F: memcpy.MSVCRT ref: 00B78FE0
      • Part of subcall function 00B78F6F: PathRemoveBackslashW.SHLWAPI ref: 00B78FEA
      • Part of subcall function 00B78F6F: memcpy.MSVCRT ref: 00B79033
      • Part of subcall function 00B78F6F: memcpy.MSVCRT ref: 00B79060
      • Part of subcall function 00B78F6F: PathRemoveBackslashW.SHLWAPI ref: 00B7906A
      • Part of subcall function 00B790A3: PathSkipRootW.SHLWAPI ref: 00B790CD
      • Part of subcall function 00B790A3: GetFileAttributesW.KERNEL32(00000000), ref: 00B790FA
      • Part of subcall function 00B790A3: CreateDirectoryW.KERNEL32(?,00000000), ref: 00B7910E
      • Part of subcall function 00B790A3: SetLastError.KERNEL32(00000050,?,?,00000000), ref: 00B79131
      • Part of subcall function 00B79583: LoadLibraryW.KERNEL32 ref: 00B795A7
      • Part of subcall function 00B79583: GetProcAddress.KERNEL32 ref: 00B795D5
      • Part of subcall function 00B79583: GetProcAddress.KERNEL32 ref: 00B795EF
      • Part of subcall function 00B79583: GetProcAddress.KERNEL32 ref: 00B7960B
      • Part of subcall function 00B79583: WTSGetActiveConsoleSessionId.KERNEL32 ref: 00B79638
      • Part of subcall function 00B79583: FreeLibrary.KERNEL32(00000003), ref: 00B796B9
    • NetApiBufferFree.NETAPI32(00000000), ref: 00B79B4B
    • SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001), ref: 00B79B6A
      • Part of subcall function 00B9038C: CreateDirectoryW.KERNEL32(?,00000000), ref: 00B90405
      • Part of subcall function 00B9038C: SetFileAttributesW.KERNEL32(?), ref: 00B90424
      • Part of subcall function 00B9038C: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,?,00000000), ref: 00B9043B
      • Part of subcall function 00B9038C: GetLastError.KERNEL32 ref: 00B90448
      • Part of subcall function 00B9038C: CloseHandle.KERNEL32 ref: 00B90481
      • Part of subcall function 00BA258D: GetFileSizeEx.KERNEL32(00000000), ref: 00BA25C4
      • Part of subcall function 00BA258D: SetEndOfFile.KERNEL32 ref: 00BA263A
      • Part of subcall function 00BA258D: FlushFileBuffers.KERNEL32(?), ref: 00BA2645
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • GetModuleHandleW.KERNEL32(00000000), ref: 00B9ACF4
      • Part of subcall function 00B9D1E0: InitializeCriticalSection.KERNEL32(00BA5AA4), ref: 00B9D207
      • Part of subcall function 00B9D1E0: InitializeCriticalSection.KERNEL32 ref: 00B9D218
      • Part of subcall function 00B9D1E0: memset.MSVCRT ref: 00B9D229
      • Part of subcall function 00B9D1E0: TlsAlloc.KERNEL32(?,?,00000000,?,?,00000001), ref: 00B9D240
      • Part of subcall function 00B9D1E0: GetModuleHandleW.KERNEL32(00000000), ref: 00B9D25C
      • Part of subcall function 00B9D1E0: GetModuleHandleW.KERNEL32 ref: 00B9D272
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00B9AD59
    • Process32FirstW.KERNEL32 ref: 00B9AD74
    • PathFindFileNameW.SHLWAPI ref: 00B9AD87
    • StrCmpNIW.SHLWAPI(rapport,?,00000007), ref: 00B9AD99
    • Process32NextW.KERNEL32(?,?), ref: 00B9ADA9
    • CloseHandle.KERNEL32 ref: 00B9ADB4
    • WSAStartup.WS2_32(00000202), ref: 00B9ADC4
    • CreateEventW.KERNEL32(00BA49B4,00000001,00000000,00000000), ref: 00B9ADEC
      • Part of subcall function 00B7AEE3: OpenProcessToken.ADVAPI32(?,00000008), ref: 00B7AEF5
      • Part of subcall function 00B7AEE3: GetTokenInformation.ADVAPI32(?,0000000C,00BA49A8,00000004), ref: 00B7AF1D
      • Part of subcall function 00B7AEE3: CloseHandle.KERNEL32(?), ref: 00B7AF33
    • GetLengthSid.ADVAPI32(?,?,?,?,00000001), ref: 00B9AE22
      • Part of subcall function 00B9AA9A: GetTempPathW.KERNEL32(00000104), ref: 00B9AAB7
      • Part of subcall function 00B9AA9A: GetLongPathNameW.KERNEL32(?,C:\Documents and Settings\Administrator\Local Settings\Temp,00000104,?,?), ref: 00B9AACF
      • Part of subcall function 00B9AA9A: PathRemoveBackslashW.SHLWAPI(C:\Documents and Settings\Administrator\Local Settings\Temp), ref: 00B9AADA
      • Part of subcall function 00B9AA9A: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?), ref: 00B9AB00
    • GetCurrentProcessId.KERNEL32 ref: 00B9AE4D
      • Part of subcall function 00B9AB23: SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000), ref: 00B9AB64
      • Part of subcall function 00B9AB23: lstrcmpiW.KERNEL32 ref: 00B9AB93
      • Part of subcall function 00B9ABBF: lstrcatW.KERNEL32(?,.dat), ref: 00B9AC32
      • Part of subcall function 00B9ABBF: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B9AC57
      • Part of subcall function 00B9ABBF: ReadFile.KERNEL32(?,?,000001FE,?,00000000), ref: 00B9AC75
      • Part of subcall function 00B9ABBF: CloseHandle.KERNEL32 ref: 00B9AC82
      • Part of subcall function 00B8C8A1: IsBadReadPtr.KERNEL32 ref: 00B8C8E0
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • GetProcAddress.KERNEL32(0045FEC7), ref: 0045F8AB
    • GetProcAddress.KERNEL32(0045FEC7), ref: 0045F8CB
    • GetProcAddress.KERNEL32(0045FEC7), ref: 0045F8E4
    • GetProcAddress.KERNEL32(0045FEC7), ref: 0045F8FD
    • GetProcAddress.KERNEL32(0045FEC7), ref: 0045F916
    • GetProcAddress.KERNEL32(0045FEC7), ref: 0045F92F
    • GetProcAddress.KERNEL32(0045FEC7), ref: 0045F94C
    • GetProcAddress.KERNEL32(0045FEC7), ref: 0045F969
    • GetProcAddress.KERNEL32(0045FEC7), ref: 0045F986
    • GetProcAddress.KERNEL32(0045FEC7,?), ref: 0045F9A3
    • GetProcAddress.KERNEL32(0045FEC7), ref: 0045F9C0
    • GetProcAddress.KERNEL32(0045FEC7), ref: 0045F9DD
    • GetProcAddress.KERNEL32(0045FEC7), ref: 0045F9FA
    • GetProcAddress.KERNEL32(0045FEC7), ref: 0045FA17
    • GetProcAddress.KERNEL32(0045FEC7), ref: 0045FA34
    • GetProcAddress.KERNEL32(0045FEC7), ref: 0045FA51
    • GetProcAddress.KERNEL32(0045FEC7), ref: 0045FA6E
    • GetProcAddress.KERNEL32(0045FEC7), ref: 0045FA8B
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • GetProcAddress.KERNEL32(00B9FEC7), ref: 00B9F8AB
    • GetProcAddress.KERNEL32(00B9FEC7), ref: 00B9F8CB
    • GetProcAddress.KERNEL32(00B9FEC7), ref: 00B9F8E4
    • GetProcAddress.KERNEL32(00B9FEC7), ref: 00B9F8FD
    • GetProcAddress.KERNEL32(00B9FEC7), ref: 00B9F916
    • GetProcAddress.KERNEL32(00B9FEC7), ref: 00B9F92F
    • GetProcAddress.KERNEL32(00B9FEC7), ref: 00B9F94C
    • GetProcAddress.KERNEL32(00B9FEC7), ref: 00B9F969
    • GetProcAddress.KERNEL32(00B9FEC7), ref: 00B9F986
    • GetProcAddress.KERNEL32(00B9FEC7,?), ref: 00B9F9A3
    • GetProcAddress.KERNEL32(00B9FEC7), ref: 00B9F9C0
    • GetProcAddress.KERNEL32(00B9FEC7), ref: 00B9F9DD
    • GetProcAddress.KERNEL32(00B9FEC7), ref: 00B9F9FA
    • GetProcAddress.KERNEL32(00B9FEC7), ref: 00B9FA17
    • GetProcAddress.KERNEL32(00B9FEC7), ref: 00B9FA34
    • GetProcAddress.KERNEL32(00B9FEC7), ref: 00B9FA51
    • GetProcAddress.KERNEL32(00B9FEC7), ref: 00B9FA6E
    • GetProcAddress.KERNEL32(00B9FEC7), ref: 00B9FA8B
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • LoadLibraryA.KERNEL32(user32.dll), ref: 004020AE
    • GetProcAddress.KERNEL32(?,MessageBoxA), ref: 004020CA
    • GetProcAddress.KERNEL32(?,GetActiveWindow), ref: 004020DB
    • GetProcAddress.KERNEL32(?,GetLastActivePopup), ref: 004020E8
    • GetProcAddress.KERNEL32(?,GetUserObjectInformationA), ref: 004020FE
    • GetProcAddress.KERNEL32(?,GetProcessWindowStation), ref: 0040210F
    Memory Dump Source
    • Source File: 00000003.00000000.254658263.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000000.254647752.00400000.00000002.sdmp
    • Associated: 00000003.00000000.254742621.00487000.00000002.sdmp
    • Associated: 00000003.00000000.254759473.00494000.00000008.sdmp
    • Associated: 00000003.00000000.254780696.004A1000.00000002.sdmp
    APIs
    • LoadLibraryA.KERNEL32(userenv.dll), ref: 0043B1EE
    • GetProcAddress.KERNEL32(?,CreateEnvironmentBlock), ref: 0043B20C
    • GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 0043B218
    • memset.MSVCRT ref: 0043B258
    • CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,00000000), ref: 0043B2A5
    • CloseHandle.KERNEL32(?), ref: 0043B2B9
    • CloseHandle.KERNEL32(?), ref: 0043B2BF
    • FreeLibrary.KERNEL32 ref: 0043B2D3
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • LoadLibraryA.KERNEL32(userenv.dll), ref: 00B7B1EE
    • GetProcAddress.KERNEL32(?,CreateEnvironmentBlock), ref: 00B7B20C
    • GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 00B7B218
    • memset.MSVCRT ref: 00B7B258
    • CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,00000000), ref: 00B7B2A5
    • CloseHandle.KERNEL32(?), ref: 00B7B2B9
    • CloseHandle.KERNEL32(?), ref: 00B7B2BF
    • FreeLibrary.KERNEL32 ref: 00B7B2D3
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00401D5E
    • GetProcAddress.KERNEL32(?,FlsAlloc), ref: 00401D76
    • GetProcAddress.KERNEL32(?,FlsGetValue), ref: 00401D83
    • GetProcAddress.KERNEL32(?,FlsSetValue), ref: 00401D90
    • GetProcAddress.KERNEL32(?,FlsFree), ref: 00401D9D
    • GetCurrentThreadId.KERNEL32 ref: 00401E1B
      • Part of subcall function 00401B71: DeleteCriticalSection.KERNEL32(?,?,00000000,?,00401E30,?,00491DB0,00000060), ref: 00401F04
      • Part of subcall function 00401B71: DeleteCriticalSection.KERNEL32(?,00000000,?,00401E30,?,00491DB0,00000060), ref: 00401F2E
      • Part of subcall function 004024C3: HeapAlloc.KERNEL32(00000008,?,00492370,00000010,00401BB6,00000001,0000008C,?,00000000,004033DA,00401FB5,?,00492268,00000008,0040200C,?), ref: 00402545
    Memory Dump Source
    • Source File: 00000003.00000000.254658263.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000000.254647752.00400000.00000002.sdmp
    • Associated: 00000003.00000000.254742621.00487000.00000002.sdmp
    • Associated: 00000003.00000000.254759473.00494000.00000008.sdmp
    • Associated: 00000003.00000000.254780696.004A1000.00000002.sdmp
    APIs
      • Part of subcall function 0044D189: lstrlenW.KERNEL32 ref: 0044D190
      • Part of subcall function 0044D189: memcpy.MSVCRT ref: 0044D21E
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • getpeername.WS2_32 ref: 0043A254
      • Part of subcall function 0043C091: memcmp.MSVCRT ref: 0043C0B3
      • Part of subcall function 00439E88: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00439E9D
      • Part of subcall function 00439E88: StrCmpIW.SHLWAPI ref: 00439EA7
      • Part of subcall function 0043B764: EnterCriticalSection.KERNEL32(00465AA4,?,0043B826,?,0045C86A,0044C4AB,0044C4AB,?,0044C4AB,?,00000001), ref: 0043B774
      • Part of subcall function 0043B764: LeaveCriticalSection.KERNEL32(00465AA4,?,0043B826,?,0045C86A,0044C4AB,0044C4AB,?,0044C4AB,?,00000001), ref: 0043B79E
    • WSAAddressToStringW.WS2_32(?,?,00000000), ref: 0043A2CC
    • lstrcpyW.KERNEL32(?,0:0), ref: 0043A2E0
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B8D189: lstrlenW.KERNEL32 ref: 00B8D190
      • Part of subcall function 00B8D189: memcpy.MSVCRT ref: 00B8D21E
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
    • getpeername.WS2_32 ref: 00B7A254
      • Part of subcall function 00B7C091: memcmp.MSVCRT ref: 00B7C0B3
      • Part of subcall function 00B79E88: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00B79E9D
      • Part of subcall function 00B79E88: StrCmpIW.SHLWAPI ref: 00B79EA7
      • Part of subcall function 00B7B764: EnterCriticalSection.KERNEL32(00BA5AA4,?,00B7B826,?,00B9C86A,00B8C4AB,00B8C4AB,?,00B8C4AB,?,00000001), ref: 00B7B774
      • Part of subcall function 00B7B764: LeaveCriticalSection.KERNEL32(00BA5AA4,?,00B7B826,?,00B9C86A,00B8C4AB,00B8C4AB,?,00B8C4AB,?,00000001), ref: 00B7B79E
    • WSAAddressToStringW.WS2_32(?,?,00000000), ref: 00B7A2CC
    • lstrcpyW.KERNEL32(?,0:0), ref: 00B7A2E0
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
      • Part of subcall function 00455947: GetTempPathW.KERNEL32(00000104,?), ref: 00455962
      • Part of subcall function 00455947: PathAddBackslashW.SHLWAPI(?), ref: 0045598C
      • Part of subcall function 00455947: CreateDirectoryW.KERNEL32(?), ref: 00455A44
      • Part of subcall function 00455947: SetFileAttributesW.KERNEL32(?), ref: 00455A55
      • Part of subcall function 00455947: CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 00455A6E
      • Part of subcall function 00455947: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000080,?,?,00000000), ref: 00455A7F
    • CharToOemW.USER32 ref: 0043B3AB
    • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 0043B3E2
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • CloseHandle.KERNEL32(000000FF), ref: 0043B40A
    • GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104), ref: 0043B44C
    • memset.MSVCRT ref: 0043B461
    • CloseHandle.KERNEL32(000000FF), ref: 0043B49C
      • Part of subcall function 00455E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00455E26
      • Part of subcall function 00455E1D: DeleteFileW.KERNEL32 ref: 00455E2D
      • Part of subcall function 00455934: CloseHandle.KERNEL32 ref: 00455940
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B95947: GetTempPathW.KERNEL32(00000104,?), ref: 00B95962
      • Part of subcall function 00B95947: PathAddBackslashW.SHLWAPI(?), ref: 00B9598C
      • Part of subcall function 00B95947: CreateDirectoryW.KERNEL32(?), ref: 00B95A44
      • Part of subcall function 00B95947: SetFileAttributesW.KERNEL32(?), ref: 00B95A55
      • Part of subcall function 00B95947: CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 00B95A6E
      • Part of subcall function 00B95947: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000080,?,?,00000000), ref: 00B95A7F
    • CharToOemW.USER32 ref: 00B7B3AB
    • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 00B7B3E2
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
    • CloseHandle.KERNEL32(000000FF), ref: 00B7B40A
    • GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104), ref: 00B7B44C
    • memset.MSVCRT ref: 00B7B461
    • CloseHandle.KERNEL32(000000FF), ref: 00B7B49C
      • Part of subcall function 00B95E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00B95E26
      • Part of subcall function 00B95E1D: DeleteFileW.KERNEL32 ref: 00B95E2D
      • Part of subcall function 00B95934: CloseHandle.KERNEL32 ref: 00B95940
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • LoadLibraryW.KERNEL32(cabinet.dll), ref: 00451A66
      • Part of subcall function 004424DA: HeapAlloc.KERNEL32(00000008,?,?,0043B076,?,?,?,00000000,?,?,00000000,0045AA69,?,0045ADD5), ref: 004424EB
    • GetProcAddress.KERNEL32(?,FCICreate), ref: 00451A95
    • GetProcAddress.KERNEL32(?,FCIAddFile), ref: 00451AA4
    • GetProcAddress.KERNEL32(?,FCIFlushCabinet), ref: 00451AB3
    • GetProcAddress.KERNEL32(?,FCIDestroy), ref: 00451AC2
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • FreeLibrary.KERNEL32 ref: 00451AF7
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • LoadLibraryW.KERNEL32(cabinet.dll), ref: 00B91A66
      • Part of subcall function 00B824DA: HeapAlloc.KERNEL32(00000008,?,?,00B7B076,?,?,?,00000000,?,?,00000000,00B9AA69,?,00B9ADD5), ref: 00B824EB
    • GetProcAddress.KERNEL32(?,FCICreate), ref: 00B91A95
    • GetProcAddress.KERNEL32(?,FCIAddFile), ref: 00B91AA4
    • GetProcAddress.KERNEL32(?,FCIFlushCabinet), ref: 00B91AB3
    • GetProcAddress.KERNEL32(?,FCIDestroy), ref: 00B91AC2
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
    • FreeLibrary.KERNEL32 ref: 00B91AF7
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
      • Part of subcall function 004484FB: memchr.MSVCRT ref: 0044853B
      • Part of subcall function 004484FB: memcmp.MSVCRT ref: 0044855A
    • VirtualProtect.KERNEL32(?,?,00000080,?), ref: 0044BC21
    • VirtualProtect.KERNEL32(?,?,00000000,?), ref: 0044BD99
      • Part of subcall function 00442633: memcmp.MSVCRT ref: 00442653
      • Part of subcall function 004425A7: memcpy.MSVCRT ref: 004425C6
    • GetCurrentThread.KERNEL32 ref: 0044BCBE
    • GetThreadPriority.KERNEL32 ref: 0044BCC7
    • SetThreadPriority.KERNEL32(?,0000000F), ref: 0044BCD2
    • Sleep.KERNEL32(00000000), ref: 0044BCDA
    • memcpy.MSVCRT ref: 0044BCE9
    • FlushInstructionCache.KERNEL32(000000FF,?,?), ref: 0044BCFA
    • SetThreadPriority.KERNEL32 ref: 0044BD02
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • GetTickCount.KERNEL32 ref: 0044BD3C
    • GetTickCount.KERNEL32 ref: 0044BD4F
    • Sleep.KERNEL32(00000000), ref: 0044BD61
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B884FB: memchr.MSVCRT ref: 00B8853B
      • Part of subcall function 00B884FB: memcmp.MSVCRT ref: 00B8855A
    • VirtualProtect.KERNEL32(?,?,00000080,?), ref: 00B8BC21
    • VirtualProtect.KERNEL32(?,?,00000000,?), ref: 00B8BD99
      • Part of subcall function 00B82633: memcmp.MSVCRT ref: 00B82653
      • Part of subcall function 00B825A7: memcpy.MSVCRT ref: 00B825C6
    • GetCurrentThread.KERNEL32 ref: 00B8BCBE
    • GetThreadPriority.KERNEL32 ref: 00B8BCC7
    • SetThreadPriority.KERNEL32(?,0000000F), ref: 00B8BCD2
    • Sleep.KERNEL32(00000000), ref: 00B8BCDA
    • memcpy.MSVCRT ref: 00B8BCE9
    • FlushInstructionCache.KERNEL32(000000FF,?,?), ref: 00B8BCFA
    • SetThreadPriority.KERNEL32 ref: 00B8BD02
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
    • GetTickCount.KERNEL32 ref: 00B8BD3C
    • GetTickCount.KERNEL32 ref: 00B8BD4F
    • Sleep.KERNEL32(00000000), ref: 00B8BD61
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • Sleep.KERNEL32(00003A98), ref: 0044952D
      • Part of subcall function 00438C74: InitializeCriticalSection.KERNEL32 ref: 00438C7B
    • InitializeCriticalSection.KERNEL32 ref: 00449591
    • memset.MSVCRT ref: 004495A8
    • InitializeCriticalSection.KERNEL32 ref: 004495C2
      • Part of subcall function 0044AAA2: memset.MSVCRT ref: 0044AAB9
      • Part of subcall function 0044AAA2: memset.MSVCRT ref: 0044AB8D
    • InitializeCriticalSection.KERNEL32 ref: 0044961C
    • memset.MSVCRT ref: 00449627
    • memset.MSVCRT ref: 00449635
      • Part of subcall function 00446431: EnterCriticalSection.KERNEL32(?,?,00000000,?,?,0000002C), ref: 00446531
      • Part of subcall function 00446431: LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,?,?,0000002C), ref: 00446572
      • Part of subcall function 00446431: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00446581
      • Part of subcall function 00446431: SetEvent.KERNEL32 ref: 00446591
      • Part of subcall function 00446431: GetExitCodeThread.KERNEL32 ref: 004465A5
      • Part of subcall function 00446431: CloseHandle.KERNEL32 ref: 004465BB
      • Part of subcall function 00448626: getsockopt.WS2_32(?,0000FFFF,00001008,00429417,00429417), ref: 004486B2
      • Part of subcall function 00448626: GetHandleInformation.KERNEL32 ref: 004486C4
      • Part of subcall function 00448626: socket.WS2_32(?,00000001,00000006), ref: 004486F7
      • Part of subcall function 00448626: socket.WS2_32(?,00000002,00000011), ref: 00448708
      • Part of subcall function 00448626: closesocket.WS2_32(?), ref: 00448727
      • Part of subcall function 00448626: closesocket.WS2_32 ref: 0044872E
      • Part of subcall function 00448626: memset.MSVCRT ref: 004487F2
      • Part of subcall function 00448626: memcpy.MSVCRT ref: 00448902
      • Part of subcall function 004424C1: HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
    • WaitForMultipleObjects.KERNEL32(?,?,00000000,0000EA60), ref: 004496AB
      • Part of subcall function 00438CBF: EnterCriticalSection.KERNEL32(?,?,?,00442B51,00000005,00007530,?,00000000,00000000), ref: 00438CC7
      • Part of subcall function 00438CBF: WaitForSingleObject.KERNEL32(?,00000000), ref: 00438CEB
      • Part of subcall function 00438CBF: CloseHandle.KERNEL32 ref: 00438CFB
      • Part of subcall function 00438CBF: LeaveCriticalSection.KERNEL32(?,?,?,?,00442B51,00000005,00007530,?,00000000,00000000), ref: 00438D2B
      • Part of subcall function 00448A6A: EnterCriticalSection.KERNEL32(?,?,?,77C475F0), ref: 00448A9B
      • Part of subcall function 00448A6A: WSAGetLastError.WS2_32(?,?,?,?,?,?,?,77C475F0), ref: 00448B2D
      • Part of subcall function 00448A6A: SetEvent.KERNEL32 ref: 00448B80
      • Part of subcall function 00448A6A: SetEvent.KERNEL32 ref: 00448BB9
      • Part of subcall function 00448A6A: LeaveCriticalSection.KERNEL32(?,?,?,?,77C475F0), ref: 00448C3E
      • Part of subcall function 00437D03: EnterCriticalSection.KERNEL32(?,?,?,?,?,0044979E,?,?,?,00000001), ref: 00437D24
      • Part of subcall function 00437D03: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,0044979E,?,?,?,00000001), ref: 00437D40
      • Part of subcall function 004358AE: memset.MSVCRT ref: 004359CD
      • Part of subcall function 004358AE: memcpy.MSVCRT ref: 004359E0
      • Part of subcall function 004358AE: memcpy.MSVCRT ref: 004359F6
      • Part of subcall function 0043BD24: accept.WS2_32(?,?), ref: 0043BD45
      • Part of subcall function 0043BD24: WSAEventSelect.WS2_32(?,00000000,00000000), ref: 0043BD57
      • Part of subcall function 0043BD24: WSAGetLastError.WS2_32(00000023,?,00000000,00000000,?,?), ref: 0043BD88
      • Part of subcall function 0043BD24: shutdown.WS2_32(?,00000002), ref: 0043BDA0
      • Part of subcall function 0043BD24: closesocket.WS2_32 ref: 0043BDA7
      • Part of subcall function 0043BD24: WSASetLastError.WS2_32(00000008,?,?,00000002,?,00000000,00000000,?,?), ref: 0043BDAE
      • Part of subcall function 00448C4C: EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,?,?,0044984D,?,?,00000000,?,?,00000590), ref: 00448C7F
      • Part of subcall function 00448C4C: memcmp.MSVCRT ref: 00448CCD
      • Part of subcall function 00448C4C: SetEvent.KERNEL32 ref: 00448D0E
      • Part of subcall function 00448C4C: LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,?,?,0044984D,?,?,00000000,?,?,00000590), ref: 00448D3B
      • Part of subcall function 00438DE6: EnterCriticalSection.KERNEL32(009B21B4,?,?,?,0045B2F2,?,?,00000001), ref: 00438DEF
      • Part of subcall function 00438DE6: LeaveCriticalSection.KERNEL32(009B21B4,?,?,?,0045B2F2,?,?,00000001), ref: 00438DF9
      • Part of subcall function 00438DE6: WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00438E1F
      • Part of subcall function 00438DE6: EnterCriticalSection.KERNEL32(009B21B4,?,?,?,0045B2F2,?,?,00000001), ref: 00438E37
      • Part of subcall function 00438DE6: LeaveCriticalSection.KERNEL32(009B21B4,?,?,?,0045B2F2,?,?,00000001), ref: 00438E41
    • CloseHandle.KERNEL32(00000000), ref: 004498AA
    • CloseHandle.KERNEL32(00000000), ref: 004498B7
      • Part of subcall function 00446865: EnterCriticalSection.KERNEL32(?,?,00000000,?,00446B6E,00000064,00000000,000000C8,00000000,?,00000001,?,0000002C), ref: 0044686E
      • Part of subcall function 00446865: LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00446B6E,00000064,00000000,000000C8,00000000,?,00000001,?,0000002C), ref: 004468A5
    • DeleteCriticalSection.KERNEL32 ref: 004498CD
      • Part of subcall function 0044ABB8: memset.MSVCRT ref: 0044ABC8
    • DeleteCriticalSection.KERNEL32 ref: 004498EC
    • CloseHandle.KERNEL32(00000000), ref: 004498F9
    • DeleteCriticalSection.KERNEL32 ref: 00449903
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 00438C8F: CloseHandle.KERNEL32 ref: 00438C9F
      • Part of subcall function 00438C8F: DeleteCriticalSection.KERNEL32(?,?,009B21A8,0045B303,?,?,00000001), ref: 00438CB6
      • Part of subcall function 004494FB: WaitForSingleObject.KERNEL32(?,00000000), ref: 00449503
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • Sleep.KERNEL32(00003A98), ref: 00B8952D
      • Part of subcall function 00B78C74: InitializeCriticalSection.KERNEL32 ref: 00B78C7B
    • InitializeCriticalSection.KERNEL32 ref: 00B89591
    • memset.MSVCRT ref: 00B895A8
    • InitializeCriticalSection.KERNEL32 ref: 00B895C2
      • Part of subcall function 00B8AAA2: memset.MSVCRT ref: 00B8AAB9
      • Part of subcall function 00B8AAA2: memset.MSVCRT ref: 00B8AB8D
    • InitializeCriticalSection.KERNEL32 ref: 00B8961C
    • memset.MSVCRT ref: 00B89627
    • memset.MSVCRT ref: 00B89635
      • Part of subcall function 00B86431: EnterCriticalSection.KERNEL32(?,?,00000000,?,?,0000002C), ref: 00B86531
      • Part of subcall function 00B86431: LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,?,?,0000002C), ref: 00B86572
      • Part of subcall function 00B86431: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B86581
      • Part of subcall function 00B86431: SetEvent.KERNEL32 ref: 00B86591
      • Part of subcall function 00B86431: GetExitCodeThread.KERNEL32 ref: 00B865A5
      • Part of subcall function 00B86431: CloseHandle.KERNEL32 ref: 00B865BB
      • Part of subcall function 00B88626: getsockopt.WS2_32(?,0000FFFF,00001008,00B69417,00B69417), ref: 00B886B2
      • Part of subcall function 00B88626: GetHandleInformation.KERNEL32 ref: 00B886C4
      • Part of subcall function 00B88626: socket.WS2_32(?,00000001,00000006), ref: 00B886F7
      • Part of subcall function 00B88626: socket.WS2_32(?,00000002,00000011), ref: 00B88708
      • Part of subcall function 00B88626: closesocket.WS2_32(?), ref: 00B88727
      • Part of subcall function 00B88626: closesocket.WS2_32 ref: 00B8872E
      • Part of subcall function 00B88626: memset.MSVCRT ref: 00B887F2
      • Part of subcall function 00B88626: memcpy.MSVCRT ref: 00B88902
      • Part of subcall function 00B824C1: HeapAlloc.KERNEL32(00000000,00000028,?,00B9D211,?,?,00000000,?,?,00000001), ref: 00B824D2
    • WaitForMultipleObjects.KERNEL32(?,?,00000000,0000EA60), ref: 00B896AB
      • Part of subcall function 00B78CBF: EnterCriticalSection.KERNEL32(?,?,?,00B82B51,00000005,00007530,?,00000000,00000000), ref: 00B78CC7
      • Part of subcall function 00B78CBF: WaitForSingleObject.KERNEL32(?,00000000), ref: 00B78CEB
      • Part of subcall function 00B78CBF: CloseHandle.KERNEL32 ref: 00B78CFB
      • Part of subcall function 00B78CBF: LeaveCriticalSection.KERNEL32(?,?,?,?,00B82B51,00000005,00007530,?,00000000,00000000), ref: 00B78D2B
      • Part of subcall function 00B88A6A: EnterCriticalSection.KERNEL32(?,?,?,77C475F0), ref: 00B88A9B
      • Part of subcall function 00B88A6A: WSAGetLastError.WS2_32(?,?,?,?,?,?,?,77C475F0), ref: 00B88B2D
      • Part of subcall function 00B88A6A: SetEvent.KERNEL32 ref: 00B88B80
      • Part of subcall function 00B88A6A: SetEvent.KERNEL32 ref: 00B88BB9
      • Part of subcall function 00B88A6A: LeaveCriticalSection.KERNEL32(?,?,?,?,77C475F0), ref: 00B88C3E
      • Part of subcall function 00B77D03: EnterCriticalSection.KERNEL32(?,?,?,?,?,00B8979E,?,?,?,00000001), ref: 00B77D24
      • Part of subcall function 00B77D03: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,00B8979E,?,?,?,00000001), ref: 00B77D40
      • Part of subcall function 00B758AE: memset.MSVCRT ref: 00B759CD
      • Part of subcall function 00B758AE: memcpy.MSVCRT ref: 00B759E0
      • Part of subcall function 00B758AE: memcpy.MSVCRT ref: 00B759F6
      • Part of subcall function 00B7BD24: accept.WS2_32(?,?), ref: 00B7BD45
      • Part of subcall function 00B7BD24: WSAEventSelect.WS2_32(?,00000000,00000000), ref: 00B7BD57
      • Part of subcall function 00B7BD24: WSAGetLastError.WS2_32(00000023,?,00000000,00000000,?,?), ref: 00B7BD88
      • Part of subcall function 00B7BD24: shutdown.WS2_32(?,00000002), ref: 00B7BDA0
      • Part of subcall function 00B7BD24: closesocket.WS2_32 ref: 00B7BDA7
      • Part of subcall function 00B7BD24: WSASetLastError.WS2_32(00000008,?,?,00000002,?,00000000,00000000,?,?), ref: 00B7BDAE
      • Part of subcall function 00B88C4C: EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,?,?,00B8984D,?,?,00000000,?,?,00000590), ref: 00B88C7F
      • Part of subcall function 00B88C4C: memcmp.MSVCRT ref: 00B88CCD
      • Part of subcall function 00B88C4C: SetEvent.KERNEL32 ref: 00B88D0E
      • Part of subcall function 00B88C4C: LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,?,?,00B8984D,?,?,00000000,?,?,00000590), ref: 00B88D3B
      • Part of subcall function 00B78DE6: EnterCriticalSection.KERNEL32(01312054,?,?,?,00B9B2F2,?,?,00000001), ref: 00B78DEF
      • Part of subcall function 00B78DE6: LeaveCriticalSection.KERNEL32(01312054,?,?,?,00B9B2F2,?,?,00000001), ref: 00B78DF9
      • Part of subcall function 00B78DE6: WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00B78E1F
      • Part of subcall function 00B78DE6: EnterCriticalSection.KERNEL32(01312054,?,?,?,00B9B2F2,?,?,00000001), ref: 00B78E37
      • Part of subcall function 00B78DE6: LeaveCriticalSection.KERNEL32(01312054,?,?,?,00B9B2F2,?,?,00000001), ref: 00B78E41
    • CloseHandle.KERNEL32(00000000), ref: 00B898AA
    • CloseHandle.KERNEL32(00000000), ref: 00B898B7
      • Part of subcall function 00B86865: EnterCriticalSection.KERNEL32(?,?,00000000,?,00B86B6E,00000064,00000000,000000C8,00000000,?,00000001,?,0000002C), ref: 00B8686E
      • Part of subcall function 00B86865: LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00B86B6E,00000064,00000000,000000C8,00000000,?,00000001,?,0000002C), ref: 00B868A5
    • DeleteCriticalSection.KERNEL32 ref: 00B898CD
      • Part of subcall function 00B8ABB8: memset.MSVCRT ref: 00B8ABC8
    • DeleteCriticalSection.KERNEL32 ref: 00B898EC
    • CloseHandle.KERNEL32(00000000), ref: 00B898F9
    • DeleteCriticalSection.KERNEL32 ref: 00B89903
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
      • Part of subcall function 00B78C8F: CloseHandle.KERNEL32 ref: 00B78C9F
      • Part of subcall function 00B78C8F: DeleteCriticalSection.KERNEL32(?,?,01312048,00B9B303,?,?,00000001), ref: 00B78CB6
      • Part of subcall function 00B894FB: WaitForSingleObject.KERNEL32(?,00000000), ref: 00B89503
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • GetProcAddress.KERNEL32(?,GdipGetImageEncodersSize), ref: 00451304
    • GetProcAddress.KERNEL32(?,GdipGetImageEncoders), ref: 0045130F
    • GetProcAddress.KERNEL32(?,GdipSaveImageToStream), ref: 0045131A
      • Part of subcall function 004424DA: HeapAlloc.KERNEL32(00000008,?,?,0043B076,?,?,?,00000000,?,?,00000000,0045AA69,?,0045ADD5), ref: 004424EB
    • lstrcmpiW.KERNEL32(?), ref: 004513A7
    • memcpy.MSVCRT ref: 004513CA
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • CreateStreamOnHGlobal.OLE32(00000000,00000001), ref: 004513F5
    • memcpy.MSVCRT ref: 00451423
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • GetProcAddress.KERNEL32(?,GdipGetImageEncodersSize), ref: 00B91304
    • GetProcAddress.KERNEL32(?,GdipGetImageEncoders), ref: 00B9130F
    • GetProcAddress.KERNEL32(?,GdipSaveImageToStream), ref: 00B9131A
      • Part of subcall function 00B824DA: HeapAlloc.KERNEL32(00000008,?,?,00B7B076,?,?,?,00000000,?,?,00000000,00B9AA69,?,00B9ADD5), ref: 00B824EB
    • lstrcmpiW.KERNEL32(?), ref: 00B913A7
    • memcpy.MSVCRT ref: 00B913CA
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
    • CreateStreamOnHGlobal.OLE32(00000000,00000001), ref: 00B913F5
    • memcpy.MSVCRT ref: 00B91423
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • memcpy.MSVCRT ref: 00462D3D
    • CreateFileMappingW.KERNEL32(000000FF,?,08000004,00000000,00001000,00000000), ref: 00462D5E
    • MapViewOfFile.KERNEL32(?,00000006,00000000,00000000,00001000), ref: 00462D76
      • Part of subcall function 00462922: UnmapViewOfFile.KERNEL32 ref: 0046292E
      • Part of subcall function 00462922: CloseHandle.KERNEL32 ref: 0046293F
    • memset.MSVCRT ref: 00462DCB
    • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000001,00000004,00000000,00000000,00000000,00000000), ref: 00462E04
      • Part of subcall function 0046294A: DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002,00463210), ref: 0046297C
      • Part of subcall function 0046294A: DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002), ref: 0046299C
      • Part of subcall function 0046294A: memset.MSVCRT ref: 00462A39
      • Part of subcall function 0046294A: memcpy.MSVCRT ref: 00462A4B
    • ResumeThread.KERNEL32(?), ref: 00462E27
    • CloseHandle.KERNEL32(?), ref: 00462E3E
    • CloseHandle.KERNEL32(?), ref: 00462E44
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • memcpy.MSVCRT ref: 00BA2D3D
    • CreateFileMappingW.KERNEL32(000000FF,?,08000004,00000000,00001000,00000000), ref: 00BA2D5E
    • MapViewOfFile.KERNEL32(?,00000006,00000000,00000000,00001000), ref: 00BA2D76
      • Part of subcall function 00BA2922: UnmapViewOfFile.KERNEL32 ref: 00BA292E
      • Part of subcall function 00BA2922: CloseHandle.KERNEL32 ref: 00BA293F
    • memset.MSVCRT ref: 00BA2DCB
    • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000001,00000004,00000000,00000000,00000000,00000000), ref: 00BA2E04
      • Part of subcall function 00BA294A: DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002,00BA3210), ref: 00BA297C
      • Part of subcall function 00BA294A: DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002), ref: 00BA299C
      • Part of subcall function 00BA294A: memset.MSVCRT ref: 00BA2A39
      • Part of subcall function 00BA294A: memcpy.MSVCRT ref: 00BA2A4B
    • ResumeThread.KERNEL32(?), ref: 00BA2E27
    • CloseHandle.KERNEL32(?), ref: 00BA2E3E
    • CloseHandle.KERNEL32(?), ref: 00BA2E44
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • GetCurrentThread.KERNEL32 ref: 0043AFAD
    • OpenThreadToken.ADVAPI32 ref: 0043AFB4
    • GetCurrentProcess.KERNEL32 ref: 0043AFC4
    • OpenProcessToken.ADVAPI32 ref: 0043AFCB
    • LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege), ref: 0043AFEC
    • AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 0043B001
    • GetLastError.KERNEL32 ref: 0043B00B
    • CloseHandle.KERNEL32(00000001), ref: 0043B01C
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • GetCurrentThread.KERNEL32 ref: 00B7AFAD
    • OpenThreadToken.ADVAPI32 ref: 00B7AFB4
    • GetCurrentProcess.KERNEL32 ref: 00B7AFC4
    • OpenProcessToken.ADVAPI32 ref: 00B7AFCB
    • LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege), ref: 00B7AFEC
    • AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 00B7B001
    • GetLastError.KERNEL32 ref: 00B7B00B
    • CloseHandle.KERNEL32(00000001), ref: 00B7B01C
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
      • Part of subcall function 0044204E: memcpy.MSVCRT ref: 0044205C
      • Part of subcall function 0045570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0045ABEA,0045ABEA), ref: 0045573C
    • PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00439C2E
    • PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00439C75
    • SetEvent.KERNEL32 ref: 00439C84
    • WaitForSingleObject.KERNEL32 ref: 00439C95
      • Part of subcall function 0044A9C2: Sleep.KERNEL32(000001F4), ref: 0044AA6D
      • Part of subcall function 0043913F: FindFirstFileW.KERNEL32(?), ref: 00439170
      • Part of subcall function 0043913F: FindNextFileW.KERNEL32(?,?), ref: 004391C2
      • Part of subcall function 0043913F: FindClose.KERNEL32 ref: 004391CD
      • Part of subcall function 0043913F: SetFileAttributesW.KERNEL32(?,00000080), ref: 004391D9
      • Part of subcall function 0043913F: RemoveDirectoryW.KERNEL32 ref: 004391E0
      • Part of subcall function 00450B2C: RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00450B87
      • Part of subcall function 00450B2C: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00450BF1
      • Part of subcall function 00450B2C: RegFlushKey.ADVAPI32(?), ref: 00450C1F
      • Part of subcall function 00450B2C: RegCloseKey.ADVAPI32(?), ref: 00450C26
    • CharToOemW.USER32 ref: 00439D26
    • CharToOemW.USER32 ref: 00439D36
    • ExitProcess.KERNEL32(00000000,?,?,00000014,?,?,00000014), ref: 00439D9A
      • Part of subcall function 0043B365: CharToOemW.USER32 ref: 0043B3AB
      • Part of subcall function 0043B365: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 0043B3E2
      • Part of subcall function 0043B365: CloseHandle.KERNEL32(000000FF), ref: 0043B40A
      • Part of subcall function 0043B365: GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104), ref: 0043B44C
      • Part of subcall function 0043B365: memset.MSVCRT ref: 0043B461
      • Part of subcall function 0043B365: CloseHandle.KERNEL32(000000FF), ref: 0043B49C
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00438FE0
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 00438FEA
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439033
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439060
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 0043906A
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 00439BFE
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00439C4B
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B8204E: memcpy.MSVCRT ref: 00B8205C
      • Part of subcall function 00B9570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00B9ABEA,00B9ABEA), ref: 00B9573C
    • PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00B79C2E
    • PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00B79C75
    • SetEvent.KERNEL32 ref: 00B79C84
    • WaitForSingleObject.KERNEL32 ref: 00B79C95
      • Part of subcall function 00B8A9C2: Sleep.KERNEL32(000001F4), ref: 00B8AA6D
      • Part of subcall function 00B7913F: FindFirstFileW.KERNEL32(?), ref: 00B79170
      • Part of subcall function 00B7913F: FindNextFileW.KERNEL32(?,?), ref: 00B791C2
      • Part of subcall function 00B7913F: FindClose.KERNEL32 ref: 00B791CD
      • Part of subcall function 00B7913F: SetFileAttributesW.KERNEL32(?,00000080), ref: 00B791D9
      • Part of subcall function 00B7913F: RemoveDirectoryW.KERNEL32 ref: 00B791E0
      • Part of subcall function 00B90B2C: RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B90B87
      • Part of subcall function 00B90B2C: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00B90BF1
      • Part of subcall function 00B90B2C: RegFlushKey.ADVAPI32(?), ref: 00B90C1F
      • Part of subcall function 00B90B2C: RegCloseKey.ADVAPI32(?), ref: 00B90C26
    • CharToOemW.USER32 ref: 00B79D26
    • CharToOemW.USER32 ref: 00B79D36
    • ExitProcess.KERNEL32(00000000,?,?,00000014,?,?,00000014), ref: 00B79D9A
      • Part of subcall function 00B7B365: CharToOemW.USER32 ref: 00B7B3AB
      • Part of subcall function 00B7B365: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 00B7B3E2
      • Part of subcall function 00B7B365: CloseHandle.KERNEL32(000000FF), ref: 00B7B40A
      • Part of subcall function 00B7B365: GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104), ref: 00B7B44C
      • Part of subcall function 00B7B365: memset.MSVCRT ref: 00B7B461
      • Part of subcall function 00B7B365: CloseHandle.KERNEL32(000000FF), ref: 00B7B49C
      • Part of subcall function 00B78F6F: memcpy.MSVCRT ref: 00B78FE0
      • Part of subcall function 00B78F6F: PathRemoveBackslashW.SHLWAPI ref: 00B78FEA
      • Part of subcall function 00B78F6F: memcpy.MSVCRT ref: 00B79033
      • Part of subcall function 00B78F6F: memcpy.MSVCRT ref: 00B79060
      • Part of subcall function 00B78F6F: PathRemoveBackslashW.SHLWAPI ref: 00B7906A
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 00B79BFE
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00B79C4B
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • GetLogicalDrives.KERNEL32 ref: 0044553C
      • Part of subcall function 004424DA: HeapAlloc.KERNEL32(00000008,?,?,0043B076,?,?,?,00000000,?,?,00000000,0045AA69,?,0045ADD5), ref: 004424EB
    • SHGetFolderPathW.SHELL32(00000000,00006024,00000000,00000000), ref: 00445581
    • PathGetDriveNumberW.SHLWAPI ref: 00445593
    • lstrcpyW.KERNEL32(?,0042AACC), ref: 004455A7
    • GetDriveTypeW.KERNEL32 ref: 00445610
    • GetVolumeInformationW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000105), ref: 00445671
    • CharUpperW.USER32(00000000), ref: 0044568D
    • lstrcmpW.KERNEL32 ref: 004456B0
    • GetDiskFreeSpaceExW.KERNEL32(?,00000000), ref: 004456EE
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • GetLogicalDrives.KERNEL32 ref: 00B8553C
      • Part of subcall function 00B824DA: HeapAlloc.KERNEL32(00000008,?,?,00B7B076,?,?,?,00000000,?,?,00000000,00B9AA69,?,00B9ADD5), ref: 00B824EB
    • SHGetFolderPathW.SHELL32(00000000,00006024,00000000,00000000), ref: 00B85581
    • PathGetDriveNumberW.SHLWAPI ref: 00B85593
    • lstrcpyW.KERNEL32(?,00B6AACC), ref: 00B855A7
    • GetDriveTypeW.KERNEL32 ref: 00B85610
    • GetVolumeInformationW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000105), ref: 00B85671
    • CharUpperW.USER32(00000000), ref: 00B8568D
    • lstrcmpW.KERNEL32 ref: 00B856B0
    • GetDiskFreeSpaceExW.KERNEL32(?,00000000), ref: 00B856EE
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • IsUserAnAdmin.SHELL32 ref: 00A3137B
    • GetModuleFileNameA.KERNEL32(00000000,?,00000200), ref: 00A31399
      • Part of subcall function 00A31A9C: GetVersionExA.KERNEL32 ref: 00A31AB2
      • Part of subcall function 00A31A9C: GlobalFindAtomA.KERNEL32(*EUDC*), ref: 00A31AF1
    • CloseHandle.KERNEL32(?), ref: 00A31469
      • Part of subcall function 00A31C6C: memset.MSVCRT ref: 00A31C85
      • Part of subcall function 00A31C6C: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00A31CB0
      • Part of subcall function 00A31C6C: GetACP.KERNEL32 ref: 00A31E6F
      • Part of subcall function 00A31C6C: _snprintf.MSVCRT ref: 00A31E87
      • Part of subcall function 00A31C6C: RegCreateKeyExA.ADVAPI32(80000001,?,00000000,00000000,00000000,00010002,00000000,?,00000000), ref: 00A31EAC
      • Part of subcall function 00A31C6C: RegDeleteValueA.ADVAPI32(?,SystemDefaultEUDCFont), ref: 00A31EC1
      • Part of subcall function 00A31C6C: RegSetValueExA.ADVAPI32(?,SystemDefaultEUDCFont,00000000,00000003,?,?), ref: 00A31ED1
      • Part of subcall function 00A31C6C: RtlAddVectoredExceptionHandler.NTDLL(00000001,00A31C5E), ref: 00A31EDF
      • Part of subcall function 00A31C6C: _setjmp3.MSVCRT ref: 00A31EEC
      • Part of subcall function 00A31C6C: EnableEUDC.GDI32(00000001), ref: 00A31EF9
      • Part of subcall function 00A31C6C: RtlRemoveVectoredExceptionHandler.NTDLL(00A31C5E), ref: 00A31EFF
      • Part of subcall function 00A31C6C: RegDeleteValueA.ADVAPI32(?,SystemDefaultEUDCFont), ref: 00A31F09
      • Part of subcall function 00A31C6C: RegFlushKey.ADVAPI32(?), ref: 00A31F0E
      • Part of subcall function 00A31C6C: RegCloseKey.ADVAPI32(?), ref: 00A31F17
      • Part of subcall function 00A31C6C: GlobalAddAtomA.KERNEL32(*EUDC*), ref: 00A31F22
      • Part of subcall function 00A31C6C: free.MSVCRT ref: 00A31F39
      • Part of subcall function 00A31C6C: free.MSVCRT ref: 00A31F41
    • IsUserAnAdmin.SHELL32(?,00000200), ref: 00A313B5
    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A313E0
    • ExitProcess.KERNEL32(00000000,?,?,?,00007530,?,?,00000200), ref: 00A313EF
      • Part of subcall function 00A318AA: GetVersionExA.KERNEL32 ref: 00A318C4
      • Part of subcall function 00A31187: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A311C3
      • Part of subcall function 00A31187: GetCurrentProcess.KERNEL32 ref: 00A311D7
      • Part of subcall function 00A31187: OpenProcessToken.ADVAPI32 ref: 00A311DE
      • Part of subcall function 00A31187: GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000), ref: 00A311FA
      • Part of subcall function 00A31187: RtlGetLastWin32Error.NTDLL ref: 00A311FC
      • Part of subcall function 00A31187: malloc.MSVCRT ref: 00A3120B
      • Part of subcall function 00A31187: GetTokenInformation.ADVAPI32(?,00000002,?,?), ref: 00A31225
      • Part of subcall function 00A31187: EqualSid.ADVAPI32(?), ref: 00A3123A
      • Part of subcall function 00A31187: free.MSVCRT ref: 00A3125B
      • Part of subcall function 00A31187: FreeSid.ADVAPI32(?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A3126C
      • Part of subcall function 00A31187: CloseHandle.KERNEL32(?), ref: 00A3127B
    • CreateThread.KERNEL32(00000000,00000000,Function_00001286,00000000), ref: 00A31418
    • CreateThread.KERNEL32(00000000,00000000,Function_000012FB,00000000), ref: 00A31426
    • WaitForSingleObject.KERNEL32(?,00007530), ref: 00A3143F
    • GetExitCodeThread.KERNEL32 ref: 00A3144E
    • CloseHandle.KERNEL32 ref: 00A3145E
    Memory Dump Source
    • Source File: 00000003.00000002.678185872.00A30000.00000040.sdmp, Offset: 00A30000, based on PE: false
    APIs
    • memset.MSVCRT ref: 0045990F
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00459920
    • VirtualAlloc.KERNEL32(?,=::=::\,00003000,00000040), ref: 00459954
    • memset.MSVCRT ref: 00459994
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 004599A5
    • VirtualAlloc.KERNEL32(?,=::=::\,00003000,00000040), ref: 004599E5
    • memset.MSVCRT ref: 00459A50
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 0044204E: memcpy.MSVCRT ref: 0044205C
      • Part of subcall function 0045570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0045ABEA,0045ABEA), ref: 0045573C
    • PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00456283
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00438FE0
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 00438FEA
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439033
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439060
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 0043906A
    • FindFirstFileW.KERNEL32 ref: 004562F1
    • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0045634A
    • FindClose.KERNEL32 ref: 00456453
      • Part of subcall function 00455AB0: GetFileSizeEx.KERNEL32(?,?), ref: 00455ABB
      • Part of subcall function 004424DA: HeapAlloc.KERNEL32(00000008,?,?,0043B076,?,?,?,00000000,?,?,00000000,0045AA69,?,0045ADD5), ref: 004424EB
    • SetLastError.KERNEL32(00000057,?,?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 004563BB
      • Part of subcall function 00455B34: ReadFile.KERNEL32(00000000,?,?,?,00000000), ref: 00455B46
    • CloseHandle.KERNEL32 ref: 004563F5
      • Part of subcall function 00455934: CloseHandle.KERNEL32 ref: 00455940
    • FindNextFileW.KERNEL32 ref: 00456429
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 00455E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00455E26
      • Part of subcall function 00455E1D: DeleteFileW.KERNEL32 ref: 00455E2D
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00456256
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B8204E: memcpy.MSVCRT ref: 00B8205C
      • Part of subcall function 00B9570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00B9ABEA,00B9ABEA), ref: 00B9573C
    • PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00B96283
      • Part of subcall function 00B78F6F: memcpy.MSVCRT ref: 00B78FE0
      • Part of subcall function 00B78F6F: PathRemoveBackslashW.SHLWAPI ref: 00B78FEA
      • Part of subcall function 00B78F6F: memcpy.MSVCRT ref: 00B79033
      • Part of subcall function 00B78F6F: memcpy.MSVCRT ref: 00B79060
      • Part of subcall function 00B78F6F: PathRemoveBackslashW.SHLWAPI ref: 00B7906A
    • FindFirstFileW.KERNEL32 ref: 00B962F1
    • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00B9634A
    • FindClose.KERNEL32 ref: 00B96453
      • Part of subcall function 00B95AB0: GetFileSizeEx.KERNEL32 ref: 00B95ABB
      • Part of subcall function 00B824DA: HeapAlloc.KERNEL32(00000008,?,?,00B7B076,?,?,?,00000000,?,?,00000000,00B9AA69,?,00B9ADD5), ref: 00B824EB
    • SetLastError.KERNEL32(00000057,?,?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00B963BB
      • Part of subcall function 00B95B34: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00B95B46
    • CloseHandle.KERNEL32 ref: 00B963F5
      • Part of subcall function 00B95934: CloseHandle.KERNEL32 ref: 00B95940
    • FindNextFileW.KERNEL32 ref: 00B96429
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
      • Part of subcall function 00B95E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00B95E26
      • Part of subcall function 00B95E1D: DeleteFileW.KERNEL32 ref: 00B95E2D
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00B96256
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • memset.MSVCRT ref: 00A31BA8
    • CreateEventA.KERNEL32(?,00000000,00000000,00000000), ref: 00A31BCE
    • CreateProcessA.KERNEL32(00000000,svchost.exe,00000000,00000000,00000001,00000004,00000000,00000000,?), ref: 00A31BF0
    • CloseHandle.KERNEL32(00000104), ref: 00A31C52
      • Part of subcall function 00A31B0A: GetModuleHandleA.KERNEL32(ntdll.dll), ref: 00A31B1A
      • Part of subcall function 00A31B0A: GetProcAddress.KERNEL32(?,ZwQuerySystemInformation), ref: 00A31B2D
      • Part of subcall function 00A31B0A: malloc.MSVCRT ref: 00A31B3D
      • Part of subcall function 00A31B0A: realloc.MSVCRT ref: 00A31B63
      • Part of subcall function 00A31B0A: free.MSVCRT ref: 00A31B88
    • CloseHandle.KERNEL32(00000104), ref: 00A31C3D
    • free.MSVCRT ref: 00A31C44
    Memory Dump Source
    • Source File: 00000003.00000002.678185872.00A30000.00000040.sdmp, Offset: 00A30000, based on PE: false
    APIs
      • Part of subcall function 0045CB85: InternetCloseHandle.WININET ref: 0045CB99
    • HttpOpenRequestA.WININET(?,?,?,HTTP/1.1,00000000,0042C9E0,?,00000000), ref: 0045CCE9
    • HttpAddRequestHeadersA.WININET(?,Connection: Close,00000013,A0000000), ref: 0045CD0C
    • HttpSendRequestExA.WININET(?,?,00000000,00000000,00000000), ref: 0045CD4E
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B9CB85: InternetCloseHandle.WININET ref: 00B9CB99
    • HttpOpenRequestA.WININET(?,?,?,HTTP/1.1,00000000,00B6C9E0,?,00000000), ref: 00B9CCE9
    • HttpAddRequestHeadersA.WININET(?,Connection: Close,00000013,A0000000), ref: 00B9CD0C
    • HttpSendRequestExA.WININET(?,?,00000000,00000000,00000000), ref: 00B9CD4E
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00B75BC1
    • Process32FirstW.KERNEL32 ref: 00B75BE6
      • Part of subcall function 00B9C012: CreateMutexW.KERNEL32(00BA49B4,00000001), ref: 00B9C058
      • Part of subcall function 00B9C012: GetLastError.KERNEL32(?,?,?,?,00000002,00000000), ref: 00B9C064
      • Part of subcall function 00B9C012: CloseHandle.KERNEL32 ref: 00B9C072
    • OpenProcess.KERNEL32(00000400,00000000,?), ref: 00B75C3D
    • CloseHandle.KERNEL32(?), ref: 00B75D07
      • Part of subcall function 00B7AEE3: OpenProcessToken.ADVAPI32(?,00000008), ref: 00B7AEF5
      • Part of subcall function 00B7AEE3: GetTokenInformation.ADVAPI32(?,0000000C,00BA49A8,00000004), ref: 00B7AF1D
      • Part of subcall function 00B7AEE3: CloseHandle.KERNEL32(?), ref: 00B7AF33
    • CloseHandle.KERNEL32 ref: 00B75C5B
    • GetLengthSid.ADVAPI32 ref: 00B75C77
    • memcmp.MSVCRT ref: 00B75C8F
      • Part of subcall function 00B82543: HeapAlloc.KERNEL32(00000008,?,?,00000000,00B8D89F,?,?,?,00000000,00000000,00000000,00B8D869,?,00B7B3C7,?,@echo off%sdel /F "%s"), ref: 00B8256D
      • Part of subcall function 00B82543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00B8D89F,?,?,?,00000000,00000000,00000000,00B8D869,?,00B7B3C7), ref: 00B82580
      • Part of subcall function 00B75B0B: OpenProcess.KERNEL32(0000047A,00000000,?), ref: 00B75B19
      • Part of subcall function 00B75B0B: CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000000,00000000), ref: 00B75B5A
      • Part of subcall function 00B75B0B: WaitForSingleObject.KERNEL32(?,00002710), ref: 00B75B6C
      • Part of subcall function 00B75B0B: CloseHandle.KERNEL32 ref: 00B75B73
      • Part of subcall function 00B75B0B: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00B75B85
      • Part of subcall function 00B75B0B: CloseHandle.KERNEL32 ref: 00B75B8C
    • Process32NextW.KERNEL32(?,?), ref: 00B75D13
    • CloseHandle.KERNEL32 ref: 00B75D26
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00465AA4,?,?,?,?,?,?,?,?,?,?), ref: 00461CE8
    • LeaveCriticalSection.KERNEL32(00465AA4,?,?,?,?,?,?,?,?,?), ref: 00461D12
      • Part of subcall function 0045FEDF: memset.MSVCRT ref: 0045FEF5
      • Part of subcall function 0045FEDF: InitializeCriticalSection.KERNEL32(00465050), ref: 0045FF05
      • Part of subcall function 0045FEDF: memset.MSVCRT ref: 0045FF34
      • Part of subcall function 0045FEDF: InitializeCriticalSection.KERNEL32(00465030), ref: 0045FF3E
      • Part of subcall function 004424C1: HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
      • Part of subcall function 00439FB3: memcpy.MSVCRT ref: 00439FE9
    • memcmp.MSVCRT ref: 00461E03
    • memcmp.MSVCRT ref: 00461E34
      • Part of subcall function 00439F5F: memcpy.MSVCRT ref: 00439F99
    • EnterCriticalSection.KERNEL32(00465050), ref: 00461EA7
      • Part of subcall function 0045FFD8: GetTickCount.KERNEL32 ref: 0045FFDF
      • Part of subcall function 004603D0: EnterCriticalSection.KERNEL32(00465030,0046506C,?,?,00465050), ref: 004603E3
      • Part of subcall function 004603D0: LeaveCriticalSection.KERNEL32(00465030,?,?,00465050), ref: 00460559
      • Part of subcall function 0046061B: EnterCriticalSection.KERNEL32(00000000,?,?,?,?,00465050), ref: 004606F5
      • Part of subcall function 0046061B: LeaveCriticalSection.KERNEL32(00000000,000000FF,00000000,?,?,?,?,00465050), ref: 0046071D
    • LeaveCriticalSection.KERNEL32(00465050,0046506C,0046506C,0046506C), ref: 00461EF7
      • Part of subcall function 0045DD3E: lstrlenA.KERNEL32(?,?,?,?,?,?,0046506C,?,?,00465050), ref: 0045DD52
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • GetProcAddress.KERNEL32(?), ref: 0043C9E1
    • GetProcAddress.KERNEL32(?,?), ref: 0043CA03
    • GetProcAddress.KERNEL32(?,?), ref: 0043CA1E
    • GetProcAddress.KERNEL32(?,?), ref: 0043CA39
    • GetProcAddress.KERNEL32(?,?), ref: 0043CA54
    • GetProcAddress.KERNEL32(?), ref: 0043CA6F
    • GetProcAddress.KERNEL32(?), ref: 0043CA8E
    • GetProcAddress.KERNEL32(?), ref: 0043CAAD
    • GetProcAddress.KERNEL32(?), ref: 0043CACC
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • GetProcAddress.KERNEL32(?), ref: 00B7C9E1
    • GetProcAddress.KERNEL32(?,?), ref: 00B7CA03
    • GetProcAddress.KERNEL32(?,?), ref: 00B7CA1E
    • GetProcAddress.KERNEL32(?,?), ref: 00B7CA39
    • GetProcAddress.KERNEL32(?,?), ref: 00B7CA54
    • GetProcAddress.KERNEL32(?), ref: 00B7CA6F
    • GetProcAddress.KERNEL32(?), ref: 00B7CA8E
    • GetProcAddress.KERNEL32(?), ref: 00B7CAAD
    • GetProcAddress.KERNEL32(?), ref: 00B7CACC
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • GetCommandLineW.KERNEL32 ref: 00462ADA
    • CommandLineToArgvW.SHELL32 ref: 00462AE1
    • StrCmpNW.SHLWAPI(?,0042CA4C,00000002), ref: 00462B07
    • LocalFree.KERNEL32 ref: 00462B33
      • Part of subcall function 004424C1: HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
    • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,00001000), ref: 00462B70
    • memcpy.MSVCRT ref: 00462B83
      • Part of subcall function 0044E043: memcpy.MSVCRT ref: 0044E070
    • UnmapViewOfFile.KERNEL32 ref: 00462BBC
    • CloseHandle.KERNEL32 ref: 00462BF8
      • Part of subcall function 00462F3B: memset.MSVCRT ref: 00462F5F
      • Part of subcall function 00462F3B: memcpy.MSVCRT ref: 00462FBF
      • Part of subcall function 00462F3B: memcpy.MSVCRT ref: 00462FD7
      • Part of subcall function 00462F3B: memcpy.MSVCRT ref: 0046304D
    • memcpy.MSVCRT ref: 00462BDF
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • GetCommandLineW.KERNEL32 ref: 00BA2ADA
    • CommandLineToArgvW.SHELL32 ref: 00BA2AE1
    • StrCmpNW.SHLWAPI(?,00B6CA4C,00000002), ref: 00BA2B07
    • LocalFree.KERNEL32 ref: 00BA2B33
      • Part of subcall function 00B824C1: HeapAlloc.KERNEL32(00000000,00000028,?,00B9D211,?,?,00000000,?,?,00000001), ref: 00B824D2
    • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,00001000), ref: 00BA2B70
    • memcpy.MSVCRT ref: 00BA2B83
      • Part of subcall function 00B8E043: memcpy.MSVCRT ref: 00B8E070
    • UnmapViewOfFile.KERNEL32 ref: 00BA2BBC
    • CloseHandle.KERNEL32 ref: 00BA2BF8
      • Part of subcall function 00BA2F3B: memset.MSVCRT ref: 00BA2F5F
      • Part of subcall function 00BA2F3B: memcpy.MSVCRT ref: 00BA2FBF
      • Part of subcall function 00BA2F3B: memcpy.MSVCRT ref: 00BA2FD7
      • Part of subcall function 00BA2F3B: memcpy.MSVCRT ref: 00BA304D
    • memcpy.MSVCRT ref: 00BA2BDF
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 0045CEB9
      • Part of subcall function 004424C1: HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
    • CloseHandle.KERNEL32 ref: 0045CEDE
    • SetLastError.KERNEL32(00000008,?,?,?,?,004479D8,?,?,?,?), ref: 0045CEE6
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 0045CF03
    • InternetReadFile.WININET(?,?,00001000), ref: 0045CF21
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0045CF56
    • FlushFileBuffers.KERNEL32 ref: 0045CF6F
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • CloseHandle.KERNEL32 ref: 0045CF82
    • SetLastError.KERNEL32(00000000,?,?,00001000,?,?,?,?,004479D8,?,?,?,?), ref: 0045CF9D
      • Part of subcall function 00455E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00455E26
      • Part of subcall function 00455E1D: DeleteFileW.KERNEL32 ref: 00455E2D
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00B9CEB9
      • Part of subcall function 00B824C1: HeapAlloc.KERNEL32(00000000,00000028,?,00B9D211,?,?,00000000,?,?,00000001), ref: 00B824D2
    • CloseHandle.KERNEL32 ref: 00B9CEDE
    • SetLastError.KERNEL32(00000008,?,?,?,?,00B879D8,?,?,?,?), ref: 00B9CEE6
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00B9CF03
    • InternetReadFile.WININET(?,?,00001000), ref: 00B9CF21
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00B9CF56
    • FlushFileBuffers.KERNEL32 ref: 00B9CF6F
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
    • CloseHandle.KERNEL32 ref: 00B9CF82
    • SetLastError.KERNEL32(00000000,?,?,00001000,?,?,?,?,00B879D8,?,?,?,?), ref: 00B9CF9D
      • Part of subcall function 00B95E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00B95E26
      • Part of subcall function 00B95E1D: DeleteFileW.KERNEL32 ref: 00B95E2D
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
      • Part of subcall function 004441F9: CoInitializeEx.OLE32(00000000,00000000), ref: 00444206
      • Part of subcall function 0043645E: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,?,00445B49), ref: 00436470
      • Part of subcall function 0043645E: #2.OLEAUT32(?,00000000,?,?,?,00445B49), ref: 004364A4
      • Part of subcall function 0043645E: #6.OLEAUT32(?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00445B49), ref: 004364D9
      • Part of subcall function 0043645E: CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 004364F9
    • #2.OLEAUT32(WQL), ref: 00445BAF
    • #2.OLEAUT32 ref: 00445BCB
    • #6.OLEAUT32(?,?,00000030,00000000), ref: 00445BFB
    • #9.OLEAUT32(?,?,00000000,00000000), ref: 00445C6C
      • Part of subcall function 00436433: #6.OLEAUT32(?,00000000,00445CA3), ref: 00436450
      • Part of subcall function 00436433: CoUninitialize.OLE32 ref: 00444244
    • memcpy.MSVCRT ref: 00445D45
    • memcpy.MSVCRT ref: 00445D57
    • memcpy.MSVCRT ref: 00445D69
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 004424DA: HeapAlloc.KERNEL32(00000008,?,?,0043B076,?,?,?,00000000,?,?,00000000,0045AA69,?,0045ADD5), ref: 004424EB
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B841F9: CoInitializeEx.OLE32(00000000,00000000), ref: 00B84206
      • Part of subcall function 00B7645E: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,?,00B85B49), ref: 00B76470
      • Part of subcall function 00B7645E: #2.OLEAUT32(?,00000000,?,?,?,00B85B49), ref: 00B764A4
      • Part of subcall function 00B7645E: #6.OLEAUT32(?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00B85B49), ref: 00B764D9
      • Part of subcall function 00B7645E: CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00B764F9
    • #2.OLEAUT32(WQL), ref: 00B85BAF
    • #2.OLEAUT32 ref: 00B85BCB
    • #6.OLEAUT32(?,?,00000030,00000000), ref: 00B85BFB
    • #9.OLEAUT32(?,?,00000000,00000000), ref: 00B85C6C
      • Part of subcall function 00B76433: #6.OLEAUT32(?,00000000,00B85CA3), ref: 00B76450
      • Part of subcall function 00B76433: CoUninitialize.OLE32 ref: 00B84244
    • memcpy.MSVCRT ref: 00B85D45
    • memcpy.MSVCRT ref: 00B85D57
    • memcpy.MSVCRT ref: 00B85D69
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
      • Part of subcall function 00B824DA: HeapAlloc.KERNEL32(00000008,?,?,00B7B076,?,?,?,00000000,?,?,00000000,00B9AA69,?,00B9ADD5), ref: 00B824EB
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
      • Part of subcall function 0045D9E1: memset.MSVCRT ref: 0045D9F0
      • Part of subcall function 0045D9E1: memcpy.MSVCRT ref: 0045DA17
      • Part of subcall function 004441F9: CoInitializeEx.OLE32(00000000,00000000), ref: 00444206
    • getsockopt.WS2_32(?,0000FFFF,00001008,00429417,00429417), ref: 004486B2
    • GetHandleInformation.KERNEL32 ref: 004486C4
      • Part of subcall function 0043B764: EnterCriticalSection.KERNEL32(00465AA4,?,0043B826,?,0045C86A,0044C4AB,0044C4AB,?,0044C4AB,?,00000001), ref: 0043B774
      • Part of subcall function 0043B764: LeaveCriticalSection.KERNEL32(00465AA4,?,0043B826,?,0045C86A,0044C4AB,0044C4AB,?,0044C4AB,?,00000001), ref: 0043B79E
    • socket.WS2_32(?,00000001,00000006), ref: 004486F7
    • socket.WS2_32(?,00000002,00000011), ref: 00448708
    • closesocket.WS2_32(?), ref: 00448727
    • closesocket.WS2_32 ref: 0044872E
      • Part of subcall function 004424C1: HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
    • memset.MSVCRT ref: 004487F2
      • Part of subcall function 0043BC0C: bind.WS2_32(?,0043BCEA), ref: 0043BC53
      • Part of subcall function 0043BC0C: listen.WS2_32(?,00000014), ref: 0043BC68
      • Part of subcall function 0043BC0C: WSAGetLastError.WS2_32(00000000,?,0043BCEA,?,?,?,?,00000000), ref: 0043BC76
      • Part of subcall function 0043BC0C: WSASetLastError.WS2_32(?,?,0043BCEA,?,?,?,?,00000000), ref: 0043BC86
      • Part of subcall function 0043BC93: memset.MSVCRT ref: 0043BCA9
      • Part of subcall function 0043BC93: WSAGetLastError.WS2_32(?,?,?,?,00000000), ref: 0043BCEE
      • Part of subcall function 00448A41: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00448A52
    • memcpy.MSVCRT ref: 00448902
      • Part of subcall function 0043BAC9: memset.MSVCRT ref: 0043BADE
      • Part of subcall function 0043BAC9: getsockname.WS2_32(?,00437C25), ref: 0043BAF1
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B9D9E1: memset.MSVCRT ref: 00B9D9F0
      • Part of subcall function 00B9D9E1: memcpy.MSVCRT ref: 00B9DA17
      • Part of subcall function 00B841F9: CoInitializeEx.OLE32(00000000,00000000), ref: 00B84206
    • getsockopt.WS2_32(?,0000FFFF,00001008,00B69417,00B69417), ref: 00B886B2
    • GetHandleInformation.KERNEL32 ref: 00B886C4
      • Part of subcall function 00B7B764: EnterCriticalSection.KERNEL32(00BA5AA4,?,00B7B826,?,00B9C86A,00B8C4AB,00B8C4AB,?,00B8C4AB,?,00000001), ref: 00B7B774
      • Part of subcall function 00B7B764: LeaveCriticalSection.KERNEL32(00BA5AA4,?,00B7B826,?,00B9C86A,00B8C4AB,00B8C4AB,?,00B8C4AB,?,00000001), ref: 00B7B79E
    • socket.WS2_32(?,00000001,00000006), ref: 00B886F7
    • socket.WS2_32(?,00000002,00000011), ref: 00B88708
    • closesocket.WS2_32(?), ref: 00B88727
    • closesocket.WS2_32 ref: 00B8872E
      • Part of subcall function 00B824C1: HeapAlloc.KERNEL32(00000000,00000028,?,00B9D211,?,?,00000000,?,?,00000001), ref: 00B824D2
    • memset.MSVCRT ref: 00B887F2
      • Part of subcall function 00B7BC0C: bind.WS2_32(?,00B7BCEA), ref: 00B7BC53
      • Part of subcall function 00B7BC0C: listen.WS2_32(?,00000014), ref: 00B7BC68
      • Part of subcall function 00B7BC0C: WSAGetLastError.WS2_32(00000000,?,00B7BCEA,?,?,?,?,00000000), ref: 00B7BC76
      • Part of subcall function 00B7BC0C: WSASetLastError.WS2_32(?,?,00B7BCEA,?,?,?,?,00000000), ref: 00B7BC86
      • Part of subcall function 00B7BC93: memset.MSVCRT ref: 00B7BCA9
      • Part of subcall function 00B7BC93: WSAGetLastError.WS2_32(?,?,?,?,00000000), ref: 00B7BCEE
      • Part of subcall function 00B88A41: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B88A52
    • memcpy.MSVCRT ref: 00B88902
      • Part of subcall function 00B7BAC9: memset.MSVCRT ref: 00B7BADE
      • Part of subcall function 00B7BAC9: getsockname.WS2_32(?,00B77C25), ref: 00B7BAF1
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00BA5AA4,?,00BA4DF4,00000000,00000006,00B9BD7A,00BA4DF4,-00000258,?,00000000), ref: 00B78E6A
    • LeaveCriticalSection.KERNEL32(00BA5AA4,?,00000000), ref: 00B78E9D
      • Part of subcall function 00B81E94: GetModuleHandleW.KERNEL32(shell32.dll), ref: 00B81EA2
      • Part of subcall function 00B81E94: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00B81EAE
      • Part of subcall function 00B81E94: SetLastError.KERNEL32(00000001,00B78F04,00BA47C0,?,00BA4DF4,00000000,00000006,00B9BD7A,00BA4DF4,-00000258,?,00000000), ref: 00B81EC6
    • CoTaskMemFree.OLE32(?), ref: 00B78F36
    • PathRemoveBackslashW.SHLWAPI(00000006), ref: 00B78F44
    • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,00000006), ref: 00B78F5C
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(01312054,01312048,?,?,00B8A99B,00000000,00B8A6E2,00000000,?,00000000,?,?,?,00B9B2E2,?,00000001), ref: 00B78D3D
    • CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B78D76
    • DuplicateHandle.KERNEL32(000000FF,?,000000FF,00B8A99B,00000000,00000000,00000002), ref: 00B78D95
    • GetLastError.KERNEL32(?,000000FF,00B8A99B,00000000,00000000,00000002,?,?,00B8A99B,00000000,00B8A6E2,00000000,?,00000000), ref: 00B78D9F
    • TerminateThread.KERNEL32 ref: 00B78DA7
    • CloseHandle.KERNEL32 ref: 00B78DAE
      • Part of subcall function 00B824F3: HeapAlloc.KERNEL32(00000000,?,?,?,00B76328,?,?,00B98D10,?,?,?,?,0000FFFF), ref: 00B8251D
      • Part of subcall function 00B824F3: HeapReAlloc.KERNEL32(00000000,?,?,?,?,00B76328,?,?,00B98D10,?,?,?,?,0000FFFF), ref: 00B82530
    • LeaveCriticalSection.KERNEL32(01312054,?,00B8A99B,00000000,00B8A6E2,00000000,?,00000000,?,?,?,00B9B2E2,?,00000001), ref: 00B78DC3
    • ResumeThread.KERNEL32 ref: 00B78DDC
      • Part of subcall function 00B82543: HeapAlloc.KERNEL32(00000008,?,?,00000000,00B8D89F,?,?,?,00000000,00000000,00000000,00B8D869,?,00B7B3C7,?,@echo off%sdel /F "%s"), ref: 00B8256D
      • Part of subcall function 00B82543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00B8D89F,?,?,?,00000000,00000000,00000000,00B8D869,?,00B7B3C7), ref: 00B82580
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.678185872.00A30000.00000040.sdmp, Offset: 00A30000, based on PE: false
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00459BEC
    • memcpy.MSVCRT ref: 00459C39
    • GetThreadContext.KERNEL32(?,00000010), ref: 00459CAF
    • SetThreadContext.KERNEL32(?,?), ref: 00459D1A
    • GetCurrentProcess.KERNEL32 ref: 00459D33
    • VirtualProtect.KERNEL32(?,0000007C,?), ref: 00459D58
    • FlushInstructionCache.KERNEL32(?,?,0000007C), ref: 00459D6A
      • Part of subcall function 00459A67: memset.MSVCRT ref: 00459A78
      • Part of subcall function 00459821: GetCurrentProcess.KERNEL32 ref: 00459824
      • Part of subcall function 00459821: VirtualProtect.KERNEL32(00000000,=::=::\,00000020), ref: 00459845
      • Part of subcall function 00459821: FlushInstructionCache.KERNEL32(?,00000000,=::=::\), ref: 0045984E
    • ResumeThread.KERNEL32(?), ref: 00459DAB
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 00459B45: GetCurrentThreadId.KERNEL32 ref: 00459B46
      • Part of subcall function 00459B45: VirtualProtect.KERNEL32(?,0000007C,?,?), ref: 00459B7D
      • Part of subcall function 00459B45: ResumeThread.KERNEL32(?), ref: 00459BBE
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 0044204E: memcpy.MSVCRT ref: 0044205C
      • Part of subcall function 004425A7: memcpy.MSVCRT ref: 004425C6
      • Part of subcall function 0045570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0045ABEA,0045ABEA), ref: 0045573C
    • PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00456103
    • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000001,00000080,00000000), ref: 0045617B
    • GetLastError.KERNEL32(?,C0000000,00000000,00000000,00000001,00000080,00000000,?,?,?,?,00000000,3D94878D), ref: 00456188
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004561B2
    • FlushFileBuffers.KERNEL32 ref: 004561CC
    • CloseHandle.KERNEL32 ref: 004561D3
      • Part of subcall function 00455E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00455E26
      • Part of subcall function 00455E1D: DeleteFileW.KERNEL32 ref: 00455E2D
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00438FE0
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 00438FEA
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439033
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439060
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 0043906A
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 004560D6
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B8204E: memcpy.MSVCRT ref: 00B8205C
      • Part of subcall function 00B825A7: memcpy.MSVCRT ref: 00B825C6
      • Part of subcall function 00B9570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00B9ABEA,00B9ABEA), ref: 00B9573C
    • PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00B96103
    • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000001,00000080,00000000), ref: 00B9617B
    • GetLastError.KERNEL32(?,C0000000,00000000,00000000,00000001,00000080,00000000,?,?,?,?,00000000,3D94878D), ref: 00B96188
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00B961B2
    • FlushFileBuffers.KERNEL32 ref: 00B961CC
    • CloseHandle.KERNEL32 ref: 00B961D3
      • Part of subcall function 00B95E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00B95E26
      • Part of subcall function 00B95E1D: DeleteFileW.KERNEL32 ref: 00B95E2D
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
      • Part of subcall function 00B78F6F: memcpy.MSVCRT ref: 00B78FE0
      • Part of subcall function 00B78F6F: PathRemoveBackslashW.SHLWAPI ref: 00B78FEA
      • Part of subcall function 00B78F6F: memcpy.MSVCRT ref: 00B79033
      • Part of subcall function 00B78F6F: memcpy.MSVCRT ref: 00B79060
      • Part of subcall function 00B78F6F: PathRemoveBackslashW.SHLWAPI ref: 00B7906A
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00B960D6
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • LoadLibraryW.KERNEL32 ref: 004395A7
    • GetProcAddress.KERNEL32 ref: 004395D5
    • GetProcAddress.KERNEL32 ref: 004395EF
    • GetProcAddress.KERNEL32 ref: 0043960B
    • FreeLibrary.KERNEL32(00000003), ref: 004396B9
      • Part of subcall function 0043AF99: GetCurrentThread.KERNEL32 ref: 0043AFAD
      • Part of subcall function 0043AF99: OpenThreadToken.ADVAPI32 ref: 0043AFB4
      • Part of subcall function 0043AF99: GetCurrentProcess.KERNEL32 ref: 0043AFC4
      • Part of subcall function 0043AF99: OpenProcessToken.ADVAPI32 ref: 0043AFCB
      • Part of subcall function 0043AF99: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege), ref: 0043AFEC
      • Part of subcall function 0043AF99: AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 0043B001
      • Part of subcall function 0043AF99: GetLastError.KERNEL32 ref: 0043B00B
      • Part of subcall function 0043AF99: CloseHandle.KERNEL32(00000001), ref: 0043B01C
    • WTSGetActiveConsoleSessionId.KERNEL32 ref: 00439638
      • Part of subcall function 0043950C: EqualSid.ADVAPI32(?,5B867A00), ref: 0043952F
      • Part of subcall function 0043950C: CloseHandle.KERNEL32(00000001), ref: 00439576
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • LoadLibraryW.KERNEL32 ref: 00B795A7
    • GetProcAddress.KERNEL32 ref: 00B795D5
    • GetProcAddress.KERNEL32 ref: 00B795EF
    • GetProcAddress.KERNEL32 ref: 00B7960B
    • FreeLibrary.KERNEL32(00000003), ref: 00B796B9
      • Part of subcall function 00B7AF99: GetCurrentThread.KERNEL32 ref: 00B7AFAD
      • Part of subcall function 00B7AF99: OpenThreadToken.ADVAPI32 ref: 00B7AFB4
      • Part of subcall function 00B7AF99: GetCurrentProcess.KERNEL32 ref: 00B7AFC4
      • Part of subcall function 00B7AF99: OpenProcessToken.ADVAPI32 ref: 00B7AFCB
      • Part of subcall function 00B7AF99: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege), ref: 00B7AFEC
      • Part of subcall function 00B7AF99: AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 00B7B001
      • Part of subcall function 00B7AF99: GetLastError.KERNEL32 ref: 00B7B00B
      • Part of subcall function 00B7AF99: CloseHandle.KERNEL32(00000001), ref: 00B7B01C
    • WTSGetActiveConsoleSessionId.KERNEL32 ref: 00B79638
      • Part of subcall function 00B7950C: EqualSid.ADVAPI32(?,5B867A00), ref: 00B7952F
      • Part of subcall function 00B7950C: CloseHandle.KERNEL32(00000001), ref: 00B79576
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • GetEnvironmentStringsW.KERNEL32 ref: 004017DC
    • GetLastError.KERNEL32(?,?,?,?,0040113A,?,00491DB0,00000060), ref: 004017F0
    • GetEnvironmentStringsW.KERNEL32 ref: 00401812
    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00401846
    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 00401868
      • Part of subcall function 0040230E: HeapFree.KERNEL32(00000000,?,00492318,0000000C,00401F0C,?,?,?,00000000,?,00401E30,?,00491DB0,00000060), ref: 00402373
    • FreeEnvironmentStringsW.KERNEL32 ref: 00401881
    • GetEnvironmentStrings.KERNEL32(00093156,00000000,?,?,?,?,0040113A,?,00491DB0,00000060), ref: 00401897
    • FreeEnvironmentStringsA.KERNEL32 ref: 004018D3
    Memory Dump Source
    • Source File: 00000003.00000000.254658263.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000000.254647752.00400000.00000002.sdmp
    • Associated: 00000003.00000000.254742621.00487000.00000002.sdmp
    • Associated: 00000003.00000000.254759473.00494000.00000008.sdmp
    • Associated: 00000003.00000000.254780696.004A1000.00000002.sdmp
    APIs
    • memcpy.MSVCRT ref: 00455D6C
    • memcpy.MSVCRT ref: 00455D81
    • memcpy.MSVCRT ref: 00455D96
    • memcpy.MSVCRT ref: 00455DA5
      • Part of subcall function 004558ED: EnterCriticalSection.KERNEL32(00465AA4,?,00455BB2,?,00455C0A,?,?,?,?,C:\Documents and Settings\Administrator\Local Settings\Application Data,00000000,00000000,00000000,?,00000000), ref: 004558FD
      • Part of subcall function 004558ED: LeaveCriticalSection.KERNEL32(00465AA4,?,C:\Documents and Settings\Administrator\Local Settings\Application Data,00000000,00000000,00000000,?,00000000,?,00000002,?,C:\Documents and Settings\Administrator\Local Settings\Application Data,C:\Documents and Settings\Administrator\Local Settings\Application Data,?,0045A856), ref: 0045592C
      • Part of subcall function 00441E94: GetModuleHandleW.KERNEL32(shell32.dll), ref: 00441EA2
      • Part of subcall function 00441E94: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00441EAE
      • Part of subcall function 00441E94: SetLastError.KERNEL32(00000001,00438F04,004647C0,?,00464DF4,00000000,00000006,0045BD7A,00464DF4,-00000258,?,00000000), ref: 00441EC6
    • SetFileTime.KERNEL32(?,?,?,?), ref: 00455E0A
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • memcpy.MSVCRT ref: 00B95D6C
    • memcpy.MSVCRT ref: 00B95D81
    • memcpy.MSVCRT ref: 00B95D96
    • memcpy.MSVCRT ref: 00B95DA5
      • Part of subcall function 00B958ED: EnterCriticalSection.KERNEL32(00BA5AA4,?,00B95BB2,?,00B95C0A,?,?,?,?,C:\Documents and Settings\Administrator\Local Settings\Application Data,00000000,00000000,00000000,?,00000000), ref: 00B958FD
      • Part of subcall function 00B958ED: LeaveCriticalSection.KERNEL32(00BA5AA4,?,C:\Documents and Settings\Administrator\Local Settings\Application Data,00000000,00000000,00000000,?,00000000,?,00000002,?,C:\Documents and Settings\Administrator\Local Settings\Application Data,C:\Documents and Settings\Administrator\Local Settings\Application Data,?,00B9A856), ref: 00B9592C
      • Part of subcall function 00B81E94: GetModuleHandleW.KERNEL32(shell32.dll), ref: 00B81EA2
      • Part of subcall function 00B81E94: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00B81EAE
      • Part of subcall function 00B81E94: SetLastError.KERNEL32(00000001,00B78F04,00BA47C0,?,00BA4DF4,00000000,00000006,00B9BD7A,00BA4DF4,-00000258,?,00000000), ref: 00B81EC6
    • SetFileTime.KERNEL32(?,?,?,?), ref: 00B95E0A
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • GetFileAttributesW.KERNEL32 ref: 00462485
    • FlushFileBuffers.KERNEL32 ref: 0046256B
      • Part of subcall function 0043913F: FindFirstFileW.KERNEL32(?), ref: 00439170
      • Part of subcall function 0043913F: FindNextFileW.KERNEL32(?,?), ref: 004391C2
      • Part of subcall function 0043913F: FindClose.KERNEL32 ref: 004391CD
      • Part of subcall function 0043913F: SetFileAttributesW.KERNEL32(?,00000080), ref: 004391D9
      • Part of subcall function 0043913F: RemoveDirectoryW.KERNEL32 ref: 004391E0
      • Part of subcall function 00455E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00455E26
      • Part of subcall function 00455E1D: DeleteFileW.KERNEL32 ref: 00455E2D
    • PathRemoveFileSpecW.SHLWAPI(?), ref: 004624BA
      • Part of subcall function 00455947: GetTempPathW.KERNEL32(00000104,?), ref: 00455962
      • Part of subcall function 00455947: PathAddBackslashW.SHLWAPI(?), ref: 0045598C
      • Part of subcall function 00455947: CreateDirectoryW.KERNEL32(?), ref: 00455A44
      • Part of subcall function 00455947: SetFileAttributesW.KERNEL32(?), ref: 00455A55
      • Part of subcall function 00455947: CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 00455A6E
      • Part of subcall function 00455947: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000080,?,?,00000000), ref: 00455A7F
    • MoveFileExW.KERNEL32(?,?,00000001), ref: 00462501
    • CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 0046251A
      • Part of subcall function 00455B5F: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00455B87
      • Part of subcall function 00455934: CloseHandle.KERNEL32 ref: 00455940
    • Sleep.KERNEL32(00001388), ref: 0046255D
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • GetFileAttributesW.KERNEL32 ref: 00BA2485
    • FlushFileBuffers.KERNEL32 ref: 00BA256B
      • Part of subcall function 00B7913F: FindFirstFileW.KERNEL32(?), ref: 00B79170
      • Part of subcall function 00B7913F: FindNextFileW.KERNEL32(?,?), ref: 00B791C2
      • Part of subcall function 00B7913F: FindClose.KERNEL32 ref: 00B791CD
      • Part of subcall function 00B7913F: SetFileAttributesW.KERNEL32(?,00000080), ref: 00B791D9
      • Part of subcall function 00B7913F: RemoveDirectoryW.KERNEL32 ref: 00B791E0
      • Part of subcall function 00B95E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00B95E26
      • Part of subcall function 00B95E1D: DeleteFileW.KERNEL32 ref: 00B95E2D
    • PathRemoveFileSpecW.SHLWAPI(?), ref: 00BA24BA
      • Part of subcall function 00B95947: GetTempPathW.KERNEL32(00000104,?), ref: 00B95962
      • Part of subcall function 00B95947: PathAddBackslashW.SHLWAPI(?), ref: 00B9598C
      • Part of subcall function 00B95947: CreateDirectoryW.KERNEL32(?), ref: 00B95A44
      • Part of subcall function 00B95947: SetFileAttributesW.KERNEL32(?), ref: 00B95A55
      • Part of subcall function 00B95947: CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 00B95A6E
      • Part of subcall function 00B95947: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000080,?,?,00000000), ref: 00B95A7F
    • MoveFileExW.KERNEL32(?,?,00000001), ref: 00BA2501
    • CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 00BA251A
      • Part of subcall function 00B95B5F: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00B95B87
      • Part of subcall function 00B95934: CloseHandle.KERNEL32 ref: 00B95940
    • Sleep.KERNEL32(00001388), ref: 00BA255D
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00455BEB
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00B95BEB
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00465AA4,?,?,?,00450C47,?,?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00450AB3
    • LeaveCriticalSection.KERNEL32(00465AA4,?,?,?,00450C47,?,?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00450ADB
    • GetModuleHandleW.KERNEL32(advapi32.dll), ref: 00450AF7
    • GetProcAddress.KERNEL32 ref: 00450AFE
    • RegDeleteKeyW.ADVAPI32(?), ref: 00450B20
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(00BA5AA4,?,?,?,00B90C47,?,?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00B90AB3
    • LeaveCriticalSection.KERNEL32(00BA5AA4,?,?,?,00B90C47,?,?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00B90ADB
    • GetModuleHandleW.KERNEL32(advapi32.dll), ref: 00B90AF7
    • GetProcAddress.KERNEL32 ref: 00B90AFE
    • RegDeleteKeyW.ADVAPI32(?), ref: 00B90B20
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
      • Part of subcall function 00436A4D: TlsSetValue.KERNEL32(00000001,0044A796), ref: 00436A5A
    • GetCurrentThread.KERNEL32 ref: 0044A799
    • SetThreadPriority.KERNEL32 ref: 0044A7A0
      • Part of subcall function 0045C09D: CreateMutexW.KERNEL32(004649B4,00000000), ref: 0045C0BF
      • Part of subcall function 0044204E: memcpy.MSVCRT ref: 0044205C
      • Part of subcall function 0045570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0045ABEA,0045ABEA), ref: 0045573C
      • Part of subcall function 0044A755: PathFindFileNameW.SHLWAPI(000001ED), ref: 0044A759
      • Part of subcall function 0044A755: PathRemoveExtensionW.SHLWAPI ref: 0044A76D
      • Part of subcall function 0044A755: CharUpperW.USER32 ref: 0044A777
    • PathQuoteSpacesW.SHLWAPI ref: 0044A83E
      • Part of subcall function 0045AFD3: WaitForSingleObject.KERNEL32(00000000,0044A849), ref: 0045AFDB
    • WaitForSingleObject.KERNEL32 ref: 0044A879
    • StrCmpW.SHLWAPI ref: 0044A8D7
      • Part of subcall function 004507B0: RegCreateKeyExW.ADVAPI32(80000001,00000102,00000000,00000000,00000000,?,00000000,?,?), ref: 004507D8
    • RegSetValueExW.ADVAPI32(000000FF,?,00000000,00000001), ref: 0044A938
      • Part of subcall function 00450755: RegFlushKey.ADVAPI32 ref: 00450765
      • Part of subcall function 00450755: RegCloseKey.ADVAPI32 ref: 0045076D
    • WaitForSingleObject.KERNEL32 ref: 0044A959
      • Part of subcall function 0043766D: ReleaseMutex.KERNEL32 ref: 00437671
      • Part of subcall function 0043766D: CloseHandle.KERNEL32 ref: 00437678
      • Part of subcall function 0044B7FF: EnterCriticalSection.KERNEL32(004647FC,?,?,004559A9,00000000), ref: 0044B80C
      • Part of subcall function 0044B7FF: LeaveCriticalSection.KERNEL32(004647FC,?,?,004559A9,00000000), ref: 0044B81A
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00438FE0
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 00438FEA
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439033
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439060
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 0043906A
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 0044A7EC
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B76A4D: TlsSetValue.KERNEL32(00000001,00B82D2F), ref: 00B76A5A
    • GetCurrentThread.KERNEL32 ref: 00B8A799
    • SetThreadPriority.KERNEL32 ref: 00B8A7A0
      • Part of subcall function 00B9C09D: CreateMutexW.KERNEL32(00BA49B4,00000000), ref: 00B9C0BF
      • Part of subcall function 00B8204E: memcpy.MSVCRT ref: 00B8205C
      • Part of subcall function 00B9570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00B9ABEA,00B9ABEA), ref: 00B9573C
      • Part of subcall function 00B8A755: PathFindFileNameW.SHLWAPI(000001ED), ref: 00B8A759
      • Part of subcall function 00B8A755: PathRemoveExtensionW.SHLWAPI ref: 00B8A76D
      • Part of subcall function 00B8A755: CharUpperW.USER32 ref: 00B8A777
    • PathQuoteSpacesW.SHLWAPI ref: 00B8A83E
      • Part of subcall function 00B9AFD3: WaitForSingleObject.KERNEL32(00000000,00B82D5B), ref: 00B9AFDB
    • WaitForSingleObject.KERNEL32 ref: 00B8A879
    • StrCmpW.SHLWAPI ref: 00B8A8D7
      • Part of subcall function 00B907B0: RegCreateKeyExW.ADVAPI32(80000001,00000102,00000000,00000000,00000000,?,00000000,?,?), ref: 00B907D8
    • RegSetValueExW.ADVAPI32(000000FF,?,00000000,00000001), ref: 00B8A938
      • Part of subcall function 00B90755: RegFlushKey.ADVAPI32 ref: 00B90765
      • Part of subcall function 00B90755: RegCloseKey.ADVAPI32 ref: 00B9076D
    • WaitForSingleObject.KERNEL32 ref: 00B8A959
      • Part of subcall function 00B7766D: ReleaseMutex.KERNEL32 ref: 00B77671
      • Part of subcall function 00B7766D: CloseHandle.KERNEL32 ref: 00B77678
      • Part of subcall function 00B8B7FF: EnterCriticalSection.KERNEL32(00BA47FC,?,?,00B959A9,00000000), ref: 00B8B80C
      • Part of subcall function 00B8B7FF: LeaveCriticalSection.KERNEL32(00BA47FC,?,?,00B959A9,00000000), ref: 00B8B81A
      • Part of subcall function 00B78F6F: memcpy.MSVCRT ref: 00B78FE0
      • Part of subcall function 00B78F6F: PathRemoveBackslashW.SHLWAPI ref: 00B78FEA
      • Part of subcall function 00B78F6F: memcpy.MSVCRT ref: 00B79033
      • Part of subcall function 00B78F6F: memcpy.MSVCRT ref: 00B79060
      • Part of subcall function 00B78F6F: PathRemoveBackslashW.SHLWAPI ref: 00B7906A
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 00B8A7EC
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • GetTickCount.KERNEL32 ref: 00449ECE
    • EnterCriticalSection.KERNEL32 ref: 00449EE3
    • WaitForSingleObject.KERNEL32(?,000927C0), ref: 00449F28
    • GetTickCount.KERNEL32 ref: 00449F3B
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 00456875: GetSystemTime.KERNEL32 ref: 0045687F
      • Part of subcall function 004494FB: WaitForSingleObject.KERNEL32(?,00000000), ref: 00449503
    • GetTickCount.KERNEL32 ref: 0044A135
      • Part of subcall function 00441B5D: memcmp.MSVCRT ref: 00441B69
      • Part of subcall function 004493A8: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0044A111), ref: 004493BE
      • Part of subcall function 004493A8: memcpy.MSVCRT ref: 00449419
      • Part of subcall function 004493A8: LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0044A111,?,00000002), ref: 00449429
      • Part of subcall function 004493A8: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 0044945D
      • Part of subcall function 004493A8: LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0044A111), ref: 004494E9
      • Part of subcall function 00449A6F: memset.MSVCRT ref: 00449B47
      • Part of subcall function 00449A6F: memcpy.MSVCRT ref: 00449BA2
      • Part of subcall function 00449A6F: memcmp.MSVCRT ref: 00449C1B
      • Part of subcall function 00449A6F: memcpy.MSVCRT ref: 00449C6F
      • Part of subcall function 00449A6F: EnterCriticalSection.KERNEL32(?,?,00000FA0,?,-00001388), ref: 00449D42
      • Part of subcall function 00449A6F: LeaveCriticalSection.KERNEL32(?,?,?,00000FA0,?,-00001388), ref: 00449D60
    • GetTickCount.KERNEL32 ref: 0044A16E
    • LeaveCriticalSection.KERNEL32(?,?,00000002), ref: 0044A191
      • Part of subcall function 0044B7FF: EnterCriticalSection.KERNEL32(004647FC,?,?,004559A9,00000000), ref: 0044B80C
      • Part of subcall function 0044B7FF: LeaveCriticalSection.KERNEL32(004647FC,?,?,004559A9,00000000), ref: 0044B81A
    • WaitForSingleObject.KERNEL32(?,-001B7740), ref: 0044A1B6
    • LeaveCriticalSection.KERNEL32 ref: 0044A1CC
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • GetTickCount.KERNEL32 ref: 00B89ECE
    • EnterCriticalSection.KERNEL32 ref: 00B89EE3
    • WaitForSingleObject.KERNEL32(?,000927C0), ref: 00B89F28
    • GetTickCount.KERNEL32 ref: 00B89F3B
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
      • Part of subcall function 00B96875: GetSystemTime.KERNEL32 ref: 00B9687F
      • Part of subcall function 00B894FB: WaitForSingleObject.KERNEL32(?,00000000), ref: 00B89503
    • GetTickCount.KERNEL32 ref: 00B8A135
      • Part of subcall function 00B81B5D: memcmp.MSVCRT ref: 00B81B69
      • Part of subcall function 00B893A8: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00B8A111), ref: 00B893BE
      • Part of subcall function 00B893A8: memcpy.MSVCRT ref: 00B89419
      • Part of subcall function 00B893A8: LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00B8A111,?,00000002), ref: 00B89429
      • Part of subcall function 00B893A8: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 00B8945D
      • Part of subcall function 00B893A8: LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00B8A111), ref: 00B894E9
      • Part of subcall function 00B89A6F: memset.MSVCRT ref: 00B89B47
      • Part of subcall function 00B89A6F: memcpy.MSVCRT ref: 00B89BA2
      • Part of subcall function 00B89A6F: memcmp.MSVCRT ref: 00B89C1B
      • Part of subcall function 00B89A6F: memcpy.MSVCRT ref: 00B89C6F
      • Part of subcall function 00B89A6F: EnterCriticalSection.KERNEL32(?,?,00000FA0,?,-00001388), ref: 00B89D42
      • Part of subcall function 00B89A6F: LeaveCriticalSection.KERNEL32(?,?,?,00000FA0,?,-00001388), ref: 00B89D60
    • GetTickCount.KERNEL32 ref: 00B8A16E
    • LeaveCriticalSection.KERNEL32(?,?,00000002), ref: 00B8A191
      • Part of subcall function 00B8B7FF: EnterCriticalSection.KERNEL32(00BA47FC,?,?,00B959A9,00000000), ref: 00B8B80C
      • Part of subcall function 00B8B7FF: LeaveCriticalSection.KERNEL32(00BA47FC,?,?,00B959A9,00000000), ref: 00B8B81A
    • WaitForSingleObject.KERNEL32(?,-001B7740), ref: 00B8A1B6
    • LeaveCriticalSection.KERNEL32 ref: 00B8A1CC
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
      • Part of subcall function 0044CAF1: WaitForSingleObject.KERNEL32(?,00000000), ref: 0044CB1D
      • Part of subcall function 0044CAF1: GetSystemTime.KERNEL32(?), ref: 0044CB54
      • Part of subcall function 0044CAF1: Sleep.KERNEL32(000005DC), ref: 0044CB6D
      • Part of subcall function 0044CAF1: WaitForSingleObject.KERNEL32(?,000005DC), ref: 0044CB76
      • Part of subcall function 0044CAF1: lstrcpyA.KERNEL32 ref: 0044CBD4
      • Part of subcall function 0044163A: memcmp.MSVCRT ref: 00441698
      • Part of subcall function 0044163A: memcpy.MSVCRT ref: 004416D6
      • Part of subcall function 0045AFE8: memcpy.MSVCRT ref: 0045AFF8
      • Part of subcall function 00441781: memset.MSVCRT ref: 00441794
      • Part of subcall function 00441781: memcpy.MSVCRT ref: 004417AF
      • Part of subcall function 00441781: memcpy.MSVCRT ref: 004417D7
      • Part of subcall function 00441781: memcpy.MSVCRT ref: 004417FB
    • memset.MSVCRT ref: 00449B47
      • Part of subcall function 004493A8: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0044A111), ref: 004493BE
      • Part of subcall function 004493A8: memcpy.MSVCRT ref: 00449419
      • Part of subcall function 004493A8: LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0044A111,?,00000002), ref: 00449429
      • Part of subcall function 004493A8: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 0044945D
      • Part of subcall function 004493A8: LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0044A111), ref: 004494E9
      • Part of subcall function 00441B16: EnterCriticalSection.KERNEL32(00465AA4,?,00448DDC,?,?,?,?,0045B233,?,00000001), ref: 00441B26
      • Part of subcall function 00441B16: LeaveCriticalSection.KERNEL32(00465AA4,?,00448DDC,?,?,?,?,0045B233,?,00000001), ref: 00441B50
    • memcpy.MSVCRT ref: 00449BA2
      • Part of subcall function 004494FB: WaitForSingleObject.KERNEL32(?,00000000), ref: 00449503
    • memcmp.MSVCRT ref: 00449C1B
      • Part of subcall function 00442543: HeapAlloc.KERNEL32(00000008,?,?,00000000,0044D89F,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7,?,@echo off%sdel /F "%s"), ref: 0044256D
      • Part of subcall function 00442543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0044D89F,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7), ref: 00442580
    • memcpy.MSVCRT ref: 00449C6F
      • Part of subcall function 00441A4F: memcmp.MSVCRT ref: 00441A6B
      • Part of subcall function 00441B5D: memcmp.MSVCRT ref: 00441B69
      • Part of subcall function 0044B7FF: EnterCriticalSection.KERNEL32(004647FC,?,?,004559A9,00000000), ref: 0044B80C
      • Part of subcall function 0044B7FF: LeaveCriticalSection.KERNEL32(004647FC,?,?,004559A9,00000000), ref: 0044B81A
      • Part of subcall function 00437E58: memcpy.MSVCRT ref: 00437E70
    • EnterCriticalSection.KERNEL32(?,?,00000FA0,?,-00001388), ref: 00449D42
    • LeaveCriticalSection.KERNEL32(?,?,?,00000FA0,?,-00001388), ref: 00449D60
      • Part of subcall function 00441821: memcpy.MSVCRT ref: 00441848
      • Part of subcall function 00441728: memcpy.MSVCRT ref: 00441771
      • Part of subcall function 004419AE: memcmp.MSVCRT ref: 00441A24
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 00434C10: _errno.MSVCRT ref: 00434C2B
      • Part of subcall function 00434C10: _errno.MSVCRT ref: 00434C5D
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B8CAF1: WaitForSingleObject.KERNEL32(?,00000000), ref: 00B8CB1D
      • Part of subcall function 00B8CAF1: GetSystemTime.KERNEL32(?), ref: 00B8CB54
      • Part of subcall function 00B8CAF1: Sleep.KERNEL32(000005DC), ref: 00B8CB6D
      • Part of subcall function 00B8CAF1: WaitForSingleObject.KERNEL32(?,000005DC), ref: 00B8CB76
      • Part of subcall function 00B8CAF1: lstrcpyA.KERNEL32 ref: 00B8CBD4
      • Part of subcall function 00B8163A: memcmp.MSVCRT ref: 00B81698
      • Part of subcall function 00B8163A: memcpy.MSVCRT ref: 00B816D6
      • Part of subcall function 00B9AFE8: memcpy.MSVCRT ref: 00B9AFF8
      • Part of subcall function 00B81781: memset.MSVCRT ref: 00B81794
      • Part of subcall function 00B81781: memcpy.MSVCRT ref: 00B817AF
      • Part of subcall function 00B81781: memcpy.MSVCRT ref: 00B817D7
      • Part of subcall function 00B81781: memcpy.MSVCRT ref: 00B817FB
    • memset.MSVCRT ref: 00B89B47
      • Part of subcall function 00B893A8: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00B8A111), ref: 00B893BE
      • Part of subcall function 00B893A8: memcpy.MSVCRT ref: 00B89419
      • Part of subcall function 00B893A8: LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00B8A111,?,00000002), ref: 00B89429
      • Part of subcall function 00B893A8: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 00B8945D
      • Part of subcall function 00B893A8: LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00B8A111), ref: 00B894E9
      • Part of subcall function 00B81B16: EnterCriticalSection.KERNEL32(00BA5AA4,?,00B88DDC,?,?,?,?,00B9B233,?,00000001), ref: 00B81B26
      • Part of subcall function 00B81B16: LeaveCriticalSection.KERNEL32(00BA5AA4,?,00B88DDC,?,?,?,?,00B9B233,?,00000001), ref: 00B81B50
    • memcpy.MSVCRT ref: 00B89BA2
      • Part of subcall function 00B894FB: WaitForSingleObject.KERNEL32(?,00000000), ref: 00B89503
    • memcmp.MSVCRT ref: 00B89C1B
      • Part of subcall function 00B82543: HeapAlloc.KERNEL32(00000008,?,?,00000000,00B8D89F,?,?,?,00000000,00000000,00000000,00B8D869,?,00B7B3C7,?,@echo off%sdel /F "%s"), ref: 00B8256D
      • Part of subcall function 00B82543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00B8D89F,?,?,?,00000000,00000000,00000000,00B8D869,?,00B7B3C7), ref: 00B82580
    • memcpy.MSVCRT ref: 00B89C6F
      • Part of subcall function 00B81A4F: memcmp.MSVCRT ref: 00B81A6B
      • Part of subcall function 00B81B5D: memcmp.MSVCRT ref: 00B81B69
      • Part of subcall function 00B8B7FF: EnterCriticalSection.KERNEL32(00BA47FC,?,?,00B959A9,00000000), ref: 00B8B80C
      • Part of subcall function 00B8B7FF: LeaveCriticalSection.KERNEL32(00BA47FC,?,?,00B959A9,00000000), ref: 00B8B81A
      • Part of subcall function 00B77E58: memcpy.MSVCRT ref: 00B77E70
    • EnterCriticalSection.KERNEL32(?,?,00000FA0,?,-00001388), ref: 00B89D42
    • LeaveCriticalSection.KERNEL32(?,?,?,00000FA0,?,-00001388), ref: 00B89D60
      • Part of subcall function 00B81821: memcpy.MSVCRT ref: 00B81848
      • Part of subcall function 00B81728: memcpy.MSVCRT ref: 00B81771
      • Part of subcall function 00B819AE: memcmp.MSVCRT ref: 00B81A24
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
      • Part of subcall function 00B74C10: _errno.MSVCRT ref: 00B74C2B
      • Part of subcall function 00B74C10: _errno.MSVCRT ref: 00B74C5D
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • GetModuleHandleA.KERNEL32(kernel32), ref: 00A31844
    • GetProcAddress.KERNEL32 ref: 00A3184B
    • GetCurrentProcess.KERNEL32 ref: 00A3185E
    • IsWow64Process.KERNEL32 ref: 00A31865
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.678185872.00A30000.00000040.sdmp, Offset: 00A30000, based on PE: false
    APIs
    • GetCPInfo.KERNEL32(?,?), ref: 00404089
    • GetCPInfo.KERNEL32(?,?), ref: 0040409C
    • MultiByteToWideChar.KERNEL32(00000008,00000001,?,?,00000000,00000000), ref: 004040E1
    • MultiByteToWideChar.KERNEL32(00000008,00000001,00000001,?,?,00000001), ref: 00404163
    • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 00404184
    • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 004041A5
      • Part of subcall function 004024C3: HeapAlloc.KERNEL32(00000008,?,00492370,00000010,00401BB6,00000001,0000008C,?,00000000,004033DA,00401FB5,?,00492268,00000008,0040200C,?), ref: 00402545
    • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000001,00000000,00000000), ref: 004041CC
      • Part of subcall function 00484FDC: ExitProcess.KERNEL32(00000003,004922F8,00000008,00401452), ref: 00484FD5
      • Part of subcall function 0040230E: HeapFree.KERNEL32(00000000,?,00492318,0000000C,00401F0C,?,?,?,00000000,?,00401E30,?,00491DB0,00000060), ref: 00402373
    Memory Dump Source
    • Source File: 00000003.00000000.254658263.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000000.254647752.00400000.00000002.sdmp
    • Associated: 00000003.00000000.254742621.00487000.00000002.sdmp
    • Associated: 00000003.00000000.254759473.00494000.00000008.sdmp
    • Associated: 00000003.00000000.254780696.004A1000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(00BA5AA4,?,?,?,?,?,?,?,?,?,?), ref: 00BA1CE8
    • LeaveCriticalSection.KERNEL32(00BA5AA4,?,?,?,?,?,?,?,?,?), ref: 00BA1D12
      • Part of subcall function 00B9FEDF: memset.MSVCRT ref: 00B9FEF5
      • Part of subcall function 00B9FEDF: InitializeCriticalSection.KERNEL32(00BA5050), ref: 00B9FF05
      • Part of subcall function 00B9FEDF: memset.MSVCRT ref: 00B9FF34
      • Part of subcall function 00B9FEDF: InitializeCriticalSection.KERNEL32(00BA5030), ref: 00B9FF3E
      • Part of subcall function 00B824C1: HeapAlloc.KERNEL32(00000000,00000028,?,00B9D211,?,?,00000000,?,?,00000001), ref: 00B824D2
      • Part of subcall function 00B79FB3: memcpy.MSVCRT ref: 00B79FE9
    • memcmp.MSVCRT ref: 00BA1E03
    • memcmp.MSVCRT ref: 00BA1E34
      • Part of subcall function 00B79F5F: memcpy.MSVCRT ref: 00B79F99
    • EnterCriticalSection.KERNEL32(00BA5050), ref: 00BA1EA7
      • Part of subcall function 00B9FFD8: GetTickCount.KERNEL32 ref: 00B9FFDF
      • Part of subcall function 00BA03D0: EnterCriticalSection.KERNEL32(00BA5030,00BA506C,?,?,00BA5050), ref: 00BA03E3
      • Part of subcall function 00BA03D0: LeaveCriticalSection.KERNEL32(00BA5030,?,?,00BA5050), ref: 00BA0559
      • Part of subcall function 00BA061B: EnterCriticalSection.KERNEL32(01311FC0,?,?,?,?,00BA5050), ref: 00BA06F5
      • Part of subcall function 00BA061B: LeaveCriticalSection.KERNEL32(01311FC0,000000FF,00000000,?,?,?,?,00BA5050), ref: 00BA071D
    • LeaveCriticalSection.KERNEL32(00BA5050,00BA506C,00BA506C,00BA506C), ref: 00BA1EF7
      • Part of subcall function 00B9DD3E: lstrlenA.KERNEL32(?,?,?,?,?,?,00BA506C,?,?,00BA5050), ref: 00B9DD52
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • OpenProcessToken.ADVAPI32(000000FF,00000008), ref: 0043B03B
    • GetTokenInformation.ADVAPI32(?,00000019,00000000,00000000), ref: 0043B054
    • GetLastError.KERNEL32(?,?,00000000,?,?,00000000,0045AA69,?,0045ADD5,?,?,?,00000001), ref: 0043B05E
      • Part of subcall function 004424DA: HeapAlloc.KERNEL32(00000008,?,?,0043B076,?,?,?,00000000,?,?,00000000,0045AA69,?,0045ADD5), ref: 004424EB
    • GetTokenInformation.ADVAPI32(?,00000019,?,?), ref: 0043B089
    • GetSidSubAuthorityCount.ADVAPI32(?,?,?,?,?,?,?,00000000,?,?,00000000,0045AA69,?,0045ADD5), ref: 0043B095
    • GetSidSubAuthority.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,0045AA69,?,0045ADD5), ref: 0043B0AC
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • CloseHandle.KERNEL32(?), ref: 0043B0D8
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • OpenProcessToken.ADVAPI32(000000FF,00000008), ref: 00B7B03B
    • GetTokenInformation.ADVAPI32(?,00000019,00000000,00000000), ref: 00B7B054
    • GetLastError.KERNEL32(?,?,00000000,?,?,00000000,00B9AA69,?,00B9ADD5,?,?,?,00000001), ref: 00B7B05E
      • Part of subcall function 00B824DA: HeapAlloc.KERNEL32(00000008,?,?,00B7B076,?,?,?,00000000,?,?,00000000,00B9AA69,?,00B9ADD5), ref: 00B824EB
    • GetTokenInformation.ADVAPI32(?,00000019,?,?), ref: 00B7B089
    • GetSidSubAuthorityCount.ADVAPI32(?,?,?,?,?,?,?,00000000,?,?,00000000,00B9AA69,?,00B9ADD5), ref: 00B7B095
    • GetSidSubAuthority.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00B9AA69,?,00B9ADD5), ref: 00B7B0AC
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
    • CloseHandle.KERNEL32(?), ref: 00B7B0D8
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
      • Part of subcall function 0045C09D: CreateMutexW.KERNEL32(004649B4,00000000), ref: 0045C0BF
      • Part of subcall function 0044204E: memcpy.MSVCRT ref: 0044205C
      • Part of subcall function 00448432: CreateFileW.KERNEL32(009B1EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0044844B
      • Part of subcall function 00448432: GetFileSizeEx.KERNEL32 ref: 0044845E
      • Part of subcall function 00448432: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00448484
      • Part of subcall function 00448432: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0044849C
      • Part of subcall function 00448432: VirtualFree.KERNEL32(?,00000000,00008000), ref: 004484BA
      • Part of subcall function 00448432: CloseHandle.KERNEL32 ref: 004484C3
    • memset.MSVCRT ref: 0044B42B
    • memcpy.MSVCRT ref: 0044B457
      • Part of subcall function 00456875: GetSystemTime.KERNEL32 ref: 0045687F
      • Part of subcall function 004424F3: HeapAlloc.KERNEL32(00000000,?,?,?,00436328,?,?,00458D10,?,?,?,?,0000FFFF), ref: 0044251D
      • Part of subcall function 004424F3: HeapReAlloc.KERNEL32(00000000,?,?,?,?,00436328,?,?,00458D10,?,?,?,?,0000FFFF), ref: 00442530
      • Part of subcall function 004371D5: memcpy.MSVCRT ref: 004372E6
    • CreateFileW.KERNEL32(0042AF54,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 0044B55C
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0044B578
      • Part of subcall function 00455934: CloseHandle.KERNEL32 ref: 00455940
      • Part of subcall function 0043766D: ReleaseMutex.KERNEL32 ref: 00437671
      • Part of subcall function 0043766D: CloseHandle.KERNEL32 ref: 00437678
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 0044B161: memset.MSVCRT ref: 0044B170
      • Part of subcall function 0044B161: memset.MSVCRT ref: 0044B1B3
      • Part of subcall function 0044B161: memset.MSVCRT ref: 0044B1E9
      • Part of subcall function 00450370: VirtualFree.KERNEL32(?,00000000,00008000), ref: 0045037F
      • Part of subcall function 0044FE5C: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0044FEC2
      • Part of subcall function 0044FE5C: memcpy.MSVCRT ref: 0044FEDC
      • Part of subcall function 0044FE5C: VirtualProtect.KERNEL32(?,?,00000002,-00000048), ref: 0044FEEF
      • Part of subcall function 0044FE5C: memset.MSVCRT ref: 0044FF46
      • Part of subcall function 0044FE5C: memcpy.MSVCRT ref: 0044FF5A
      • Part of subcall function 0044FE5C: VirtualProtect.KERNEL32(?,?,?,-00000048), ref: 00450049
      • Part of subcall function 004373E0: memcmp.MSVCRT ref: 00437489
      • Part of subcall function 004484D3: VirtualFree.KERNEL32(?,00000000,00008000), ref: 004484E4
      • Part of subcall function 004484D3: CloseHandle.KERNEL32 ref: 004484F3
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.678185872.00A30000.00000040.sdmp, Offset: 00A30000, based on PE: false
    APIs
      • Part of subcall function 004424C1: HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
    • WSASetLastError.WS2_32(00000008,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00000001), ref: 0043C3C0
    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,?), ref: 0043C40C
      • Part of subcall function 0043BEC0: WSAGetLastError.WS2_32 ref: 0043BEF6
      • Part of subcall function 0043BEC0: WSASetLastError.WS2_32(?,?,?,?), ref: 0043BF3E
    • WSAGetLastError.WS2_32(?,00000800,?,00000000,?), ref: 0043C4EC
    • shutdown.WS2_32(?,00000001), ref: 0043C517
    • WaitForMultipleObjects.KERNEL32(?,?,00000000,?), ref: 0043C540
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • WSASetLastError.WS2_32(0000274C,?,?,?,?,?,?,?,?,00000000,?,?,?,00000001,?,00002710), ref: 0043C594
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B824C1: HeapAlloc.KERNEL32(00000000,00000028,?,00B9D211,?,?,00000000,?,?,00000001), ref: 00B824D2
    • WSASetLastError.WS2_32(00000008,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00000001), ref: 00B7C3C0
    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,?), ref: 00B7C40C
      • Part of subcall function 00B7BEC0: WSAGetLastError.WS2_32 ref: 00B7BEF6
      • Part of subcall function 00B7BEC0: WSASetLastError.WS2_32(?,?,?,?), ref: 00B7BF3E
    • WSAGetLastError.WS2_32(?,00000800,?,00000000,?), ref: 00B7C4EC
    • shutdown.WS2_32(?,00000001), ref: 00B7C517
    • WaitForMultipleObjects.KERNEL32(?,?,00000000,?), ref: 00B7C540
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
    • WSASetLastError.WS2_32(0000274C,?,?,?,?,?,?,?,?,00000000,?,?,?,00000001,?,00002710), ref: 00B7C594
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00401367
      • Part of subcall function 00402096: LoadLibraryA.KERNEL32(user32.dll), ref: 004020AE
      • Part of subcall function 00402096: GetProcAddress.KERNEL32(?,MessageBoxA), ref: 004020CA
      • Part of subcall function 00402096: GetProcAddress.KERNEL32(?,GetActiveWindow), ref: 004020DB
      • Part of subcall function 00402096: GetProcAddress.KERNEL32(?,GetLastActivePopup), ref: 004020E8
      • Part of subcall function 00402096: GetProcAddress.KERNEL32(?,GetUserObjectInformationA), ref: 004020FE
      • Part of subcall function 00402096: GetProcAddress.KERNEL32(?,GetProcessWindowStation), ref: 0040210F
    • GetStdHandle.KERNEL32(000000F4), ref: 00401434
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040143B
      • Part of subcall function 00484FDC: ExitProcess.KERNEL32(00000003,004922F8,00000008,00401452), ref: 00484FD5
    Strings
    Memory Dump Source
    • Source File: 00000003.00000000.254658263.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000000.254647752.00400000.00000002.sdmp
    • Associated: 00000003.00000000.254742621.00487000.00000002.sdmp
    • Associated: 00000003.00000000.254759473.00494000.00000008.sdmp
    • Associated: 00000003.00000000.254780696.004A1000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(00000000,?,00000000,?), ref: 0045C5BC
    • LeaveCriticalSection.KERNEL32(00000000,?,00000000,?), ref: 0045C66C
      • Part of subcall function 00437FA8: LoadLibraryA.KERNEL32(gdiplus.dll), ref: 00437FBA
      • Part of subcall function 00437FA8: GetProcAddress.KERNEL32(?,GdiplusStartup), ref: 00437FD2
      • Part of subcall function 00437FA8: CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00438011
      • Part of subcall function 00437FA8: CreateCompatibleDC.GDI32 ref: 00438022
      • Part of subcall function 00437FA8: LoadCursorW.USER32(00000000,00007F00), ref: 00438038
      • Part of subcall function 00437FA8: GetIconInfo.USER32 ref: 0043804C
      • Part of subcall function 00437FA8: GetCursorPos.USER32(?), ref: 0043805B
      • Part of subcall function 00437FA8: GetDeviceCaps.GDI32(?,00000008), ref: 00438072
      • Part of subcall function 00437FA8: GetDeviceCaps.GDI32(?,0000000A), ref: 0043807B
      • Part of subcall function 00437FA8: CreateCompatibleBitmap.GDI32(?,?), ref: 00438087
      • Part of subcall function 00437FA8: SelectObject.GDI32 ref: 00438095
      • Part of subcall function 00437FA8: BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,40CC0020), ref: 004380B6
      • Part of subcall function 00437FA8: DrawIcon.USER32(?,?,?,?), ref: 004380E8
      • Part of subcall function 00437FA8: SelectObject.GDI32(?,?), ref: 00438104
      • Part of subcall function 00437FA8: DeleteObject.GDI32 ref: 0043810B
      • Part of subcall function 00437FA8: DeleteDC.GDI32 ref: 00438112
      • Part of subcall function 00437FA8: DeleteDC.GDI32 ref: 00438119
      • Part of subcall function 00437FA8: FreeLibrary.KERNEL32(?), ref: 00438129
      • Part of subcall function 00437FA8: GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 0043813F
      • Part of subcall function 00437FA8: FreeLibrary.KERNEL32(?), ref: 00438153
    • GetTickCount.KERNEL32 ref: 0045C616
    • GetCurrentProcessId.KERNEL32 ref: 0045C61D
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • GetKeyboardState.USER32 ref: 0045C688
    • ToUnicode.USER32(?,?,?,?,00000009,00000000), ref: 0045C6AB
      • Part of subcall function 0045C410: EnterCriticalSection.KERNEL32(00000000,00000000,?,?,?,0045C6E4,?,?,?,?,?,00000009,00000000,?,?,00000000), ref: 0045C42A
      • Part of subcall function 0045C410: memcpy.MSVCRT ref: 0045C49B
      • Part of subcall function 0045C410: memcpy.MSVCRT ref: 0045C4BF
      • Part of subcall function 0045C410: memcpy.MSVCRT ref: 0045C4D6
      • Part of subcall function 0045C410: memcpy.MSVCRT ref: 0045C4F6
      • Part of subcall function 0045C410: LeaveCriticalSection.KERNEL32(00000000,?,00000000,?), ref: 0045C511
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(01311FC0,?,6FFF0300,?), ref: 00B9C5BC
    • LeaveCriticalSection.KERNEL32(01311FC0,?,6FFF0300,?), ref: 00B9C66C
      • Part of subcall function 00B77FA8: LoadLibraryA.KERNEL32(gdiplus.dll), ref: 00B77FBA
      • Part of subcall function 00B77FA8: GetProcAddress.KERNEL32(?,GdiplusStartup), ref: 00B77FD2
      • Part of subcall function 00B77FA8: CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00B78011
      • Part of subcall function 00B77FA8: CreateCompatibleDC.GDI32 ref: 00B78022
      • Part of subcall function 00B77FA8: LoadCursorW.USER32(00000000,00007F00), ref: 00B78038
      • Part of subcall function 00B77FA8: GetIconInfo.USER32 ref: 00B7804C
      • Part of subcall function 00B77FA8: GetCursorPos.USER32(?), ref: 00B7805B
      • Part of subcall function 00B77FA8: GetDeviceCaps.GDI32(?,00000008), ref: 00B78072
      • Part of subcall function 00B77FA8: GetDeviceCaps.GDI32(?,0000000A), ref: 00B7807B
      • Part of subcall function 00B77FA8: CreateCompatibleBitmap.GDI32(?,?), ref: 00B78087
      • Part of subcall function 00B77FA8: SelectObject.GDI32 ref: 00B78095
      • Part of subcall function 00B77FA8: BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,40CC0020), ref: 00B780B6
      • Part of subcall function 00B77FA8: DrawIcon.USER32(?,?,?,?), ref: 00B780E8
      • Part of subcall function 00B77FA8: SelectObject.GDI32(?,?), ref: 00B78104
      • Part of subcall function 00B77FA8: DeleteObject.GDI32 ref: 00B7810B
      • Part of subcall function 00B77FA8: DeleteDC.GDI32 ref: 00B78112
      • Part of subcall function 00B77FA8: DeleteDC.GDI32 ref: 00B78119
      • Part of subcall function 00B77FA8: FreeLibrary.KERNEL32(?), ref: 00B78129
      • Part of subcall function 00B77FA8: GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 00B7813F
      • Part of subcall function 00B77FA8: FreeLibrary.KERNEL32(?), ref: 00B78153
    • GetTickCount.KERNEL32 ref: 00B9C616
    • GetCurrentProcessId.KERNEL32 ref: 00B9C61D
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
    • GetKeyboardState.USER32 ref: 00B9C688
    • ToUnicode.USER32(?,?,?,?,00000009,00000000), ref: 00B9C6AB
      • Part of subcall function 00B9C410: EnterCriticalSection.KERNEL32(01311FC0,01311FC0,?,?,?,00B9C6E4,?,?,?,?,?,00000009,00000000,?,?,6FFF0300), ref: 00B9C42A
      • Part of subcall function 00B9C410: memcpy.MSVCRT ref: 00B9C49B
      • Part of subcall function 00B9C410: memcpy.MSVCRT ref: 00B9C4BF
      • Part of subcall function 00B9C410: memcpy.MSVCRT ref: 00B9C4D6
      • Part of subcall function 00B9C410: memcpy.MSVCRT ref: 00B9C4F6
      • Part of subcall function 00B9C410: LeaveCriticalSection.KERNEL32(01311FC0,?,6FFF0300,?), ref: 00B9C511
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • memset.MSVCRT ref: 004459C8
    • GlobalMemoryStatusEx.KERNEL32 ref: 004459DF
    • GetNativeSystemInfo.KERNEL32 ref: 00445A10
      • Part of subcall function 00450775: RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0045079C
    • GetSystemMetrics.USER32(0000004F), ref: 00445A9D
      • Part of subcall function 00450A1D: RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 00450A3A
      • Part of subcall function 00450755: RegFlushKey.ADVAPI32 ref: 00450765
      • Part of subcall function 00450755: RegCloseKey.ADVAPI32 ref: 0045076D
    • GetSystemMetrics.USER32(00000050), ref: 00445A90
    • GetSystemMetrics.USER32(0000004E), ref: 00445A97
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • memset.MSVCRT ref: 00B859C8
    • GlobalMemoryStatusEx.KERNEL32 ref: 00B859DF
    • GetNativeSystemInfo.KERNEL32 ref: 00B85A10
      • Part of subcall function 00B90775: RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B9079C
    • GetSystemMetrics.USER32(0000004F), ref: 00B85A9D
      • Part of subcall function 00B90A1D: RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 00B90A3A
      • Part of subcall function 00B90755: RegFlushKey.ADVAPI32 ref: 00B90765
      • Part of subcall function 00B90755: RegCloseKey.ADVAPI32 ref: 00B9076D
    • GetSystemMetrics.USER32(00000050), ref: 00B85A90
    • GetSystemMetrics.USER32(0000004E), ref: 00B85A97
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
      • Part of subcall function 0044204E: memcpy.MSVCRT ref: 0044205C
      • Part of subcall function 0045570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0045ABEA,0045ABEA), ref: 0045573C
    • lstrcatW.KERNEL32(?,.dat), ref: 0045AC32
    • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0045AC57
    • ReadFile.KERNEL32(?,?,000001FE,?,00000000), ref: 0045AC75
    • CloseHandle.KERNEL32 ref: 0045AC82
      • Part of subcall function 0045D2D7: EnterCriticalSection.KERNEL32(009B1E90,?), ref: 0045D2EB
      • Part of subcall function 0045D2D7: GetFileVersionInfoSizeW.VERSION(009B1EF0), ref: 0045D30C
      • Part of subcall function 0045D2D7: GetFileVersionInfoW.VERSION(009B1EF0,00000000), ref: 0045D32A
      • Part of subcall function 0045D2D7: LeaveCriticalSection.KERNEL32(009B1E90,00000001,00000001,00000001,00000001), ref: 0045D413
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00438FE0
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 00438FEA
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439033
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439060
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 0043906A
    Strings
    • .dat, xrefs: 0045AC26
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 0045ABF1
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • ConvertSidToStringSidW.ADVAPI32(?,?), ref: 0045B32F
    • PathUnquoteSpacesW.SHLWAPI ref: 0045B394
    • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 0045B3A3
    • LocalFree.KERNEL32(00000001), ref: 0045B3B7
    Strings
    • SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s, xrefs: 0045B34C
    • ProfileImagePath, xrefs: 0045B378
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • ConvertSidToStringSidW.ADVAPI32(?,?), ref: 00B9B32F
    • PathUnquoteSpacesW.SHLWAPI ref: 00B9B394
    • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00B9B3A3
    • LocalFree.KERNEL32(00000001), ref: 00B9B3B7
    Strings
    • SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s, xrefs: 00B9B34C
    • ProfileImagePath, xrefs: 00B9B378
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • GetTempPathW.KERNEL32(00000104), ref: 00B9AAB7
    • GetLongPathNameW.KERNEL32(?,C:\Documents and Settings\Administrator\Local Settings\Temp,00000104,?,?), ref: 00B9AACF
    • PathRemoveBackslashW.SHLWAPI(C:\Documents and Settings\Administrator\Local Settings\Temp), ref: 00B9AADA
      • Part of subcall function 00B78E53: EnterCriticalSection.KERNEL32(00BA5AA4,?,00BA4DF4,00000000,00000006,00B9BD7A,00BA4DF4,-00000258,?,00000000), ref: 00B78E6A
      • Part of subcall function 00B78E53: LeaveCriticalSection.KERNEL32(00BA5AA4,?,00000000), ref: 00B78E9D
      • Part of subcall function 00B78E53: CoTaskMemFree.OLE32(?), ref: 00B78F36
      • Part of subcall function 00B78E53: PathRemoveBackslashW.SHLWAPI(00000006), ref: 00B78F44
      • Part of subcall function 00B78E53: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,00000006), ref: 00B78F5C
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?), ref: 00B9AB00
      • Part of subcall function 00B79F5F: memcpy.MSVCRT ref: 00B79F99
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 00B9AAC2, 00B9AACD, 00B9AAD9
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00B9AAE0
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • GetModuleHandleA.KERNEL32(mscoree.dll), ref: 004011FF
    • GetProcAddress.KERNEL32(?,CorExitProcess), ref: 0040120F
    • ExitProcess.KERNEL32(?), ref: 00401223
      • Part of subcall function 00401FF3: EnterCriticalSection.KERNEL32(?,?,?,00402331,00000004,00492318,0000000C,00401F0C,?,?,?,00000000,?,00401E30,?,00491DB0), ref: 0040201B
    Memory Dump Source
    • Source File: 00000003.00000000.254658263.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000000.254647752.00400000.00000002.sdmp
    • Associated: 00000003.00000000.254742621.00487000.00000002.sdmp
    • Associated: 00000003.00000000.254759473.00494000.00000008.sdmp
    • Associated: 00000003.00000000.254780696.004A1000.00000002.sdmp
    APIs
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,?,00000000), ref: 004452E3
    • GetCommandLineW.KERNEL32 ref: 00445304
      • Part of subcall function 004511D5: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000000,00000000), ref: 004511FF
      • Part of subcall function 004511D5: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,?,00000000,00000000), ref: 00451234
    • GetUserNameExW.SECUR32(00000002,?,?,?,?,?,00000104), ref: 0044533C
    • GetProcessTimes.KERNEL32(000000FF), ref: 00445372
    • GetUserDefaultUILanguage.KERNEL32 ref: 004453E4
    • memcpy.MSVCRT ref: 00445418
    • memcpy.MSVCRT ref: 0044542D
    • memcpy.MSVCRT ref: 00445443
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 004424DA: HeapAlloc.KERNEL32(00000008,?,?,0043B076,?,?,?,00000000,?,?,00000000,0045AA69,?,0045ADD5), ref: 004424EB
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,?,00000000), ref: 00B852E3
    • GetCommandLineW.KERNEL32 ref: 00B85304
      • Part of subcall function 00B911D5: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00B911FF
      • Part of subcall function 00B911D5: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,?,00000000,00000000), ref: 00B91234
    • GetUserNameExW.SECUR32(00000002,?,?,?,?,?,00000104), ref: 00B8533C
    • GetProcessTimes.KERNEL32(000000FF), ref: 00B85372
    • GetUserDefaultUILanguage.KERNEL32 ref: 00B853E4
    • memcpy.MSVCRT ref: 00B85418
    • memcpy.MSVCRT ref: 00B8542D
    • memcpy.MSVCRT ref: 00B85443
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
      • Part of subcall function 00B824DA: HeapAlloc.KERNEL32(00000008,?,?,00B7B076,?,?,?,00000000,?,?,00000000,00B9AA69,?,00B9ADD5), ref: 00B824EB
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,00437E45,?,?,?,00000000), ref: 0044AEAE
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 0044AEE7
    • CloseHandle.KERNEL32 ref: 0044AEFA
      • Part of subcall function 004424C1: HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
    • memcpy.MSVCRT ref: 0044AF1D
    • memset.MSVCRT ref: 0044AF37
    • memcpy.MSVCRT ref: 0044AF7D
    • memset.MSVCRT ref: 0044AF9B
      • Part of subcall function 00438CBF: EnterCriticalSection.KERNEL32(?,?,?,00442B51,00000005,00007530,?,00000000,00000000), ref: 00438CC7
      • Part of subcall function 00438CBF: WaitForSingleObject.KERNEL32(?,00000000), ref: 00438CEB
      • Part of subcall function 00438CBF: CloseHandle.KERNEL32 ref: 00438CFB
      • Part of subcall function 00438CBF: LeaveCriticalSection.KERNEL32(?,?,?,?,00442B51,00000005,00007530,?,00000000,00000000), ref: 00438D2B
      • Part of subcall function 00438D34: EnterCriticalSection.KERNEL32(009B21B4,009B21A8,?,?,0044A99B,00000000,0044A6E2,00000000,?,00000000,?,?,?,0045B2E2,?,00000001), ref: 00438D3D
      • Part of subcall function 00438D34: CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00438D76
      • Part of subcall function 00438D34: DuplicateHandle.KERNEL32(000000FF,?,000000FF,0044A99B,00000000,00000000,00000002), ref: 00438D95
      • Part of subcall function 00438D34: GetLastError.KERNEL32(?,000000FF,0044A99B,00000000,00000000,00000002,?,?,0044A99B,00000000,0044A6E2,00000000,?,00000000), ref: 00438D9F
      • Part of subcall function 00438D34: TerminateThread.KERNEL32 ref: 00438DA7
      • Part of subcall function 00438D34: CloseHandle.KERNEL32 ref: 00438DAE
      • Part of subcall function 00438D34: LeaveCriticalSection.KERNEL32(009B21B4,?,0044A99B,00000000,0044A6E2,00000000,?,00000000,?,?,?,0045B2E2,?,00000001), ref: 00438DC3
      • Part of subcall function 00438D34: ResumeThread.KERNEL32 ref: 00438DDC
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00437E45,?,?,?,00000000), ref: 0044AFEF
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,00B77E45,?,?,?,00000000), ref: 00B8AEAE
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00B8AEE7
    • CloseHandle.KERNEL32 ref: 00B8AEFA
      • Part of subcall function 00B824C1: HeapAlloc.KERNEL32(00000000,00000028,?,00B9D211,?,?,00000000,?,?,00000001), ref: 00B824D2
    • memcpy.MSVCRT ref: 00B8AF1D
    • memset.MSVCRT ref: 00B8AF37
    • memcpy.MSVCRT ref: 00B8AF7D
    • memset.MSVCRT ref: 00B8AF9B
      • Part of subcall function 00B78CBF: EnterCriticalSection.KERNEL32(?,?,?,00B82B51,00000005,00007530,?,00000000,00000000), ref: 00B78CC7
      • Part of subcall function 00B78CBF: WaitForSingleObject.KERNEL32(?,00000000), ref: 00B78CEB
      • Part of subcall function 00B78CBF: CloseHandle.KERNEL32 ref: 00B78CFB
      • Part of subcall function 00B78CBF: LeaveCriticalSection.KERNEL32(?,?,?,?,00B82B51,00000005,00007530,?,00000000,00000000), ref: 00B78D2B
      • Part of subcall function 00B78D34: EnterCriticalSection.KERNEL32(01312054,01312048,?,?,00B8A99B,00000000,00B8A6E2,00000000,?,00000000,?,?,?,00B9B2E2,?,00000001), ref: 00B78D3D
      • Part of subcall function 00B78D34: CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B78D76
      • Part of subcall function 00B78D34: DuplicateHandle.KERNEL32(000000FF,?,000000FF,00B8A99B,00000000,00000000,00000002), ref: 00B78D95
      • Part of subcall function 00B78D34: GetLastError.KERNEL32(?,000000FF,00B8A99B,00000000,00000000,00000002,?,?,00B8A99B,00000000,00B8A6E2,00000000,?,00000000), ref: 00B78D9F
      • Part of subcall function 00B78D34: TerminateThread.KERNEL32 ref: 00B78DA7
      • Part of subcall function 00B78D34: CloseHandle.KERNEL32 ref: 00B78DAE
      • Part of subcall function 00B78D34: LeaveCriticalSection.KERNEL32(01312054,?,00B8A99B,00000000,00B8A6E2,00000000,?,00000000,?,?,?,00B9B2E2,?,00000001), ref: 00B78DC3
      • Part of subcall function 00B78D34: ResumeThread.KERNEL32 ref: 00B78DDC
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00B77E45,?,?,?,00000000), ref: 00B8AFEF
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • GetTempPathW.KERNEL32(00000104,?), ref: 00455962
    • PathAddBackslashW.SHLWAPI(?), ref: 0045598C
      • Part of subcall function 0044B7FF: EnterCriticalSection.KERNEL32(004647FC,?,?,004559A9,00000000), ref: 0044B80C
      • Part of subcall function 0044B7FF: LeaveCriticalSection.KERNEL32(004647FC,?,?,004559A9,00000000), ref: 0044B81A
    • CreateDirectoryW.KERNEL32(?), ref: 00455A44
    • SetFileAttributesW.KERNEL32(?), ref: 00455A55
    • CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 00455A6E
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000080,?,?,00000000), ref: 00455A7F
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • GetTempPathW.KERNEL32(00000104,?), ref: 00B95962
    • PathAddBackslashW.SHLWAPI(?), ref: 00B9598C
      • Part of subcall function 00B8B7FF: EnterCriticalSection.KERNEL32(00BA47FC,?,?,00B959A9,00000000), ref: 00B8B80C
      • Part of subcall function 00B8B7FF: LeaveCriticalSection.KERNEL32(00BA47FC,?,?,00B959A9,00000000), ref: 00B8B81A
    • CreateDirectoryW.KERNEL32(?), ref: 00B95A44
    • SetFileAttributesW.KERNEL32(?), ref: 00B95A55
    • CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 00B95A6E
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000080,?,?,00000000), ref: 00B95A7F
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • lstrlenA.KERNEL32(?,?), ref: 00442C1E
    • CreateMutexW.KERNEL32(004649B4,00000001), ref: 00442C76
    • GetLastError.KERNEL32(?,?,?,?,?), ref: 00442C86
    • CloseHandle.KERNEL32 ref: 00442C94
      • Part of subcall function 004424DA: HeapAlloc.KERNEL32(00000008,?,?,0043B076,?,?,?,00000000,?,?,00000000,0045AA69,?,0045ADD5), ref: 004424EB
    • memcpy.MSVCRT ref: 00442CBE
    • memcpy.MSVCRT ref: 00442CD2
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 0043B2E5: CreateThread.KERNEL32(00000000,00000000,00439DBA,?), ref: 0043B2F6
      • Part of subcall function 0043B2E5: CloseHandle.KERNEL32 ref: 0043B301
      • Part of subcall function 0043766D: ReleaseMutex.KERNEL32 ref: 00437671
      • Part of subcall function 0043766D: CloseHandle.KERNEL32 ref: 00437678
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • lstrlenA.KERNEL32(?,?), ref: 00B82C1E
    • CreateMutexW.KERNEL32(00BA49B4,00000001), ref: 00B82C76
    • GetLastError.KERNEL32(?,?,?,?,?), ref: 00B82C86
    • CloseHandle.KERNEL32 ref: 00B82C94
      • Part of subcall function 00B824DA: HeapAlloc.KERNEL32(00000008,?,?,00B7B076,?,?,?,00000000,?,?,00000000,00B9AA69,?,00B9ADD5), ref: 00B824EB
    • memcpy.MSVCRT ref: 00B82CBE
    • memcpy.MSVCRT ref: 00B82CD2
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
      • Part of subcall function 00B7B2E5: CreateThread.KERNEL32(00000000,00000000,00B79DBA,?), ref: 00B7B2F6
      • Part of subcall function 00B7B2E5: CloseHandle.KERNEL32 ref: 00B7B301
      • Part of subcall function 00B7766D: ReleaseMutex.KERNEL32 ref: 00B77671
      • Part of subcall function 00B7766D: CloseHandle.KERNEL32 ref: 00B77678
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • CreateFileW.KERNEL32(01311EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B8844B
    • GetFileSizeEx.KERNEL32 ref: 00B8845E
    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00B88484
    • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00B8849C
    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00B884BA
    • CloseHandle.KERNEL32 ref: 00B884C3
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
      • Part of subcall function 00B78E53: EnterCriticalSection.KERNEL32(00BA5AA4,?,00BA4DF4,00000000,00000006,00B9BD7A,00BA4DF4,-00000258,?,00000000), ref: 00B78E6A
      • Part of subcall function 00B78E53: LeaveCriticalSection.KERNEL32(00BA5AA4,?,00000000), ref: 00B78E9D
      • Part of subcall function 00B78E53: CoTaskMemFree.OLE32(?), ref: 00B78F36
      • Part of subcall function 00B78E53: PathRemoveBackslashW.SHLWAPI(00000006), ref: 00B78F44
      • Part of subcall function 00B78E53: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,00000006), ref: 00B78F5C
    • PathRemoveBackslashW.SHLWAPI(-00000258), ref: 00B9BD85
    • PathRemoveFileSpecW.SHLWAPI(-00000258), ref: 00B9BD92
    • PathAddBackslashW.SHLWAPI(-00000258), ref: 00B9BDA3
    • GetVolumeNameForVolumeMountPointW.KERNEL32(-00000258,-00000050,00000064), ref: 00B9BDB6
    • CLSIDFromString.OLE32(-0000003C,00BA4DF4,?,00000000), ref: 00B9BDD2
    • memset.MSVCRT ref: 00B9BDE4
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0044FEC2
    • memcpy.MSVCRT ref: 0044FEDC
    • VirtualProtect.KERNEL32(?,?,00000002,-00000048), ref: 0044FEEF
    • memset.MSVCRT ref: 0044FF46
    • memcpy.MSVCRT ref: 0044FF5A
    • VirtualProtect.KERNEL32(?,?,?,-00000048), ref: 00450049
      • Part of subcall function 00450370: VirtualFree.KERNEL32(?,00000000,00008000), ref: 0045037F
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00B8FEC2
    • memcpy.MSVCRT ref: 00B8FEDC
    • VirtualProtect.KERNEL32(?,?,00000002,-00000048), ref: 00B8FEEF
    • memset.MSVCRT ref: 00B8FF46
    • memcpy.MSVCRT ref: 00B8FF5A
    • VirtualProtect.KERNEL32(?,?,?,-00000048), ref: 00B90049
      • Part of subcall function 00B90370: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00B9037F
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
      • Part of subcall function 004424DA: HeapAlloc.KERNEL32(00000008,?,?,0043B076,?,?,?,00000000,?,?,00000000,0045AA69,?,0045ADD5), ref: 004424EB
    • EnterCriticalSection.KERNEL32(?,?,00000000,?,?,0000002C), ref: 00446531
      • Part of subcall function 00446865: EnterCriticalSection.KERNEL32(?,?,00000000,?,00446B6E,00000064,00000000,000000C8,00000000,?,00000001,?,0000002C), ref: 0044686E
      • Part of subcall function 00446865: LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00446B6E,00000064,00000000,000000C8,00000000,?,00000001,?,0000002C), ref: 004468A5
      • Part of subcall function 0044B7FF: EnterCriticalSection.KERNEL32(004647FC,?,?,004559A9,00000000), ref: 0044B80C
      • Part of subcall function 0044B7FF: LeaveCriticalSection.KERNEL32(004647FC,?,?,004559A9,00000000), ref: 0044B81A
    • LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,?,?,0000002C), ref: 00446572
    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00446581
    • SetEvent.KERNEL32 ref: 00446591
    • GetExitCodeThread.KERNEL32 ref: 004465A5
    • CloseHandle.KERNEL32 ref: 004465BB
      • Part of subcall function 00438D34: EnterCriticalSection.KERNEL32(009B21B4,009B21A8,?,?,0044A99B,00000000,0044A6E2,00000000,?,00000000,?,?,?,0045B2E2,?,00000001), ref: 00438D3D
      • Part of subcall function 00438D34: CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00438D76
      • Part of subcall function 00438D34: DuplicateHandle.KERNEL32(000000FF,?,000000FF,0044A99B,00000000,00000000,00000002), ref: 00438D95
      • Part of subcall function 00438D34: GetLastError.KERNEL32(?,000000FF,0044A99B,00000000,00000000,00000002,?,?,0044A99B,00000000,0044A6E2,00000000,?,00000000), ref: 00438D9F
      • Part of subcall function 00438D34: TerminateThread.KERNEL32 ref: 00438DA7
      • Part of subcall function 00438D34: CloseHandle.KERNEL32 ref: 00438DAE
      • Part of subcall function 00438D34: LeaveCriticalSection.KERNEL32(009B21B4,?,0044A99B,00000000,0044A6E2,00000000,?,00000000,?,?,?,0045B2E2,?,00000001), ref: 00438DC3
      • Part of subcall function 00438D34: ResumeThread.KERNEL32 ref: 00438DDC
      • Part of subcall function 00446BD0: memcmp.MSVCRT ref: 00446BE9
      • Part of subcall function 00446BD0: memcmp.MSVCRT ref: 00446C45
      • Part of subcall function 00446BD0: memcmp.MSVCRT ref: 00446CAB
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 0045B0EA: memcpy.MSVCRT ref: 0045B110
      • Part of subcall function 0045B0EA: memset.MSVCRT ref: 0045B1B3
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B824DA: HeapAlloc.KERNEL32(00000008,?,?,00B7B076,?,?,?,00000000,?,?,00000000,00B9AA69,?,00B9ADD5), ref: 00B824EB
    • EnterCriticalSection.KERNEL32(?,?,00000000,?,?,0000002C), ref: 00B86531
      • Part of subcall function 00B86865: EnterCriticalSection.KERNEL32(?,?,00000000,?,00B86B6E,00000064,00000000,000000C8,00000000,?,00000001,?,0000002C), ref: 00B8686E
      • Part of subcall function 00B86865: LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00B86B6E,00000064,00000000,000000C8,00000000,?,00000001,?,0000002C), ref: 00B868A5
      • Part of subcall function 00B8B7FF: EnterCriticalSection.KERNEL32(00BA47FC,?,?,00B959A9,00000000), ref: 00B8B80C
      • Part of subcall function 00B8B7FF: LeaveCriticalSection.KERNEL32(00BA47FC,?,?,00B959A9,00000000), ref: 00B8B81A
    • LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,?,?,0000002C), ref: 00B86572
    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B86581
    • SetEvent.KERNEL32 ref: 00B86591
    • GetExitCodeThread.KERNEL32 ref: 00B865A5
    • CloseHandle.KERNEL32 ref: 00B865BB
      • Part of subcall function 00B78D34: EnterCriticalSection.KERNEL32(01312054,01312048,?,?,00B8A99B,00000000,00B8A6E2,00000000,?,00000000,?,?,?,00B9B2E2,?,00000001), ref: 00B78D3D
      • Part of subcall function 00B78D34: CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B78D76
      • Part of subcall function 00B78D34: DuplicateHandle.KERNEL32(000000FF,?,000000FF,00B8A99B,00000000,00000000,00000002), ref: 00B78D95
      • Part of subcall function 00B78D34: GetLastError.KERNEL32(?,000000FF,00B8A99B,00000000,00000000,00000002,?,?,00B8A99B,00000000,00B8A6E2,00000000,?,00000000), ref: 00B78D9F
      • Part of subcall function 00B78D34: TerminateThread.KERNEL32 ref: 00B78DA7
      • Part of subcall function 00B78D34: CloseHandle.KERNEL32 ref: 00B78DAE
      • Part of subcall function 00B78D34: LeaveCriticalSection.KERNEL32(01312054,?,00B8A99B,00000000,00B8A6E2,00000000,?,00000000,?,?,?,00B9B2E2,?,00000001), ref: 00B78DC3
      • Part of subcall function 00B78D34: ResumeThread.KERNEL32 ref: 00B78DDC
      • Part of subcall function 00B86BD0: memcmp.MSVCRT ref: 00B86BE9
      • Part of subcall function 00B86BD0: memcmp.MSVCRT ref: 00B86C45
      • Part of subcall function 00B86BD0: memcmp.MSVCRT ref: 00B86CAB
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
      • Part of subcall function 00B9B0EA: memcpy.MSVCRT ref: 00B9B110
      • Part of subcall function 00B9B0EA: memset.MSVCRT ref: 00B9B1B3
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • GetStringTypeW.KERNEL32(00000001,00492BE4,00000001), ref: 00403B8F
    • GetLastError.KERNEL32(?,00492C10,0000001C,004043E4,00000001,?,00000001,00000008,?,?,00000001,?,?,00404326), ref: 00403BA1
    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000), ref: 00403C03
    • GetStringTypeW.KERNEL32(00000008,?,?,?), ref: 00403C93
      • Part of subcall function 004024C3: HeapAlloc.KERNEL32(00000008,?,00492370,00000010,00401BB6,00000001,0000008C,?,00000000,004033DA,00401FB5,?,00492268,00000008,0040200C,?), ref: 00402545
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?), ref: 00403C81
      • Part of subcall function 00404008: GetLocaleInfoA.KERNEL32(00000038,00001004,?,00000006), ref: 00404028
    • GetStringTypeA.KERNEL32(?,00000008,?,?,00404326), ref: 00403D07
      • Part of subcall function 0040230E: HeapFree.KERNEL32(00000000,?,00492318,0000000C,00401F0C,?,?,?,00000000,?,00401E30,?,00491DB0,00000060), ref: 00402373
      • Part of subcall function 0040404B: GetCPInfo.KERNEL32(?,?), ref: 00404089
      • Part of subcall function 0040404B: GetCPInfo.KERNEL32(?,?), ref: 0040409C
      • Part of subcall function 0040404B: MultiByteToWideChar.KERNEL32(00000008,00000001,?,?,00000000,00000000), ref: 004040E1
      • Part of subcall function 0040404B: MultiByteToWideChar.KERNEL32(00000008,00000001,00000001,?,?,00000001), ref: 00404163
      • Part of subcall function 0040404B: WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 00404184
      • Part of subcall function 0040404B: WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 004041A5
      • Part of subcall function 0040404B: WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000001,00000000,00000000), ref: 004041CC
    Memory Dump Source
    • Source File: 00000003.00000000.254658263.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000000.254647752.00400000.00000002.sdmp
    • Associated: 00000003.00000000.254742621.00487000.00000002.sdmp
    • Associated: 00000003.00000000.254759473.00494000.00000008.sdmp
    • Associated: 00000003.00000000.254780696.004A1000.00000002.sdmp
    APIs
    • CertOpenSystemStoreW.CRYPT32(00000000), ref: 00B83205
    • CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00B83223
    • CertEnumCertificatesInStore.CRYPT32(?,?,?,00000000), ref: 00B83230
    • PFXExportCertStoreEx.CRYPT32(?,00000000,00000000,00000000,00000004,?,?,?,00000000), ref: 00B83264
      • Part of subcall function 00B824C1: HeapAlloc.KERNEL32(00000000,00000028,?,00B9D211,?,?,00000000,?,?,00000001), ref: 00B824D2
    • PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000000,00000000,00000004,?,?,?,00000000), ref: 00B83296
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
      • Part of subcall function 00B832D5: GetUserNameExW.SECUR32(00000002), ref: 00B83303
      • Part of subcall function 00B832D5: GetSystemTime.KERNEL32 ref: 00B83356
      • Part of subcall function 00B832D5: CharLowerW.USER32(?), ref: 00B833A6
      • Part of subcall function 00B832D5: PathRenameExtensionW.SHLWAPI(?), ref: 00B833D6
    • CertCloseStore.CRYPT32(?,00000000,?,00000000), ref: 00B832C5
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • InitializeCriticalSection.KERNEL32(00465AA4), ref: 0045D207
      • Part of subcall function 004424C1: HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
    • InitializeCriticalSection.KERNEL32 ref: 0045D218
    • memset.MSVCRT ref: 0045D229
    • TlsAlloc.KERNEL32(?,?,00000000,?,?,00000001), ref: 0045D240
    • GetModuleHandleW.KERNEL32(00000000), ref: 0045D25C
    • GetModuleHandleW.KERNEL32 ref: 0045D272
      • Part of subcall function 0045CAF0: EnterCriticalSection.KERNEL32(00465AA4,7C80E4DD,0045D280,?,?,?,00000000,?,?,00000001), ref: 0045CB00
      • Part of subcall function 0045CAF0: LeaveCriticalSection.KERNEL32(00465AA4,?,?,?,00000000,?,?,00000001), ref: 0045CB28
      • Part of subcall function 0045D2B1: TlsFree.KERNEL32(00000012), ref: 0045D2BD
      • Part of subcall function 0045D2B1: DeleteCriticalSection.KERNEL32(009B1E90,00000000,0045D2A8,009B1E90,?,?,00000000,?,?,00000001), ref: 0045D2C4
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • InitializeCriticalSection.KERNEL32(00BA5AA4), ref: 00B9D207
      • Part of subcall function 00B824C1: HeapAlloc.KERNEL32(00000000,00000028,?,00B9D211,?,?,00000000,?,?,00000001), ref: 00B824D2
    • InitializeCriticalSection.KERNEL32 ref: 00B9D218
    • memset.MSVCRT ref: 00B9D229
    • TlsAlloc.KERNEL32(?,?,00000000,?,?,00000001), ref: 00B9D240
    • GetModuleHandleW.KERNEL32(00000000), ref: 00B9D25C
    • GetModuleHandleW.KERNEL32 ref: 00B9D272
      • Part of subcall function 00B9CAF0: EnterCriticalSection.KERNEL32(00BA5AA4,7C80E4DD,00B9D280,?,?,?,00000000,?,?,00000001), ref: 00B9CB00
      • Part of subcall function 00B9CAF0: LeaveCriticalSection.KERNEL32(00BA5AA4,?,?,?,00000000,?,?,00000001), ref: 00B9CB28
      • Part of subcall function 00B9D2B1: TlsFree.KERNEL32(00000014), ref: 00B9D2BD
      • Part of subcall function 00B9D2B1: DeleteCriticalSection.KERNEL32(01311E90,00000000,00B9D2A8,01311E90,?,?,00000000,?,?,00000001), ref: 00B9D2C4
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • accept.WS2_32(?,?), ref: 0043BD45
    • WSAEventSelect.WS2_32(?,00000000,00000000), ref: 0043BD57
      • Part of subcall function 004424C1: HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
    • WSASetLastError.WS2_32(00000008,?,?,00000002,?,00000000,00000000,?,?), ref: 0043BDAE
      • Part of subcall function 0043B928: WSACreateEvent.WS2_32(00000000,?,0043BB6E,00000033,00000000,?,?,?,0044C4F0,?,00003A98,?,00000000,?,00000003), ref: 0043B93E
      • Part of subcall function 0043B928: WSAEventSelect.WS2_32(?,?,00000033), ref: 0043B954
      • Part of subcall function 0043B928: WSACloseEvent.WS2_32 ref: 0043B968
      • Part of subcall function 0043B864: getsockopt.WS2_32(?,0000FFFF,00002004), ref: 0043B89E
      • Part of subcall function 0043B864: memset.MSVCRT ref: 0043B8B2
    • WSAGetLastError.WS2_32(00000023,?,00000000,00000000,?,?), ref: 0043BD88
    • shutdown.WS2_32(?,00000002), ref: 0043BDA0
    • closesocket.WS2_32 ref: 0043BDA7
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • accept.WS2_32(?,?), ref: 00B7BD45
    • WSAEventSelect.WS2_32(?,00000000,00000000), ref: 00B7BD57
      • Part of subcall function 00B824C1: HeapAlloc.KERNEL32(00000000,00000028,?,00B9D211,?,?,00000000,?,?,00000001), ref: 00B824D2
    • WSASetLastError.WS2_32(00000008,?,?,00000002,?,00000000,00000000,?,?), ref: 00B7BDAE
      • Part of subcall function 00B7B928: WSACreateEvent.WS2_32(00000000,?,00B7BB6E,00000033,00000000,?,?,?,00B8C4F0,?,00003A98,?,00000000,?,00000003), ref: 00B7B93E
      • Part of subcall function 00B7B928: WSAEventSelect.WS2_32(?,?,00000033), ref: 00B7B954
      • Part of subcall function 00B7B928: WSACloseEvent.WS2_32 ref: 00B7B968
      • Part of subcall function 00B7B864: getsockopt.WS2_32(?,0000FFFF,00002004), ref: 00B7B89E
      • Part of subcall function 00B7B864: memset.MSVCRT ref: 00B7B8B2
    • WSAGetLastError.WS2_32(00000023,?,00000000,00000000,?,?), ref: 00B7BD88
    • shutdown.WS2_32(?,00000002), ref: 00B7BDA0
    • closesocket.WS2_32 ref: 00B7BDA7
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • OpenProcess.KERNEL32(0000047A,00000000,?), ref: 00B75B19
      • Part of subcall function 00B9AEB1: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00B9AECF
      • Part of subcall function 00B9AEB1: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00B9AF0A
      • Part of subcall function 00B9AEB1: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00B9AF4A
      • Part of subcall function 00B9AEB1: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00B9AF6D
      • Part of subcall function 00B9AEB1: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00B9AFBD
    • CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000000,00000000), ref: 00B75B5A
    • WaitForSingleObject.KERNEL32(?,00002710), ref: 00B75B6C
    • CloseHandle.KERNEL32 ref: 00B75B73
    • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00B75B85
    • CloseHandle.KERNEL32 ref: 00B75B8C
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • memset.MSVCRT ref: 0045FEF5
    • InitializeCriticalSection.KERNEL32(00465050), ref: 0045FF05
      • Part of subcall function 0044204E: memcpy.MSVCRT ref: 0044205C
    • memset.MSVCRT ref: 0045FF34
    • InitializeCriticalSection.KERNEL32(00465030), ref: 0045FF3E
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00436A4D: TlsSetValue.KERNEL32(00000001,0044A796), ref: 00436A5A
      • Part of subcall function 0045C09D: CreateMutexW.KERNEL32(004649B4,00000000), ref: 0045C0BF
    • GetCurrentThread.KERNEL32 ref: 00442D49
    • SetThreadPriority.KERNEL32 ref: 00442D50
      • Part of subcall function 0045AFD3: WaitForSingleObject.KERNEL32(00000000,0044A849), ref: 0045AFDB
    • memset.MSVCRT ref: 00442D92
    • lstrlenA.KERNEL32(00000000), ref: 00442DA9
      • Part of subcall function 004426C5: memset.MSVCRT ref: 004426D5
      • Part of subcall function 0045621D: PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00456283
      • Part of subcall function 0045621D: FindFirstFileW.KERNEL32 ref: 004562F1
      • Part of subcall function 0045621D: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0045634A
      • Part of subcall function 0045621D: SetLastError.KERNEL32(00000057,?,?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 004563BB
      • Part of subcall function 0045621D: CloseHandle.KERNEL32 ref: 004563F5
      • Part of subcall function 0045621D: FindNextFileW.KERNEL32 ref: 00456429
      • Part of subcall function 0045621D: FindClose.KERNEL32 ref: 00456453
    • memset.MSVCRT ref: 00442E6F
    • memcpy.MSVCRT ref: 00442E7F
      • Part of subcall function 00442BE5: lstrlenA.KERNEL32(?,?), ref: 00442C1E
      • Part of subcall function 00442BE5: CreateMutexW.KERNEL32(004649B4,00000001), ref: 00442C76
      • Part of subcall function 00442BE5: GetLastError.KERNEL32(?,?,?,?,?), ref: 00442C86
      • Part of subcall function 00442BE5: CloseHandle.KERNEL32 ref: 00442C94
      • Part of subcall function 00442BE5: memcpy.MSVCRT ref: 00442CBE
      • Part of subcall function 00442BE5: memcpy.MSVCRT ref: 00442CD2
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • WaitForSingleObject.KERNEL32(00007530), ref: 00442EA9
      • Part of subcall function 0043766D: ReleaseMutex.KERNEL32 ref: 00437671
      • Part of subcall function 0043766D: CloseHandle.KERNEL32 ref: 00437678
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B76A4D: TlsSetValue.KERNEL32(00000001,00B82D2F), ref: 00B76A5A
      • Part of subcall function 00B9C09D: CreateMutexW.KERNEL32(00BA49B4,00000000), ref: 00B9C0BF
    • GetCurrentThread.KERNEL32 ref: 00B82D49
    • SetThreadPriority.KERNEL32 ref: 00B82D50
      • Part of subcall function 00B9AFD3: WaitForSingleObject.KERNEL32(00000000,00B82D5B), ref: 00B9AFDB
    • memset.MSVCRT ref: 00B82D92
    • lstrlenA.KERNEL32(00000000), ref: 00B82DA9
      • Part of subcall function 00B826C5: memset.MSVCRT ref: 00B826D5
      • Part of subcall function 00B9621D: PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00B96283
      • Part of subcall function 00B9621D: FindFirstFileW.KERNEL32 ref: 00B962F1
      • Part of subcall function 00B9621D: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00B9634A
      • Part of subcall function 00B9621D: SetLastError.KERNEL32(00000057,?,?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00B963BB
      • Part of subcall function 00B9621D: CloseHandle.KERNEL32 ref: 00B963F5
      • Part of subcall function 00B9621D: FindNextFileW.KERNEL32 ref: 00B96429
      • Part of subcall function 00B9621D: FindClose.KERNEL32 ref: 00B96453
    • memset.MSVCRT ref: 00B82E6F
    • memcpy.MSVCRT ref: 00B82E7F
      • Part of subcall function 00B82BE5: lstrlenA.KERNEL32(?,?), ref: 00B82C1E
      • Part of subcall function 00B82BE5: CreateMutexW.KERNEL32(00BA49B4,00000001), ref: 00B82C76
      • Part of subcall function 00B82BE5: GetLastError.KERNEL32(?,?,?,?,?), ref: 00B82C86
      • Part of subcall function 00B82BE5: CloseHandle.KERNEL32 ref: 00B82C94
      • Part of subcall function 00B82BE5: memcpy.MSVCRT ref: 00B82CBE
      • Part of subcall function 00B82BE5: memcpy.MSVCRT ref: 00B82CD2
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
    • WaitForSingleObject.KERNEL32(00007530), ref: 00B82EA9
      • Part of subcall function 00B7766D: ReleaseMutex.KERNEL32 ref: 00B77671
      • Part of subcall function 00B7766D: CloseHandle.KERNEL32 ref: 00B77678
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • GetVersionExA.KERNEL32 ref: 00401045
    • GetModuleHandleA.KERNEL32(00000000), ref: 00401098
      • Part of subcall function 00401E4F: HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 00401E60
      • Part of subcall function 00401E4F: HeapDestroy.KERNEL32 ref: 00401E93
      • Part of subcall function 00401D46: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00401D5E
      • Part of subcall function 00401D46: GetProcAddress.KERNEL32(?,FlsAlloc), ref: 00401D76
      • Part of subcall function 00401D46: GetProcAddress.KERNEL32(?,FlsGetValue), ref: 00401D83
      • Part of subcall function 00401D46: GetProcAddress.KERNEL32(?,FlsSetValue), ref: 00401D90
      • Part of subcall function 00401D46: GetProcAddress.KERNEL32(?,FlsFree), ref: 00401D9D
      • Part of subcall function 00401D46: GetCurrentThreadId.KERNEL32 ref: 00401E1B
      • Part of subcall function 004018E2: GetStartupInfoA.KERNEL32 ref: 0040193F
      • Part of subcall function 004018E2: GetFileType.KERNEL32 ref: 004019E9
      • Part of subcall function 004018E2: GetStdHandle.KERNEL32(000000F6), ref: 00401A6A
      • Part of subcall function 004018E2: GetFileType.KERNEL32 ref: 00401A78
      • Part of subcall function 004018E2: SetHandleCount.KERNEL32 ref: 00401AD0
    • GetCommandLineA.KERNEL32 ref: 0040112A
      • Part of subcall function 004017C0: GetEnvironmentStringsW.KERNEL32 ref: 004017DC
      • Part of subcall function 004017C0: GetLastError.KERNEL32(?,?,?,?,0040113A,?,00491DB0,00000060), ref: 004017F0
      • Part of subcall function 004017C0: GetEnvironmentStringsW.KERNEL32 ref: 00401812
      • Part of subcall function 004017C0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00401846
      • Part of subcall function 004017C0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 00401868
      • Part of subcall function 004017C0: FreeEnvironmentStringsW.KERNEL32 ref: 00401881
      • Part of subcall function 004017C0: GetEnvironmentStrings.KERNEL32(00093156,00000000,?,?,?,?,0040113A,?,00491DB0,00000060), ref: 00401897
      • Part of subcall function 004017C0: FreeEnvironmentStringsA.KERNEL32 ref: 004018D3
      • Part of subcall function 0040171E: GetModuleFileNameA.KERNEL32(00000000,0049FA28,00000104), ref: 00401748
    • GetStartupInfoA.KERNEL32 ref: 0040117E
    • GetModuleHandleA.KERNEL32(00000000), ref: 004011A1
      • Part of subcall function 0044D8FE: ShowWindow.USER32(?,00000000), ref: 0044D8B2
      • Part of subcall function 0044D8FE: lstrcpyA.KERNEL32(0049F200,?,00000000), ref: 0044D8C5
      • Part of subcall function 0044D8FE: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0044D8DA
      • Part of subcall function 0044D8FE: DispatchMessageW.USER32(?), ref: 0044D8E7
      • Part of subcall function 0044D8FE: InitCommonControlsEx.COMCTL32(0049E8BF), ref: 0044D91D
      • Part of subcall function 0044D8FE: GetCommandLineW.KERNEL32 ref: 0044D935
      • Part of subcall function 0044D8FE: SetLastError.KERNEL32(00000000), ref: 0044D942
      • Part of subcall function 0044D8FE: LoadIconW.USER32(00000000,00000020), ref: 0044D97B
      • Part of subcall function 0044D8FE: LoadCursorW.USER32(00000000,00000020), ref: 0044D985
      • Part of subcall function 0044D8FE: RegisterClassExW.USER32(00000030), ref: 0044D9A1
      • Part of subcall function 0044D8FE: CreateWindowExW.USER32 ref: 0045B5F6
    Strings
    Memory Dump Source
    • Source File: 00000003.00000000.254658263.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000000.254647752.00400000.00000002.sdmp
    • Associated: 00000003.00000000.254742621.00487000.00000002.sdmp
    • Associated: 00000003.00000000.254759473.00494000.00000008.sdmp
    • Associated: 00000003.00000000.254780696.004A1000.00000002.sdmp
    APIs
    • GetModuleHandleW.KERNEL32(shell32.dll), ref: 00441EA2
    • GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00441EAE
    • SetLastError.KERNEL32(00000001,00438F04,004647C0,?,00464DF4,00000000,00000006,0045BD7A,00464DF4,-00000258,?,00000000), ref: 00441EC6
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • GetModuleHandleW.KERNEL32(shell32.dll), ref: 00B81EA2
    • GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00B81EAE
    • SetLastError.KERNEL32(00000001,00B78F04,00BA47C0,?,00BA4DF4,00000000,00000006,00B9BD7A,00BA4DF4,-00000258,?,00000000), ref: 00B81EC6
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00458037
    • WSASetLastError.WS2_32(00000008), ref: 00458046
    • memcpy.MSVCRT ref: 00458063
    • memcpy.MSVCRT ref: 00458075
    • WSASetLastError.WS2_32(00000008,?,?,?), ref: 004580DF
    • WSAGetLastError.WS2_32(?,?,?), ref: 004580FB
      • Part of subcall function 00458325: RegisterWaitForSingleObject.KERNEL32(?,?,00458164,?,000000FF,00000004), ref: 0045838A
    • WSASetLastError.WS2_32(00000008,?,00000000,?,?,?,?,?), ref: 00458124
      • Part of subcall function 0044CC4F: memcpy.MSVCRT ref: 0044CC64
      • Part of subcall function 0044CC4F: SetEvent.KERNEL32 ref: 0044CC74
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00B98037
    • WSASetLastError.WS2_32(00000008), ref: 00B98046
    • memcpy.MSVCRT ref: 00B98063
    • memcpy.MSVCRT ref: 00B98075
    • WSASetLastError.WS2_32(00000008,?,?,?), ref: 00B980DF
    • WSAGetLastError.WS2_32(?,?,?), ref: 00B980FB
      • Part of subcall function 00B98325: RegisterWaitForSingleObject.KERNEL32(?,?,00B98164,?,000000FF,00000004), ref: 00B9838A
    • WSASetLastError.WS2_32(00000008,?,00000000,?,?,?,?,?), ref: 00B98124
      • Part of subcall function 00B8CC4F: memcpy.MSVCRT ref: 00B8CC64
      • Part of subcall function 00B8CC4F: SetEvent.KERNEL32 ref: 00B8CC74
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • memset.MSVCRT ref: 0043B106
    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,?,?,00000000), ref: 0043B13E
    • memcpy.MSVCRT ref: 0043B159
    • CloseHandle.KERNEL32(?), ref: 0043B16E
    • CloseHandle.KERNEL32(00000000), ref: 0043B174
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • memset.MSVCRT ref: 00B7B106
    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,?,?,00000000), ref: 00B7B13E
    • memcpy.MSVCRT ref: 00B7B159
    • CloseHandle.KERNEL32(?), ref: 00B7B16E
    • CloseHandle.KERNEL32(00000000), ref: 00B7B174
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • GetCurrentProcess.KERNEL32 ref: 00A317BF
    • OpenProcessToken.ADVAPI32 ref: 00A317C6
    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege), ref: 00A317DA
    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 00A317F0
    • ExitWindowsEx.USER32(00000016,00000000), ref: 00A317FD
      • Part of subcall function 00A316F1: DeviceIoControl.KERNEL32(00220030,00000000,00000000,00000000,00000000,?,00000000), ref: 00A31709
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.678185872.00A30000.00000040.sdmp, Offset: 00A30000, based on PE: false
    APIs
      • Part of subcall function 00B9C09D: CreateMutexW.KERNEL32(00BA49B4,00000000), ref: 00B9C0BF
      • Part of subcall function 00B8204E: memcpy.MSVCRT ref: 00B8205C
      • Part of subcall function 00B88432: CreateFileW.KERNEL32(01311EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B8844B
      • Part of subcall function 00B88432: GetFileSizeEx.KERNEL32 ref: 00B8845E
      • Part of subcall function 00B88432: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00B88484
      • Part of subcall function 00B88432: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00B8849C
      • Part of subcall function 00B88432: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00B884BA
      • Part of subcall function 00B88432: CloseHandle.KERNEL32 ref: 00B884C3
    • memset.MSVCRT ref: 00B8B42B
    • memcpy.MSVCRT ref: 00B8B457
      • Part of subcall function 00B96875: GetSystemTime.KERNEL32 ref: 00B9687F
      • Part of subcall function 00B824F3: HeapAlloc.KERNEL32(00000000,?,?,?,00B76328,?,?,00B98D10,?,?,?,?,0000FFFF), ref: 00B8251D
      • Part of subcall function 00B824F3: HeapReAlloc.KERNEL32(00000000,?,?,?,?,00B76328,?,?,00B98D10,?,?,?,?,0000FFFF), ref: 00B82530
      • Part of subcall function 00B771D5: memcpy.MSVCRT ref: 00B772E6
    • CreateFileW.KERNEL32(00B6AF54,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 00B8B55C
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00B8B578
      • Part of subcall function 00B95934: CloseHandle.KERNEL32 ref: 00B95940
      • Part of subcall function 00B7766D: ReleaseMutex.KERNEL32 ref: 00B77671
      • Part of subcall function 00B7766D: CloseHandle.KERNEL32 ref: 00B77678
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
      • Part of subcall function 00B8B161: memset.MSVCRT ref: 00B8B170
      • Part of subcall function 00B8B161: memset.MSVCRT ref: 00B8B1B3
      • Part of subcall function 00B8B161: memset.MSVCRT ref: 00B8B1E9
      • Part of subcall function 00B90370: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00B9037F
      • Part of subcall function 00B8FE5C: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00B8FEC2
      • Part of subcall function 00B8FE5C: memcpy.MSVCRT ref: 00B8FEDC
      • Part of subcall function 00B8FE5C: VirtualProtect.KERNEL32(?,?,00000002,-00000048), ref: 00B8FEEF
      • Part of subcall function 00B8FE5C: memset.MSVCRT ref: 00B8FF46
      • Part of subcall function 00B8FE5C: memcpy.MSVCRT ref: 00B8FF5A
      • Part of subcall function 00B8FE5C: VirtualProtect.KERNEL32(?,?,?,-00000048), ref: 00B90049
      • Part of subcall function 00B773E0: memcmp.MSVCRT ref: 00B77489
      • Part of subcall function 00B884D3: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00B884E4
      • Part of subcall function 00B884D3: CloseHandle.KERNEL32 ref: 00B884F3
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0040245B
    • GetProcAddress.KERNEL32(?,InitializeCriticalSectionAndSpinCount), ref: 0040246B
    Strings
    Memory Dump Source
    • Source File: 00000003.00000000.254658263.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000000.254647752.00400000.00000002.sdmp
    • Associated: 00000003.00000000.254742621.00487000.00000002.sdmp
    • Associated: 00000003.00000000.254759473.00494000.00000008.sdmp
    • Associated: 00000003.00000000.254780696.004A1000.00000002.sdmp
    APIs
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004354F7
    • UnhandledExceptionFilter.KERNEL32(XCF), ref: 00435502
    • GetCurrentProcess.KERNEL32 ref: 0043550D
    • TerminateProcess.KERNEL32 ref: 00435514
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • LoadLibraryW.KERNEL32(urlmon.dll), ref: 0043C8D4
    • GetProcAddress.KERNEL32(?,ObtainUserAgentString), ref: 0043C8EA
    • FreeLibrary.KERNEL32 ref: 0043C935
      • Part of subcall function 004424DA: HeapAlloc.KERNEL32(00000008,?,?,0043B076,?,?,?,00000000,?,?,00000000,0045AA69,?,0045ADD5), ref: 004424EB
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • LoadLibraryW.KERNEL32(urlmon.dll), ref: 00B7C8D4
    • GetProcAddress.KERNEL32(?,ObtainUserAgentString), ref: 00B7C8EA
    • FreeLibrary.KERNEL32 ref: 00B7C935
      • Part of subcall function 00B824DA: HeapAlloc.KERNEL32(00000008,?,?,00B7B076,?,?,?,00000000,?,?,00000000,00B9AA69,?,00B9ADD5), ref: 00B824EB
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00465AA4,?,?,0045AA21,?,0045ADD5,?,?,?,00000001), ref: 00441EE6
    • LeaveCriticalSection.KERNEL32(00465AA4,?,?,0045AA21,?,0045ADD5,?,?,?,00000001), ref: 00441F0E
      • Part of subcall function 00441E94: GetModuleHandleW.KERNEL32(shell32.dll), ref: 00441EA2
      • Part of subcall function 00441E94: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00441EAE
      • Part of subcall function 00441E94: SetLastError.KERNEL32(00000001,00438F04,004647C0,?,00464DF4,00000000,00000006,0045BD7A,00464DF4,-00000258,?,00000000), ref: 00441EC6
    • IsWow64Process.KERNEL32(000000FF), ref: 00441F37
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(00BA5AA4,?,?,00B9AA21,?,00B9ADD5,?,?,?,00000001), ref: 00B81EE6
    • LeaveCriticalSection.KERNEL32(00BA5AA4,?,?,00B9AA21,?,00B9ADD5,?,?,?,00000001), ref: 00B81F0E
      • Part of subcall function 00B81E94: GetModuleHandleW.KERNEL32(shell32.dll), ref: 00B81EA2
      • Part of subcall function 00B81E94: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00B81EAE
      • Part of subcall function 00B81E94: SetLastError.KERNEL32(00000001,00B78F04,00BA47C0,?,00BA4DF4,00000000,00000006,00B9BD7A,00BA4DF4,-00000258,?,00000000), ref: 00B81EC6
    • IsWow64Process.KERNEL32(000000FF), ref: 00B81F37
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
      • Part of subcall function 00442456: EnterCriticalSection.KERNEL32(00465AA4,00000028,004424C9,?,0045D211,?,?,00000000,?,?,00000001), ref: 00442466
      • Part of subcall function 00442456: LeaveCriticalSection.KERNEL32(00465AA4,?,0045D211,?,?,00000000,?,?,00000001), ref: 00442490
    • HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B82456: EnterCriticalSection.KERNEL32(00BA5AA4,00000028,00B824C9,?,00B9D211,?,?,00000000,?,?,00000001), ref: 00B82466
      • Part of subcall function 00B82456: LeaveCriticalSection.KERNEL32(00BA5AA4,?,00B9D211,?,?,00000000,?,?,00000001), ref: 00B82490
    • HeapAlloc.KERNEL32(00000000,00000028,?,00B9D211,?,?,00000000,?,?,00000001), ref: 00B824D2
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00438FE0
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 00438FEA
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439033
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439060
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 0043906A
    • FindFirstFileW.KERNEL32 ref: 00459555
    • SetLastError.KERNEL32(?,?,?,?,?,?,0042AB64), ref: 00459680
      • Part of subcall function 004596F5: PathMatchSpecW.SHLWAPI(00000010), ref: 00459722
      • Part of subcall function 004596F5: PathMatchSpecW.SHLWAPI(00000010), ref: 00459741
    • FindNextFileW.KERNEL32(?,?), ref: 0045964A
    • GetLastError.KERNEL32(?,?,?,?,0042AB64), ref: 00459663
    • FindClose.KERNEL32 ref: 00459679
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B78F6F: memcpy.MSVCRT ref: 00B78FE0
      • Part of subcall function 00B78F6F: PathRemoveBackslashW.SHLWAPI ref: 00B78FEA
      • Part of subcall function 00B78F6F: memcpy.MSVCRT ref: 00B79033
      • Part of subcall function 00B78F6F: memcpy.MSVCRT ref: 00B79060
      • Part of subcall function 00B78F6F: PathRemoveBackslashW.SHLWAPI ref: 00B7906A
    • FindFirstFileW.KERNEL32 ref: 00B99555
    • SetLastError.KERNEL32(?,?,?,?,?,?,00B6AB64), ref: 00B99680
      • Part of subcall function 00B996F5: PathMatchSpecW.SHLWAPI(00000010), ref: 00B99722
      • Part of subcall function 00B996F5: PathMatchSpecW.SHLWAPI(00000010), ref: 00B99741
    • FindNextFileW.KERNEL32(?,?), ref: 00B9964A
    • GetLastError.KERNEL32(?,?,?,?,00B6AB64), ref: 00B99663
    • FindClose.KERNEL32 ref: 00B99679
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
      • Part of subcall function 0043B764: EnterCriticalSection.KERNEL32(00465AA4,?,0043B826,?,0045C86A,0044C4AB,0044C4AB,?,0044C4AB,?,00000001), ref: 0043B774
      • Part of subcall function 0043B764: LeaveCriticalSection.KERNEL32(00465AA4,?,0043B826,?,0045C86A,0044C4AB,0044C4AB,?,0044C4AB,?,00000001), ref: 0043B79E
    • socket.WS2_32(?,00000002,00000000), ref: 0043C0DF
    • WSAIoctl.WS2_32(?,48000016,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0043C112
    • WSAGetLastError.WS2_32(?,48000016,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00000002,00000000,00000000,?,?), ref: 0043C119
      • Part of subcall function 004424DA: HeapAlloc.KERNEL32(00000008,?,?,0043B076,?,?,?,00000000,?,?,00000000,0045AA69,?,0045ADD5), ref: 004424EB
    • WSAIoctl.WS2_32(?,48000016,00000000,00000000,?,?,?,00000000,00000000), ref: 0043C14D
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • closesocket.WS2_32 ref: 0043C15D
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B7B764: EnterCriticalSection.KERNEL32(00BA5AA4,?,00B7B826,?,00B9C86A,00B8C4AB,00B8C4AB,?,00B8C4AB,?,00000001), ref: 00B7B774
      • Part of subcall function 00B7B764: LeaveCriticalSection.KERNEL32(00BA5AA4,?,00B7B826,?,00B9C86A,00B8C4AB,00B8C4AB,?,00B8C4AB,?,00000001), ref: 00B7B79E
    • socket.WS2_32(?,00000002,00000000), ref: 00B7C0DF
    • WSAIoctl.WS2_32(?,48000016,00000000,00000000,?,00000000,?,00000000,00000000), ref: 00B7C112
    • WSAGetLastError.WS2_32(?,48000016,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00000002,00000000,00000000,?,?), ref: 00B7C119
      • Part of subcall function 00B824DA: HeapAlloc.KERNEL32(00000008,?,?,00B7B076,?,?,?,00000000,?,?,00000000,00B9AA69,?,00B9ADD5), ref: 00B824EB
    • WSAIoctl.WS2_32(?,48000016,00000000,00000000,?,?,?,00000000,00000000), ref: 00B7C14D
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
    • closesocket.WS2_32 ref: 00B7C15D
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00438FE0
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 00438FEA
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439033
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439060
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 0043906A
    • FindFirstFileW.KERNEL32(?), ref: 00439170
      • Part of subcall function 00455E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00455E26
      • Part of subcall function 00455E1D: DeleteFileW.KERNEL32 ref: 00455E2D
    • FindNextFileW.KERNEL32(?,?), ref: 004391C2
    • FindClose.KERNEL32 ref: 004391CD
    • SetFileAttributesW.KERNEL32(?,00000080), ref: 004391D9
    • RemoveDirectoryW.KERNEL32 ref: 004391E0
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B78F6F: memcpy.MSVCRT ref: 00B78FE0
      • Part of subcall function 00B78F6F: PathRemoveBackslashW.SHLWAPI ref: 00B78FEA
      • Part of subcall function 00B78F6F: memcpy.MSVCRT ref: 00B79033
      • Part of subcall function 00B78F6F: memcpy.MSVCRT ref: 00B79060
      • Part of subcall function 00B78F6F: PathRemoveBackslashW.SHLWAPI ref: 00B7906A
    • FindFirstFileW.KERNEL32(?), ref: 00B79170
      • Part of subcall function 00B95E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00B95E26
      • Part of subcall function 00B95E1D: DeleteFileW.KERNEL32 ref: 00B95E2D
    • FindNextFileW.KERNEL32(?,?), ref: 00B791C2
    • FindClose.KERNEL32 ref: 00B791CD
    • SetFileAttributesW.KERNEL32(?,00000080), ref: 00B791D9
    • RemoveDirectoryW.KERNEL32 ref: 00B791E0
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00459DED
      • Part of subcall function 004424C1: HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
      • Part of subcall function 0045985F: memset.MSVCRT ref: 0045990F
      • Part of subcall function 0045985F: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00459920
      • Part of subcall function 0045985F: VirtualAlloc.KERNEL32(?,=::=::\,00003000,00000040), ref: 00459954
      • Part of subcall function 0045985F: memset.MSVCRT ref: 00459994
      • Part of subcall function 0045985F: VirtualQuery.KERNEL32(?,?,0000001C), ref: 004599A5
      • Part of subcall function 0045985F: VirtualAlloc.KERNEL32(?,=::=::\,00003000,00000040), ref: 004599E5
      • Part of subcall function 0045985F: memset.MSVCRT ref: 00459A50
      • Part of subcall function 004564A4: SetLastError.KERNEL32(0000000D), ref: 004564DF
    • memcpy.MSVCRT ref: 00459F56
    • VirtualProtect.KERNEL32(?,?,00000040,00000000), ref: 00459FE2
    • GetLastError.KERNEL32(?,00000040,00000000,?,?,00000000), ref: 00459FEC
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 00459A67: memset.MSVCRT ref: 00459A78
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00438FE0
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 00438FEA
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439033
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439060
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 0043906A
    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00450405
    • SetFileAttributesW.KERNEL32(?), ref: 00450424
    • CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,?,00000000), ref: 0045043B
    • GetLastError.KERNEL32 ref: 00450448
    • CloseHandle.KERNEL32 ref: 00450481
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B78F6F: memcpy.MSVCRT ref: 00B78FE0
      • Part of subcall function 00B78F6F: PathRemoveBackslashW.SHLWAPI ref: 00B78FEA
      • Part of subcall function 00B78F6F: memcpy.MSVCRT ref: 00B79033
      • Part of subcall function 00B78F6F: memcpy.MSVCRT ref: 00B79060
      • Part of subcall function 00B78F6F: PathRemoveBackslashW.SHLWAPI ref: 00B7906A
    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00B90405
    • SetFileAttributesW.KERNEL32(?), ref: 00B90424
    • CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,?,00000000), ref: 00B9043B
    • GetLastError.KERNEL32 ref: 00B90448
    • CloseHandle.KERNEL32 ref: 00B90481
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00000000,00000000,?,?,?,0045C6E4,?,?,?,?,?,00000009,00000000,?,?,00000000), ref: 0045C42A
    • LeaveCriticalSection.KERNEL32(00000000,?,00000000,?), ref: 0045C511
      • Part of subcall function 004424C1: HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
    • memcpy.MSVCRT ref: 0045C49B
    • memcpy.MSVCRT ref: 0045C4BF
    • memcpy.MSVCRT ref: 0045C4D6
    • memcpy.MSVCRT ref: 0045C4F6
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(01311FC0,01311FC0,?,?,?,00B9C6E4,?,?,?,?,?,00000009,00000000,?,?,6FFF0300), ref: 00B9C42A
    • LeaveCriticalSection.KERNEL32(01311FC0,?,6FFF0300,?), ref: 00B9C511
      • Part of subcall function 00B824C1: HeapAlloc.KERNEL32(00000000,00000028,?,00B9D211,?,?,00000000,?,?,00000001), ref: 00B824D2
    • memcpy.MSVCRT ref: 00B9C49B
    • memcpy.MSVCRT ref: 00B9C4BF
    • memcpy.MSVCRT ref: 00B9C4D6
    • memcpy.MSVCRT ref: 00B9C4F6
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • PathFindFileNameW.SHLWAPI(?), ref: 00444C02
      • Part of subcall function 00439E88: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00439E9D
      • Part of subcall function 00439E88: StrCmpIW.SHLWAPI ref: 00439EA7
    • CreateFileW.KERNEL32(?,80000000,00000007,?,00000003,00000080), ref: 00444C31
      • Part of subcall function 004424C1: HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
    • SetLastError.KERNEL32(00000057,?,?,00000003,00000080), ref: 00444C96
      • Part of subcall function 00455B34: ReadFile.KERNEL32(00000000,?,?,?,00000000), ref: 00455B46
      • Part of subcall function 00455934: CloseHandle.KERNEL32 ref: 00455940
    • CharLowerW.USER32 ref: 00444CF6
      • Part of subcall function 0044204E: memcpy.MSVCRT ref: 0044205C
      • Part of subcall function 0045868E: EnterCriticalSection.KERNEL32(00465AA4,?,0045AA5B,?,0045ADD5,?,?,?,00000001), ref: 0045869E
      • Part of subcall function 0045868E: LeaveCriticalSection.KERNEL32(00465AA4,?,0045AA5B,?,0045ADD5,?,?,?,00000001), ref: 004586C4
      • Part of subcall function 0045570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0045ABEA,0045ABEA), ref: 0045573C
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00438FE0
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 00438FEA
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439033
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439060
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 0043906A
    • memcmp.MSVCRT ref: 00444E48
    • GetTickCount.KERNEL32 ref: 00444E55
      • Part of subcall function 004507EE: RegSetValueExW.ADVAPI32(00000000,000000FE,?,00000000,?,?), ref: 00450823
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 00455AB0: GetFileSizeEx.KERNEL32(?,?), ref: 00455ABB
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • PathFindFileNameW.SHLWAPI(?), ref: 00B84C02
      • Part of subcall function 00B79E88: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00B79E9D
      • Part of subcall function 00B79E88: StrCmpIW.SHLWAPI ref: 00B79EA7
    • CreateFileW.KERNEL32(?,80000000,00000007,?,00000003,00000080), ref: 00B84C31
      • Part of subcall function 00B824C1: HeapAlloc.KERNEL32(00000000,00000028,?,00B9D211,?,?,00000000,?,?,00000001), ref: 00B824D2
    • SetLastError.KERNEL32(00000057,?,?,00000003,00000080), ref: 00B84C96
      • Part of subcall function 00B95B34: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00B95B46
      • Part of subcall function 00B95934: CloseHandle.KERNEL32 ref: 00B95940
    • CharLowerW.USER32 ref: 00B84CF6
      • Part of subcall function 00B8204E: memcpy.MSVCRT ref: 00B8205C
      • Part of subcall function 00B9868E: EnterCriticalSection.KERNEL32(00BA5AA4,?,00B9AA5B,?,00B9ADD5,?,?,?,00000001), ref: 00B9869E
      • Part of subcall function 00B9868E: LeaveCriticalSection.KERNEL32(00BA5AA4,?,00B9AA5B,?,00B9ADD5,?,?,?,00000001), ref: 00B986C4
      • Part of subcall function 00B9570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00B9ABEA,00B9ABEA), ref: 00B9573C
      • Part of subcall function 00B78F6F: memcpy.MSVCRT ref: 00B78FE0
      • Part of subcall function 00B78F6F: PathRemoveBackslashW.SHLWAPI ref: 00B78FEA
      • Part of subcall function 00B78F6F: memcpy.MSVCRT ref: 00B79033
      • Part of subcall function 00B78F6F: memcpy.MSVCRT ref: 00B79060
      • Part of subcall function 00B78F6F: PathRemoveBackslashW.SHLWAPI ref: 00B7906A
    • memcmp.MSVCRT ref: 00B84E48
    • GetTickCount.KERNEL32 ref: 00B84E55
      • Part of subcall function 00B907EE: RegSetValueExW.ADVAPI32(00000000,000000FE,?,00000000,?,?), ref: 00B90823
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
      • Part of subcall function 00B95AB0: GetFileSizeEx.KERNEL32 ref: 00B95ABB
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00B9AECF
      • Part of subcall function 00B8C90D: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 00B8C93C
      • Part of subcall function 00B8C90D: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00B8C97B
      • Part of subcall function 00B8C90D: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00B8C9A2
    • DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00B9AF0A
    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00B9AF4A
    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00B9AF6D
      • Part of subcall function 00B9A976: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00B9A999
      • Part of subcall function 00B9A976: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00B9A9B1
      • Part of subcall function 00B9A976: DuplicateHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000001), ref: 00B9A9CC
    • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00B9AFBD
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 0044CB1D
      • Part of subcall function 0043C830: HttpQueryInfoA.WININET(0044CB41,40000009,?,?,00000000), ref: 0043C897
      • Part of subcall function 0043C830: memset.MSVCRT ref: 0043C8AD
    • GetSystemTime.KERNEL32(?), ref: 0044CB54
      • Part of subcall function 0044B7FF: EnterCriticalSection.KERNEL32(004647FC,?,?,004559A9,00000000), ref: 0044B80C
      • Part of subcall function 0044B7FF: LeaveCriticalSection.KERNEL32(004647FC,?,?,004559A9,00000000), ref: 0044B81A
    • Sleep.KERNEL32(000005DC), ref: 0044CB6D
    • WaitForSingleObject.KERNEL32(?,000005DC), ref: 0044CB76
    • lstrcpyA.KERNEL32 ref: 0044CBD4
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00B8CB1D
      • Part of subcall function 00B7C830: HttpQueryInfoA.WININET(00B8CB41,40000009,?,?,00000000), ref: 00B7C897
      • Part of subcall function 00B7C830: memset.MSVCRT ref: 00B7C8AD
    • GetSystemTime.KERNEL32(?), ref: 00B8CB54
      • Part of subcall function 00B8B7FF: EnterCriticalSection.KERNEL32(00BA47FC,?,?,00B959A9,00000000), ref: 00B8B80C
      • Part of subcall function 00B8B7FF: LeaveCriticalSection.KERNEL32(00BA47FC,?,?,00B959A9,00000000), ref: 00B8B81A
    • Sleep.KERNEL32(000005DC), ref: 00B8CB6D
    • WaitForSingleObject.KERNEL32(?,000005DC), ref: 00B8CB76
    • lstrcpyA.KERNEL32 ref: 00B8CBD4
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
      • Part of subcall function 0043B7D0: socket.WS2_32(?,?,00000006), ref: 0043B804
    • connect.WS2_32(?,?), ref: 0043BB93
    • WSAGetLastError.WS2_32(?,00000000,?,?,?,0044C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 0043BBA2
    • WSASetLastError.WS2_32(00000000), ref: 0043BC00
      • Part of subcall function 0043B979: shutdown.WS2_32(?,00000002), ref: 0043B987
      • Part of subcall function 0043B979: closesocket.WS2_32 ref: 0043B990
      • Part of subcall function 0043B979: WSACloseEvent.WS2_32 ref: 0043B9A3
      • Part of subcall function 0043B928: WSACreateEvent.WS2_32(00000000,?,0043BB6E,00000033,00000000,?,?,?,0044C4F0,?,00003A98,?,00000000,?,00000003), ref: 0043B93E
      • Part of subcall function 0043B928: WSAEventSelect.WS2_32(?,?,00000033), ref: 0043B954
      • Part of subcall function 0043B928: WSACloseEvent.WS2_32 ref: 0043B968
    • WSASetLastError.WS2_32(?,?,?,?,0044C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 0043BBC0
    • WSAGetLastError.WS2_32(?,?,?,0044C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 0043BBC2
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B7B7D0: socket.WS2_32(?,?,00000006), ref: 00B7B804
    • connect.WS2_32(?,?), ref: 00B7BB93
    • WSAGetLastError.WS2_32(?,00000000,?,?,?,00B8C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 00B7BBA2
    • WSASetLastError.WS2_32(00000000), ref: 00B7BC00
      • Part of subcall function 00B7B979: shutdown.WS2_32(?,00000002), ref: 00B7B987
      • Part of subcall function 00B7B979: closesocket.WS2_32 ref: 00B7B990
      • Part of subcall function 00B7B979: WSACloseEvent.WS2_32 ref: 00B7B9A3
      • Part of subcall function 00B7B928: WSACreateEvent.WS2_32(00000000,?,00B7BB6E,00000033,00000000,?,?,?,00B8C4F0,?,00003A98,?,00000000,?,00000003), ref: 00B7B93E
      • Part of subcall function 00B7B928: WSAEventSelect.WS2_32(?,?,00000033), ref: 00B7B954
      • Part of subcall function 00B7B928: WSACloseEvent.WS2_32 ref: 00B7B968
    • WSASetLastError.WS2_32(?,?,?,?,00B8C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 00B7BBC0
    • WSAGetLastError.WS2_32(?,?,?,00B8C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 00B7BBC2
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(009B21B4,?,?,?,0045B2F2,?,?,00000001), ref: 00438DEF
    • LeaveCriticalSection.KERNEL32(009B21B4,?,?,?,0045B2F2,?,?,00000001), ref: 00438DF9
    • WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00438E1F
    • EnterCriticalSection.KERNEL32(009B21B4,?,?,?,0045B2F2,?,?,00000001), ref: 00438E37
    • LeaveCriticalSection.KERNEL32(009B21B4,?,?,?,0045B2F2,?,?,00000001), ref: 00438E41
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(01312054,?,?,?,00B9B2F2,?,?,00000001), ref: 00B78DEF
    • LeaveCriticalSection.KERNEL32(01312054,?,?,?,00B9B2F2,?,?,00000001), ref: 00B78DF9
    • WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00B78E1F
    • EnterCriticalSection.KERNEL32(01312054,?,?,?,00B9B2F2,?,?,00000001), ref: 00B78E37
    • LeaveCriticalSection.KERNEL32(01312054,?,?,?,00B9B2F2,?,?,00000001), ref: 00B78E41
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • memset.MSVCRT ref: 0043865F
      • Part of subcall function 00439F5F: memcpy.MSVCRT ref: 00439F99
    • CharLowerW.USER32 ref: 004386A3
    • CharUpperW.USER32(?,?,00000001), ref: 004386B4
    • CharLowerW.USER32 ref: 004386C8
    • CharUpperW.USER32(?,00000001), ref: 004386D2
    • memcmp.MSVCRT ref: 004386E7
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • memset.MSVCRT ref: 00B7865F
      • Part of subcall function 00B79F5F: memcpy.MSVCRT ref: 00B79F99
    • CharLowerW.USER32 ref: 00B786A3
    • CharUpperW.USER32(?,?,00000001), ref: 00B786B4
    • CharLowerW.USER32 ref: 00B786C8
    • CharUpperW.USER32(?,00000001), ref: 00B786D2
    • memcmp.MSVCRT ref: 00B786E7
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
      • Part of subcall function 00436A4D: TlsSetValue.KERNEL32(00000001,0044A796), ref: 00436A5A
      • Part of subcall function 0044CC26: ResetEvent.KERNEL32 ref: 0044CC42
    • WSAGetOverlappedResult.WS2_32(?,?,?,00000000), ref: 004581AA
    • WSAGetLastError.WS2_32(?,?,?,00000000), ref: 004581B4
    • WSAGetLastError.WS2_32(?,?,?,00000000), ref: 004582BD
    • WSAGetLastError.WS2_32(?,?,?,00000000), ref: 004582C6
    • UnregisterWait.KERNEL32(?), ref: 004582EB
    • TlsSetValue.KERNEL32(00000000), ref: 00458316
      • Part of subcall function 0044CC4F: memcpy.MSVCRT ref: 0044CC64
      • Part of subcall function 0044CC4F: SetEvent.KERNEL32 ref: 0044CC74
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B76A4D: TlsSetValue.KERNEL32(00000001,00B82D2F), ref: 00B76A5A
      • Part of subcall function 00B8CC26: ResetEvent.KERNEL32 ref: 00B8CC42
    • WSAGetOverlappedResult.WS2_32(?,?,?,00000000), ref: 00B981AA
    • WSAGetLastError.WS2_32(?,?,?,00000000), ref: 00B981B4
    • WSAGetLastError.WS2_32(?,?,?,00000000), ref: 00B982BD
    • WSAGetLastError.WS2_32(?,?,?,00000000), ref: 00B982C6
    • UnregisterWait.KERNEL32(?), ref: 00B982EB
    • TlsSetValue.KERNEL32(00000000), ref: 00B98316
      • Part of subcall function 00B8CC4F: memcpy.MSVCRT ref: 00B8CC64
      • Part of subcall function 00B8CC4F: SetEvent.KERNEL32 ref: 00B8CC74
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • GetStartupInfoA.KERNEL32 ref: 0040193F
    • GetFileType.KERNEL32 ref: 004019E9
    • GetStdHandle.KERNEL32(000000F6), ref: 00401A6A
    • GetFileType.KERNEL32 ref: 00401A78
      • Part of subcall function 00402438: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0040245B
      • Part of subcall function 00402438: GetProcAddress.KERNEL32(?,InitializeCriticalSectionAndSpinCount), ref: 0040246B
    • SetHandleCount.KERNEL32 ref: 00401AD0
    Memory Dump Source
    • Source File: 00000003.00000000.254658263.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000000.254647752.00400000.00000002.sdmp
    • Associated: 00000003.00000000.254742621.00487000.00000002.sdmp
    • Associated: 00000003.00000000.254759473.00494000.00000008.sdmp
    • Associated: 00000003.00000000.254780696.004A1000.00000002.sdmp
    APIs
    • memset.MSVCRT ref: 0045BE2B
    • GetComputerNameW.KERNEL32 ref: 0045BE5F
    • GetVersionExW.KERNEL32 ref: 0045BE88
    • memset.MSVCRT ref: 0045BEA7
      • Part of subcall function 00450775: RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0045079C
      • Part of subcall function 00450755: RegFlushKey.ADVAPI32 ref: 00450765
      • Part of subcall function 00450755: RegCloseKey.ADVAPI32 ref: 0045076D
      • Part of subcall function 004593C4: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00459433
      • Part of subcall function 004593C4: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00459458
    • memset.MSVCRT ref: 0045BFAC
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 00459393: CryptDestroyHash.ADVAPI32 ref: 004593AB
      • Part of subcall function 00459393: CryptReleaseContext.ADVAPI32(?,00000000), ref: 004593BC
      • Part of subcall function 0045946B: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 004594AA
      • Part of subcall function 00450A1D: RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 00450A3A
      • Part of subcall function 004508A8: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00450903
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • memset.MSVCRT ref: 00B9BE2B
    • GetComputerNameW.KERNEL32 ref: 00B9BE5F
    • GetVersionExW.KERNEL32 ref: 00B9BE88
    • memset.MSVCRT ref: 00B9BEA7
      • Part of subcall function 00B90775: RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B9079C
      • Part of subcall function 00B90755: RegFlushKey.ADVAPI32 ref: 00B90765
      • Part of subcall function 00B90755: RegCloseKey.ADVAPI32 ref: 00B9076D
      • Part of subcall function 00B993C4: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00B99433
      • Part of subcall function 00B993C4: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00B99458
    • memset.MSVCRT ref: 00B9BFAC
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
      • Part of subcall function 00B99393: CryptDestroyHash.ADVAPI32 ref: 00B993AB
      • Part of subcall function 00B99393: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00B993BC
      • Part of subcall function 00B9946B: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 00B994AA
      • Part of subcall function 00B90A1D: RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 00B90A3A
      • Part of subcall function 00B908A8: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00B90903
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • CertOpenSystemStoreW.CRYPT32(00000000), ref: 00443205
    • CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00443223
    • CertEnumCertificatesInStore.CRYPT32(?,?,?,00000000), ref: 00443230
    • PFXExportCertStoreEx.CRYPT32(?,00000000,00000000,00000000,00000004,?,?,?,00000000), ref: 00443264
      • Part of subcall function 004424C1: HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
    • PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000000,00000000,00000004,?,?,?,00000000), ref: 00443296
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 004432D5: GetUserNameExW.SECUR32(00000002), ref: 00443303
      • Part of subcall function 004432D5: GetSystemTime.KERNEL32 ref: 00443356
      • Part of subcall function 004432D5: CharLowerW.USER32(?), ref: 004433A6
      • Part of subcall function 004432D5: PathRenameExtensionW.SHLWAPI(?), ref: 004433D6
    • CertCloseStore.CRYPT32(?,00000000,?,00000000), ref: 004432C5
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,?,00000004,0045FD90,00000000,?,?,?,?,?,?,?,0045EA72), ref: 0045FC78
    • HeapCreate.KERNEL32(00040001,00000000,00000000), ref: 0045FCB2
    • HeapAlloc.KERNEL32(?,00000000,0000000B,?,?,?,?,00000004,0045FD90,00000000), ref: 0045FCCF
    • HeapFree.KERNEL32(?,00000000,?,?,00000000,0000000B,?,?,?,?,00000004,0045FD90,00000000), ref: 0045FCF7
    • memcpy.MSVCRT ref: 0045FD07
      • Part of subcall function 00436D72: EnterCriticalSection.KERNEL32(0046468C,00000000,00444F6E,?,000000FF), ref: 00436D7E
      • Part of subcall function 00436D72: LeaveCriticalSection.KERNEL32(0046468C,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,009B1EF0), ref: 00436D8E
      • Part of subcall function 00459DDC: GetCurrentThreadId.KERNEL32 ref: 00459DED
      • Part of subcall function 00459DDC: memcpy.MSVCRT ref: 00459F56
      • Part of subcall function 00459DDC: VirtualProtect.KERNEL32(?,?,00000040,00000000), ref: 00459FE2
      • Part of subcall function 00459DDC: GetLastError.KERNEL32(?,00000040,00000000,?,?,00000000), ref: 00459FEC
      • Part of subcall function 00436D9C: LeaveCriticalSection.KERNEL32(0046468C,00436E01,00000001,00000000,00000000,?,00444F82,00000001,00000000,?,000000FF), ref: 00436DA6
      • Part of subcall function 00436DAD: LeaveCriticalSection.KERNEL32(0046468C,?,00436E13,00000001,00000000,00000000,?,00444F82,00000001,00000000,?,000000FF), ref: 00436DBA
    • LeaveCriticalSection.KERNEL32(?,?,00000000,0000000B,?,?,?,?,00000004,0045FD90,00000000), ref: 0045FD4B
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,?,00000004,00B9FD90,00000000,?,?,?,?,?,?,?,00B9EA72), ref: 00B9FC78
    • HeapCreate.KERNEL32(00040001,00000000,00000000), ref: 00B9FCB2
    • HeapAlloc.KERNEL32(?,00000000,0000000B,?,?,?,?,00000004,00B9FD90,00000000), ref: 00B9FCCF
    • HeapFree.KERNEL32(?,00000000,?,?,00000000,0000000B,?,?,?,?,00000004,00B9FD90,00000000), ref: 00B9FCF7
    • memcpy.MSVCRT ref: 00B9FD07
      • Part of subcall function 00B76D72: EnterCriticalSection.KERNEL32(00BA468C,00000000,00B84F6E,?,000000FF), ref: 00B76D7E
      • Part of subcall function 00B76D72: LeaveCriticalSection.KERNEL32(00BA468C,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,01311EF0), ref: 00B76D8E
      • Part of subcall function 00B99DDC: GetCurrentThreadId.KERNEL32 ref: 00B99DED
      • Part of subcall function 00B99DDC: memcpy.MSVCRT ref: 00B99F56
      • Part of subcall function 00B99DDC: VirtualProtect.KERNEL32(?,?,00000040,00000000), ref: 00B99FE2
      • Part of subcall function 00B99DDC: GetLastError.KERNEL32(?,00000040,00000000,?,?,00000000), ref: 00B99FEC
      • Part of subcall function 00B76D9C: LeaveCriticalSection.KERNEL32(00BA468C,00B76E01,00000001,00000000,00000000,?,00B84F82,00000001,00000000,?,000000FF), ref: 00B76DA6
      • Part of subcall function 00B76DAD: LeaveCriticalSection.KERNEL32(00BA468C,?,00B76E13,00000001,00000000,00000000,?,00B84F82,00000001,00000000,?,000000FF), ref: 00B76DBA
    • LeaveCriticalSection.KERNEL32(?,?,00000000,0000000B,?,?,?,?,00000004,00B9FD90,00000000), ref: 00B9FD4B
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,77C475F0), ref: 00448A9B
      • Part of subcall function 00457CEC: WaitForSingleObject.KERNEL32(?,00000000), ref: 00457CF8
    • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,77C475F0), ref: 00448B2D
      • Part of subcall function 00448626: getsockopt.WS2_32(?,0000FFFF,00001008,00429417,00429417), ref: 004486B2
      • Part of subcall function 00448626: GetHandleInformation.KERNEL32 ref: 004486C4
      • Part of subcall function 00448626: socket.WS2_32(?,00000001,00000006), ref: 004486F7
      • Part of subcall function 00448626: socket.WS2_32(?,00000002,00000011), ref: 00448708
      • Part of subcall function 00448626: closesocket.WS2_32(?), ref: 00448727
      • Part of subcall function 00448626: closesocket.WS2_32 ref: 0044872E
      • Part of subcall function 00448626: memset.MSVCRT ref: 004487F2
      • Part of subcall function 00448626: memcpy.MSVCRT ref: 00448902
    • SetEvent.KERNEL32 ref: 00448B80
    • SetEvent.KERNEL32 ref: 00448BB9
      • Part of subcall function 00457CD3: SetEvent.KERNEL32 ref: 00457CE3
    • LeaveCriticalSection.KERNEL32(?,?,?,?,77C475F0), ref: 00448C3E
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,77C475F0), ref: 00B88A9B
      • Part of subcall function 00B97CEC: WaitForSingleObject.KERNEL32(?,00000000), ref: 00B97CF8
    • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,77C475F0), ref: 00B88B2D
      • Part of subcall function 00B88626: getsockopt.WS2_32(?,0000FFFF,00001008,00B69417,00B69417), ref: 00B886B2
      • Part of subcall function 00B88626: GetHandleInformation.KERNEL32 ref: 00B886C4
      • Part of subcall function 00B88626: socket.WS2_32(?,00000001,00000006), ref: 00B886F7
      • Part of subcall function 00B88626: socket.WS2_32(?,00000002,00000011), ref: 00B88708
      • Part of subcall function 00B88626: closesocket.WS2_32(?), ref: 00B88727
      • Part of subcall function 00B88626: closesocket.WS2_32 ref: 00B8872E
      • Part of subcall function 00B88626: memset.MSVCRT ref: 00B887F2
      • Part of subcall function 00B88626: memcpy.MSVCRT ref: 00B88902
    • SetEvent.KERNEL32 ref: 00B88B80
    • SetEvent.KERNEL32 ref: 00B88BB9
      • Part of subcall function 00B97CD3: SetEvent.KERNEL32 ref: 00B97CE3
    • LeaveCriticalSection.KERNEL32(?,?,?,?,77C475F0), ref: 00B88C3E
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
      • Part of subcall function 0045ACAD: GetModuleHandleW.KERNEL32(00000000), ref: 0045ACF4
      • Part of subcall function 0045ACAD: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0045AD59
      • Part of subcall function 0045ACAD: Process32FirstW.KERNEL32 ref: 0045AD74
      • Part of subcall function 0045ACAD: PathFindFileNameW.SHLWAPI ref: 0045AD87
      • Part of subcall function 0045ACAD: StrCmpNIW.SHLWAPI(rapport,?,00000007), ref: 0045AD99
      • Part of subcall function 0045ACAD: Process32NextW.KERNEL32(?,?), ref: 0045ADA9
      • Part of subcall function 0045ACAD: CloseHandle.KERNEL32 ref: 0045ADB4
      • Part of subcall function 0045ACAD: WSAStartup.WS2_32(00000202), ref: 0045ADC4
      • Part of subcall function 0045ACAD: CreateEventW.KERNEL32(004649B4,00000001,00000000,00000000), ref: 0045ADEC
      • Part of subcall function 0045ACAD: GetLengthSid.ADVAPI32(?,?,?,?,00000001), ref: 0045AE22
      • Part of subcall function 0045ACAD: GetCurrentProcessId.KERNEL32 ref: 0045AE4D
    • SetErrorMode.KERNEL32(00008007), ref: 0045B851
    • GetCommandLineW.KERNEL32 ref: 0045B85D
    • CommandLineToArgvW.SHELL32 ref: 0045B864
    • LocalFree.KERNEL32 ref: 0045B8A1
    • ExitProcess.KERNEL32(00000001), ref: 0045B8B2
      • Part of subcall function 0045B4AA: CreateMutexW.KERNEL32(004649B4,00000001), ref: 0045B550
      • Part of subcall function 0045B4AA: GetLastError.KERNEL32(?,38901130,?,00000001,?,?,00000001,?,?,?,0045B8C7), ref: 0045B560
      • Part of subcall function 0045B4AA: CloseHandle.KERNEL32 ref: 0045B56E
      • Part of subcall function 0045B4AA: lstrlenW.KERNEL32 ref: 0045B5D0
      • Part of subcall function 0045B4AA: ExitWindowsEx.USER32(00000014,80000000), ref: 0045B615
      • Part of subcall function 0045B4AA: OpenEventW.KERNEL32(00000002,00000000), ref: 0045B63B
      • Part of subcall function 0045B4AA: SetEvent.KERNEL32 ref: 0045B648
      • Part of subcall function 0045B4AA: CloseHandle.KERNEL32 ref: 0045B64F
      • Part of subcall function 0045B4AA: Sleep.KERNEL32(00007530), ref: 0045B674
      • Part of subcall function 0045B4AA: InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000001,80000000), ref: 0045B68C
      • Part of subcall function 0045B4AA: Sleep.KERNEL32(000000FF), ref: 0045B694
      • Part of subcall function 0045B4AA: CloseHandle.KERNEL32 ref: 0045B697
      • Part of subcall function 0045B4AA: IsWellKnownSid.ADVAPI32(009B1EC0,00000016), ref: 0045B6E5
      • Part of subcall function 0045B4AA: CreateEventW.KERNEL32(004649B4,00000001,00000000), ref: 0045B7B4
      • Part of subcall function 0045B4AA: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0045B7CD
      • Part of subcall function 0045B4AA: WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,000000FF), ref: 0045B7DF
      • Part of subcall function 0045B4AA: CloseHandle.KERNEL32(00000000), ref: 0045B7F6
      • Part of subcall function 0045B4AA: CloseHandle.KERNEL32(?), ref: 0045B7FC
      • Part of subcall function 0045B4AA: CloseHandle.KERNEL32(?), ref: 0045B802
    • Sleep.KERNEL32(000000FF), ref: 0045B8D8
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
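Reading a listing like the one above by hand is slow, and much of it is repetition: the report prints each function once per memory dump, so the same code appears at 0x400000 and again at 0xB40000 (for instance `PathFindFileNameW` at `00444C02` and at `00B84C02`, both 0x44C02 past their image base). The script below is an added triage helper, not code from the report or from Joe Sandbox. It parses lines in this page's `APIs` format, tags blocks whose API combination forms a capability (for example `VirtualAllocEx` + `WriteProcessMemory` in the block at `00B9AECF`, `CertEnumCertificatesInStore` + `PFXExportCertStoreEx` in the block at `00443205`), decodes a few hex arguments into their documented Windows constants (`00000040` = `PAGE_EXECUTE_READWRITE`, `00008003` = `CALG_MD5`, `00008007` = the `SEM_*` flags), surfaces string literals such as `rapport` and the `Global\{...}` mutex name, and collapses copies of one function by comparing RVAs. The capability rules and the sample input are constructed for the example (the sample's last block is a composite of lines from several functions on this page); the rules are deliberately small and should be extended for real use.

```python
import re

# Added triage helper (not from the report or Joe Sandbox) for this page's "APIs" listing format.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})"
)
SRC_RE = re.compile(r"Source File: \S+, Offset: (?P<base>[0-9A-F]{8})")
HEX_RE = re.compile(r"[0-9A-Fa-f]{8}")
# A label applies when every API in its set occurs in one function block (constructed rules).
RULES = {
    "process injection": {"VirtualAllocEx", "WriteProcessMemory"},
    "certificate export": {"CertEnumCertificatesInStore", "PFXExportCertStoreEx"},
    "named mutex": {"CreateMutexW"},
}
# Documented Windows constants behind the raw hex arguments.
PAGE = {0x40: "PAGE_EXECUTE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x04: "PAGE_READWRITE"}
CALG = {0x8003: "CALG_MD5", 0x8004: "CALG_SHA1"}
SEM = {0x1: "SEM_FAILCRITICALERRORS", 0x2: "SEM_NOGPFAULTERRORBOX",
       0x4: "SEM_NOALIGNMENTFAULTEXCEPT", 0x8000: "SEM_NOOPENFILEERRORBOX"}


def parse_blocks(text):
    """Split the listing at each "APIs" header into {"apis": [...], "base": int|None}."""
    blocks, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"apis": [], "base": None}
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = SRC_RE.search(line)            # "Source File: ..., Offset: <image base>"
        if m:
            cur["base"] = int(m["base"], 16)
            continue
        m = API_RE.match(line)
        if m:
            cur["apis"].append({"api": m["api"], "ref": int(m["ref"], 16),
                                "args": [a for a in (m["args"] or "").split(",") if a]})
    return blocks


def hex_arg(args, i):
    # args[i] as an int when it is an 8-digit hex literal; None for "?" or string literals
    return int(args[i], 16) if i < len(args) and HEX_RE.fullmatch(args[i]) else None


def classify(block):
    """Return (capability labels, decoded argument hints) for one function block."""
    names = {a["api"] for a in block["apis"]}
    labels = [name for name, need in RULES.items() if need <= names]
    hints = []
    for a in block["apis"]:
        api, args = a["api"], a["args"]
        if api == "VirtualAllocEx" and hex_arg(args, 4) in PAGE:     # flProtect
            hints.append("VirtualAllocEx: " + PAGE[hex_arg(args, 4)])
        elif api == "CryptCreateHash" and hex_arg(args, 1) in CALG:  # Algid
            hints.append("CryptCreateHash: " + CALG[hex_arg(args, 1)])
        elif api == "SetErrorMode" and hex_arg(args, 0) is not None:
            v = hex_arg(args, 0)
            hints.append("SetErrorMode: " + "|".join(n for b, n in SEM.items() if v & b))
        elif api == "CreateMutexW" and len(args) > 2 and args[2].startswith("Global\\"):
            hints.append("mutex IOC: " + args[2])
        elif api == "StrCmpNIW" and args and args[0] != "?" and hex_arg(args, 0) is None:
            hints.append("compares against literal: " + args[0])
    return labels, hints


def triage(text):
    """Return (findings, duplicate base groups); a function is the same across image
    bases when every call has the same API name and RVA (ref minus base)."""
    blocks = parse_blocks(text)
    findings = [{"base": b["base"], "labels": l, "hints": h}
                for b in blocks for l, h in [classify(b)] if l or h]
    groups = {}
    for b in blocks:
        if b["base"] is not None:
            key = tuple(sorted((a["api"], a["ref"] - b["base"]) for a in b["apis"]))
            groups.setdefault(key, []).append(b["base"])
    return findings, [sorted(v) for v in groups.values() if len(v) > 1]


# Constructed sample: lines copied from this report; the last block is a composite.
SAMPLE = """APIs
  • Part of subcall function 00B8C90D: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 00B8C93C
  • Part of subcall function 00B8C90D: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00B8C97B
• Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
APIs
• CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00443223
• PFXExportCertStoreEx.CRYPT32(?,00000000,00000000,00000000,00000004,?,?,?,00000000), ref: 00443264
• Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
APIs
• CharLowerW.USER32 ref: 004386A3
• Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
APIs
• CharLowerW.USER32 ref: 00B786A3
• Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
APIs
• SetErrorMode.KERNEL32(00008007), ref: 0045B851
  • Part of subcall function 0045ACAD: StrCmpNIW.SHLWAPI(rapport,?,00000007), ref: 0045AD99
  • Part of subcall function 004593C4: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00459433
• CreateMutexW.KERNEL32(004649B4,00000000,Global\\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}), ref: 0045D5EE
"""
```

Run `triage(open("report.txt").read())` over a saved copy of the listing; the second element of the result shows which image bases carry the same function, so each function needs reading only once, and the first element is the short list of blocks worth opening in a disassembler. Rules keyed on API sets rather than single calls keep `memcpy`/`EnterCriticalSection` noise out of the findings; `RegSetValueExW`, `CreateToolhelp32Snapshot`/`Process32FirstW` and `ExitWindowsEx`/`InitiateSystemShutdownExW` from the blocks above are natural additions.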
    APIs
      • Part of subcall function 00B9ACAD: GetModuleHandleW.KERNEL32(00000000), ref: 00B9ACF4
      • Part of subcall function 00B9ACAD: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00B9AD59
      • Part of subcall function 00B9ACAD: Process32FirstW.KERNEL32 ref: 00B9AD74
      • Part of subcall function 00B9ACAD: PathFindFileNameW.SHLWAPI ref: 00B9AD87
      • Part of subcall function 00B9ACAD: StrCmpNIW.SHLWAPI(rapport,?,00000007), ref: 00B9AD99
      • Part of subcall function 00B9ACAD: Process32NextW.KERNEL32(?,?), ref: 00B9ADA9
      • Part of subcall function 00B9ACAD: CloseHandle.KERNEL32 ref: 00B9ADB4
      • Part of subcall function 00B9ACAD: WSAStartup.WS2_32(00000202), ref: 00B9ADC4
      • Part of subcall function 00B9ACAD: CreateEventW.KERNEL32(00BA49B4,00000001,00000000,00000000), ref: 00B9ADEC
      • Part of subcall function 00B9ACAD: GetLengthSid.ADVAPI32(?,?,?,?,00000001), ref: 00B9AE22
      • Part of subcall function 00B9ACAD: GetCurrentProcessId.KERNEL32 ref: 00B9AE4D
    • SetErrorMode.KERNEL32(00008007), ref: 00B9B851
    • GetCommandLineW.KERNEL32 ref: 00B9B85D
    • CommandLineToArgvW.SHELL32 ref: 00B9B864
    • LocalFree.KERNEL32 ref: 00B9B8A1
    • ExitProcess.KERNEL32(00000001), ref: 00B9B8B2
      • Part of subcall function 00B9B4AA: CreateMutexW.KERNEL32(00BA49B4,00000001), ref: 00B9B550
      • Part of subcall function 00B9B4AA: GetLastError.KERNEL32(?,38901130,?,00000001,?,?,00000001,?,?,?,00B9B8C7), ref: 00B9B560
      • Part of subcall function 00B9B4AA: CloseHandle.KERNEL32 ref: 00B9B56E
      • Part of subcall function 00B9B4AA: lstrlenW.KERNEL32 ref: 00B9B5D0
      • Part of subcall function 00B9B4AA: ExitWindowsEx.USER32(00000014,80000000), ref: 00B9B615
      • Part of subcall function 00B9B4AA: OpenEventW.KERNEL32(00000002,00000000), ref: 00B9B63B
      • Part of subcall function 00B9B4AA: SetEvent.KERNEL32 ref: 00B9B648
      • Part of subcall function 00B9B4AA: CloseHandle.KERNEL32 ref: 00B9B64F
      • Part of subcall function 00B9B4AA: Sleep.KERNEL32(00007530), ref: 00B9B674
      • Part of subcall function 00B9B4AA: InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000001,80000000), ref: 00B9B68C
      • Part of subcall function 00B9B4AA: Sleep.KERNEL32(000000FF), ref: 00B9B694
      • Part of subcall function 00B9B4AA: CloseHandle.KERNEL32 ref: 00B9B697
      • Part of subcall function 00B9B4AA: IsWellKnownSid.ADVAPI32(01311EC0,00000016), ref: 00B9B6E5
      • Part of subcall function 00B9B4AA: CreateEventW.KERNEL32(00BA49B4,00000001,00000000), ref: 00B9B7B4
      • Part of subcall function 00B9B4AA: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B9B7CD
      • Part of subcall function 00B9B4AA: WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,000000FF), ref: 00B9B7DF
      • Part of subcall function 00B9B4AA: CloseHandle.KERNEL32(00000000), ref: 00B9B7F6
      • Part of subcall function 00B9B4AA: CloseHandle.KERNEL32(?), ref: 00B9B7FC
      • Part of subcall function 00B9B4AA: CloseHandle.KERNEL32(?), ref: 00B9B802
    • Sleep.KERNEL32(000000FF), ref: 00B9B8D8
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00465AA4,00000000,?,?,004393C9), ref: 0045D5B6
    • LeaveCriticalSection.KERNEL32(00465AA4,?,?,004393C9), ref: 0045D5DC
      • Part of subcall function 0045D4EF: memset.MSVCRT ref: 0045D506
    • CreateMutexW.KERNEL32(004649B4,00000000,Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}), ref: 0045D5EE
      • Part of subcall function 004375E7: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004375ED
      • Part of subcall function 004375E7: CloseHandle.KERNEL32 ref: 004375FF
    Strings
    • Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}, xrefs: 0045D5E3
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 0043BA34: getsockopt.WS2_32(?,0000FFFF,00002004), ref: 0043BA5A
      • Part of subcall function 00443A22: select.WS2_32(00000000,?,00000000,00000000), ref: 00443A81
      • Part of subcall function 00443A22: recv.WS2_32(?,?,?,00000000), ref: 00443A91
    • getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 0044EDB2
    • memcpy.MSVCRT ref: 0044EDEA
    • FreeAddrInfoW.WS2_32(?), ref: 0044EDF8
    • memset.MSVCRT ref: 0044EE13
      • Part of subcall function 0044EC55: getpeername.WS2_32(?,?,?), ref: 0044EC79
      • Part of subcall function 0044EC55: getsockname.WS2_32(?,?,?), ref: 0044EC91
      • Part of subcall function 0044EC55: send.WS2_32(00000000,00000000,00000008,00000000), ref: 0044ECC2
      • Part of subcall function 00443BBE: socket.WS2_32(?,00000001,00000006), ref: 00443BCA
      • Part of subcall function 00443BBE: bind.WS2_32 ref: 00443BE7
      • Part of subcall function 00443BBE: listen.WS2_32(?,00000001), ref: 00443BF4
      • Part of subcall function 00443BBE: WSAGetLastError.WS2_32(?,?,?,?,00000001,00000006,?,?,0044EE5F,?,?,?), ref: 00443BFE
      • Part of subcall function 00443BBE: closesocket.WS2_32 ref: 00443C07
      • Part of subcall function 00443BBE: WSASetLastError.WS2_32(?,?,?,?,?,?,00000001,00000006,?,?,0044EE5F,?,?,?), ref: 00443C0E
      • Part of subcall function 00443D73: accept.WS2_32(?,00000000), ref: 00443D94
      • Part of subcall function 00443AD3: socket.WS2_32(?,00000001,00000006), ref: 00443ADF
      • Part of subcall function 00443AD3: connect.WS2_32 ref: 00443AFC
      • Part of subcall function 00443AD3: closesocket.WS2_32 ref: 00443B07
      • Part of subcall function 0043C06E: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0043C082
      • Part of subcall function 00443C1C: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00443C44
      • Part of subcall function 00443C1C: recv.WS2_32(?,?,00000400,00000000), ref: 00443C70
      • Part of subcall function 00443C1C: send.WS2_32(?,?,?,00000000), ref: 00443C92
      • Part of subcall function 00443C1C: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00443CBF
      • Part of subcall function 00443D9E: shutdown.WS2_32(?,00000002), ref: 00443DA9
      • Part of subcall function 00443D9E: closesocket.WS2_32 ref: 00443DB0
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B7BA34: getsockopt.WS2_32(?,0000FFFF,00002004), ref: 00B7BA5A
      • Part of subcall function 00B83A22: select.WS2_32(00000000,?,00000000,00000000), ref: 00B83A81
      • Part of subcall function 00B83A22: recv.WS2_32(?,?,?,00000000), ref: 00B83A91
    • getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 00B8EDB2
    • memcpy.MSVCRT ref: 00B8EDEA
    • FreeAddrInfoW.WS2_32(?), ref: 00B8EDF8
    • memset.MSVCRT ref: 00B8EE13
      • Part of subcall function 00B8EC55: getpeername.WS2_32(?,?,?), ref: 00B8EC79
      • Part of subcall function 00B8EC55: getsockname.WS2_32(?,?,?), ref: 00B8EC91
      • Part of subcall function 00B8EC55: send.WS2_32(00000000,00000000,00000008,00000000), ref: 00B8ECC2
      • Part of subcall function 00B83BBE: socket.WS2_32(?,00000001,00000006), ref: 00B83BCA
      • Part of subcall function 00B83BBE: bind.WS2_32 ref: 00B83BE7
      • Part of subcall function 00B83BBE: listen.WS2_32(?,00000001), ref: 00B83BF4
      • Part of subcall function 00B83BBE: WSAGetLastError.WS2_32(?,?,?,?,00000001,00000006,?,?,00B8EE5F,?,?,?), ref: 00B83BFE
      • Part of subcall function 00B83BBE: closesocket.WS2_32 ref: 00B83C07
      • Part of subcall function 00B83BBE: WSASetLastError.WS2_32(?,?,?,?,?,?,00000001,00000006,?,?,00B8EE5F,?,?,?), ref: 00B83C0E
      • Part of subcall function 00B83D73: accept.WS2_32(?,00000000), ref: 00B83D94
      • Part of subcall function 00B83AD3: socket.WS2_32(?,00000001,00000006), ref: 00B83ADF
      • Part of subcall function 00B83AD3: connect.WS2_32 ref: 00B83AFC
      • Part of subcall function 00B83AD3: closesocket.WS2_32 ref: 00B83B07
      • Part of subcall function 00B7C06E: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 00B7C082
      • Part of subcall function 00B83C1C: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00B83C44
      • Part of subcall function 00B83C1C: recv.WS2_32(?,?,00000400,00000000), ref: 00B83C70
      • Part of subcall function 00B83C1C: send.WS2_32(?,?,?,00000000), ref: 00B83C92
      • Part of subcall function 00B83C1C: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00B83CBF
      • Part of subcall function 00B83D9E: shutdown.WS2_32(?,00000002), ref: 00B83DA9
      • Part of subcall function 00B83D9E: closesocket.WS2_32 ref: 00B83DB0
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
      • Part of subcall function 0045868E: EnterCriticalSection.KERNEL32(00465AA4,?,0045AA5B,?,0045ADD5,?,?,?,00000001), ref: 0045869E
      • Part of subcall function 0045868E: LeaveCriticalSection.KERNEL32(00465AA4,?,0045AA5B,?,0045ADD5,?,?,?,00000001), ref: 004586C4
    • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 004454CE
    • GetProcAddress.KERNEL32(?,GetProductInfo), ref: 004454DE
    • GetSystemDefaultUILanguage.KERNEL32(?,?,?,004451C2), ref: 00445519
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B9868E: EnterCriticalSection.KERNEL32(00BA5AA4,?,00B9AA5B,?,00B9ADD5,?,?,?,00000001), ref: 00B9869E
      • Part of subcall function 00B9868E: LeaveCriticalSection.KERNEL32(00BA5AA4,?,00B9AA5B,?,00B9ADD5,?,?,?,00000001), ref: 00B986C4
    • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00B854CE
    • GetProcAddress.KERNEL32(?,GetProductInfo), ref: 00B854DE
    • GetSystemDefaultUILanguage.KERNEL32(?,?,?,00B851C2), ref: 00B85519
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • GetCurrentProcess.KERNEL32 ref: 00459824
    • VirtualProtect.KERNEL32(00000000,=::=::\,00000020), ref: 00459845
    • FlushInstructionCache.KERNEL32(?,00000000,=::=::\), ref: 0045984E
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • GetModuleHandleA.KERNEL32(kernel32), ref: 00A3195E
    • GetProcAddress.KERNEL32 ref: 00A31965
    Memory Dump Source
    • Source File: 00000003.00000002.678185872.00A30000.00000040.sdmp, Offset: 00A30000, based on PE: false
    APIs
    • GetModuleHandleA.KERNEL32(kernel32), ref: 00A31992
    • GetProcAddress.KERNEL32 ref: 00A31999
    Memory Dump Source
    • Source File: 00000003.00000002.678185872.00A30000.00000040.sdmp, Offset: 00A30000, based on PE: false
    APIs
    • GetVersionExW.KERNEL32(00464858), ref: 004586E6
    • GetNativeSystemInfo.KERNEL32(000000FF), ref: 00458822
    • memset.MSVCRT ref: 00458857
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • GetTempPathW.KERNEL32(00000104), ref: 00451B17
    • lstrcpyA.KERNEL32(?,0042C28A,00000000,00451DA8,?,?,?,00451DA8,?,?,?,?,?,?,?,0045A7AA), ref: 00451BAE
    • lstrcpynA.KERNEL32(?,?\C,00000003,?,0042C28A,00000000,00451DA8,?,?,?,00451DA8), ref: 00451BC4
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • GetTempPathW.KERNEL32(00000104), ref: 00B91B17
    • lstrcpyA.KERNEL32(?,00B6C28A,00000000,00B91DA8,?,?,?,00B91DA8,?,?,?,?,?,?,?,00B9A7AA), ref: 00B91BAE
    • lstrcpynA.KERNEL32(?,?\C,00000003,?,00B6C28A,00000000,00B91DA8,?,?,?,00B91DA8), ref: 00B91BC4
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • VerQueryValueW.VERSION(?,\VarFileInfo\Translation), ref: 00444FEE
    • VerQueryValueW.VERSION(?,?,?,?,\VarFileInfo\Translation), ref: 0044505B
      • Part of subcall function 00439E88: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00439E9D
      • Part of subcall function 00439E88: StrCmpIW.SHLWAPI ref: 00439EA7
    Strings
    • \VarFileInfo\Translation, xrefs: 00444FE7
    • \StringFileInfo\%04x%04x\%s, xrefs: 00445030
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • VerQueryValueW.VERSION(?,\VarFileInfo\Translation), ref: 00B84FEE
    • VerQueryValueW.VERSION(?,?,?,?,\VarFileInfo\Translation), ref: 00B8505B
      • Part of subcall function 00B79E88: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00B79E9D
      • Part of subcall function 00B79E88: StrCmpIW.SHLWAPI ref: 00B79EA7
    Strings
    • \StringFileInfo\%04x%04x\%s, xrefs: 00B85030
    • \VarFileInfo\Translation, xrefs: 00B84FE7
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • GetProcAddress.KERNEL32(?,GdipCreateBitmapFromHBITMAP), ref: 0045129A
    • GetProcAddress.KERNEL32(?,GdipDisposeImage), ref: 004512A5
      • Part of subcall function 004512E6: GetProcAddress.KERNEL32(?,GdipGetImageEncodersSize), ref: 00451304
      • Part of subcall function 004512E6: GetProcAddress.KERNEL32(?,GdipGetImageEncoders), ref: 0045130F
      • Part of subcall function 004512E6: GetProcAddress.KERNEL32(?,GdipSaveImageToStream), ref: 0045131A
      • Part of subcall function 004512E6: lstrcmpiW.KERNEL32(?), ref: 004513A7
      • Part of subcall function 004512E6: memcpy.MSVCRT ref: 004513CA
      • Part of subcall function 004512E6: CreateStreamOnHGlobal.OLE32(00000000,00000001), ref: 004513F5
      • Part of subcall function 004512E6: memcpy.MSVCRT ref: 00451423
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • GetProcAddress.KERNEL32(?,GdipCreateBitmapFromHBITMAP), ref: 00B9129A
    • GetProcAddress.KERNEL32(?,GdipDisposeImage), ref: 00B912A5
      • Part of subcall function 00B912E6: GetProcAddress.KERNEL32(?,GdipGetImageEncodersSize), ref: 00B91304
      • Part of subcall function 00B912E6: GetProcAddress.KERNEL32(?,GdipGetImageEncoders), ref: 00B9130F
      • Part of subcall function 00B912E6: GetProcAddress.KERNEL32(?,GdipSaveImageToStream), ref: 00B9131A
      • Part of subcall function 00B912E6: lstrcmpiW.KERNEL32(?), ref: 00B913A7
      • Part of subcall function 00B912E6: memcpy.MSVCRT ref: 00B913CA
      • Part of subcall function 00B912E6: CreateStreamOnHGlobal.OLE32(00000000,00000001), ref: 00B913F5
      • Part of subcall function 00B912E6: memcpy.MSVCRT ref: 00B91423
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0044A111), ref: 004493BE
    • LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0044A111), ref: 004494E9
      • Part of subcall function 00441A4F: memcmp.MSVCRT ref: 00441A6B
    • memcpy.MSVCRT ref: 00449419
    • LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0044A111,?,00000002), ref: 00449429
      • Part of subcall function 0044B7FF: EnterCriticalSection.KERNEL32(004647FC,?,?,004559A9,00000000), ref: 0044B80C
      • Part of subcall function 0044B7FF: LeaveCriticalSection.KERNEL32(004647FC,?,?,004559A9,00000000), ref: 0044B81A
    • EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 0044945D
      • Part of subcall function 00456875: GetSystemTime.KERNEL32 ref: 0045687F
      • Part of subcall function 00441728: memcpy.MSVCRT ref: 00441771
      • Part of subcall function 00441858: memcpy.MSVCRT ref: 00441935
      • Part of subcall function 00441858: memcpy.MSVCRT ref: 00441956
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00B8A111), ref: 00B893BE
    • LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00B8A111), ref: 00B894E9
      • Part of subcall function 00B81A4F: memcmp.MSVCRT ref: 00B81A6B
    • memcpy.MSVCRT ref: 00B89419
    • LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00B8A111,?,00000002), ref: 00B89429
      • Part of subcall function 00B8B7FF: EnterCriticalSection.KERNEL32(00BA47FC,?,?,00B959A9,00000000), ref: 00B8B80C
      • Part of subcall function 00B8B7FF: LeaveCriticalSection.KERNEL32(00BA47FC,?,?,00B959A9,00000000), ref: 00B8B81A
    • EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 00B8945D
      • Part of subcall function 00B96875: GetSystemTime.KERNEL32 ref: 00B9687F
      • Part of subcall function 00B81728: memcpy.MSVCRT ref: 00B81771
      • Part of subcall function 00B81858: memcpy.MSVCRT ref: 00B81935
      • Part of subcall function 00B81858: memcpy.MSVCRT ref: 00B81956
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • VirtualFree.KERNEL32(0000000C,00008000,00004000), ref: 00402943
    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0040299E
    • HeapFree.KERNEL32(00000000,?), ref: 004029B0
    Memory Dump Source
    • Source File: 00000003.00000000.254658263.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000000.254647752.00400000.00000002.sdmp
    • Associated: 00000003.00000000.254742621.00487000.00000002.sdmp
    • Associated: 00000003.00000000.254759473.00494000.00000008.sdmp
    • Associated: 00000003.00000000.254780696.004A1000.00000002.sdmp
    APIs
    • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00443C44
    • recv.WS2_32(?,?,00000400,00000000), ref: 00443C70
    • send.WS2_32(?,?,?,00000000), ref: 00443C92
    • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00443CBF
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00B83C44
    • recv.WS2_32(?,?,00000400,00000000), ref: 00B83C70
    • send.WS2_32(?,?,?,00000000), ref: 00B83C92
    • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00B83CBF
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,00442B51,00000005,00007530,?,00000000,00000000), ref: 00438CC7
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00438CEB
    • CloseHandle.KERNEL32 ref: 00438CFB
      • Part of subcall function 004424F3: HeapAlloc.KERNEL32(00000000,?,?,?,00436328,?,?,00458D10,?,?,?,?,0000FFFF), ref: 0044251D
      • Part of subcall function 004424F3: HeapReAlloc.KERNEL32(00000000,?,?,?,?,00436328,?,?,00458D10,?,?,?,?,0000FFFF), ref: 00442530
    • LeaveCriticalSection.KERNEL32(?,?,?,?,00442B51,00000005,00007530,?,00000000,00000000), ref: 00438D2B
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,00B82B51,00000005,00007530,?,00000000,00000000), ref: 00B78CC7
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00B78CEB
    • CloseHandle.KERNEL32 ref: 00B78CFB
      • Part of subcall function 00B824F3: HeapAlloc.KERNEL32(00000000,?,?,?,00B76328,?,?,00B98D10,?,?,?,?,0000FFFF), ref: 00B8251D
      • Part of subcall function 00B824F3: HeapReAlloc.KERNEL32(00000000,?,?,?,?,00B76328,?,?,00B98D10,?,?,?,?,0000FFFF), ref: 00B82530
    • LeaveCriticalSection.KERNEL32(?,?,?,?,00B82B51,00000005,00007530,?,00000000,00000000), ref: 00B78D2B
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,?,00437F4D,00000001,?,00000001,?), ref: 0043A655
    • memcpy.MSVCRT ref: 0043A6D1
    • memcpy.MSVCRT ref: 0043A6E5
    • memcpy.MSVCRT ref: 0043A70F
    • LeaveCriticalSection.KERNEL32(?,?,?,00000001,?,?,?,?,00437F4D,00000001,?,00000001,?), ref: 0043A735
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,?,00B77F4D,00000001,?,00000001,?), ref: 00B7A655
    • memcpy.MSVCRT ref: 00B7A6D1
    • memcpy.MSVCRT ref: 00B7A6E5
    • memcpy.MSVCRT ref: 00B7A70F
    • LeaveCriticalSection.KERNEL32(?,?,?,00000001,?,?,?,?,00B77F4D,00000001,?,00000001,?), ref: 00B7A735
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00465AA4), ref: 004427D6
    • LeaveCriticalSection.KERNEL32(00465AA4), ref: 004427FC
      • Part of subcall function 0044275F: InitializeCriticalSection.KERNEL32(004650C8), ref: 00442764
      • Part of subcall function 0044275F: memset.MSVCRT ref: 00442773
    • EnterCriticalSection.KERNEL32(004650C8), ref: 00442807
    • LeaveCriticalSection.KERNEL32(004650C8), ref: 0044287F
      • Part of subcall function 0044B1FD: PathRenameExtensionW.SHLWAPI ref: 0044B26F
      • Part of subcall function 0044B286: memset.MSVCRT ref: 0044B42B
      • Part of subcall function 0044B286: memcpy.MSVCRT ref: 0044B457
      • Part of subcall function 0044B286: CreateFileW.KERNEL32(0042AF54,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 0044B55C
      • Part of subcall function 0044B286: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0044B578
    • Sleep.KERNEL32(000007D0), ref: 00442872
      • Part of subcall function 0044B61E: memset.MSVCRT ref: 0044B640
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(00BA5AA4), ref: 00B827D6
    • LeaveCriticalSection.KERNEL32(00BA5AA4), ref: 00B827FC
      • Part of subcall function 00B8275F: InitializeCriticalSection.KERNEL32(00BA50C8), ref: 00B82764
      • Part of subcall function 00B8275F: memset.MSVCRT ref: 00B82773
    • EnterCriticalSection.KERNEL32(00BA50C8), ref: 00B82807
    • LeaveCriticalSection.KERNEL32(00BA50C8), ref: 00B8287F
      • Part of subcall function 00B8B1FD: PathRenameExtensionW.SHLWAPI ref: 00B8B26F
      • Part of subcall function 00B8B286: memset.MSVCRT ref: 00B8B42B
      • Part of subcall function 00B8B286: memcpy.MSVCRT ref: 00B8B457
      • Part of subcall function 00B8B286: CreateFileW.KERNEL32(00B6AF54,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 00B8B55C
      • Part of subcall function 00B8B286: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00B8B578
    • Sleep.KERNEL32(000007D0), ref: 00B82872
      • Part of subcall function 00B8B61E: memset.MSVCRT ref: 00B8B640
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • LoadLibraryW.KERNEL32 ref: 00454736
    • GetProcAddress.KERNEL32 ref: 0045475E
    • StrChrA.SHLWAPI(?,00000040), ref: 00454885
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • StrChrW.SHLWAPI(?,00000040,?,?,?,?,?,?,?,?,00000000,00000000,?,?,?,00000000), ref: 00454866
      • Part of subcall function 0044D12D: lstrlenW.KERNEL32(0042C448), ref: 0044D149
      • Part of subcall function 0044D12D: lstrlenW.KERNEL32 ref: 0044D14F
      • Part of subcall function 0044D12D: memcpy.MSVCRT ref: 0044D173
    • FreeLibrary.KERNEL32 ref: 0045496B
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • LoadLibraryW.KERNEL32 ref: 00B94736
    • GetProcAddress.KERNEL32 ref: 00B9475E
    • StrChrA.SHLWAPI(?,00000040), ref: 00B94885
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
    • StrChrW.SHLWAPI(?,00000040,?,?,?,?,?,?,?,?,00000000,00000000,?,?,?,00000000), ref: 00B94866
      • Part of subcall function 00B8D12D: lstrlenW.KERNEL32(00B6C448), ref: 00B8D149
      • Part of subcall function 00B8D12D: lstrlenW.KERNEL32 ref: 00B8D14F
      • Part of subcall function 00B8D12D: memcpy.MSVCRT ref: 00B8D173
    • FreeLibrary.KERNEL32 ref: 00B9496B
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • memcpy.MSVCRT ref: 0044DA9F
      • Part of subcall function 0044D8E8: memcpy.MSVCRT ref: 0044D8FF
      • Part of subcall function 0044D8E8: CharLowerA.USER32 ref: 0044D9CA
      • Part of subcall function 0044D8E8: CharLowerA.USER32(?), ref: 0044D9DA
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • memcpy.MSVCRT ref: 00B8DA9F
      • Part of subcall function 00B8D8E8: memcpy.MSVCRT ref: 00B8D8FF
      • Part of subcall function 00B8D8E8: CharLowerA.USER32 ref: 00B8D9CA
      • Part of subcall function 00B8D8E8: CharLowerA.USER32(?), ref: 00B8D9DA
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • VirtualQuery.KERNEL32(?,00000000,0000001C), ref: 0040325F
    • InterlockedExchange.KERNEL32(0049FD08,00000001), ref: 004032DD
    • InterlockedExchange.KERNEL32(0049FD08,00000000), ref: 00403342
    • InterlockedExchange.KERNEL32(0049FD08,00000001), ref: 00403366
    • InterlockedExchange.KERNEL32(0049FD08,00000000), ref: 004033C6
    Memory Dump Source
    • Source File: 00000003.00000000.254658263.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000000.254647752.00400000.00000002.sdmp
    • Associated: 00000003.00000000.254742621.00487000.00000002.sdmp
    • Associated: 00000003.00000000.254759473.00494000.00000008.sdmp
    • Associated: 00000003.00000000.254780696.004A1000.00000002.sdmp
    APIs
      • Part of subcall function 0043BDD5: WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,00437A9F,?,00000005), ref: 0043BE0B
      • Part of subcall function 0043BDD5: WSASetLastError.WS2_32(00002775,?,?,?,?,?,?,?,?,00437A9F,?,00000005), ref: 0043BE6F
    • memcmp.MSVCRT ref: 00437AB8
    • memcmp.MSVCRT ref: 00437AD0
    • memcpy.MSVCRT ref: 00437B05
      • Part of subcall function 0044DE94: memcpy.MSVCRT ref: 0044DEA1
      • Part of subcall function 0044E043: memcpy.MSVCRT ref: 0044E070
      • Part of subcall function 0044ADFE: EnterCriticalSection.KERNEL32(?,?,00000002,?,?,00437BF5,?,?,00000000,?,00000001,?,0000002C,?,0000002C), ref: 0044AE37
      • Part of subcall function 0044ADFE: LeaveCriticalSection.KERNEL32(0000002C,?,?,00000002,?,?,00437BF5,?,?,00000000,?,00000001,?,0000002C,?,0000002C), ref: 0044AE5B
      • Part of subcall function 00437A05: GetTickCount.KERNEL32 ref: 00437A12
      • Part of subcall function 0043BAC9: memset.MSVCRT ref: 0043BADE
      • Part of subcall function 0043BAC9: getsockname.WS2_32(?,00437C25), ref: 0043BAF1
      • Part of subcall function 0043C091: memcmp.MSVCRT ref: 0043C0B3
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B7BDD5: WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,00B77A9F,?,00000005), ref: 00B7BE0B
      • Part of subcall function 00B7BDD5: WSASetLastError.WS2_32(00002775,?,?,?,?,?,?,?,?,00B77A9F,?,00000005), ref: 00B7BE6F
    • memcmp.MSVCRT ref: 00B77AB8
    • memcmp.MSVCRT ref: 00B77AD0
    • memcpy.MSVCRT ref: 00B77B05
      • Part of subcall function 00B8DE94: memcpy.MSVCRT ref: 00B8DEA1
      • Part of subcall function 00B8E043: memcpy.MSVCRT ref: 00B8E070
      • Part of subcall function 00B8ADFE: EnterCriticalSection.KERNEL32(?,?,00000002,?,?,00B77BF5,?,?,00000000,?,00000001,?,0000002C,?,0000002C), ref: 00B8AE37
      • Part of subcall function 00B8ADFE: LeaveCriticalSection.KERNEL32(0000002C,?,?,00000002,?,?,00B77BF5,?,?,00000000,?,00000001,?,0000002C,?,0000002C), ref: 00B8AE5B
      • Part of subcall function 00B77A05: GetTickCount.KERNEL32 ref: 00B77A12
      • Part of subcall function 00B7BAC9: memset.MSVCRT ref: 00B7BADE
      • Part of subcall function 00B7BAC9: getsockname.WS2_32(?,00B77C25), ref: 00B7BAF1
      • Part of subcall function 00B7C091: memcmp.MSVCRT ref: 00B7C0B3
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
      • Part of subcall function 00404008: GetLocaleInfoA.KERNEL32(00000038,00001004,?,00000006), ref: 00404028
    • LCMapStringW.KERNEL32(00000000,00000100,00492BE4,00000001,00000000,00000000), ref: 004037D6
    • GetLastError.KERNEL32 ref: 004037E8
    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000), ref: 0040386F
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?), ref: 004038F0
    • LCMapStringW.KERNEL32(?,?,?,?,00000000,00000000), ref: 0040390A
    • LCMapStringW.KERNEL32(?,?,?,?,?,?), ref: 00403945
    • LCMapStringW.KERNEL32(?,?,?,?,?), ref: 004039B9
    • WideCharToMultiByte.KERNEL32(?,00000000,?,?,?,?,00000000,00000000), ref: 004039DC
    • LCMapStringA.KERNEL32(?,?,?,?,?,?), ref: 00403B4A
      • Part of subcall function 0040230E: HeapFree.KERNEL32(00000000,?,00492318,0000000C,00401F0C,?,?,?,00000000,?,00401E30,?,00491DB0,00000060), ref: 00402373
      • Part of subcall function 0040404B: GetCPInfo.KERNEL32(?,?), ref: 00404089
      • Part of subcall function 0040404B: GetCPInfo.KERNEL32(?,?), ref: 0040409C
      • Part of subcall function 0040404B: MultiByteToWideChar.KERNEL32(00000008,00000001,?,?,00000000,00000000), ref: 004040E1
      • Part of subcall function 0040404B: MultiByteToWideChar.KERNEL32(00000008,00000001,00000001,?,?,00000001), ref: 00404163
      • Part of subcall function 0040404B: WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 00404184
      • Part of subcall function 0040404B: WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 004041A5
      • Part of subcall function 0040404B: WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000001,00000000,00000000), ref: 004041CC
    • LCMapStringA.KERNEL32(?,?,?,?,00000000,00000000), ref: 00403A72
    • LCMapStringA.KERNEL32(?,?,?,?,?,?), ref: 00403AF3
    Memory Dump Source
    • Source File: 00000003.00000000.254658263.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000000.254647752.00400000.00000002.sdmp
    • Associated: 00000003.00000000.254742621.00487000.00000002.sdmp
    • Associated: 00000003.00000000.254759473.00494000.00000008.sdmp
    • Associated: 00000003.00000000.254780696.004A1000.00000002.sdmp
    APIs
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040422E
    • GetSystemInfo.KERNEL32 ref: 0040423F
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00404285
    • VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 004042C3
    • VirtualProtect.KERNEL32(?,?,?,?), ref: 004042E9
    Memory Dump Source
    • Source File: 00000003.00000000.254658263.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000000.254647752.00400000.00000002.sdmp
    • Associated: 00000003.00000000.254742621.00487000.00000002.sdmp
    • Associated: 00000003.00000000.254759473.00494000.00000008.sdmp
    • Associated: 00000003.00000000.254780696.004A1000.00000002.sdmp
    APIs
      • Part of subcall function 00441B16: EnterCriticalSection.KERNEL32(00465AA4,?,00448DDC,?,?,?,?,0045B233,?,00000001), ref: 00441B26
      • Part of subcall function 00441B16: LeaveCriticalSection.KERNEL32(00465AA4,?,00448DDC,?,?,?,?,0045B233,?,00000001), ref: 00441B50
    • memset.MSVCRT ref: 00448E0A
    • memset.MSVCRT ref: 00448E16
    • memset.MSVCRT ref: 00448E22
    • InitializeCriticalSection.KERNEL32 ref: 00448E3A
    • InitializeCriticalSection.KERNEL32 ref: 00448E55
    • InitializeCriticalSection.KERNEL32 ref: 00448E92
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B81B16: EnterCriticalSection.KERNEL32(00BA5AA4,?,00B88DDC,?,?,?,?,00B9B233,?,00000001), ref: 00B81B26
      • Part of subcall function 00B81B16: LeaveCriticalSection.KERNEL32(00BA5AA4,?,00B88DDC,?,?,?,?,00B9B233,?,00000001), ref: 00B81B50
    • memset.MSVCRT ref: 00B88E0A
    • memset.MSVCRT ref: 00B88E16
    • memset.MSVCRT ref: 00B88E22
    • InitializeCriticalSection.KERNEL32 ref: 00B88E3A
    • InitializeCriticalSection.KERNEL32 ref: 00B88E55
    • InitializeCriticalSection.KERNEL32 ref: 00B88E92
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(0000000C,00000000), ref: 00456D43
      • Part of subcall function 00456A55: GetTickCount.KERNEL32 ref: 00456A5D
    • LeaveCriticalSection.KERNEL32(0000000C), ref: 00456F22
      • Part of subcall function 00456BBC: IsBadReadPtr.KERNEL32 ref: 00456C88
      • Part of subcall function 00456BBC: IsBadReadPtr.KERNEL32 ref: 00456CA7
    • getservbyname.WS2_32(?,00000000), ref: 00456DBD
      • Part of subcall function 004572A6: memcpy.MSVCRT ref: 0045747A
      • Part of subcall function 004572A6: memcpy.MSVCRT ref: 0045757A
      • Part of subcall function 00456F86: memcpy.MSVCRT ref: 0045715A
      • Part of subcall function 00456F86: memcpy.MSVCRT ref: 0045725A
    • memcpy.MSVCRT ref: 00456E9C
      • Part of subcall function 0045570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0045ABEA,0045ABEA), ref: 0045573C
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 004569E1: TlsAlloc.KERNEL32(0000000C,00456EB9,?,?,?,?,00000000), ref: 004569EA
      • Part of subcall function 004569E1: TlsGetValue.KERNEL32(?,00000001,0000000C), ref: 004569FC
      • Part of subcall function 004569E1: TlsSetValue.KERNEL32(?,?), ref: 00456A41
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(01312004,6FFF0400), ref: 00B96D43
      • Part of subcall function 00B96A55: GetTickCount.KERNEL32 ref: 00B96A5D
    • LeaveCriticalSection.KERNEL32(01312004), ref: 00B96F22
      • Part of subcall function 00B96BBC: IsBadReadPtr.KERNEL32 ref: 00B96C88
      • Part of subcall function 00B96BBC: IsBadReadPtr.KERNEL32 ref: 00B96CA7
    • getservbyname.WS2_32(?,00000000), ref: 00B96DBD
      • Part of subcall function 00B972A6: memcpy.MSVCRT ref: 00B9747A
      • Part of subcall function 00B972A6: memcpy.MSVCRT ref: 00B9757A
      • Part of subcall function 00B96F86: memcpy.MSVCRT ref: 00B9715A
      • Part of subcall function 00B96F86: memcpy.MSVCRT ref: 00B9725A
    • memcpy.MSVCRT ref: 00B96E9C
      • Part of subcall function 00B9570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00B9ABEA,00B9ABEA), ref: 00B9573C
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
      • Part of subcall function 00B969E1: TlsAlloc.KERNEL32(01312004,00B96EB9,?,?,?,?,01311FF8), ref: 00B969EA
      • Part of subcall function 00B969E1: TlsGetValue.KERNEL32(?,00000001,01312004), ref: 00B969FC
      • Part of subcall function 00B969E1: TlsSetValue.KERNEL32(?,?), ref: 00B96A41
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • lstrcmpA.KERNEL32(?,?\C), ref: 004519C6
    • lstrcpyW.KERNEL32(004517B0), ref: 004519DC
    • lstrcmpA.KERNEL32(?,0042C28C), ref: 004519EC
    • StrCmpNA.SHLWAPI(?,0042C284,00000002), ref: 00451A06
      • Part of subcall function 0045570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0045ABEA,0045ABEA), ref: 0045573C
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00438FE0
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 00438FEA
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439033
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439060
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 0043906A
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • lstrcmpA.KERNEL32(?,?\C), ref: 00B919C6
    • lstrcpyW.KERNEL32(00B917B0), ref: 00B919DC
    • lstrcmpA.KERNEL32(?,00B6C28C), ref: 00B919EC
    • StrCmpNA.SHLWAPI(?,00B6C284,00000002), ref: 00B91A06
      • Part of subcall function 00B9570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00B9ABEA,00B9ABEA), ref: 00B9573C
      • Part of subcall function 00B78F6F: memcpy.MSVCRT ref: 00B78FE0
      • Part of subcall function 00B78F6F: PathRemoveBackslashW.SHLWAPI ref: 00B78FEA
      • Part of subcall function 00B78F6F: memcpy.MSVCRT ref: 00B79033
      • Part of subcall function 00B78F6F: memcpy.MSVCRT ref: 00B79060
      • Part of subcall function 00B78F6F: PathRemoveBackslashW.SHLWAPI ref: 00B7906A
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • CertOpenSystemStoreW.CRYPT32(00000000), ref: 00447AC3
    • CertDuplicateCertificateContext.CRYPT32(?,?,00000000), ref: 00447AD4
    • CertDeleteCertificateFromStore.CRYPT32(?,?,?,00000000), ref: 00447ADF
    • CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00447AE7
    • CertCloseStore.CRYPT32(?,00000000,?,00000000), ref: 00447AF5
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • CertOpenSystemStoreW.CRYPT32(00000000), ref: 00B87AC3
    • CertDuplicateCertificateContext.CRYPT32(?,?,00000000), ref: 00B87AD4
    • CertDeleteCertificateFromStore.CRYPT32(?,?,?,00000000), ref: 00B87ADF
    • CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00B87AE7
    • CertCloseStore.CRYPT32(?,00000000,?,00000000), ref: 00B87AF5
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • GetSystemTimeAsFileTime.KERNEL32(BB40E64E), ref: 0040361C
    • GetCurrentProcessId.KERNEL32 ref: 00403628
    • GetCurrentThreadId.KERNEL32 ref: 00403630
    • GetTickCount.KERNEL32 ref: 00403638
    • QueryPerformanceCounter.KERNEL32 ref: 00403644
    Memory Dump Source
    • Source File: 00000003.00000000.254658263.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000000.254647752.00400000.00000002.sdmp
    • Associated: 00000003.00000000.254742621.00487000.00000002.sdmp
    • Associated: 00000003.00000000.254759473.00494000.00000008.sdmp
    • Associated: 00000003.00000000.254780696.004A1000.00000002.sdmp
    APIs
      • Part of subcall function 00450775: RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0045079C
    • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00450B87
    • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00450BF1
    • RegFlushKey.ADVAPI32(?), ref: 00450C1F
    • RegCloseKey.ADVAPI32(?), ref: 00450C26
      • Part of subcall function 00450A9D: EnterCriticalSection.KERNEL32(00465AA4,?,?,?,00450C47,?,?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00450AB3
      • Part of subcall function 00450A9D: LeaveCriticalSection.KERNEL32(00465AA4,?,?,?,00450C47,?,?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00450ADB
      • Part of subcall function 00450A9D: GetModuleHandleW.KERNEL32(advapi32.dll), ref: 00450AF7
      • Part of subcall function 00450A9D: GetProcAddress.KERNEL32 ref: 00450AFE
      • Part of subcall function 00450A9D: RegDeleteKeyW.ADVAPI32(?), ref: 00450B20
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 004424DA: HeapAlloc.KERNEL32(00000008,?,?,0043B076,?,?,?,00000000,?,?,00000000,0045AA69,?,0045ADD5), ref: 004424EB
      • Part of subcall function 00450755: RegFlushKey.ADVAPI32 ref: 00450765
      • Part of subcall function 00450755: RegCloseKey.ADVAPI32 ref: 0045076D
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B90775: RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B9079C
    • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B90B87
    • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00B90BF1
    • RegFlushKey.ADVAPI32(?), ref: 00B90C1F
    • RegCloseKey.ADVAPI32(?), ref: 00B90C26
      • Part of subcall function 00B90A9D: EnterCriticalSection.KERNEL32(00BA5AA4,?,?,?,00B90C47,?,?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00B90AB3
      • Part of subcall function 00B90A9D: LeaveCriticalSection.KERNEL32(00BA5AA4,?,?,?,00B90C47,?,?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00B90ADB
      • Part of subcall function 00B90A9D: GetModuleHandleW.KERNEL32(advapi32.dll), ref: 00B90AF7
      • Part of subcall function 00B90A9D: GetProcAddress.KERNEL32 ref: 00B90AFE
      • Part of subcall function 00B90A9D: RegDeleteKeyW.ADVAPI32(?), ref: 00B90B20
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
      • Part of subcall function 00B824DA: HeapAlloc.KERNEL32(00000008,?,?,00B7B076,?,?,?,00000000,?,?,00000000,00B9AA69,?,00B9ADD5), ref: 00B824EB
      • Part of subcall function 00B90755: RegFlushKey.ADVAPI32 ref: 00B90765
      • Part of subcall function 00B90755: RegCloseKey.ADVAPI32 ref: 00B9076D
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,?,00445B49), ref: 00436470
      • Part of subcall function 00444269: CoCreateInstance.OLE32(?,00000000,00004401,?,?), ref: 0044427E
    • #2.OLEAUT32(?,00000000,?,?,?,00445B49), ref: 004364A4
    • #6.OLEAUT32(?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00445B49), ref: 004364D9
    • CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 004364F9
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,?,00B85B49), ref: 00B76470
      • Part of subcall function 00B84269: CoCreateInstance.OLE32(?,00000000,00004401,?,?), ref: 00B8427E
    • #2.OLEAUT32(?,00000000,?,?,?,00B85B49), ref: 00B764A4
    • #6.OLEAUT32(?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00B85B49), ref: 00B764D9
    • CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00B764F9
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • memcpy.MSVCRT ref: 00443CFD
    • memcpy.MSVCRT ref: 00443D1A
    • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00443D30
    • WSASetLastError.WS2_32(0000274C,?,00000000,00000000,00000000), ref: 00443D3F
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • memcpy.MSVCRT ref: 00B83CFD
    • memcpy.MSVCRT ref: 00B83D1A
    • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00B83D30
    • WSASetLastError.WS2_32(0000274C,?,00000000,00000000,00000000), ref: 00B83D3F
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
      • Part of subcall function 00441B5D: memcmp.MSVCRT ref: 00441B69
      • Part of subcall function 00441B79: memset.MSVCRT ref: 00441B87
      • Part of subcall function 00441B79: memcpy.MSVCRT ref: 00441BA8
      • Part of subcall function 00441B79: memcpy.MSVCRT ref: 00441BCE
      • Part of subcall function 00441B79: memcpy.MSVCRT ref: 00441BF2
    • TryEnterCriticalSection.KERNEL32 ref: 00449289
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • LeaveCriticalSection.KERNEL32 ref: 00449303
    • EnterCriticalSection.KERNEL32 ref: 00449322
      • Part of subcall function 00441A4F: memcmp.MSVCRT ref: 00441A6B
    • LeaveCriticalSection.KERNEL32(?,?,00000001), ref: 0044936E
      • Part of subcall function 00441858: memcpy.MSVCRT ref: 00441935
      • Part of subcall function 00441858: memcpy.MSVCRT ref: 00441956
      • Part of subcall function 00456875: GetSystemTime.KERNEL32 ref: 0045687F
      • Part of subcall function 00441728: memcpy.MSVCRT ref: 00441771
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B81B5D: memcmp.MSVCRT ref: 00B81B69
      • Part of subcall function 00B81B79: memset.MSVCRT ref: 00B81B87
      • Part of subcall function 00B81B79: memcpy.MSVCRT ref: 00B81BA8
      • Part of subcall function 00B81B79: memcpy.MSVCRT ref: 00B81BCE
      • Part of subcall function 00B81B79: memcpy.MSVCRT ref: 00B81BF2
    • TryEnterCriticalSection.KERNEL32 ref: 00B89289
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
    • LeaveCriticalSection.KERNEL32 ref: 00B89303
    • EnterCriticalSection.KERNEL32 ref: 00B89322
      • Part of subcall function 00B81A4F: memcmp.MSVCRT ref: 00B81A6B
    • LeaveCriticalSection.KERNEL32(?,?,00000001), ref: 00B8936E
      • Part of subcall function 00B81858: memcpy.MSVCRT ref: 00B81935
      • Part of subcall function 00B81858: memcpy.MSVCRT ref: 00B81956
      • Part of subcall function 00B96875: GetSystemTime.KERNEL32 ref: 00B9687F
      • Part of subcall function 00B81728: memcpy.MSVCRT ref: 00B81771
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • GetUserNameExW.SECUR32(00000002), ref: 00443303
    • GetSystemTime.KERNEL32 ref: 00443356
    • CharLowerW.USER32(?), ref: 004433A6
    • PathRenameExtensionW.SHLWAPI(?), ref: 004433D6
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • GetUserNameExW.SECUR32(00000002), ref: 00B83303
    • GetSystemTime.KERNEL32 ref: 00B83356
    • CharLowerW.USER32(?), ref: 00B833A6
    • PathRenameExtensionW.SHLWAPI(?), ref: 00B833D6
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(009B1E90,?), ref: 0045D2EB
      • Part of subcall function 0044BDA7: GetModuleHandleW.KERNEL32 ref: 0044BDC3
      • Part of subcall function 0044BDA7: GetModuleHandleW.KERNEL32 ref: 0044BDFE
    • GetFileVersionInfoSizeW.VERSION(009B1EF0), ref: 0045D30C
    • GetFileVersionInfoW.VERSION(009B1EF0,00000000), ref: 0045D32A
      • Part of subcall function 00444EC0: PathFindFileNameW.SHLWAPI(009B1E90), ref: 00444ED2
      • Part of subcall function 00444EC0: InitializeCriticalSection.KERNEL32 ref: 00444F44
      • Part of subcall function 00444EC0: DeleteCriticalSection.KERNEL32(00000000,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,009B1EF0), ref: 00444FBB
      • Part of subcall function 0043A90A: InitializeCriticalSection.KERNEL32 ref: 0043A938
      • Part of subcall function 0043A90A: GetModuleHandleW.KERNEL32 ref: 0043A976
      • Part of subcall function 0045C7B5: InitializeCriticalSection.KERNEL32 ref: 0045C7CA
      • Part of subcall function 004568C4: EnterCriticalSection.KERNEL32(00465AA4,009B1E90,0045D364,00000001,00000001), ref: 004568D4
      • Part of subcall function 004568C4: LeaveCriticalSection.KERNEL32(00465AA4), ref: 004568FC
      • Part of subcall function 004424C1: HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
      • Part of subcall function 00458AD4: GetCommandLineW.KERNEL32 ref: 00458B5E
      • Part of subcall function 00458AD4: CommandLineToArgvW.SHELL32 ref: 00458B65
      • Part of subcall function 00458AD4: LocalFree.KERNEL32 ref: 00458BA5
      • Part of subcall function 00458AD4: GetModuleHandleW.KERNEL32(?), ref: 00458BE7
      • Part of subcall function 0043CE23: VerQueryValueW.VERSION(?,0042AE74,?,?,009B1E90,0045D393), ref: 0043CE44
      • Part of subcall function 0043CE23: GetModuleHandleW.KERNEL32(?), ref: 0043CE85
      • Part of subcall function 0045FE99: GetModuleHandleW.KERNEL32 ref: 0045FEB6
      • Part of subcall function 0044B000: EnterCriticalSection.KERNEL32(00465AA4,009B1E90,0045D39D), ref: 0044B010
      • Part of subcall function 0044B000: LeaveCriticalSection.KERNEL32(00465AA4), ref: 0044B038
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • LeaveCriticalSection.KERNEL32(009B1E90,00000001,00000001,00000001,00000001), ref: 0045D413
      • Part of subcall function 00436D72: EnterCriticalSection.KERNEL32(0046468C,00000000,00444F6E,?,000000FF), ref: 00436D7E
      • Part of subcall function 00436D72: LeaveCriticalSection.KERNEL32(0046468C,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,009B1EF0), ref: 00436D8E
      • Part of subcall function 00436D9C: LeaveCriticalSection.KERNEL32(0046468C,00436E01,00000001,00000000,00000000,?,00444F82,00000001,00000000,?,000000FF), ref: 00436DA6
      • Part of subcall function 00436DAD: LeaveCriticalSection.KERNEL32(0046468C,?,00436E13,00000001,00000000,00000000,?,00444F82,00000001,00000000,?,000000FF), ref: 00436DBA
      • Part of subcall function 0045699E: memset.MSVCRT ref: 004569C6
      • Part of subcall function 0045699E: InitializeCriticalSection.KERNEL32 ref: 004569D3
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(01311E90,?), ref: 00B9D2EB
      • Part of subcall function 00B8BDA7: GetModuleHandleW.KERNEL32 ref: 00B8BDC3
      • Part of subcall function 00B8BDA7: GetModuleHandleW.KERNEL32 ref: 00B8BDFE
    • GetFileVersionInfoSizeW.VERSION(01311EF0), ref: 00B9D30C
    • GetFileVersionInfoW.VERSION(01311EF0,00000000), ref: 00B9D32A
      • Part of subcall function 00B84EC0: PathFindFileNameW.SHLWAPI(01311E90), ref: 00B84ED2
      • Part of subcall function 00B84EC0: InitializeCriticalSection.KERNEL32 ref: 00B84F44
      • Part of subcall function 00B84EC0: DeleteCriticalSection.KERNEL32(00000000,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,01311EF0), ref: 00B84FBB
      • Part of subcall function 00B7A90A: InitializeCriticalSection.KERNEL32 ref: 00B7A938
      • Part of subcall function 00B7A90A: GetModuleHandleW.KERNEL32 ref: 00B7A976
      • Part of subcall function 00B9C7B5: InitializeCriticalSection.KERNEL32 ref: 00B9C7CA
      • Part of subcall function 00B968C4: EnterCriticalSection.KERNEL32(00BA5AA4,01311E90,00B9D364,00000001,00000001), ref: 00B968D4
      • Part of subcall function 00B968C4: LeaveCriticalSection.KERNEL32(00BA5AA4), ref: 00B968FC
      • Part of subcall function 00B824C1: HeapAlloc.KERNEL32(00000000,00000028,?,00B9D211,?,?,00000000,?,?,00000001), ref: 00B824D2
      • Part of subcall function 00B98AD4: GetCommandLineW.KERNEL32 ref: 00B98B5E
      • Part of subcall function 00B98AD4: CommandLineToArgvW.SHELL32 ref: 00B98B65
      • Part of subcall function 00B98AD4: LocalFree.KERNEL32 ref: 00B98BA5
      • Part of subcall function 00B98AD4: GetModuleHandleW.KERNEL32(?), ref: 00B98BE7
      • Part of subcall function 00B7CE23: VerQueryValueW.VERSION(?,00B6AE74,?,?,01311E90,00B9D393), ref: 00B7CE44
      • Part of subcall function 00B7CE23: GetModuleHandleW.KERNEL32(?), ref: 00B7CE85
      • Part of subcall function 00B9FE99: GetModuleHandleW.KERNEL32 ref: 00B9FEB6
      • Part of subcall function 00B8B000: EnterCriticalSection.KERNEL32(00BA5AA4,01311E90,00B9D39D), ref: 00B8B010
      • Part of subcall function 00B8B000: LeaveCriticalSection.KERNEL32(00BA5AA4), ref: 00B8B038
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
    • LeaveCriticalSection.KERNEL32(01311E90,00000001,00000001,00000001,00000001), ref: 00B9D413
      • Part of subcall function 00B76D72: EnterCriticalSection.KERNEL32(00BA468C,00000000,00B84F6E,?,000000FF), ref: 00B76D7E
      • Part of subcall function 00B76D72: LeaveCriticalSection.KERNEL32(00BA468C,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,01311EF0), ref: 00B76D8E
      • Part of subcall function 00B76D9C: LeaveCriticalSection.KERNEL32(00BA468C,00B76E01,00000001,00000000,00000000,?,00B84F82,00000001,00000000,?,000000FF), ref: 00B76DA6
      • Part of subcall function 00B76DAD: LeaveCriticalSection.KERNEL32(00BA468C,?,00B76E13,00000001,00000000,00000000,?,00B84F82,00000001,00000000,?,000000FF), ref: 00B76DBA
      • Part of subcall function 00B9699E: memset.MSVCRT ref: 00B969C6
      • Part of subcall function 00B9699E: InitializeCriticalSection.KERNEL32 ref: 00B969D3
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
      • Part of subcall function 00458867: EnterCriticalSection.KERNEL32(00465AA4,009B1E90,00458AE4,?,009B1E90), ref: 00458877
      • Part of subcall function 00458867: LeaveCriticalSection.KERNEL32(00465AA4,?,009B1E90), ref: 004588A6
      • Part of subcall function 00444FD0: VerQueryValueW.VERSION(?,\VarFileInfo\Translation), ref: 00444FEE
      • Part of subcall function 00444FD0: VerQueryValueW.VERSION(?,?,?,?,\VarFileInfo\Translation), ref: 0044505B
    • GetCommandLineW.KERNEL32 ref: 00458B5E
    • CommandLineToArgvW.SHELL32 ref: 00458B65
    • LocalFree.KERNEL32 ref: 00458BA5
      • Part of subcall function 004424C1: HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
    • GetModuleHandleW.KERNEL32(?), ref: 00458BE7
      • Part of subcall function 00458DFE: PathFindFileNameW.SHLWAPI(00000000), ref: 00458E3F
      • Part of subcall function 004583AF: InitializeCriticalSection.KERNEL32 ref: 004583CF
      • Part of subcall function 00439E88: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00439E9D
      • Part of subcall function 00439E88: StrCmpIW.SHLWAPI ref: 00439EA7
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B98867: EnterCriticalSection.KERNEL32(00BA5AA4,01311E90,00B98AE4,?,01311E90), ref: 00B98877
      • Part of subcall function 00B98867: LeaveCriticalSection.KERNEL32(00BA5AA4,?,01311E90), ref: 00B988A6
      • Part of subcall function 00B84FD0: VerQueryValueW.VERSION(?,\VarFileInfo\Translation), ref: 00B84FEE
      • Part of subcall function 00B84FD0: VerQueryValueW.VERSION(?,?,?,?,\VarFileInfo\Translation), ref: 00B8505B
    • GetCommandLineW.KERNEL32 ref: 00B98B5E
    • CommandLineToArgvW.SHELL32 ref: 00B98B65
    • LocalFree.KERNEL32 ref: 00B98BA5
      • Part of subcall function 00B824C1: HeapAlloc.KERNEL32(00000000,00000028,?,00B9D211,?,?,00000000,?,?,00000001), ref: 00B824D2
    • GetModuleHandleW.KERNEL32(?), ref: 00B98BE7
      • Part of subcall function 00B98DFE: PathFindFileNameW.SHLWAPI(00000000), ref: 00B98E3F
      • Part of subcall function 00B983AF: InitializeCriticalSection.KERNEL32 ref: 00B983CF
      • Part of subcall function 00B79E88: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00B79E9D
      • Part of subcall function 00B79E88: StrCmpIW.SHLWAPI ref: 00B79EA7
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,?,?,0044984D,?,?,00000000,?,?,00000590), ref: 00448C7F
      • Part of subcall function 00457CEC: WaitForSingleObject.KERNEL32(?,00000000), ref: 00457CF8
    • memcmp.MSVCRT ref: 00448CCD
      • Part of subcall function 00435A03: memcpy.MSVCRT ref: 00435A39
      • Part of subcall function 00435A03: memcpy.MSVCRT ref: 00435A4D
      • Part of subcall function 00435A03: memset.MSVCRT ref: 00435A5B
    • SetEvent.KERNEL32 ref: 00448D0E
    • LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,?,?,0044984D,?,?,00000000,?,?,00000590), ref: 00448D3B
      • Part of subcall function 00459175: EnterCriticalSection.KERNEL32(?,?,?,?,00449116,?), ref: 0045917B
      • Part of subcall function 00459175: memcmp.MSVCRT ref: 004591A7
      • Part of subcall function 00459175: memcpy.MSVCRT ref: 004591F2
      • Part of subcall function 00459175: LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,00000000), ref: 004591FE
      • Part of subcall function 0044920C: TryEnterCriticalSection.KERNEL32 ref: 00449289
      • Part of subcall function 0044920C: LeaveCriticalSection.KERNEL32 ref: 00449303
      • Part of subcall function 0044920C: EnterCriticalSection.KERNEL32 ref: 00449322
      • Part of subcall function 0044920C: LeaveCriticalSection.KERNEL32(?,?,00000001), ref: 0044936E
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,?,?,00B8984D,?,?,00000000,?,?,00000590), ref: 00B88C7F
      • Part of subcall function 00B97CEC: WaitForSingleObject.KERNEL32(?,00000000), ref: 00B97CF8
    • memcmp.MSVCRT ref: 00B88CCD
      • Part of subcall function 00B75A03: memcpy.MSVCRT ref: 00B75A39
      • Part of subcall function 00B75A03: memcpy.MSVCRT ref: 00B75A4D
      • Part of subcall function 00B75A03: memset.MSVCRT ref: 00B75A5B
    • SetEvent.KERNEL32 ref: 00B88D0E
    • LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,?,?,00B8984D,?,?,00000000,?,?,00000590), ref: 00B88D3B
      • Part of subcall function 00B99175: EnterCriticalSection.KERNEL32(?,?,?,?,00B89116,?), ref: 00B9917B
      • Part of subcall function 00B99175: memcmp.MSVCRT ref: 00B991A7
      • Part of subcall function 00B99175: memcpy.MSVCRT ref: 00B991F2
      • Part of subcall function 00B99175: LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,00000000), ref: 00B991FE
      • Part of subcall function 00B8920C: TryEnterCriticalSection.KERNEL32 ref: 00B89289
      • Part of subcall function 00B8920C: LeaveCriticalSection.KERNEL32 ref: 00B89303
      • Part of subcall function 00B8920C: EnterCriticalSection.KERNEL32 ref: 00B89322
      • Part of subcall function 00B8920C: LeaveCriticalSection.KERNEL32(?,?,00000001), ref: 00B8936E
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002,00463210), ref: 0046297C
    • DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002), ref: 0046299C
      • Part of subcall function 004424DA: HeapAlloc.KERNEL32(00000008,?,?,0043B076,?,?,?,00000000,?,?,00000000,0045AA69,?,0045ADD5), ref: 004424EB
      • Part of subcall function 0045D990: memset.MSVCRT ref: 0045D9D3
      • Part of subcall function 0044204E: memcpy.MSVCRT ref: 0044205C
      • Part of subcall function 0044222C: memcpy.MSVCRT ref: 00442268
      • Part of subcall function 0044222C: memcpy.MSVCRT ref: 0044227D
      • Part of subcall function 0044222C: memcpy.MSVCRT ref: 004422BA
      • Part of subcall function 0044222C: memcpy.MSVCRT ref: 004422F2
    • memset.MSVCRT ref: 00462A39
    • memcpy.MSVCRT ref: 00462A4B
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002,00BA3210), ref: 00BA297C
    • DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002), ref: 00BA299C
      • Part of subcall function 00B824DA: HeapAlloc.KERNEL32(00000008,?,?,00B7B076,?,?,?,00000000,?,?,00000000,00B9AA69,?,00B9ADD5), ref: 00B824EB
      • Part of subcall function 00B9D990: memset.MSVCRT ref: 00B9D9D3
      • Part of subcall function 00B8204E: memcpy.MSVCRT ref: 00B8205C
      • Part of subcall function 00B8222C: memcpy.MSVCRT ref: 00B82268
      • Part of subcall function 00B8222C: memcpy.MSVCRT ref: 00B8227D
      • Part of subcall function 00B8222C: memcpy.MSVCRT ref: 00B822BA
      • Part of subcall function 00B8222C: memcpy.MSVCRT ref: 00B822F2
    • memset.MSVCRT ref: 00BA2A39
    • memcpy.MSVCRT ref: 00BA2A4B
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • HttpQueryInfoA.WININET(?,0000FFFF,?,?,?), ref: 0045D0BF
    • GetLastError.KERNEL32(?,?,?,00000000,3D94878D,00000000,3D94878D,004579EF,?,?,?,?,00000000,?,?,0000203A), ref: 0045D0C5
      • Part of subcall function 004424DA: HeapAlloc.KERNEL32(00000008,?,?,0043B076,?,?,?,00000000,?,?,00000000,0045AA69,?,0045ADD5), ref: 004424EB
    • memcpy.MSVCRT ref: 0045D0F0
    • HttpQueryInfoA.WININET(?,0000FFFF,?,?,?), ref: 0045D109
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • HttpQueryInfoA.WININET(?,0000FFFF,?,?,?), ref: 00B9D0BF
    • GetLastError.KERNEL32(?,?,?,00000000,3D94878D,00000000,3D94878D,00B979EF,?,?,?,?,00000000,?,?,0000203A), ref: 00B9D0C5
      • Part of subcall function 00B824DA: HeapAlloc.KERNEL32(00000008,?,?,00B7B076,?,?,?,00000000,?,?,00000000,00B9AA69,?,00B9ADD5), ref: 00B824EB
    • memcpy.MSVCRT ref: 00B9D0F0
    • HttpQueryInfoA.WININET(?,0000FFFF,?,?,?), ref: 00B9D109
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
      • Part of subcall function 0044204E: memcpy.MSVCRT ref: 0044205C
    • lstrlenW.KERNEL32 ref: 0044129F
      • Part of subcall function 004593C4: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00459433
      • Part of subcall function 004593C4: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00459458
    • memset.MSVCRT ref: 004412EA
    • memcpy.MSVCRT ref: 004412FE
      • Part of subcall function 00459393: CryptDestroyHash.ADVAPI32 ref: 004593AB
      • Part of subcall function 00459393: CryptReleaseContext.ADVAPI32(?,00000000), ref: 004593BC
      • Part of subcall function 0045946B: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 004594AA
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 0044B7FF: EnterCriticalSection.KERNEL32(004647FC,?,?,004559A9,00000000), ref: 0044B80C
      • Part of subcall function 0044B7FF: LeaveCriticalSection.KERNEL32(004647FC,?,?,004559A9,00000000), ref: 0044B81A
    • QueryPerformanceCounter.KERNEL32 ref: 00457D3C
    • GetTickCount.KERNEL32 ref: 00457D49
      • Part of subcall function 00441B16: EnterCriticalSection.KERNEL32(00465AA4,?,00448DDC,?,?,?,?,0045B233,?,00000001), ref: 00441B26
      • Part of subcall function 00441B16: LeaveCriticalSection.KERNEL32(00465AA4,?,00448DDC,?,?,?,?,0045B233,?,00000001), ref: 00441B50
      • Part of subcall function 004593C4: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00459433
      • Part of subcall function 004593C4: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00459458
    • memset.MSVCRT ref: 00457D9D
    • memcpy.MSVCRT ref: 00457DAD
      • Part of subcall function 00459393: CryptDestroyHash.ADVAPI32 ref: 004593AB
      • Part of subcall function 00459393: CryptReleaseContext.ADVAPI32(?,00000000), ref: 004593BC
      • Part of subcall function 0045946B: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 004594AA
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B8B7FF: EnterCriticalSection.KERNEL32(00BA47FC,?,?,00B959A9,00000000), ref: 00B8B80C
      • Part of subcall function 00B8B7FF: LeaveCriticalSection.KERNEL32(00BA47FC,?,?,00B959A9,00000000), ref: 00B8B81A
    • QueryPerformanceCounter.KERNEL32 ref: 00B97D3C
    • GetTickCount.KERNEL32 ref: 00B97D49
      • Part of subcall function 00B81B16: EnterCriticalSection.KERNEL32(00BA5AA4,?,00B88DDC,?,?,?,?,00B9B233,?,00000001), ref: 00B81B26
      • Part of subcall function 00B81B16: LeaveCriticalSection.KERNEL32(00BA5AA4,?,00B88DDC,?,?,?,?,00B9B233,?,00000001), ref: 00B81B50
      • Part of subcall function 00B993C4: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00B99433
      • Part of subcall function 00B993C4: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00B99458
    • memset.MSVCRT ref: 00B97D9D
    • memcpy.MSVCRT ref: 00B97DAD
      • Part of subcall function 00B99393: CryptDestroyHash.ADVAPI32 ref: 00B993AB
      • Part of subcall function 00B99393: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00B993BC
      • Part of subcall function 00B9946B: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 00B994AA
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • memcpy.MSVCRT ref: 00439894
      • Part of subcall function 0044204E: memcpy.MSVCRT ref: 0044205C
    • memcmp.MSVCRT ref: 004398B6
      • Part of subcall function 0045570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0045ABEA,0045ABEA), ref: 0045573C
    • lstrcmpiW.KERNEL32(00000000,000000FF), ref: 0043990F
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00438FE0
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 00438FEA
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439033
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439060
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 0043906A
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 004398DF
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • memcpy.MSVCRT ref: 00B79894
      • Part of subcall function 00B8204E: memcpy.MSVCRT ref: 00B8205C
    • memcmp.MSVCRT ref: 00B798B6
      • Part of subcall function 00B9570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00B9ABEA,00B9ABEA), ref: 00B9573C
    • lstrcmpiW.KERNEL32(00000000,000000FF), ref: 00B7990F
      • Part of subcall function 00B78F6F: memcpy.MSVCRT ref: 00B78FE0
      • Part of subcall function 00B78F6F: PathRemoveBackslashW.SHLWAPI ref: 00B78FEA
      • Part of subcall function 00B78F6F: memcpy.MSVCRT ref: 00B79033
      • Part of subcall function 00B78F6F: memcpy.MSVCRT ref: 00B79060
      • Part of subcall function 00B78F6F: PathRemoveBackslashW.SHLWAPI ref: 00B7906A
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 00B798DF
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • PathSkipRootW.SHLWAPI ref: 004390CD
    • GetFileAttributesW.KERNEL32(00000000), ref: 004390FA
    • CreateDirectoryW.KERNEL32(?,00000000), ref: 0043910E
    • SetLastError.KERNEL32(00000050,?,?,00000000), ref: 00439131
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • PathSkipRootW.SHLWAPI ref: 00B790CD
    • GetFileAttributesW.KERNEL32(00000000), ref: 00B790FA
    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00B7910E
    • SetLastError.KERNEL32(00000050,?,?,00000000), ref: 00B79131
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00B754F7
    • UnhandledExceptionFilter.KERNEL32(00B46DB4), ref: 00B75502
    • GetCurrentProcess.KERNEL32 ref: 00B7550D
    • TerminateProcess.KERNEL32 ref: 00B75514
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0043AF51
    • Thread32First.KERNEL32 ref: 0043AF6C
    • Thread32Next.KERNEL32(?,?), ref: 0043AF7F
    • CloseHandle.KERNEL32 ref: 0043AF8A
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00444269: CoCreateInstance.OLE32(?,00000000,00004401,?,?), ref: 0044427E
    • StrChrW.SHLWAPI(?,00000040,?,00000000,?,00000064), ref: 00454A95
      • Part of subcall function 0044D12D: lstrlenW.KERNEL32(0042C448), ref: 0044D149
      • Part of subcall function 0044D12D: lstrlenW.KERNEL32 ref: 0044D14F
      • Part of subcall function 0044D12D: memcpy.MSVCRT ref: 0044D173
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00439219: CharLowerW.USER32(?), ref: 004392D4
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • ExitWindowsEx.USER32(00000014,80000000), ref: 0044A47D
    • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,?,80000000), ref: 0044A4BD
      • Part of subcall function 00439BC4: PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00439C2E
      • Part of subcall function 00439BC4: PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00439C75
      • Part of subcall function 00439BC4: SetEvent.KERNEL32 ref: 00439C84
      • Part of subcall function 00439BC4: WaitForSingleObject.KERNEL32 ref: 00439C95
      • Part of subcall function 00439BC4: CharToOemW.USER32 ref: 00439D26
      • Part of subcall function 00439BC4: CharToOemW.USER32 ref: 00439D36
      • Part of subcall function 00439BC4: ExitProcess.KERNEL32(00000000,?,?,00000014,?,?,00000014), ref: 00439D9A
      • Part of subcall function 0045D5A0: EnterCriticalSection.KERNEL32(00465AA4,00000000,?,?,004393C9), ref: 0045D5B6
      • Part of subcall function 0045D5A0: LeaveCriticalSection.KERNEL32(00465AA4,?,?,004393C9), ref: 0045D5DC
      • Part of subcall function 0045D5A0: CreateMutexW.KERNEL32(004649B4,00000000,Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}), ref: 0045D5EE
      • Part of subcall function 0043766D: ReleaseMutex.KERNEL32 ref: 00437671
      • Part of subcall function 0043766D: CloseHandle.KERNEL32 ref: 00437678
    • ExitWindowsEx.USER32(00000014,80000000), ref: 0044A4D0
      • Part of subcall function 0043AF99: GetCurrentThread.KERNEL32 ref: 0043AFAD
      • Part of subcall function 0043AF99: OpenThreadToken.ADVAPI32 ref: 0043AFB4
      • Part of subcall function 0043AF99: GetCurrentProcess.KERNEL32 ref: 0043AFC4
      • Part of subcall function 0043AF99: OpenProcessToken.ADVAPI32 ref: 0043AFCB
      • Part of subcall function 0043AF99: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege), ref: 0043AFEC
      • Part of subcall function 0043AF99: AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 0043B001
      • Part of subcall function 0043AF99: GetLastError.KERNEL32 ref: 0043B00B
      • Part of subcall function 0043AF99: CloseHandle.KERNEL32(00000001), ref: 0043B01C
      • Part of subcall function 00439395: memcpy.MSVCRT ref: 004393B5
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B79219: CharLowerW.USER32(?), ref: 00B792D4
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
    • ExitWindowsEx.USER32(00000014,80000000), ref: 00B8A47D
    • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,?,80000000), ref: 00B8A4BD
      • Part of subcall function 00B79BC4: PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00B79C2E
      • Part of subcall function 00B79BC4: PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00B79C75
      • Part of subcall function 00B79BC4: SetEvent.KERNEL32 ref: 00B79C84
      • Part of subcall function 00B79BC4: WaitForSingleObject.KERNEL32 ref: 00B79C95
      • Part of subcall function 00B79BC4: CharToOemW.USER32 ref: 00B79D26
      • Part of subcall function 00B79BC4: CharToOemW.USER32 ref: 00B79D36
      • Part of subcall function 00B79BC4: ExitProcess.KERNEL32(00000000,?,?,00000014,?,?,00000014), ref: 00B79D9A
      • Part of subcall function 00B9D5A0: EnterCriticalSection.KERNEL32(00BA5AA4,00000000,?,?,00B793C9), ref: 00B9D5B6
      • Part of subcall function 00B9D5A0: LeaveCriticalSection.KERNEL32(00BA5AA4,?,?,00B793C9), ref: 00B9D5DC
      • Part of subcall function 00B9D5A0: CreateMutexW.KERNEL32(00BA49B4,00000000,Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}), ref: 00B9D5EE
      • Part of subcall function 00B7766D: ReleaseMutex.KERNEL32 ref: 00B77671
      • Part of subcall function 00B7766D: CloseHandle.KERNEL32 ref: 00B77678
    • ExitWindowsEx.USER32(00000014,80000000), ref: 00B8A4D0
      • Part of subcall function 00B7AF99: GetCurrentThread.KERNEL32 ref: 00B7AFAD
      • Part of subcall function 00B7AF99: OpenThreadToken.ADVAPI32 ref: 00B7AFB4
      • Part of subcall function 00B7AF99: GetCurrentProcess.KERNEL32 ref: 00B7AFC4
      • Part of subcall function 00B7AF99: OpenProcessToken.ADVAPI32 ref: 00B7AFCB
      • Part of subcall function 00B7AF99: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege), ref: 00B7AFEC
      • Part of subcall function 00B7AF99: AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 00B7B001
      • Part of subcall function 00B7AF99: GetLastError.KERNEL32 ref: 00B7B00B
      • Part of subcall function 00B7AF99: CloseHandle.KERNEL32(00000001), ref: 00B7B01C
      • Part of subcall function 00B79395: memcpy.MSVCRT ref: 00B793B5
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
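The listings above repeat every function twice, once from the image mapped at 0x00400000 and once from the region at 0x00B40000, and they show raw hexadecimal arguments (the CryptCreateHash ALG_ID 0x8003 in the hashing function, the ExitWindowsEx flags 0x14 and reason 0x80000000 here). The following Python is an added triage helper, not part of the Joe Sandbox report or the sample: it parses a few API lines copied from those two blocks, rebases the 0x00B40000 addresses onto the image so the two copies can be compared, decodes the page protection from the .sdmp name, and expands the constants. Assumptions are marked in the code: the last field of the .sdmp name is read as a Windows PAGE_* protection value (it agrees with every dump name on this page), the module is assumed to span at most 0x80000 bytes for rebasing, and the sample lines are a constructed subset of the listings.

```python
import re
from typing import List, Optional, Tuple

# Module bases from the "Offset:" fields of the two listings above.
IMAGE_BASE = 0x00400000
RWX_BASE = 0x00B40000
MODULE_SPAN = 0x80000          # assumption: generous upper bound on the image size

# Constructed sample: API lines copied from the report, same functions, both copies.
IMAGE_DUMP = "00000003.00000002.677971297.00401000.00000020.sdmp"
RWX_DUMP = "00000003.00000002.678200240.00B40000.00000040.sdmp"
IMAGE_LINES = """
• ExitWindowsEx.USER32(00000014,80000000), ref: 0044A47D
  • Part of subcall function 0045D5A0: CreateMutexW.KERNEL32(004649B4,00000000,Global\\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}), ref: 0045D5EE
  • Part of subcall function 0043AF99: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege), ref: 0043AFEC
  • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
  • Part of subcall function 004593C4: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00459433
• GetTickCount.KERNEL32 ref: 00457D49
"""
RWX_LINES = """
• ExitWindowsEx.USER32(00000014,80000000), ref: 00B8A47D
  • Part of subcall function 00B9D5A0: CreateMutexW.KERNEL32(00BA49B4,00000000,Global\\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}), ref: 00B9D5EE
  • Part of subcall function 00B7AF99: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege), ref: 00B7AFEC
  • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
  • Part of subcall function 00B993C4: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00B99433
• GetTickCount.KERNEL32 ref: 00B97D49
"""

# One report line: optional "Part of subcall function X:", Api.Module, optional (args), ref
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function ([0-9A-F]{8}): )?"
    r"(\w+)\.(\w+)(?:\((.*)\),)? ref: ([0-9A-F]{8})\s*$"
)
HEX8 = re.compile(r"^[0-9A-F]{8}$")

# Windows constants (documented values), used to expand the raw hex arguments.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
EWX = {0x1: "EWX_SHUTDOWN", 0x2: "EWX_REBOOT", 0x4: "EWX_FORCE", 0x8: "EWX_POWEROFF", 0x10: "EWX_FORCEIFHUNG"}
TH32CS = {0x1: "TH32CS_SNAPHEAPLIST", 0x2: "TH32CS_SNAPPROCESS", 0x4: "TH32CS_SNAPTHREAD", 0x8: "TH32CS_SNAPMODULE"}
ALG_CLASS = {0x2000: "ALG_CLASS_SIGNATURE", 0x4000: "ALG_CLASS_MSG_ENCRYPT", 0x6000: "ALG_CLASS_DATA_ENCRYPT",
             0x8000: "ALG_CLASS_HASH", 0xA000: "ALG_CLASS_KEY_EXCHANGE"}
CALG = {0x8003: "CALG_MD5", 0x8004: "CALG_SHA1", 0x800C: "CALG_SHA_256",
        0x6801: "CALG_RC4", 0x660E: "CALG_AES_128", 0x6610: "CALG_AES_256"}


def dump_info(name: str) -> Tuple[int, int, int]:
    """(pid, base, protection) from a .sdmp name; assumes pid.phase.id.base.protect.sdmp."""
    pid, _phase, _ident, base, prot = name.split(".")[:5]
    return int(pid, 16), int(base, 16), int(prot, 16)


def rebase(value: str, base: int, new_base: int) -> str:
    """Move an 8-hex-digit argument from one module base to another if it lies inside the module."""
    if not HEX8.match(value):
        return value                      # '?', string literals, privilege names
    v = int(value, 16)
    if base <= v < base + MODULE_SPAN:
        return f"{v - base + new_base:08X}"
    return value                          # constants, heap/stack pointers, other DLLs


def parse(listing: str, base: int, new_base: int = IMAGE_BASE) -> List[tuple]:
    """Parse report lines into (caller, api, module, args, ref) tuples, rebased onto new_base."""
    calls = []
    for line in listing.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        caller, api, module, args, ref = m.groups()
        arg_t = tuple(rebase(a, base, new_base) for a in args.split(",")) if args else ()
        caller_r: Optional[str] = rebase(caller, base, new_base) if caller else None
        calls.append((caller_r, api, module, arg_t, rebase(ref, base, new_base)))
    return calls


def diff_listings(a: List[tuple], b: List[tuple]) -> List[Tuple[tuple, tuple]]:
    """Records that still differ after rebasing (run-dependent values such as heap pointers)."""
    if len(a) != len(b):
        raise ValueError("listings have different lengths")
    return [(x, y) for x, y in zip(a, b) if x != y]


def decode_flags(value: int, table: dict) -> str:
    names = [n for bit, n in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(f"0x{rest:X}")
    return "|".join(names) or "0"


def decode_alg_id(alg: int) -> str:
    """CryptoAPI ALG_ID: bits 13-15 class, 9-11 type, 0-8 sub-id."""
    cls = ALG_CLASS.get(alg & 0xE000, f"class {(alg >> 13) & 7}")
    return f"{CALG.get(alg, f'ALG_ID 0x{alg:04X}')} ({cls}, sid {alg & 0x1FF})"


def triage() -> dict:
    image, rwx = parse(IMAGE_LINES, IMAGE_BASE), parse(RWX_LINES, RWX_BASE)
    _, _, prot = dump_info(RWX_DUMP)
    return {"rwx_protection": PAGE_PROTECT[prot], "delta": RWX_BASE - IMAGE_BASE,
            "mismatches": diff_listings(image, rwx),
            "exitwindowsex": decode_flags(0x14, EWX), "alg_id": decode_alg_id(0x8003)}


if __name__ == "__main__":
    for k, v in triage().items():
        print(f"{k}: {v}")
```

After rebasing by 0x740000 the only record that still differs is the HeapFree call, whose second argument is a heap pointer that changes between runs; everything else in the 0x00B40000 copy is the 0x00400000 image relocated, and that region is PAGE_EXECUTE_READWRITE, which is why the report lists a second, writable copy of every function. The decoders also make the hex readable: 0x14 is EWX_FORCE|EWX_FORCEIFHUNG (a forced log-off, not a reboot), 0x80000000 is SHTDN_REASON_FLAG_PLANNED, 0x8003 is CALG_MD5, and the CreateToolhelp32Snapshot flag 0x4 elsewhere on the page is TH32CS_SNAPTHREAD.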
    APIs
    • GetLastError.KERNEL32(00000000,?,0043652A), ref: 00436E21
      • Part of subcall function 0045AFD3: WaitForSingleObject.KERNEL32(00000000,0044A849), ref: 0045AFDB
    • TlsGetValue.KERNEL32(?,?,0043652A), ref: 00436E3E
    • TlsSetValue.KERNEL32(00000001), ref: 00436E50
    • SetLastError.KERNEL32(?,?,0043652A), ref: 00436E60
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • GetLastError.KERNEL32(6FFF0380,?,00B7652A), ref: 00B76E21
      • Part of subcall function 00B9AFD3: WaitForSingleObject.KERNEL32(00000000,00B82D5B), ref: 00B9AFDB
    • TlsGetValue.KERNEL32(?,?,00B7652A), ref: 00B76E3E
    • TlsSetValue.KERNEL32(00000001), ref: 00B76E50
    • SetLastError.KERNEL32(?,?,00B7652A), ref: 00B76E60
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
      • Part of subcall function 0044204E: memcpy.MSVCRT ref: 0044205C
      • Part of subcall function 0045570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0045ABEA,0045ABEA), ref: 0045573C
    • lstrcatW.KERNEL32(?,.dat), ref: 00447BA0
    • lstrlenW.KERNEL32 ref: 00447BB5
      • Part of subcall function 004483CA: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 004483E6
      • Part of subcall function 004483CA: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00448409
      • Part of subcall function 004483CA: CloseHandle.KERNEL32 ref: 00448416
      • Part of subcall function 00455E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00455E26
      • Part of subcall function 00455E1D: DeleteFileW.KERNEL32 ref: 00455E2D
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00438FE0
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 00438FEA
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439033
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439060
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 0043906A
    Strings
    • .dat, xrefs: 00447B94
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00447B5E
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B8204E: memcpy.MSVCRT ref: 00B8205C
      • Part of subcall function 00B9570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00B9ABEA,00B9ABEA), ref: 00B9573C
    • lstrcatW.KERNEL32(?,.dat), ref: 00B87BA0
    • lstrlenW.KERNEL32 ref: 00B87BB5
      • Part of subcall function 00B883CA: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00B883E6
      • Part of subcall function 00B883CA: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00B88409
      • Part of subcall function 00B883CA: CloseHandle.KERNEL32 ref: 00B88416
      • Part of subcall function 00B95E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00B95E26
      • Part of subcall function 00B95E1D: DeleteFileW.KERNEL32 ref: 00B95E2D
      • Part of subcall function 00B78F6F: memcpy.MSVCRT ref: 00B78FE0
      • Part of subcall function 00B78F6F: PathRemoveBackslashW.SHLWAPI ref: 00B78FEA
      • Part of subcall function 00B78F6F: memcpy.MSVCRT ref: 00B79033
      • Part of subcall function 00B78F6F: memcpy.MSVCRT ref: 00B79060
      • Part of subcall function 00B78F6F: PathRemoveBackslashW.SHLWAPI ref: 00B7906A
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00B87B5E
    • .dat, xrefs: 00B87B94
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • shutdown.WS2_32(?,00000001), ref: 0043B9BD
    • WSAGetLastError.WS2_32(?,00000020,?,00000001,?,?,?,?,?,?,?,00446970,?,?,?,00002710), ref: 0043B9DE
    • WSASetLastError.WS2_32(00000000,?,00002710,?,?,00000020,?,00000001), ref: 0043BA23
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • shutdown.WS2_32(?,00000001), ref: 00B7B9BD
    • WSAGetLastError.WS2_32(?,00000020,?,00000001,?,?,?,?,?,?,?,00B86970,?,?,?,00002710), ref: 00B7B9DE
    • WSASetLastError.WS2_32(00000000,?,00002710,?,?,00000020,?,00000001), ref: 00B7BA23
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
      • Part of subcall function 0043B764: EnterCriticalSection.KERNEL32(00465AA4,?,0043B826,?,0045C86A,0044C4AB,0044C4AB,?,0044C4AB,?,00000001), ref: 0043B774
      • Part of subcall function 0043B764: LeaveCriticalSection.KERNEL32(00465AA4,?,0043B826,?,0045C86A,0044C4AB,0044C4AB,?,0044C4AB,?,00000001), ref: 0043B79E
    • WSAAddressToStringA.WS2_32(?,?,00000000,?,?), ref: 0043C22E
    • lstrcpyA.KERNEL32(?,0:0,?,?,00000000,?,?,?,?,?,?,00446A4A), ref: 0043C23E
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B7B764: EnterCriticalSection.KERNEL32(00BA5AA4,?,00B7B826,?,00B9C86A,00B8C4AB,00B8C4AB,?,00B8C4AB,?,00000001), ref: 00B7B774
      • Part of subcall function 00B7B764: LeaveCriticalSection.KERNEL32(00BA5AA4,?,00B7B826,?,00B9C86A,00B8C4AB,00B8C4AB,?,00B8C4AB,?,00000001), ref: 00B7B79E
    • WSAAddressToStringA.WS2_32(?,?,00000000,?,?), ref: 00B7C22E
    • lstrcpyA.KERNEL32(?,0:0,?,?,00000000,?,?,?,?,?,?,00B86A4A), ref: 00B7C23E
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,00437A9F,?,00000005), ref: 0043BE0B
    • WSASetLastError.WS2_32(00002775,?,?,?,?,?,?,?,?,00437A9F,?,00000005), ref: 0043BE6F
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,00B77A9F,?,00000005), ref: 00B7BE0B
    • WSASetLastError.WS2_32(00002775,?,?,?,?,?,?,?,?,00B77A9F,?,00000005), ref: 00B7BE6F
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00465AA4,?,00448DDC,?,?,?,?,0045B233,?,00000001), ref: 00441B26
    • LeaveCriticalSection.KERNEL32(00465AA4,?,00448DDC,?,?,?,?,0045B233,?,00000001), ref: 00441B50
      • Part of subcall function 00441276: lstrlenW.KERNEL32 ref: 0044129F
      • Part of subcall function 00441276: memset.MSVCRT ref: 004412EA
      • Part of subcall function 00441276: memcpy.MSVCRT ref: 004412FE
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • memcmp.MSVCRT ref: 0044C385
    • memcpy.MSVCRT ref: 0044C486
      • Part of subcall function 0043BB55: connect.WS2_32(?,?), ref: 0043BB93
      • Part of subcall function 0043BB55: WSAGetLastError.WS2_32(?,00000000,?,?,?,0044C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 0043BBA2
      • Part of subcall function 0043BB55: WSASetLastError.WS2_32(?,?,?,?,0044C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 0043BBC0
      • Part of subcall function 0043BB55: WSAGetLastError.WS2_32(?,?,?,0044C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 0043BBC2
      • Part of subcall function 0043BB55: WSASetLastError.WS2_32(00000000), ref: 0043BC00
    • memcmp.MSVCRT ref: 0044C583
      • Part of subcall function 0043BEC0: WSAGetLastError.WS2_32 ref: 0043BEF6
      • Part of subcall function 0043BEC0: WSASetLastError.WS2_32(?,?,?,?), ref: 0043BF3E
      • Part of subcall function 0044C0DA: memcmp.MSVCRT ref: 0044C11A
      • Part of subcall function 0045DABF: memset.MSVCRT ref: 0045DACF
      • Part of subcall function 0045DABF: memcpy.MSVCRT ref: 0045DAF8
    • memset.MSVCRT ref: 0044C5E0
    • memcpy.MSVCRT ref: 0044C5F1
      • Part of subcall function 0045DB11: memcpy.MSVCRT ref: 0045DB22
      • Part of subcall function 0044C02F: memcmp.MSVCRT ref: 0044C06B
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 004424DA: HeapAlloc.KERNEL32(00000008,?,?,0043B076,?,?,?,00000000,?,?,00000000,0045AA69,?,0045ADD5), ref: 004424EB
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • memcmp.MSVCRT ref: 00B8C385
    • memcpy.MSVCRT ref: 00B8C486
      • Part of subcall function 00B7BB55: connect.WS2_32(?,?), ref: 00B7BB93
      • Part of subcall function 00B7BB55: WSAGetLastError.WS2_32(?,00000000,?,?,?,00B8C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 00B7BBA2
      • Part of subcall function 00B7BB55: WSASetLastError.WS2_32(?,?,?,?,00B8C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 00B7BBC0
      • Part of subcall function 00B7BB55: WSAGetLastError.WS2_32(?,?,?,00B8C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 00B7BBC2
      • Part of subcall function 00B7BB55: WSASetLastError.WS2_32(00000000), ref: 00B7BC00
    • memcmp.MSVCRT ref: 00B8C583
      • Part of subcall function 00B7BEC0: WSAGetLastError.WS2_32 ref: 00B7BEF6
      • Part of subcall function 00B7BEC0: WSASetLastError.WS2_32(?,?,?,?), ref: 00B7BF3E
      • Part of subcall function 00B8C0DA: memcmp.MSVCRT ref: 00B8C11A
      • Part of subcall function 00B9DABF: memset.MSVCRT ref: 00B9DACF
      • Part of subcall function 00B9DABF: memcpy.MSVCRT ref: 00B9DAF8
    • memset.MSVCRT ref: 00B8C5E0
    • memcpy.MSVCRT ref: 00B8C5F1
      • Part of subcall function 00B9DB11: memcpy.MSVCRT ref: 00B9DB22
      • Part of subcall function 00B8C02F: memcmp.MSVCRT ref: 00B8C06B
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
      • Part of subcall function 00B824DA: HeapAlloc.KERNEL32(00000008,?,?,00B7B076,?,?,?,00000000,?,?,00000000,00B9AA69,?,00B9ADD5), ref: 00B824EB
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • memset.MSVCRT ref: 0043785D
      • Part of subcall function 00441B5D: memcmp.MSVCRT ref: 00441B69
      • Part of subcall function 004419AE: memcmp.MSVCRT ref: 00441A24
      • Part of subcall function 00441821: memcpy.MSVCRT ref: 00441848
      • Part of subcall function 00441728: memcpy.MSVCRT ref: 00441771
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • memset.MSVCRT ref: 004378F1
    • memcpy.MSVCRT ref: 00437904
    • memcpy.MSVCRT ref: 00437926
    • memcpy.MSVCRT ref: 00437946
      • Part of subcall function 0044B7FF: EnterCriticalSection.KERNEL32(004647FC,?,?,004559A9,00000000), ref: 0044B80C
      • Part of subcall function 0044B7FF: LeaveCriticalSection.KERNEL32(004647FC,?,?,004559A9,00000000), ref: 0044B81A
      • Part of subcall function 00448F55: EnterCriticalSection.KERNEL32(?,?,00000002,00000001,?,?,0044914A,?,?,?,?,?,?,00000000,?), ref: 00448FAF
      • Part of subcall function 00448F55: SetEvent.KERNEL32 ref: 0044900A
      • Part of subcall function 00448F55: LeaveCriticalSection.KERNEL32 ref: 00449017
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • memset.MSVCRT ref: 00B7785D
      • Part of subcall function 00B81B5D: memcmp.MSVCRT ref: 00B81B69
      • Part of subcall function 00B819AE: memcmp.MSVCRT ref: 00B81A24
      • Part of subcall function 00B81821: memcpy.MSVCRT ref: 00B81848
      • Part of subcall function 00B81728: memcpy.MSVCRT ref: 00B81771
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
    • memset.MSVCRT ref: 00B778F1
    • memcpy.MSVCRT ref: 00B77904
    • memcpy.MSVCRT ref: 00B77926
    • memcpy.MSVCRT ref: 00B77946
      • Part of subcall function 00B8B7FF: EnterCriticalSection.KERNEL32(00BA47FC,?,?,00B959A9,00000000), ref: 00B8B80C
      • Part of subcall function 00B8B7FF: LeaveCriticalSection.KERNEL32(00BA47FC,?,?,00B959A9,00000000), ref: 00B8B81A
      • Part of subcall function 00B88F55: EnterCriticalSection.KERNEL32(?,?,00000002,00000001,?,?,00B8914A,?,?,?,?,?,?,00000000,?), ref: 00B88FAF
      • Part of subcall function 00B88F55: SetEvent.KERNEL32 ref: 00B8900A
      • Part of subcall function 00B88F55: LeaveCriticalSection.KERNEL32 ref: 00B89017
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • memset.MSVCRT ref: 0045D03A
    • InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 0045D05C
      • Part of subcall function 0045D133: SetLastError.KERNEL32(00000008,?,?,00000000,0045D06E,?,?,00000000), ref: 0045D15C
      • Part of subcall function 0045D133: memcpy.MSVCRT ref: 0045D17C
      • Part of subcall function 0045D133: memcpy.MSVCRT ref: 0045D1B4
      • Part of subcall function 0045D133: memcpy.MSVCRT ref: 0045D1CC
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • memset.MSVCRT ref: 00B9D03A
    • InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 00B9D05C
      • Part of subcall function 00B9D133: SetLastError.KERNEL32(00000008,?,?,00000000,00B9D06E,?,?,00000000), ref: 00B9D15C
      • Part of subcall function 00B9D133: memcpy.MSVCRT ref: 00B9D17C
      • Part of subcall function 00B9D133: memcpy.MSVCRT ref: 00B9D1B4
      • Part of subcall function 00B9D133: memcpy.MSVCRT ref: 00B9D1CC
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
      • Part of subcall function 00441FEC: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000), ref: 00441FFF
      • Part of subcall function 00441FEC: GetLastError.KERNEL32(?,004649A8,00000000,?,?,0043AF07,?,00000008,?,?,?,?,?,00000000,0045AE13), ref: 00442009
      • Part of subcall function 00441FEC: GetTokenInformation.ADVAPI32(?,00000001,?,?), ref: 00442031
    • EqualSid.ADVAPI32(?,5B867A00), ref: 0043952F
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 0043B1DE: LoadLibraryA.KERNEL32(userenv.dll), ref: 0043B1EE
      • Part of subcall function 0043B1DE: GetProcAddress.KERNEL32(?,CreateEnvironmentBlock), ref: 0043B20C
      • Part of subcall function 0043B1DE: GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 0043B218
      • Part of subcall function 0043B1DE: memset.MSVCRT ref: 0043B258
      • Part of subcall function 0043B1DE: CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,00000000), ref: 0043B2A5
      • Part of subcall function 0043B1DE: CloseHandle.KERNEL32(?), ref: 0043B2B9
      • Part of subcall function 0043B1DE: CloseHandle.KERNEL32(?), ref: 0043B2BF
      • Part of subcall function 0043B1DE: FreeLibrary.KERNEL32 ref: 0043B2D3
    • CloseHandle.KERNEL32(00000001), ref: 00439576
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B81FEC: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000), ref: 00B81FFF
      • Part of subcall function 00B81FEC: GetLastError.KERNEL32(?,00BA49A8,00000000,?,?,00B7AF07,?,00000008,?,?,?,?,?,00000000,00B9AE13), ref: 00B82009
      • Part of subcall function 00B81FEC: GetTokenInformation.ADVAPI32(?,00000001,?,?), ref: 00B82031
    • EqualSid.ADVAPI32(?,5B867A00), ref: 00B7952F
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
      • Part of subcall function 00B7B1DE: LoadLibraryA.KERNEL32(userenv.dll), ref: 00B7B1EE
      • Part of subcall function 00B7B1DE: GetProcAddress.KERNEL32(?,CreateEnvironmentBlock), ref: 00B7B20C
      • Part of subcall function 00B7B1DE: GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 00B7B218
      • Part of subcall function 00B7B1DE: memset.MSVCRT ref: 00B7B258
      • Part of subcall function 00B7B1DE: CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,00000000), ref: 00B7B2A5
      • Part of subcall function 00B7B1DE: CloseHandle.KERNEL32(?), ref: 00B7B2B9
      • Part of subcall function 00B7B1DE: CloseHandle.KERNEL32(?), ref: 00B7B2BF
      • Part of subcall function 00B7B1DE: FreeLibrary.KERNEL32 ref: 00B7B2D3
    • CloseHandle.KERNEL32(00000001), ref: 00B79576
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • DeleteCriticalSection.KERNEL32(?,?,00000000,?,00401E30,?,00491DB0,00000060), ref: 00401F04
      • Part of subcall function 0040230E: HeapFree.KERNEL32(00000000,?,00492318,0000000C,00401F0C,?,?,?,00000000,?,00401E30,?,00491DB0,00000060), ref: 00402373
    • DeleteCriticalSection.KERNEL32(?,00000000,?,00401E30,?,00491DB0,00000060), ref: 00401F2E
    Strings
    Memory Dump Source
    • Source File: 00000003.00000000.254658263.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000000.254647752.00400000.00000002.sdmp
    • Associated: 00000003.00000000.254742621.00487000.00000002.sdmp
    • Associated: 00000003.00000000.254759473.00494000.00000008.sdmp
    • Associated: 00000003.00000000.254780696.004A1000.00000002.sdmp
    APIs
      • Part of subcall function 00441B16: EnterCriticalSection.KERNEL32(00465AA4,?,00448DDC,?,?,?,?,0045B233,?,00000001), ref: 00441B26
      • Part of subcall function 00441B16: LeaveCriticalSection.KERNEL32(00465AA4,?,00448DDC,?,?,?,?,0045B233,?,00000001), ref: 00441B50
    • memcmp.MSVCRT ref: 0044BE99
      • Part of subcall function 00456875: GetSystemTime.KERNEL32 ref: 0045687F
    • memcmp.MSVCRT ref: 0044BEF8
      • Part of subcall function 00442543: HeapAlloc.KERNEL32(00000008,?,?,00000000,0044D89F,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7,?,@echo off%sdel /F "%s"), ref: 0044256D
      • Part of subcall function 00442543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0044D89F,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7), ref: 00442580
    • memset.MSVCRT ref: 0044BF8A
    • memcpy.MSVCRT ref: 0044BFB7
    • memcmp.MSVCRT ref: 0044BFEE
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B81B16: EnterCriticalSection.KERNEL32(00BA5AA4,?,00B88DDC,?,?,?,?,00B9B233,?,00000001), ref: 00B81B26
      • Part of subcall function 00B81B16: LeaveCriticalSection.KERNEL32(00BA5AA4,?,00B88DDC,?,?,?,?,00B9B233,?,00000001), ref: 00B81B50
    • memcmp.MSVCRT ref: 00B8BE99
      • Part of subcall function 00B96875: GetSystemTime.KERNEL32 ref: 00B9687F
    • memcmp.MSVCRT ref: 00B8BEF8
      • Part of subcall function 00B82543: HeapAlloc.KERNEL32(00000008,?,?,00000000,00B8D89F,?,?,?,00000000,00000000,00000000,00B8D869,?,00B7B3C7,?,@echo off%sdel /F "%s"), ref: 00B8256D
      • Part of subcall function 00B82543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00B8D89F,?,?,?,00000000,00000000,00000000,00B8D869,?,00B7B3C7), ref: 00B82580
    • memset.MSVCRT ref: 00B8BF8A
    • memcpy.MSVCRT ref: 00B8BFB7
    • memcmp.MSVCRT ref: 00B8BFEE
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • GetCPInfo.KERNEL32(BB40E64E), ref: 00485091
      • Part of subcall function 00403B6B: GetStringTypeW.KERNEL32(00000001,00492BE4,00000001), ref: 00403B8F
      • Part of subcall function 00403B6B: GetLastError.KERNEL32(?,00492C10,0000001C,004043E4,00000001,?,00000001,00000008,?,?,00000001,?,?,00404326), ref: 00403BA1
      • Part of subcall function 00403B6B: MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000), ref: 00403C03
      • Part of subcall function 00403B6B: MultiByteToWideChar.KERNEL32(?,00000001,?,?), ref: 00403C81
      • Part of subcall function 00403B6B: GetStringTypeW.KERNEL32(00000008,?,?,?), ref: 00403C93
      • Part of subcall function 00403B6B: GetStringTypeA.KERNEL32(?,00000008,?,?,00404326), ref: 00403D07
      • Part of subcall function 00403667: LCMapStringW.KERNEL32(00000000,00000100,00492BE4,00000001,00000000,00000000), ref: 004037D6
      • Part of subcall function 00403667: GetLastError.KERNEL32 ref: 004037E8
      • Part of subcall function 00403667: MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000), ref: 0040386F
      • Part of subcall function 00403667: MultiByteToWideChar.KERNEL32(?,00000001,?,?,?), ref: 004038F0
      • Part of subcall function 00403667: LCMapStringW.KERNEL32(?,?,?,?,00000000,00000000), ref: 0040390A
      • Part of subcall function 00403667: LCMapStringW.KERNEL32(?,?,?,?,?,?), ref: 00403945
      • Part of subcall function 00403667: LCMapStringW.KERNEL32(?,?,?,?,?), ref: 004039B9
      • Part of subcall function 00403667: WideCharToMultiByte.KERNEL32(?,00000000,?,?,?,?,00000000,00000000), ref: 004039DC
      • Part of subcall function 00403667: LCMapStringA.KERNEL32(?,?,?,?,00000000,00000000), ref: 00403A72
      • Part of subcall function 00403667: LCMapStringA.KERNEL32(?,?,?,?,?,?), ref: 00403AF3
      • Part of subcall function 00403667: LCMapStringA.KERNEL32(?,?,?,?,?,?), ref: 00403B4A
      • Part of subcall function 00484FDC: ExitProcess.KERNEL32(00000003,004922F8,00000008,00401452), ref: 00484FD5
    Strings
    Memory Dump Source
    • Source File: 00000003.00000000.254658263.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000000.254647752.00400000.00000002.sdmp
    • Associated: 00000003.00000000.254742621.00487000.00000002.sdmp
    • Associated: 00000003.00000000.254759473.00494000.00000008.sdmp
    • Associated: 00000003.00000000.254780696.004A1000.00000002.sdmp
    APIs
      • Part of subcall function 004424C1: HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
      • Part of subcall function 00457C35: memset.MSVCRT ref: 00457C5D
    • memcpy.MSVCRT ref: 00451167
      • Part of subcall function 00457CAE: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00457CBE
    • memcpy.MSVCRT ref: 004510E2
    • memcpy.MSVCRT ref: 004510FA
      • Part of subcall function 00457DC3: memcpy.MSVCRT ref: 00457DE3
      • Part of subcall function 00457DC3: memcpy.MSVCRT ref: 00457E0F
    • memcpy.MSVCRT ref: 00451156
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B824C1: HeapAlloc.KERNEL32(00000000,00000028,?,00B9D211,?,?,00000000,?,?,00000001), ref: 00B824D2
      • Part of subcall function 00B97C35: memset.MSVCRT ref: 00B97C5D
    • memcpy.MSVCRT ref: 00B91167
      • Part of subcall function 00B97CAE: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00B97CBE
    • memcpy.MSVCRT ref: 00B910E2
    • memcpy.MSVCRT ref: 00B910FA
      • Part of subcall function 00B97DC3: memcpy.MSVCRT ref: 00B97DE3
      • Part of subcall function 00B97DC3: memcpy.MSVCRT ref: 00B97E0F
    • memcpy.MSVCRT ref: 00B91156
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
      • Part of subcall function 00439F04: StrCmpNA.SHLWAPI(Basic ,?,00000000), ref: 00439F19
      • Part of subcall function 00439F04: lstrcmpA.KERNEL32(Basic ,?,004554A4,00000006,Authorization,?,?,?), ref: 00439F23
    • StrChrA.SHLWAPI(?,0000003A), ref: 004554F6
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B79F04: StrCmpNA.SHLWAPI(Basic ,?,00000000), ref: 00B79F19
      • Part of subcall function 00B79F04: lstrcmpA.KERNEL32(Basic ,?,00B954A4,00000006,Authorization,?,?,?), ref: 00B79F23
    • StrChrA.SHLWAPI(?,0000003A), ref: 00B954F6
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • memset.MSVCRT ref: 00462F5F
    • memcpy.MSVCRT ref: 00462FBF
    • memcpy.MSVCRT ref: 00462FD7
      • Part of subcall function 00442070: memset.MSVCRT ref: 00442084
      • Part of subcall function 0045A7D7: memset.MSVCRT ref: 0045A862
      • Part of subcall function 0045570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0045ABEA,0045ABEA), ref: 0045573C
    • memcpy.MSVCRT ref: 0046304D
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • memset.MSVCRT ref: 00BA2F5F
    • memcpy.MSVCRT ref: 00BA2FBF
    • memcpy.MSVCRT ref: 00BA2FD7
      • Part of subcall function 00B82070: memset.MSVCRT ref: 00B82084
      • Part of subcall function 00B9A7D7: memset.MSVCRT ref: 00B9A862
      • Part of subcall function 00B9570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00B9ABEA,00B9ABEA), ref: 00B9573C
    • memcpy.MSVCRT ref: 00BA304D
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • GetFileAttributesW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data), ref: 00455CB1
    • CreateFileW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data,80000000,00000007,00000000,00000003,?,00000000), ref: 00455CD1
      • Part of subcall function 00455934: CloseHandle.KERNEL32 ref: 00455940
      • Part of subcall function 00455BE4: memcpy.MSVCRT ref: 00455C25
      • Part of subcall function 00455BE4: memcpy.MSVCRT ref: 00455C38
      • Part of subcall function 00455BE4: memcpy.MSVCRT ref: 00455C4B
      • Part of subcall function 00455BE4: memcpy.MSVCRT ref: 00455C56
      • Part of subcall function 00455BE4: GetFileTime.KERNEL32(?,?,?), ref: 00455C7A
      • Part of subcall function 00455BE4: memcpy.MSVCRT ref: 00455C90
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • GetFileAttributesW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data), ref: 00B95CB1
    • CreateFileW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data,80000000,00000007,00000000,00000003,?,00000000), ref: 00B95CD1
      • Part of subcall function 00B95934: CloseHandle.KERNEL32 ref: 00B95940
      • Part of subcall function 00B95BE4: memcpy.MSVCRT ref: 00B95C25
      • Part of subcall function 00B95BE4: memcpy.MSVCRT ref: 00B95C38
      • Part of subcall function 00B95BE4: memcpy.MSVCRT ref: 00B95C4B
      • Part of subcall function 00B95BE4: memcpy.MSVCRT ref: 00B95C56
      • Part of subcall function 00B95BE4: GetFileTime.KERNEL32(?,?,?), ref: 00B95C7A
      • Part of subcall function 00B95BE4: memcpy.MSVCRT ref: 00B95C90
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
      • Part of subcall function 0043C942: EnterCriticalSection.KERNEL32(00465AA4,?,0043CE31,009B1E90,0045D393), ref: 0043C952
      • Part of subcall function 0043C942: LeaveCriticalSection.KERNEL32(00465AA4,?,0043CE31,009B1E90,0045D393), ref: 0043C987
    • VerQueryValueW.VERSION(?,0042AE74,?,?,009B1E90,0045D393), ref: 0043CE44
    • GetModuleHandleW.KERNEL32(?), ref: 0043CE85
      • Part of subcall function 0043CE9F: PathFindFileNameW.SHLWAPI(00000000), ref: 0043CEE3
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B7C942: EnterCriticalSection.KERNEL32(00BA5AA4,?,00B7CE31,01311E90,00B9D393), ref: 00B7C952
      • Part of subcall function 00B7C942: LeaveCriticalSection.KERNEL32(00BA5AA4,?,00B7CE31,01311E90,00B9D393), ref: 00B7C987
    • VerQueryValueW.VERSION(?,00B6AE74,?,?,01311E90,00B9D393), ref: 00B7CE44
    • GetModuleHandleW.KERNEL32(?), ref: 00B7CE85
      • Part of subcall function 00B7CE9F: PathFindFileNameW.SHLWAPI(00000000), ref: 00B7CEE3
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00459AEE
    • VirtualProtect.KERNEL32(00000000,00010000,00000040,?), ref: 00459B34
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • GetVersionExA.KERNEL32 ref: 00A31AB2
      • Part of subcall function 00A31829: GetModuleHandleA.KERNEL32(kernel32), ref: 00A31844
      • Part of subcall function 00A31829: GetProcAddress.KERNEL32 ref: 00A3184B
      • Part of subcall function 00A31829: GetCurrentProcess.KERNEL32 ref: 00A3185E
      • Part of subcall function 00A31829: IsWow64Process.KERNEL32 ref: 00A31865
    • GlobalFindAtomA.KERNEL32(*EUDC*), ref: 00A31AF1
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.678185872.00A30000.00000040.sdmp, Offset: 00A30000, based on PE: false
    APIs
    • memcpy.MSVCRT ref: 00442268
    • memcpy.MSVCRT ref: 0044227D
      • Part of subcall function 0045570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0045ABEA,0045ABEA), ref: 0045573C
    • memcpy.MSVCRT ref: 004422BA
    • memcpy.MSVCRT ref: 004422F2
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • memcpy.MSVCRT ref: 00B82268
    • memcpy.MSVCRT ref: 00B8227D
      • Part of subcall function 00B9570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00B9ABEA,00B9ABEA), ref: 00B9573C
    • memcpy.MSVCRT ref: 00B822BA
    • memcpy.MSVCRT ref: 00B822F2
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
      • Part of subcall function 004424DA: HeapAlloc.KERNEL32(00000008,?,?,0043B076,?,?,?,00000000,?,?,00000000,0045AA69,?,0045ADD5), ref: 004424EB
    • SetLastError.KERNEL32(00000008,?,?,00000000,0045D06E,?,?,00000000), ref: 0045D15C
    • memcpy.MSVCRT ref: 0045D17C
    • memcpy.MSVCRT ref: 0045D1B4
    • memcpy.MSVCRT ref: 0045D1CC
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B824DA: HeapAlloc.KERNEL32(00000008,?,?,00B7B076,?,?,?,00000000,?,?,00000000,00B9AA69,?,00B9ADD5), ref: 00B824EB
    • SetLastError.KERNEL32(00000008,?,?,00000000,00B9D06E,?,?,00000000), ref: 00B9D15C
    • memcpy.MSVCRT ref: 00B9D17C
    • memcpy.MSVCRT ref: 00B9D1B4
    • memcpy.MSVCRT ref: 00B9D1CC
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,?,00449116,?), ref: 0045917B
    • memcmp.MSVCRT ref: 004591A7
    • memcpy.MSVCRT ref: 004591F2
    • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,00000000), ref: 004591FE
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,?,00B89116,?), ref: 00B9917B
    • memcmp.MSVCRT ref: 00B991A7
    • memcpy.MSVCRT ref: 00B991F2
    • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,00000000), ref: 00B991FE
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • memset.MSVCRT ref: 00B9FEF5
    • InitializeCriticalSection.KERNEL32(00BA5050), ref: 00B9FF05
      • Part of subcall function 00B8204E: memcpy.MSVCRT ref: 00B8205C
    • memset.MSVCRT ref: 00B9FF34
    • InitializeCriticalSection.KERNEL32(00BA5030), ref: 00B9FF3E
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • VirtualAlloc.KERNEL32(00000000,00006000,00003000,00000040), ref: 00B6CAC5
    • LoadLibraryA.KERNEL32 ref: 00B6CBAE
    • GetProcAddress.KERNEL32(00000000), ref: 00B6CBD8
    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00B6CC0A
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
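Two things in this listing are worth checking mechanically rather than by eye. First, almost every function appears twice: once in the dump based at 00400000 and once in the dump based at 00B40000, with every call site exactly 00740000 apart (0043785D and 00B7785D, 0045D03A and 00B9D03A, 00442593 and 00B82593), which is what a second copy of the same image mapped at another address looks like; the last field of that dump's name, 00000040, reads as the page protection (execute/read/write). Second, the function above at 00B6CAC5 allocates a 0x6000-byte PAGE_EXECUTE_READWRITE buffer, then resolves imports by hand with LoadLibraryA/GetProcAddress and frees the buffer, the shape of an unpacker stub. The script below is an added example, not part of the report or of Joe Sandbox: it parses this "APIs ... Source File" format, confirms the rebased-copy relationship by requiring every call site in a pair to shift by the same delta, and flags a few API combinations a triager looks at first (RWX memory plus hand-resolved imports, the "del /F" batch string passed at 0044256D, the "Basic"/"Authorization" comparisons at 00439F19). The rule names, the unpacker heuristic and SAMPLE are the example's own choices; the sample lines are copied from this page.

```python
"""Added example (not the sandbox's own tooling): parse the per-function "APIs"
listing printed on this page, pair functions that appear twice because one image
was dumped at two load addresses, and flag API mixes worth a triager's first
look. Rule names are this example's own; SAMPLE is copied from the page."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

API_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
                    r"(?P<api>\w+)\.[A-Z0-9_]+(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$")
SRC_RE = re.compile(r"^Source File: [^,]+, Offset: (?P<off>[0-9A-F]{8}), based on PE: (?:true|false)$")
PAGE_EXECUTE_READWRITE = 0x40

@dataclass
class Call:
    api: str
    args: List[str]          # raw argument tokens; "?" = not resolved by the sandbox
    ref: int                 # address of the call site
    subcall: Optional[int]   # caller address when listed as "Part of subcall function"

@dataclass
class FuncBlock:
    calls: List[Call] = field(default_factory=list)
    base: int = 0            # load address of the memory dump the block came from

def parse_report(text: str) -> List[FuncBlock]:
    """One FuncBlock per "APIs ... Source File" run; entries without calls are dropped."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line == "APIs":
            cur = FuncBlock()
        elif cur is None:
            continue
        elif m := API_RE.match(line):
            cur.calls.append(Call(m["api"], m["args"].split(",") if m["args"] is not None else [],
                                  int(m["ref"], 16), int(m["sub"], 16) if m["sub"] else None))
        elif m := SRC_RE.match(line):
            cur.base = int(m["off"], 16)
            if cur.calls:
                blocks.append(cur)
            cur = None
    return blocks

def rebased_twin(a: FuncBlock, b: FuncBlock) -> Optional[int]:
    # Load delta if b is a's code dumped at another base (same API sequence and
    # every call site shifted by exactly b.base - a.base); None otherwise.
    delta = b.base - a.base
    if delta and len(a.calls) == len(b.calls) and all(
            x.api == y.api and y.ref - x.ref == delta for x, y in zip(a.calls, b.calls)):
        return delta
    return None

def find_rebased_pairs(blocks: List[FuncBlock]) -> List[Tuple[int, int, int]]:
    return [(a.calls[0].ref, b.calls[0].ref, d)
            for i, a in enumerate(blocks) for b in blocks[i + 1:]
            if (d := rebased_twin(a, b)) is not None]

def arg_int(call: Call, i: int) -> Optional[int]:
    try:
        return int(call.args[i], 16)
    except (IndexError, ValueError):     # missing, "?" or a string literal
        return None

def flag_block(block: FuncBlock) -> List[str]:
    """Heuristic triage rules over one function; the names are this example's own."""
    apis = {c.api for c in block.calls}
    args = [a.strip() for c in block.calls for a in c.args]
    flags = set()
    if any((c.api == "VirtualAlloc" and arg_int(c, 3) == PAGE_EXECUTE_READWRITE)
           or (c.api == "VirtualProtect" and arg_int(c, 2) == PAGE_EXECUTE_READWRITE)
           for c in block.calls):
        flags.add("rwx-memory")
    if {"LoadLibraryA", "GetProcAddress"} <= apis:
        flags.add("manual-import-resolution")
    if {"rwx-memory", "manual-import-resolution"} <= flags:
        flags.add("unpacker-stub")       # RWX buffer plus hand-resolved imports
    if any("del /F" in a for a in args):
        flags.add("self-delete-batch")   # "@echo off ... del /F" script
    if any(a in ("Basic", "Authorization") for a in args):
        flags.add("http-basic-auth-parsing")
    return sorted(flags)

SAMPLE = """\
APIs
• VirtualAlloc.KERNEL32(00000000,00006000,00003000,00000040), ref: 00B6CAC5
• LoadLibraryA.KERNEL32 ref: 00B6CBAE
• GetProcAddress.KERNEL32(00000000), ref: 00B6CBD8
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 00B6CC0A
• Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
APIs
• memset.MSVCRT ref: 0045D03A
• InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 0045D05C
• Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
APIs
• memset.MSVCRT ref: 00B9D03A
• InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 00B9D05C
• Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
APIs
  • Part of subcall function 00439F04: StrCmpNA.SHLWAPI(Basic ,?,00000000), ref: 00439F19
• StrChrA.SHLWAPI(?,0000003A), ref: 004554F6
• Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
APIs
  • Part of subcall function 00442543: HeapAlloc.KERNEL32(00000008,?,?,00000000,0044D89F,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7,?,@echo off%sdel /F "%s"), ref: 0044256D
• memcmp.MSVCRT ref: 0044BFEE
• Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
"""
```

On the full listing, find_rebased_pairs(parse_report(text)) returns one pair per duplicated function with a constant delta of 0x740000, which is the quick confirmation that the 00B40000 dump is a relocated copy of the image at 00400000 rather than a second module; a function that has no twin (such as the one at 00B6CAC5, or the block in the 00A30000 dump marked "based on PE: false") is code that exists only in the injected or unpacked copy and is where to start reading.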
    APIs
      • Part of subcall function 004426C5: memset.MSVCRT ref: 004426D5
    • lstrlenA.KERNEL32(?), ref: 0044304D
    • lstrlenA.KERNEL32 ref: 0044305C
      • Part of subcall function 0044D8E8: memcpy.MSVCRT ref: 0044D8FF
      • Part of subcall function 0044D8E8: CharLowerA.USER32 ref: 0044D9CA
      • Part of subcall function 0044D8E8: CharLowerA.USER32(?), ref: 0044D9DA
      • Part of subcall function 0044D8E8: memcpy.MSVCRT ref: 0044DA9F
      • Part of subcall function 0044260E: memcpy.MSVCRT ref: 00442621
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B826C5: memset.MSVCRT ref: 00B826D5
    • lstrlenA.KERNEL32(?), ref: 00B8304D
    • lstrlenA.KERNEL32 ref: 00B8305C
      • Part of subcall function 00B8D8E8: memcpy.MSVCRT ref: 00B8D8FF
      • Part of subcall function 00B8D8E8: CharLowerA.USER32 ref: 00B8D9CA
      • Part of subcall function 00B8D8E8: CharLowerA.USER32(?), ref: 00B8D9DA
      • Part of subcall function 00B8D8E8: memcpy.MSVCRT ref: 00B8DA9F
      • Part of subcall function 00B8260E: memcpy.MSVCRT ref: 00B82621
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
      • Part of subcall function 0045601D: FreeAddrInfoW.WS2_32 ref: 0045602C
      • Part of subcall function 0045601D: memset.MSVCRT ref: 00456042
    • getaddrinfo.WS2_32(?,00000000), ref: 0044C675
    • memset.MSVCRT ref: 0044C6BB
    • memcpy.MSVCRT ref: 0044C6CE
      • Part of subcall function 0043BB55: connect.WS2_32(?,?), ref: 0043BB93
      • Part of subcall function 0043BB55: WSAGetLastError.WS2_32(?,00000000,?,?,?,0044C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 0043BBA2
      • Part of subcall function 0043BB55: WSASetLastError.WS2_32(?,?,?,?,0044C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 0043BBC0
      • Part of subcall function 0043BB55: WSAGetLastError.WS2_32(?,?,?,0044C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 0043BBC2
      • Part of subcall function 0043BB55: WSASetLastError.WS2_32(00000000), ref: 0043BC00
      • Part of subcall function 0043B979: shutdown.WS2_32(?,00000002), ref: 0043B987
      • Part of subcall function 0043B979: closesocket.WS2_32 ref: 0043B990
      • Part of subcall function 0043B979: WSACloseEvent.WS2_32 ref: 0043B9A3
    • FreeAddrInfoW.WS2_32(00000000), ref: 0044C778
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B9601D: FreeAddrInfoW.WS2_32 ref: 00B9602C
      • Part of subcall function 00B9601D: memset.MSVCRT ref: 00B96042
    • getaddrinfo.WS2_32(?,00000000), ref: 00B8C675
    • memset.MSVCRT ref: 00B8C6BB
    • memcpy.MSVCRT ref: 00B8C6CE
      • Part of subcall function 00B7BB55: connect.WS2_32(?,?), ref: 00B7BB93
      • Part of subcall function 00B7BB55: WSAGetLastError.WS2_32(?,00000000,?,?,?,00B8C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 00B7BBA2
      • Part of subcall function 00B7BB55: WSASetLastError.WS2_32(?,?,?,?,00B8C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 00B7BBC0
      • Part of subcall function 00B7BB55: WSAGetLastError.WS2_32(?,?,?,00B8C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 00B7BBC2
      • Part of subcall function 00B7BB55: WSASetLastError.WS2_32(00000000), ref: 00B7BC00
      • Part of subcall function 00B7B979: shutdown.WS2_32(?,00000002), ref: 00B7B987
      • Part of subcall function 00B7B979: closesocket.WS2_32 ref: 00B7B990
      • Part of subcall function 00B7B979: WSACloseEvent.WS2_32 ref: 00B7B9A3
    • FreeAddrInfoW.WS2_32(00000000), ref: 00B8C778
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • memset.MSVCRT ref: 0045CDD2
      • Part of subcall function 004424C1: HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
    • InternetReadFile.WININET(004499F7,?,00001000,?), ref: 0045CE24
    • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0045CE01
      • Part of subcall function 004425D5: memcpy.MSVCRT ref: 004425FB
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • SetLastError.KERNEL32(00000000,?,00001000,?,?,00000000,?,00000001,?,004499F7,?,00000CCA,?,?,00000001), ref: 0045CE78
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • memset.MSVCRT ref: 00B9CDD2
      • Part of subcall function 00B824C1: HeapAlloc.KERNEL32(00000000,00000028,?,00B9D211,?,?,00000000,?,?,00000001), ref: 00B824D2
    • InternetReadFile.WININET(00B899F7,?,00001000,?), ref: 00B9CE24
    • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00B9CE01
      • Part of subcall function 00B825D5: memcpy.MSVCRT ref: 00B825FB
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
    • SetLastError.KERNEL32(00000000,?,00001000,?,?,00000000,?,00000001,?,00B899F7,?,00000CCA,?,?,00000001), ref: 00B9CE78
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
      • Part of subcall function 004371D5: memcpy.MSVCRT ref: 004372E6
      • Part of subcall function 00455B15: SetFilePointerEx.KERNEL32(?,00000001,00000001,00000000,?), ref: 00455B25
    • WriteFile.KERNEL32(?,?,00000005,?,00000000), ref: 00446EB2
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00446ECA
    • FlushFileBuffers.KERNEL32(?), ref: 00446EE4
    • SetEndOfFile.KERNEL32 ref: 00446EFE
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 00455ADF: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001), ref: 00455AF1
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B771D5: memcpy.MSVCRT ref: 00B772E6
      • Part of subcall function 00B95B15: SetFilePointerEx.KERNEL32(?,00000001,00000001,00000000,?), ref: 00B95B25
    • WriteFile.KERNEL32(?,?,00000005,?,00000000), ref: 00B86EB2
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00B86ECA
    • FlushFileBuffers.KERNEL32(?), ref: 00B86EE4
    • SetEndOfFile.KERNEL32 ref: 00B86EFE
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
      • Part of subcall function 00B95ADF: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001), ref: 00B95AF1
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • GetTickCount.KERNEL32 ref: 004466A8
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,00000002), ref: 004466BA
    • memcmp.MSVCRT ref: 004466F4
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000002), ref: 00446760
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • GetTickCount.KERNEL32 ref: 00B866A8
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,00000002), ref: 00B866BA
    • memcmp.MSVCRT ref: 00B866F4
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000002), ref: 00B86760
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • WSAEventSelect.WS2_32(?,?,?), ref: 0043BF85
    • WaitForMultipleObjects.KERNEL32(?,00000001,00000000,?), ref: 0043BFBA
    • WSAEventSelect.WS2_32 ref: 0043C008
    • WSASetLastError.WS2_32(?,?,?,?,?,00000001,00000000,?,?,?,?), ref: 0043C01B
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • WSAEventSelect.WS2_32(?,?,?), ref: 00B7BF85
    • WaitForMultipleObjects.KERNEL32(?,00000001,00000000,?), ref: 00B7BFBA
    • WSAEventSelect.WS2_32 ref: 00B7C008
    • WSASetLastError.WS2_32(?,?,?,?,?,00000001,00000000,?,?,?,?), ref: 00B7C01B
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000104,00000000,?,00000000), ref: 0044BA66
    • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000103,00000000), ref: 0044BA9B
    • RegCloseKey.ADVAPI32(?), ref: 0044BAAA
    • RegCloseKey.ADVAPI32(?), ref: 0044BAC5
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000104,00000000,?,00000000), ref: 00B8BA66
    • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000103,00000000), ref: 00B8BA9B
    • RegCloseKey.ADVAPI32(?), ref: 00B8BAAA
    • RegCloseKey.ADVAPI32(?), ref: 00B8BAC5
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,?,00000000,?,004468D1,?,?,?,?,00000002), ref: 00446619
    • GetTickCount.KERNEL32 ref: 0044664A
    • memcpy.MSVCRT ref: 00446681
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000,?,004468D1,?,?,?,?,00000002), ref: 0044668D
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,?,00000000,?,00B868D1,?,?,?,?,00000002), ref: 00B86619
    • GetTickCount.KERNEL32 ref: 00B8664A
    • memcpy.MSVCRT ref: 00B86681
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000,?,00B868D1,?,?,?,?,00000002), ref: 00B8668D
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00465030,?,?,?,004618E8), ref: 00460594
    • LeaveCriticalSection.KERNEL32(00465030,?,?,?,004618E8), ref: 0046060A
      • Part of subcall function 00442543: HeapAlloc.KERNEL32(00000008,?,?,00000000,0044D89F,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7,?,@echo off%sdel /F "%s"), ref: 0044256D
      • Part of subcall function 00442543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0044D89F,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7), ref: 00442580
    • memcpy.MSVCRT ref: 004605EA
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • GetTickCount.KERNEL32 ref: 00445138
    • GetLastInputInfo.USER32(?), ref: 0044514B
    • GetLocalTime.KERNEL32 ref: 0044516F
      • Part of subcall function 00456891: SystemTimeToFileTime.KERNEL32 ref: 0045689B
    • GetTimeZoneInformation.KERNEL32 ref: 00445187
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • GetTickCount.KERNEL32 ref: 00B85138
    • GetLastInputInfo.USER32(?), ref: 00B8514B
    • GetLocalTime.KERNEL32 ref: 00B8516F
      • Part of subcall function 00B96891: SystemTimeToFileTime.KERNEL32 ref: 00B9689B
    • GetTimeZoneInformation.KERNEL32 ref: 00B85187
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • Sleep.KERNEL32(000003E8), ref: 00A31325
    • SendInput.USER32(00000001,?,0000001C), ref: 00A31343
    • Sleep.KERNEL32(00000032), ref: 00A31347
    • SendInput.USER32(00000001,?,0000001C), ref: 00A31358
    Memory Dump Source
    • Source File: 00000003.00000002.678185872.00A30000.00000040.sdmp, Offset: 00A30000, based on PE: false
    APIs
    • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,00001CFF), ref: 00437622
    • TranslateMessage.USER32 ref: 00437646
    • DispatchMessageW.USER32 ref: 00437651
    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00437661
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,00001CFF), ref: 00B77622
    • TranslateMessage.USER32 ref: 00B77646
    • DispatchMessageW.USER32 ref: 00B77651
    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B77661
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
      • Part of subcall function 00436A4D: TlsSetValue.KERNEL32(00000001,0044A796), ref: 00436A5A
      • Part of subcall function 0045C09D: CreateMutexW.KERNEL32(004649B4,00000000), ref: 0045C0BF
      • Part of subcall function 0045AFD3: WaitForSingleObject.KERNEL32(00000000,0044A849), ref: 0045AFDB
    • GetCurrentThread.KERNEL32 ref: 0044A70A
    • SetThreadPriority.KERNEL32 ref: 0044A711
    • WaitForSingleObject.KERNEL32(00001388), ref: 0044A723
      • Part of subcall function 00435B9B: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00435BC1
      • Part of subcall function 00435B9B: Process32FirstW.KERNEL32 ref: 00435BE6
      • Part of subcall function 00435B9B: OpenProcess.KERNEL32(00000400,00000000,?), ref: 00435C3D
      • Part of subcall function 00435B9B: CloseHandle.KERNEL32 ref: 00435C5B
      • Part of subcall function 00435B9B: GetLengthSid.ADVAPI32 ref: 00435C77
      • Part of subcall function 00435B9B: memcmp.MSVCRT ref: 00435C8F
      • Part of subcall function 00435B9B: CloseHandle.KERNEL32(?), ref: 00435D07
      • Part of subcall function 00435B9B: Process32NextW.KERNEL32(?,?), ref: 00435D13
      • Part of subcall function 00435B9B: CloseHandle.KERNEL32 ref: 00435D26
    • WaitForSingleObject.KERNEL32(00001388), ref: 0044A73C
      • Part of subcall function 0043766D: ReleaseMutex.KERNEL32 ref: 00437671
      • Part of subcall function 0043766D: CloseHandle.KERNEL32 ref: 00437678
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B76A4D: TlsSetValue.KERNEL32(00000001,00B82D2F), ref: 00B76A5A
      • Part of subcall function 00B9C09D: CreateMutexW.KERNEL32(00BA49B4,00000000), ref: 00B9C0BF
      • Part of subcall function 00B9AFD3: WaitForSingleObject.KERNEL32(00000000,00B82D5B), ref: 00B9AFDB
    • GetCurrentThread.KERNEL32 ref: 00B8A70A
    • SetThreadPriority.KERNEL32 ref: 00B8A711
    • WaitForSingleObject.KERNEL32(00001388), ref: 00B8A723
      • Part of subcall function 00B75B9B: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00B75BC1
      • Part of subcall function 00B75B9B: Process32FirstW.KERNEL32 ref: 00B75BE6
      • Part of subcall function 00B75B9B: OpenProcess.KERNEL32(00000400,00000000,?), ref: 00B75C3D
      • Part of subcall function 00B75B9B: CloseHandle.KERNEL32 ref: 00B75C5B
      • Part of subcall function 00B75B9B: GetLengthSid.ADVAPI32 ref: 00B75C77
      • Part of subcall function 00B75B9B: memcmp.MSVCRT ref: 00B75C8F
      • Part of subcall function 00B75B9B: CloseHandle.KERNEL32(?), ref: 00B75D07
      • Part of subcall function 00B75B9B: Process32NextW.KERNEL32(?,?), ref: 00B75D13
      • Part of subcall function 00B75B9B: CloseHandle.KERNEL32 ref: 00B75D26
    • WaitForSingleObject.KERNEL32(00001388), ref: 00B8A73C
      • Part of subcall function 00B7766D: ReleaseMutex.KERNEL32 ref: 00B77671
      • Part of subcall function 00B7766D: CloseHandle.KERNEL32 ref: 00B77678
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • CreateThread.KERNEL32(00000000,00000000,Function_00053883,00000000), ref: 00453964
    • WaitForSingleObject.KERNEL32(?,00003A98), ref: 00453976
    • TerminateThread.KERNEL32(?,00000000), ref: 00453982
    • CloseHandle.KERNEL32 ref: 00453989
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • WaitForSingleObject.KERNEL32(?,00007530), ref: 0045C3D1
    • EnterCriticalSection.KERNEL32(?,?,00007530), ref: 0045C3DF
    • LeaveCriticalSection.KERNEL32(?,?,00007530), ref: 0045C3F4
    • WaitForSingleObject.KERNEL32(?,00007530), ref: 0045C3FE
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • WaitForSingleObject.KERNEL32(?,00007530), ref: 00B9C3D1
    • EnterCriticalSection.KERNEL32(?,?,00007530), ref: 00B9C3DF
    • LeaveCriticalSection.KERNEL32(?,?,00007530), ref: 00B9C3F4
    • WaitForSingleObject.KERNEL32(?,00007530), ref: 00B9C3FE
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,00000002,00000001,?,?,0044914A,?,?,?,?,?,?,00000000,?), ref: 00448FAF
    • LeaveCriticalSection.KERNEL32 ref: 00449017
      • Part of subcall function 00448A41: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00448A52
      • Part of subcall function 00442543: HeapAlloc.KERNEL32(00000008,?,?,00000000,0044D89F,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7,?,@echo off%sdel /F "%s"), ref: 0044256D
      • Part of subcall function 00442543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0044D89F,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7), ref: 00442580
    • SetEvent.KERNEL32 ref: 0044900A
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(?,?,00000002,00000001,?,?,00B8914A,?,?,?,?,?,?,00000000,?), ref: 00B88FAF
    • LeaveCriticalSection.KERNEL32 ref: 00B89017
      • Part of subcall function 00B88A41: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B88A52
      • Part of subcall function 00B82543: HeapAlloc.KERNEL32(00000008,?,?,00000000,00B8D89F,?,?,?,00000000,00000000,00000000,00B8D869,?,00B7B3C7,?,@echo off%sdel /F "%s"), ref: 00B8256D
      • Part of subcall function 00B82543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00B8D89F,?,?,?,00000000,00000000,00000000,00B8D869,?,00B7B3C7), ref: 00B82580
    • SetEvent.KERNEL32 ref: 00B8900A
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • getpeername.WS2_32(?,?,?), ref: 0044EC79
    • getsockname.WS2_32(?,?,?), ref: 0044EC91
    • send.WS2_32(00000000,00000000,00000008,00000000), ref: 0044ECC2
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • getpeername.WS2_32(?,?,?), ref: 00B8EC79
    • getsockname.WS2_32(?,?,?), ref: 00B8EC91
    • send.WS2_32(00000000,00000000,00000008,00000000), ref: 00B8ECC2
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • WSACreateEvent.WS2_32(00000000,?,0043BB6E,00000033,00000000,?,?,?,0044C4F0,?,00003A98,?,00000000,?,00000003), ref: 0043B93E
    • WSAEventSelect.WS2_32(?,?,00000033), ref: 0043B954
    • WSACloseEvent.WS2_32 ref: 0043B968
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • WSACreateEvent.WS2_32(00000000,?,00B7BB6E,00000033,00000000,?,?,?,00B8C4F0,?,00003A98,?,00000000,?,00000003), ref: 00B7B93E
    • WSAEventSelect.WS2_32(?,?,00000033), ref: 00B7B954
    • WSACloseEvent.WS2_32 ref: 00B7B968
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
      • Part of subcall function 00454BC8: StrCmpNIA.SHLWAPI ref: 00454BDF
    • StrCmpNIA.SHLWAPI(?,nbsp;,00000005), ref: 00454D7B
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B94BC8: StrCmpNIA.SHLWAPI ref: 00B94BDF
    • StrCmpNIA.SHLWAPI(?,nbsp;,00000005), ref: 00B94D7B
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
      • Part of subcall function 00457ED8: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00457EEF
      • Part of subcall function 00457ED8: CloseHandle.KERNEL32 ref: 00457F0E
    • GetFileSizeEx.KERNEL32(00000000), ref: 004625C4
      • Part of subcall function 00457F3D: UnmapViewOfFile.KERNEL32 ref: 00457F49
      • Part of subcall function 00457F3D: MapViewOfFile.KERNEL32(?,00000001,00000000,00000000,00000001), ref: 00457F60
      • Part of subcall function 00455B15: SetFilePointerEx.KERNEL32(?,00000001,00000001,00000000,?), ref: 00455B25
    • SetEndOfFile.KERNEL32 ref: 0046263A
    • FlushFileBuffers.KERNEL32(?), ref: 00462645
      • Part of subcall function 00455934: CloseHandle.KERNEL32 ref: 00455940
      • Part of subcall function 00455B5F: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00455B87
      • Part of subcall function 00462474: GetFileAttributesW.KERNEL32 ref: 00462485
      • Part of subcall function 00462474: PathRemoveFileSpecW.SHLWAPI(?), ref: 004624BA
      • Part of subcall function 00462474: MoveFileExW.KERNEL32(?,?,00000001), ref: 00462501
      • Part of subcall function 00462474: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 0046251A
      • Part of subcall function 00462474: Sleep.KERNEL32(00001388), ref: 0046255D
      • Part of subcall function 00462474: FlushFileBuffers.KERNEL32 ref: 0046256B
      • Part of subcall function 00457E98: UnmapViewOfFile.KERNEL32 ref: 00457EA4
      • Part of subcall function 00457E98: CloseHandle.KERNEL32 ref: 00457EB7
      • Part of subcall function 00457E98: CloseHandle.KERNEL32 ref: 00457ECD
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B97ED8: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00B97EEF
      • Part of subcall function 00B97ED8: CloseHandle.KERNEL32 ref: 00B97F0E
    • GetFileSizeEx.KERNEL32(00000000), ref: 00BA25C4
      • Part of subcall function 00B97F3D: UnmapViewOfFile.KERNEL32 ref: 00B97F49
      • Part of subcall function 00B97F3D: MapViewOfFile.KERNEL32(?,00000001,00000000,00000000,00000001), ref: 00B97F60
      • Part of subcall function 00B95B15: SetFilePointerEx.KERNEL32(?,00000001,00000001,00000000,?), ref: 00B95B25
    • SetEndOfFile.KERNEL32 ref: 00BA263A
    • FlushFileBuffers.KERNEL32(?), ref: 00BA2645
      • Part of subcall function 00B95934: CloseHandle.KERNEL32 ref: 00B95940
      • Part of subcall function 00B95B5F: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00B95B87
      • Part of subcall function 00BA2474: GetFileAttributesW.KERNEL32 ref: 00BA2485
      • Part of subcall function 00BA2474: PathRemoveFileSpecW.SHLWAPI(?), ref: 00BA24BA
      • Part of subcall function 00BA2474: MoveFileExW.KERNEL32(?,?,00000001), ref: 00BA2501
      • Part of subcall function 00BA2474: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 00BA251A
      • Part of subcall function 00BA2474: Sleep.KERNEL32(00001388), ref: 00BA255D
      • Part of subcall function 00BA2474: FlushFileBuffers.KERNEL32 ref: 00BA256B
      • Part of subcall function 00B97E98: UnmapViewOfFile.KERNEL32 ref: 00B97EA4
      • Part of subcall function 00B97E98: CloseHandle.KERNEL32 ref: 00B97EB7
      • Part of subcall function 00B97E98: CloseHandle.KERNEL32 ref: 00B97ECD
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00465050,?,?,00000000,?,0044F3D7,00000000), ref: 00461F47
    • LeaveCriticalSection.KERNEL32(00465050,00465068,?,?,00000000,?,0044F3D7,00000000), ref: 00461F86
      • Part of subcall function 00460F60: memcmp.MSVCRT ref: 00460FF5
      • Part of subcall function 00460F60: memcpy.MSVCRT ref: 00461025
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • select.WS2_32(00000000,?,00000000,00000000), ref: 00443A81
    • recv.WS2_32(?,?,?,00000000), ref: 00443A91
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • select.WS2_32(00000000,?,00000000,00000000), ref: 00B83A81
    • recv.WS2_32(?,?,?,00000000), ref: 00B83A91
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00459B46
    • VirtualProtect.KERNEL32(?,0000007C,?,?), ref: 00459B7D
      • Part of subcall function 00459A67: memset.MSVCRT ref: 00459A78
      • Part of subcall function 00459821: GetCurrentProcess.KERNEL32 ref: 00459824
      • Part of subcall function 00459821: VirtualProtect.KERNEL32(00000000,=::=::\,00000020), ref: 00459845
      • Part of subcall function 00459821: FlushInstructionCache.KERNEL32(?,00000000,=::=::\), ref: 0045984E
    • ResumeThread.KERNEL32(?), ref: 00459BBE
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00B99B46
    • VirtualProtect.KERNEL32(?,0000007C,?,?), ref: 00B99B7D
      • Part of subcall function 00B99A67: memset.MSVCRT ref: 00B99A78
      • Part of subcall function 00B99821: GetCurrentProcess.KERNEL32 ref: 00B99824
      • Part of subcall function 00B99821: VirtualProtect.KERNEL32(6FFF0000,=::=::\,00000020), ref: 00B99845
      • Part of subcall function 00B99821: FlushInstructionCache.KERNEL32(?,6FFF0000,=::=::\), ref: 00B9984E
    • ResumeThread.KERNEL32(?), ref: 00B99BBE
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • memset.MSVCRT ref: 0045D506
      • Part of subcall function 0045BC89: memcpy.MSVCRT ref: 0045BCA4
      • Part of subcall function 0045BC89: StringFromGUID2.OLE32 ref: 0045BD4A
      • Part of subcall function 0044204E: memcpy.MSVCRT ref: 0044205C
      • Part of subcall function 0045570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0045ABEA,0045ABEA), ref: 0045573C
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00438FE0
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 00438FEA
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439033
      • Part of subcall function 00438F6F: memcpy.MSVCRT ref: 00439060
      • Part of subcall function 00438F6F: PathRemoveBackslashW.SHLWAPI ref: 0043906A
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • memset.MSVCRT ref: 00B9D506
      • Part of subcall function 00B9BC89: memcpy.MSVCRT ref: 00B9BCA4
      • Part of subcall function 00B9BC89: StringFromGUID2.OLE32 ref: 00B9BD4A
      • Part of subcall function 00B8204E: memcpy.MSVCRT ref: 00B8205C
      • Part of subcall function 00B9570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00B9ABEA,00B9ABEA), ref: 00B9573C
      • Part of subcall function 00B78F6F: memcpy.MSVCRT ref: 00B78FE0
      • Part of subcall function 00B78F6F: PathRemoveBackslashW.SHLWAPI ref: 00B78FEA
      • Part of subcall function 00B78F6F: memcpy.MSVCRT ref: 00B79033
      • Part of subcall function 00B78F6F: memcpy.MSVCRT ref: 00B79060
      • Part of subcall function 00B78F6F: PathRemoveBackslashW.SHLWAPI ref: 00B7906A
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00465AA4,?,00000001,?,?,0045D824,?,?,?,00000001), ref: 0045D62C
    • LeaveCriticalSection.KERNEL32(00465AA4,?,00000001,?,?,0045D824,?,?,?,00000001), ref: 0045D653
      • Part of subcall function 0045D4EF: memset.MSVCRT ref: 0045D506
      • Part of subcall function 004593C4: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00459433
      • Part of subcall function 004593C4: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00459458
      • Part of subcall function 0045946B: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 004594AA
    • _ultow.MSVCRT ref: 0045D69A
      • Part of subcall function 00459393: CryptDestroyHash.ADVAPI32 ref: 004593AB
      • Part of subcall function 00459393: CryptReleaseContext.ADVAPI32(?,00000000), ref: 004593BC
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • CloseHandle.KERNEL32(?), ref: 00457B37
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • InternetQueryOptionA.WININET(?,00000015,?,?), ref: 00457B77
    • InternetCloseHandle.WININET(?), ref: 00457B82
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • CloseHandle.KERNEL32(?), ref: 00B97B37
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
    • InternetQueryOptionA.WININET(?,00000015,?,?), ref: 00B97B77
    • InternetCloseHandle.WININET(?), ref: 00B97B82
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000), ref: 00441FFF
    • GetLastError.KERNEL32(?,004649A8,00000000,?,?,0043AF07,?,00000008,?,?,?,?,?,00000000,0045AE13), ref: 00442009
      • Part of subcall function 004424DA: HeapAlloc.KERNEL32(00000008,?,?,0043B076,?,?,?,00000000,?,?,00000000,0045AA69,?,0045ADD5), ref: 004424EB
    • GetTokenInformation.ADVAPI32(?,00000001,?,?), ref: 00442031
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00B9A999
    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00B9A9B1
    • DuplicateHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000001), ref: 00B9A9CC
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000), ref: 00B81FFF
    • GetLastError.KERNEL32(?,00BA49A8,00000000,?,?,00B7AF07,?,00000008,?,?,?,?,?,00000000,00B9AE13), ref: 00B82009
      • Part of subcall function 00B824DA: HeapAlloc.KERNEL32(00000008,?,?,00B7B076,?,?,?,00000000,?,?,00000000,00B9AA69,?,00B9ADD5), ref: 00B824EB
    • GetTokenInformation.ADVAPI32(?,00000001,?,?), ref: 00B82031
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • OpenProcessToken.ADVAPI32(?,00000008), ref: 0043AEF5
      • Part of subcall function 00441FEC: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000), ref: 00441FFF
      • Part of subcall function 00441FEC: GetLastError.KERNEL32(?,004649A8,00000000,?,?,0043AF07,?,00000008,?,?,?,?,?,00000000,0045AE13), ref: 00442009
      • Part of subcall function 00441FEC: GetTokenInformation.ADVAPI32(?,00000001,?,?), ref: 00442031
    • GetTokenInformation.ADVAPI32(?,0000000C,004649A8,00000004), ref: 0043AF1D
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • CloseHandle.KERNEL32(?), ref: 0043AF33
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • OpenProcessToken.ADVAPI32(?,00000008), ref: 00B7AEF5
      • Part of subcall function 00B81FEC: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000), ref: 00B81FFF
      • Part of subcall function 00B81FEC: GetLastError.KERNEL32(?,00BA49A8,00000000,?,?,00B7AF07,?,00000008,?,?,?,?,?,00000000,00B9AE13), ref: 00B82009
      • Part of subcall function 00B81FEC: GetTokenInformation.ADVAPI32(?,00000001,?,?), ref: 00B82031
    • GetTokenInformation.ADVAPI32(?,0000000C,00BA49A8,00000004), ref: 00B7AF1D
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
    • CloseHandle.KERNEL32(?), ref: 00B7AF33
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
      • Part of subcall function 00B8204E: memcpy.MSVCRT ref: 00B8205C
      • Part of subcall function 00B9BC89: memcpy.MSVCRT ref: 00B9BCA4
      • Part of subcall function 00B9BC89: StringFromGUID2.OLE32 ref: 00B9BD4A
    • CreateMutexW.KERNEL32(00BA49B4,00000001), ref: 00B9C058
    • GetLastError.KERNEL32(?,?,?,?,00000002,00000000), ref: 00B9C064
    • CloseHandle.KERNEL32 ref: 00B9C072
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • PathFindFileNameW.SHLWAPI(000001ED), ref: 0044A759
    • PathRemoveExtensionW.SHLWAPI ref: 0044A76D
    • CharUpperW.USER32 ref: 0044A777
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • PathFindFileNameW.SHLWAPI(000001ED), ref: 00B8A759
    • PathRemoveExtensionW.SHLWAPI ref: 00B8A76D
    • CharUpperW.USER32 ref: 00B8A777
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • lstrlenW.KERNEL32(0042C448), ref: 0044D149
    • lstrlenW.KERNEL32 ref: 0044D14F
      • Part of subcall function 00442543: HeapAlloc.KERNEL32(00000008,?,?,00000000,0044D89F,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7,?,@echo off%sdel /F "%s"), ref: 0044256D
      • Part of subcall function 00442543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0044D89F,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7), ref: 00442580
    • memcpy.MSVCRT ref: 0044D173
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • lstrlenW.KERNEL32(00B6C448), ref: 00B8D149
    • lstrlenW.KERNEL32 ref: 00B8D14F
      • Part of subcall function 00B82543: HeapAlloc.KERNEL32(00000008,?,?,00000000,00B8D89F,?,?,?,00000000,00000000,00000000,00B8D869,?,00B7B3C7,?,@echo off%sdel /F "%s"), ref: 00B8256D
      • Part of subcall function 00B82543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00B8D89F,?,?,?,00000000,00000000,00000000,00B8D869,?,00B7B3C7), ref: 00B82580
    • memcpy.MSVCRT ref: 00B8D173
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0044D89F,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7), ref: 00442580
      • Part of subcall function 00442456: EnterCriticalSection.KERNEL32(00465AA4,00000028,004424C9,?,0045D211,?,?,00000000,?,?,00000001), ref: 00442466
      • Part of subcall function 00442456: LeaveCriticalSection.KERNEL32(00465AA4,?,0045D211,?,?,00000000,?,?,00000001), ref: 00442490
    • HeapAlloc.KERNEL32(00000008,?,?,00000000,0044D89F,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7,?,@echo off%sdel /F "%s"), ref: 0044256D
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00B8D89F,?,?,?,00000000,00000000,00000000,00B8D869,?,00B7B3C7), ref: 00B82580
      • Part of subcall function 00B82456: EnterCriticalSection.KERNEL32(00BA5AA4,00000028,00B824C9,?,00B9D211,?,?,00000000,?,?,00000001), ref: 00B82466
      • Part of subcall function 00B82456: LeaveCriticalSection.KERNEL32(00BA5AA4,?,00B9D211,?,?,00000000,?,?,00000001), ref: 00B82490
    • HeapAlloc.KERNEL32(00000008,?,?,00000000,00B8D89F,?,?,?,00000000,00000000,00000000,00B8D869,?,00B7B3C7,?,@echo off%sdel /F "%s"), ref: 00B8256D
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • GetLastError.KERNEL32(?,00436577), ref: 00436EA6
    • TlsSetValue.KERNEL32(00000000), ref: 00436EB6
    • SetLastError.KERNEL32(?,?,00436577), ref: 00436EBD
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • GetLastError.KERNEL32(?,00B76577), ref: 00B76EA6
    • TlsSetValue.KERNEL32(00000000), ref: 00B76EB6
    • SetLastError.KERNEL32(?,?,00B76577), ref: 00B76EBD
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • GetVersionExW.KERNEL32(00BA4858), ref: 00B986E6
    • GetNativeSystemInfo.KERNEL32(000000FF), ref: 00B98822
    • memset.MSVCRT ref: 00B98857
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
      • Part of subcall function 00453704: strtoul.MSVCRT ref: 004537FC
      • Part of subcall function 0045C0DB: EnterCriticalSection.KERNEL32(00465AA4,009B1E90,0045C7BB,009B1E90,0045D34F), ref: 0045C0EB
      • Part of subcall function 0045C0DB: LeaveCriticalSection.KERNEL32(00465AA4), ref: 0045C113
    • EnterCriticalSection.KERNEL32(00000000,?,?,?,?,00465050), ref: 004606F5
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • LeaveCriticalSection.KERNEL32(00000000,000000FF,00000000,?,?,?,?,00465050), ref: 0046071D
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 004449CD: EnterCriticalSection.KERNEL32(00465AA4,009B1E90,00444ECC,009B1E90), ref: 004449DD
      • Part of subcall function 004449CD: LeaveCriticalSection.KERNEL32(00465AA4,?,?,?,?,?,?,?,?,?,?,?,?,009B1EF0,0045D345), ref: 00444A05
    • PathFindFileNameW.SHLWAPI(009B1E90), ref: 00444ED2
      • Part of subcall function 00439E88: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00439E9D
      • Part of subcall function 00439E88: StrCmpIW.SHLWAPI ref: 00439EA7
      • Part of subcall function 004424C1: HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
    • InitializeCriticalSection.KERNEL32 ref: 00444F44
      • Part of subcall function 00436D72: EnterCriticalSection.KERNEL32(0046468C,00000000,00444F6E,?,000000FF), ref: 00436D7E
      • Part of subcall function 00436D72: LeaveCriticalSection.KERNEL32(0046468C,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,009B1EF0), ref: 00436D8E
      • Part of subcall function 00436D9C: LeaveCriticalSection.KERNEL32(0046468C,00436E01,00000001,00000000,00000000,?,00444F82,00000001,00000000,?,000000FF), ref: 00436DA6
      • Part of subcall function 00459DDC: GetCurrentThreadId.KERNEL32 ref: 00459DED
      • Part of subcall function 00459DDC: memcpy.MSVCRT ref: 00459F56
      • Part of subcall function 00459DDC: VirtualProtect.KERNEL32(?,?,00000040,00000000), ref: 00459FE2
      • Part of subcall function 00459DDC: GetLastError.KERNEL32(?,00000040,00000000,?,?,00000000), ref: 00459FEC
      • Part of subcall function 00436DAD: LeaveCriticalSection.KERNEL32(0046468C,?,00436E13,00000001,00000000,00000000,?,00444F82,00000001,00000000,?,000000FF), ref: 00436DBA
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    • DeleteCriticalSection.KERNEL32(00000000,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,009B1EF0), ref: 00444FBB
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B849CD: EnterCriticalSection.KERNEL32(00BA5AA4,01311E90,00B84ECC,01311E90), ref: 00B849DD
      • Part of subcall function 00B849CD: LeaveCriticalSection.KERNEL32(00BA5AA4,?,?,?,?,?,?,?,?,?,?,?,?,01311EF0,00B9D345), ref: 00B84A05
    • PathFindFileNameW.SHLWAPI(01311E90), ref: 00B84ED2
      • Part of subcall function 00B79E88: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00B79E9D
      • Part of subcall function 00B79E88: StrCmpIW.SHLWAPI ref: 00B79EA7
      • Part of subcall function 00B824C1: HeapAlloc.KERNEL32(00000000,00000028,?,00B9D211,?,?,00000000,?,?,00000001), ref: 00B824D2
    • InitializeCriticalSection.KERNEL32 ref: 00B84F44
      • Part of subcall function 00B76D72: EnterCriticalSection.KERNEL32(00BA468C,00000000,00B84F6E,?,000000FF), ref: 00B76D7E
      • Part of subcall function 00B76D72: LeaveCriticalSection.KERNEL32(00BA468C,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,01311EF0), ref: 00B76D8E
      • Part of subcall function 00B76D9C: LeaveCriticalSection.KERNEL32(00BA468C,00B76E01,00000001,00000000,00000000,?,00B84F82,00000001,00000000,?,000000FF), ref: 00B76DA6
      • Part of subcall function 00B99DDC: GetCurrentThreadId.KERNEL32 ref: 00B99DED
      • Part of subcall function 00B99DDC: memcpy.MSVCRT ref: 00B99F56
      • Part of subcall function 00B99DDC: VirtualProtect.KERNEL32(?,?,00000040,00000000), ref: 00B99FE2
      • Part of subcall function 00B99DDC: GetLastError.KERNEL32(?,00000040,00000000,?,?,00000000), ref: 00B99FEC
      • Part of subcall function 00B76DAD: LeaveCriticalSection.KERNEL32(00BA468C,?,00B76E13,00000001,00000000,00000000,?,00B84F82,00000001,00000000,?,000000FF), ref: 00B76DBA
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
    • DeleteCriticalSection.KERNEL32(00000000,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,01311EF0), ref: 00B84FBB
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
      • Part of subcall function 0045931E: CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000040), ref: 00459336
    • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00459433
    • CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00459458
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B9931E: CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000040), ref: 00B99336
    • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00B99433
    • CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00B99458
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 00B8C93C
      • Part of subcall function 00B825A7: memcpy.MSVCRT ref: 00B825C6
    • WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00B8C97B
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
    • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00B8C9A2
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00BA5AA4,?,00000001,?,?,00B9D824,?,?,?,00000001), ref: 00B9D62C
    • LeaveCriticalSection.KERNEL32(00BA5AA4,?,00000001,?,?,00B9D824,?,?,?,00000001), ref: 00B9D653
      • Part of subcall function 00B9D4EF: memset.MSVCRT ref: 00B9D506
      • Part of subcall function 00B993C4: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00B99433
      • Part of subcall function 00B993C4: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00B99458
      • Part of subcall function 00B9946B: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 00B994AA
    • _ultow.MSVCRT ref: 00B9D69A
      • Part of subcall function 00B99393: CryptDestroyHash.ADVAPI32 ref: 00B993AB
      • Part of subcall function 00B99393: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00B993BC
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 004483E6
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00448409
    • CloseHandle.KERNEL32 ref: 00448416
      • Part of subcall function 00455E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00455E26
      • Part of subcall function 00455E1D: DeleteFileW.KERNEL32 ref: 00455E2D
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • TlsAlloc.KERNEL32(0000000C,00456EB9,?,?,?,?,00000000), ref: 004569EA
    • TlsGetValue.KERNEL32(?,00000001,0000000C), ref: 004569FC
    • TlsSetValue.KERNEL32(?,?), ref: 00456A41
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • TlsAlloc.KERNEL32(01312004,00B96EB9,?,?,?,?,01311FF8), ref: 00B969EA
    • TlsGetValue.KERNEL32(?,00000001,01312004), ref: 00B969FC
    • TlsSetValue.KERNEL32(?,?), ref: 00B96A41
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00B883E6
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00B88409
    • CloseHandle.KERNEL32 ref: 00B88416
      • Part of subcall function 00B95E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00B95E26
      • Part of subcall function 00B95E1D: DeleteFileW.KERNEL32 ref: 00B95E2D
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • GetLastError.KERNEL32(?,00000000,004033DA,00401FB5,?,00492268,00000008,0040200C,?,?,?,00402331,00000004,00492318,0000000C,00401F0C), ref: 00401B90
    • SetLastError.KERNEL32(?,?,00000000,004033DA,00401FB5,?,00492268,00000008,0040200C,?,?,?,00402331,00000004,00492318,0000000C), ref: 00401BF4
      • Part of subcall function 004024C3: HeapAlloc.KERNEL32(00000008,?,00492370,00000010,00401BB6,00000001,0000008C,?,00000000,004033DA,00401FB5,?,00492268,00000008,0040200C,?), ref: 00402545
    • GetCurrentThreadId.KERNEL32 ref: 00401BDD
    Memory Dump Source
    • Source File: 00000003.00000000.254658263.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000000.254647752.00400000.00000002.sdmp
    • Associated: 00000003.00000000.254742621.00487000.00000002.sdmp
    • Associated: 00000003.00000000.254759473.00494000.00000008.sdmp
    • Associated: 00000003.00000000.254780696.004A1000.00000002.sdmp
    APIs
    • StrCmpNA.SHLWAPI(Basic ,?,00000000), ref: 00439F19
    • lstrcmpA.KERNEL32(Basic ,?,004554A4,00000006,Authorization,?,?,?), ref: 00439F23
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • StrCmpNA.SHLWAPI(Basic ,?,00000000), ref: 00B79F19
    • lstrcmpA.KERNEL32(Basic ,?,00B954A4,00000006,Authorization,?,?,?), ref: 00B79F23
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • memset.MSVCRT ref: 004369F9
    • TlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,009B1EF0), ref: 00436A02
    • InitializeCriticalSection.KERNEL32(0046468C), ref: 00436A12
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • memset.MSVCRT ref: 00B769F9
    • TlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,01311EF0), ref: 00B76A02
    • InitializeCriticalSection.KERNEL32(00BA468C), ref: 00B76A12
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • InitializeCriticalSection.KERNEL32(004647FC), ref: 0044B7C7
    • QueryPerformanceCounter.KERNEL32 ref: 0044B7D1
    • GetTickCount.KERNEL32 ref: 0044B7DB
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • InitializeCriticalSection.KERNEL32(00BA47FC), ref: 00B8B7C7
    • QueryPerformanceCounter.KERNEL32 ref: 00B8B7D1
    • GetTickCount.KERNEL32 ref: 00B8B7DB
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • GetTickCount.KERNEL32 ref: 004368F7
      • Part of subcall function 0045A05A: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,-00000003,?,00000000), ref: 0045A0AD
      • Part of subcall function 0045A05A: SetEndOfFile.KERNEL32 ref: 0045A115
    • WaitForSingleObject.KERNEL32(00015F90), ref: 0043695E
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00401FF3: EnterCriticalSection.KERNEL32(?,?,?,00402331,00000004,00492318,0000000C,00401F0C,?,?,?,00000000,?,00401E30,?,00491DB0), ref: 0040201B
    • GetCurrentProcess.KERNEL32 ref: 004848CA
    • TerminateProcess.KERNEL32 ref: 004848D1
      • Part of subcall function 004011FA: GetModuleHandleA.KERNEL32(mscoree.dll), ref: 004011FF
      • Part of subcall function 004011FA: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 0040120F
      • Part of subcall function 004011FA: ExitProcess.KERNEL32(?), ref: 00401223
    Strings
    Memory Dump Source
    • Source File: 00000003.00000000.254658263.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000000.254647752.00400000.00000002.sdmp
    • Associated: 00000003.00000000.254742621.00487000.00000002.sdmp
    • Associated: 00000003.00000000.254759473.00494000.00000008.sdmp
    • Associated: 00000003.00000000.254780696.004A1000.00000002.sdmp
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 004424C1: HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
    • memcpy.MSVCRT ref: 00461657
    • memcpy.MSVCRT ref: 0046166A
    • memcpy.MSVCRT ref: 0046168B
      • Part of subcall function 00454C13: StrCmpNIA.SHLWAPI(?,nbsp;,00000005), ref: 00454D7B
      • Part of subcall function 00442543: HeapAlloc.KERNEL32(00000008,?,?,00000000,0044D89F,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7,?,@echo off%sdel /F "%s"), ref: 0044256D
      • Part of subcall function 00442543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0044D89F,?,?,?,00000000,00000000,00000000,0044D869,?,0043B3C7), ref: 00442580
    • memcpy.MSVCRT ref: 004616FD
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
      • Part of subcall function 004425A7: memcpy.MSVCRT ref: 004425C6
      • Part of subcall function 00461070: memmove.MSVCRT ref: 004612E1
      • Part of subcall function 00461070: memcpy.MSVCRT ref: 004612F0
      • Part of subcall function 00461364: memcpy.MSVCRT ref: 004613D9
      • Part of subcall function 00461364: memmove.MSVCRT ref: 0046149F
      • Part of subcall function 00461364: memcpy.MSVCRT ref: 004614AE
      • Part of subcall function 0044BAD5: strcmp.MSVCRT(?,?,00000009,?,00000007,?,00000008,?,?,?,?,00000000,?), ref: 0044BB42
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B824C1: HeapAlloc.KERNEL32(00000000,00000028,?,00B9D211,?,?,00000000,?,?,00000001), ref: 00B824D2
    • memcpy.MSVCRT ref: 00BA1657
    • memcpy.MSVCRT ref: 00BA166A
    • memcpy.MSVCRT ref: 00BA168B
      • Part of subcall function 00B94C13: StrCmpNIA.SHLWAPI(?,nbsp;,00000005), ref: 00B94D7B
      • Part of subcall function 00B82543: HeapAlloc.KERNEL32(00000008,?,?,00000000,00B8D89F,?,?,?,00000000,00000000,00000000,00B8D869,?,00B7B3C7,?,@echo off%sdel /F "%s"), ref: 00B8256D
      • Part of subcall function 00B82543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00B8D89F,?,?,?,00000000,00000000,00000000,00B8D869,?,00B7B3C7), ref: 00B82580
    • memcpy.MSVCRT ref: 00BA16FD
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
      • Part of subcall function 00B825A7: memcpy.MSVCRT ref: 00B825C6
      • Part of subcall function 00BA1070: memmove.MSVCRT ref: 00BA12E1
      • Part of subcall function 00BA1070: memcpy.MSVCRT ref: 00BA12F0
      • Part of subcall function 00BA1364: memcpy.MSVCRT ref: 00BA13D9
      • Part of subcall function 00BA1364: memmove.MSVCRT ref: 00BA149F
      • Part of subcall function 00BA1364: memcpy.MSVCRT ref: 00BA14AE
      • Part of subcall function 00B8BAD5: strcmp.MSVCRT(?,?,00000009,?,00000007,?,00000008,?,?,?,?,00000000,?), ref: 00B8BB42
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
      • Part of subcall function 0044B64D: EnterCriticalSection.KERNEL32(00465AA4,?,0044B806,?,?,004559A9,00000000), ref: 0044B65D
      • Part of subcall function 0044B64D: LeaveCriticalSection.KERNEL32(00465AA4,?,?,004559A9,00000000), ref: 0044B687
    • EnterCriticalSection.KERNEL32(004647FC,?,?,004559A9,00000000), ref: 0044B80C
    • LeaveCriticalSection.KERNEL32(004647FC,?,?,004559A9,00000000), ref: 0044B81A
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B8B64D: EnterCriticalSection.KERNEL32(00BA5AA4,?,00B8B806,?,?,00B959A9,00000000), ref: 00B8B65D
      • Part of subcall function 00B8B64D: LeaveCriticalSection.KERNEL32(00BA5AA4,?,?,00B959A9,00000000), ref: 00B8B687
    • EnterCriticalSection.KERNEL32(00BA47FC,?,?,00B959A9,00000000), ref: 00B8B80C
    • LeaveCriticalSection.KERNEL32(00BA47FC,?,?,00B959A9,00000000), ref: 00B8B81A
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
      • Part of subcall function 00442456: EnterCriticalSection.KERNEL32(00465AA4,00000028,004424C9,?,0045D211,?,?,00000000,?,?,00000001), ref: 00442466
      • Part of subcall function 00442456: LeaveCriticalSection.KERNEL32(00465AA4,?,0045D211,?,?,00000000,?,?,00000001), ref: 00442490
    • HeapAlloc.KERNEL32(00000008,?,?,0043B076,?,?,?,00000000,?,?,00000000,0045AA69,?,0045ADD5), ref: 004424EB
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
      • Part of subcall function 00B82456: EnterCriticalSection.KERNEL32(00BA5AA4,00000028,00B824C9,?,00B9D211,?,?,00000000,?,?,00000001), ref: 00B82466
      • Part of subcall function 00B82456: LeaveCriticalSection.KERNEL32(00BA5AA4,?,00B9D211,?,?,00000000,?,?,00000001), ref: 00B82490
    • HeapAlloc.KERNEL32(00000008,?,?,00B7B076,?,?,?,00000000,?,?,00000000,00B9AA69,?,00B9ADD5), ref: 00B824EB
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • SetFileAttributesW.KERNEL32(?,00000080), ref: 00455E26
    • DeleteFileW.KERNEL32 ref: 00455E2D
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • SetFileAttributesW.KERNEL32(?,00000080), ref: 00B95E26
    • DeleteFileW.KERNEL32 ref: 00B95E2D
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00000000,004630F0,00000038,00444BB2,00000000,?), ref: 00444ACC
    • memcmp.MSVCRT ref: 00444AE3
      • Part of subcall function 004424C1: HeapAlloc.KERNEL32(00000000,00000028,?,0045D211,?,?,00000000,?,?,00000001), ref: 004424D2
    • memcpy.MSVCRT ref: 00444B11
    • LeaveCriticalSection.KERNEL32(00000000), ref: 00444B68
      • Part of subcall function 00442593: HeapFree.KERNEL32(00000000,009B1E90,0045D2D1,?,?,00000000,?,?,00000001), ref: 004425A0
    Memory Dump Source
    • Source File: 00000003.00000002.677971297.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.677966094.00400000.00000002.sdmp
    • Associated: 00000003.00000002.678006194.00464000.00000004.sdmp
    • Associated: 00000003.00000002.678011456.00467000.00000002.sdmp
    APIs
    • EnterCriticalSection.KERNEL32(00000000,00BA30F0,00000038,00B84BB2,00000000,?), ref: 00B84ACC
    • memcmp.MSVCRT ref: 00B84AE3
      • Part of subcall function 00B824C1: HeapAlloc.KERNEL32(00000000,00000028,?,00B9D211,?,?,00000000,?,?,00000001), ref: 00B824D2
    • memcpy.MSVCRT ref: 00B84B11
    • LeaveCriticalSection.KERNEL32(00000000), ref: 00B84B68
      • Part of subcall function 00B82593: HeapFree.KERNEL32(00000000,01311E90,00B9D2D1,?,?,00000000,?,?,00000001), ref: 00B825A0
    Memory Dump Source
    • Source File: 00000003.00000002.678200240.00B40000.00000040.sdmp, Offset: 00B40000, based on PE: true
    APIs
    • HeapReAlloc.KERNEL32(00000000,?,?,00403005,?,?,00000000), ref: 00402A3B
    • HeapAlloc.KERNEL32(00000008,000041C4,00000000,?,00403005,?,?,00000000), ref: 00402A74
    • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 00402A92
    • HeapFree.KERNEL32(00000000,?,?,00403005,?,?,00000000), ref: 00402AA9
    Memory Dump Source
    • Source File: 00000003.00000000.254658263.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000000.254647752.00400000.00000002.sdmp
    • Associated: 00000003.00000000.254742621.00487000.00000002.sdmp
    • Associated: 00000003.00000000.254759473.00494000.00000008.sdmp
    • Associated: 00000003.00000000.254780696.004A1000.00000002.sdmp
    Executed Functions
    APIs
      • Part of subcall function 0267B7D0: socket.WS2_32(?,?,00000006), ref: 0267B804
    • bind.WS2_32(?,0267BCEA), ref: 0267BC53
    • listen.WS2_32(?,00000014), ref: 0267BC68
    • WSAGetLastError.WS2_32(00000000,?,0267BCEA,?,?,?,?,00000000), ref: 0267BC76
      • Part of subcall function 0267B979: shutdown.WS2_32(?,00000002), ref: 0267B987
      • Part of subcall function 0267B979: closesocket.WS2_32 ref: 0267B990
      • Part of subcall function 0267B979: WSACloseEvent.WS2_32 ref: 0267B9A3
    • WSASetLastError.WS2_32(?,?,0267BCEA,?,?,?,?,00000000), ref: 0267BC86
      • Part of subcall function 0267B928: WSACreateEvent.WS2_32(00000000,?,0267BB6E,00000033,00000000,?,?,?,0268C4F0,?,00003A98,?,00000000,?,00000003), ref: 0267B93E
      • Part of subcall function 0267B928: WSAEventSelect.WS2_32(?,?,00000033), ref: 0267B954
      • Part of subcall function 0267B928: WSACloseEvent.WS2_32 ref: 0267B968
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • Sleep.KERNEL32(00003A98), ref: 0268952D
      • Part of subcall function 02678C74: InitializeCriticalSection.KERNEL32 ref: 02678C7B
    • InitializeCriticalSection.KERNEL32 ref: 02689591
    • memset.MSVCRT ref: 026895A8
    • InitializeCriticalSection.KERNEL32 ref: 026895C2
      • Part of subcall function 0268AAA2: memset.MSVCRT ref: 0268AAB9
      • Part of subcall function 0268AAA2: memset.MSVCRT ref: 0268AB8D
    • InitializeCriticalSection.KERNEL32 ref: 0268961C
    • memset.MSVCRT ref: 02689627
    • memset.MSVCRT ref: 02689635
      • Part of subcall function 02686431: EnterCriticalSection.KERNEL32(?,?,00000000,?,?,0000002C), ref: 02686531
      • Part of subcall function 02686431: LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,?,?,0000002C), ref: 02686572
      • Part of subcall function 02686431: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 02686581
      • Part of subcall function 02686431: SetEvent.KERNEL32 ref: 02686591
      • Part of subcall function 02686431: GetExitCodeThread.KERNEL32 ref: 026865A5
      • Part of subcall function 02686431: CloseHandle.KERNEL32 ref: 026865BB
      • Part of subcall function 02688626: getsockopt.WS2_32(?,0000FFFF,00001008,02669417,02669417), ref: 026886B2
      • Part of subcall function 02688626: GetHandleInformation.KERNEL32 ref: 026886C4
      • Part of subcall function 02688626: socket.WS2_32(?,00000001,00000006), ref: 026886F7
      • Part of subcall function 02688626: socket.WS2_32(?,00000002,00000011), ref: 02688708
      • Part of subcall function 02688626: closesocket.WS2_32(?), ref: 02688727
      • Part of subcall function 02688626: closesocket.WS2_32 ref: 0268872E
      • Part of subcall function 02688626: memset.MSVCRT ref: 026887F2
      • Part of subcall function 02688626: memcpy.MSVCRT ref: 02688902
      • Part of subcall function 026824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0269D211,?,?,00000000,?,?,00000001), ref: 026824D2
    • WaitForMultipleObjects.KERNEL32(?,?,00000000,0000EA60), ref: 026896AB
      • Part of subcall function 02678CBF: EnterCriticalSection.KERNEL32(?,?,?,02682B51,00000005,00007530,?,00000000,00000000), ref: 02678CC7
      • Part of subcall function 02678CBF: WaitForSingleObject.KERNEL32(?,00000000), ref: 02678CEB
      • Part of subcall function 02678CBF: CloseHandle.KERNEL32 ref: 02678CFB
      • Part of subcall function 02678CBF: LeaveCriticalSection.KERNEL32(?,?,?,?,02682B51,00000005,00007530,?,00000000,00000000), ref: 02678D2B
      • Part of subcall function 02688A6A: EnterCriticalSection.KERNEL32(?,?,?,77C475F0), ref: 02688A9B
      • Part of subcall function 02688A6A: WSAGetLastError.WS2_32(?,?,?,?,?,?,?,77C475F0), ref: 02688B2D
      • Part of subcall function 02688A6A: SetEvent.KERNEL32 ref: 02688B80
      • Part of subcall function 02688A6A: SetEvent.KERNEL32 ref: 02688BB9
      • Part of subcall function 02688A6A: LeaveCriticalSection.KERNEL32(?,?,?,?,77C475F0), ref: 02688C3E
      • Part of subcall function 02677D03: EnterCriticalSection.KERNEL32(?,?,?,?,?,0268979E,?,?,?,00000001), ref: 02677D24
      • Part of subcall function 02677D03: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,0268979E,?,?,?,00000001), ref: 02677D40
      • Part of subcall function 026758AE: memset.MSVCRT ref: 026759CD
      • Part of subcall function 026758AE: memcpy.MSVCRT ref: 026759E0
      • Part of subcall function 026758AE: memcpy.MSVCRT ref: 026759F6
      • Part of subcall function 0267BD24: accept.WS2_32(?,?), ref: 0267BD45
      • Part of subcall function 0267BD24: WSAEventSelect.WS2_32(?,00000000,00000000), ref: 0267BD57
      • Part of subcall function 0267BD24: WSAGetLastError.WS2_32(00000023,?,00000000,00000000,?,?), ref: 0267BD88
      • Part of subcall function 0267BD24: shutdown.WS2_32(?,00000002), ref: 0267BDA0
      • Part of subcall function 0267BD24: closesocket.WS2_32 ref: 0267BDA7
      • Part of subcall function 0267BD24: WSASetLastError.WS2_32(00000008,?,?,00000002,?,00000000,00000000,?,?), ref: 0267BDAE
      • Part of subcall function 02688C4C: EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,?,?,0268984D,?,?,00000000,?,?,00000590), ref: 02688C7F
      • Part of subcall function 02688C4C: memcmp.MSVCRT ref: 02688CCD
      • Part of subcall function 02688C4C: SetEvent.KERNEL32 ref: 02688D0E
      • Part of subcall function 02688C4C: LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,?,?,0268984D,?,?,00000000,?,?,00000590), ref: 02688D3B
      • Part of subcall function 02678DE6: EnterCriticalSection.KERNEL32(027F1F34,?,?,?,0269B2F2,?,?,00000001), ref: 02678DEF
      • Part of subcall function 02678DE6: LeaveCriticalSection.KERNEL32(027F1F34,?,?,?,0269B2F2,?,?,00000001), ref: 02678DF9
      • Part of subcall function 02678DE6: WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 02678E1F
      • Part of subcall function 02678DE6: EnterCriticalSection.KERNEL32(027F1F34,?,?,?,0269B2F2,?,?,00000001), ref: 02678E37
      • Part of subcall function 02678DE6: LeaveCriticalSection.KERNEL32(027F1F34,?,?,?,0269B2F2,?,?,00000001), ref: 02678E41
    • CloseHandle.KERNEL32(00000000), ref: 026898AA
    • CloseHandle.KERNEL32(00000000), ref: 026898B7
      • Part of subcall function 02686865: EnterCriticalSection.KERNEL32(?,?,00000000,?,02686B6E,00000064,00000000,000000C8,00000000,?,00000001,?,0000002C), ref: 0268686E
      • Part of subcall function 02686865: LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,02686B6E,00000064,00000000,000000C8,00000000,?,00000001,?,0000002C), ref: 026868A5
    • DeleteCriticalSection.KERNEL32 ref: 026898CD
      • Part of subcall function 0268ABB8: memset.MSVCRT ref: 0268ABC8
    • DeleteCriticalSection.KERNEL32 ref: 026898EC
    • CloseHandle.KERNEL32(00000000), ref: 026898F9
    • DeleteCriticalSection.KERNEL32 ref: 02689903
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
      • Part of subcall function 02678C8F: CloseHandle.KERNEL32 ref: 02678C9F
      • Part of subcall function 02678C8F: DeleteCriticalSection.KERNEL32(?,?,027F1F28,0269B303,?,?,00000001), ref: 02678CB6
      • Part of subcall function 026894FB: WaitForSingleObject.KERNEL32(?,00000000), ref: 02689503
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 0269CB85: InternetCloseHandle.WININET ref: 0269CB99
    • HttpOpenRequestA.WININET(?,?,?,HTTP/1.1,00000000,0266C9E0,?,00000000), ref: 0269CCE9
    • HttpAddRequestHeadersA.WININET(?,Connection: Close,00000013,A0000000), ref: 0269CD0C
    • HttpSendRequestExA.WININET(?,?,00000000,00000000,00000000), ref: 0269CD4E
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • memset.MSVCRT ref: 0269990F
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 02699920
    • VirtualAlloc.KERNEL32(?,=::=::\,00003000,00000040), ref: 02699954
    • memset.MSVCRT ref: 02699994
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 026999A5
    • VirtualAlloc.KERNEL32(?,=::=::\,00003000,00000040), ref: 026999E5
    • memset.MSVCRT ref: 02699A50
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 0268204E: memcpy.MSVCRT ref: 0268205C
      • Part of subcall function 0269570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0269ABEA,0269ABEA), ref: 0269573C
    • PathRemoveFileSpecW.SHLWAPI(00000000), ref: 02696283
      • Part of subcall function 02678F6F: memcpy.MSVCRT ref: 02678FE0
      • Part of subcall function 02678F6F: PathRemoveBackslashW.SHLWAPI ref: 02678FEA
      • Part of subcall function 02678F6F: memcpy.MSVCRT ref: 02679033
      • Part of subcall function 02678F6F: memcpy.MSVCRT ref: 02679060
      • Part of subcall function 02678F6F: PathRemoveBackslashW.SHLWAPI ref: 0267906A
    • FindFirstFileW.KERNEL32 ref: 026962F1
    • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0269634A
    • FindClose.KERNEL32 ref: 02696453
      • Part of subcall function 02695AB0: GetFileSizeEx.KERNEL32(?,?), ref: 02695ABB
      • Part of subcall function 026824DA: HeapAlloc.KERNEL32(00000008,?,?,0267B076,?,?,?,00000000,?,?,00000000,0269AA69,?,0269ADD5), ref: 026824EB
    • SetLastError.KERNEL32(00000057,?,?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 026963BB
      • Part of subcall function 02695B34: ReadFile.KERNEL32(00000000,?,?,?,00000000), ref: 02695B46
    • CloseHandle.KERNEL32 ref: 026963F5
      • Part of subcall function 02695934: CloseHandle.KERNEL32 ref: 02695940
    • FindNextFileW.KERNEL32 ref: 02696429
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
      • Part of subcall function 02695E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 02695E26
      • Part of subcall function 02695E1D: DeleteFileW.KERNEL32 ref: 02695E2D
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 02696256
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02675BC1
    • Process32FirstW.KERNEL32 ref: 02675BE6
      • Part of subcall function 0269C012: CreateMutexW.KERNEL32(026A49B4,00000001), ref: 0269C058
      • Part of subcall function 0269C012: GetLastError.KERNEL32(?,?,?,?,00000002,00000000), ref: 0269C064
      • Part of subcall function 0269C012: CloseHandle.KERNEL32 ref: 0269C072
    • OpenProcess.KERNEL32(00000400,00000000,?), ref: 02675C3D
    • CloseHandle.KERNEL32(?), ref: 02675D07
      • Part of subcall function 0267AEE3: OpenProcessToken.ADVAPI32(?,00000008), ref: 0267AEF5
      • Part of subcall function 0267AEE3: GetTokenInformation.ADVAPI32(?,0000000C,026A49A8,00000004), ref: 0267AF1D
      • Part of subcall function 0267AEE3: CloseHandle.KERNEL32(?), ref: 0267AF33
    • CloseHandle.KERNEL32 ref: 02675C5B
    • GetLengthSid.ADVAPI32 ref: 02675C77
    • memcmp.MSVCRT ref: 02675C8F
      • Part of subcall function 02682543: HeapAlloc.KERNEL32(00000008,?,?,00000000,0268D89F,?,?,?,00000000,00000000,00000000,0268D869,?,0267B3C7,?,@echo off%sdel /F "%s"), ref: 0268256D
      • Part of subcall function 02682543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0268D89F,?,?,?,00000000,00000000,00000000,0268D869,?,0267B3C7), ref: 02682580
      • Part of subcall function 02675B0B: OpenProcess.KERNEL32(0000047A,00000000,?), ref: 02675B19
      • Part of subcall function 02675B0B: CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000000,00000000), ref: 02675B5A
      • Part of subcall function 02675B0B: WaitForSingleObject.KERNEL32(?,00002710), ref: 02675B6C
      • Part of subcall function 02675B0B: CloseHandle.KERNEL32 ref: 02675B73
      • Part of subcall function 02675B0B: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 02675B85
      • Part of subcall function 02675B0B: CloseHandle.KERNEL32 ref: 02675B8C
    • Process32NextW.KERNEL32(?,?), ref: 02675D13
    • CloseHandle.KERNEL32 ref: 02675D26
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 0269D9E1: memset.MSVCRT ref: 0269D9F0
      • Part of subcall function 0269D9E1: memcpy.MSVCRT ref: 0269DA17
      • Part of subcall function 026841F9: CoInitializeEx.OLE32(00000000,00000000), ref: 02684206
    • getsockopt.WS2_32(?,0000FFFF,00001008,02669417,02669417), ref: 026886B2
    • GetHandleInformation.KERNEL32 ref: 026886C4
      • Part of subcall function 0267B764: EnterCriticalSection.KERNEL32(026A5AA4,?,0267B826,?,0269C86A,0268C4AB,0268C4AB,?,0268C4AB,?,00000001), ref: 0267B774
      • Part of subcall function 0267B764: LeaveCriticalSection.KERNEL32(026A5AA4,?,0267B826,?,0269C86A,0268C4AB,0268C4AB,?,0268C4AB,?,00000001), ref: 0267B79E
    • socket.WS2_32(?,00000001,00000006), ref: 026886F7
    • socket.WS2_32(?,00000002,00000011), ref: 02688708
    • closesocket.WS2_32(?), ref: 02688727
    • closesocket.WS2_32 ref: 0268872E
      • Part of subcall function 026824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0269D211,?,?,00000000,?,?,00000001), ref: 026824D2
    • memset.MSVCRT ref: 026887F2
      • Part of subcall function 0267BC0C: bind.WS2_32(?,0267BCEA), ref: 0267BC53
      • Part of subcall function 0267BC0C: listen.WS2_32(?,00000014), ref: 0267BC68
      • Part of subcall function 0267BC0C: WSAGetLastError.WS2_32(00000000,?,0267BCEA,?,?,?,?,00000000), ref: 0267BC76
      • Part of subcall function 0267BC0C: WSASetLastError.WS2_32(?,?,0267BCEA,?,?,?,?,00000000), ref: 0267BC86
      • Part of subcall function 0267BC93: memset.MSVCRT ref: 0267BCA9
      • Part of subcall function 0267BC93: WSAGetLastError.WS2_32(?,?,?,?,00000000), ref: 0267BCEE
      • Part of subcall function 02688A41: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 02688A52
    • memcpy.MSVCRT ref: 02688902
      • Part of subcall function 0267BAC9: memset.MSVCRT ref: 0267BADE
      • Part of subcall function 0267BAC9: getsockname.WS2_32(?,02677C25), ref: 0267BAF1
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(027F1F34,027F1F28,?,?,0268A99B,00000000,0268A6E2,00000000,?,00000000,?,?,?,0269B2E2,?,00000001), ref: 02678D3D
    • CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 02678D76
    • DuplicateHandle.KERNEL32(000000FF,?,000000FF,0268A99B,00000000,00000000,00000002), ref: 02678D95
    • GetLastError.KERNEL32(?,000000FF,0268A99B,00000000,00000000,00000002,?,?,0268A99B,00000000,0268A6E2,00000000,?,00000000), ref: 02678D9F
    • TerminateThread.KERNEL32 ref: 02678DA7
    • CloseHandle.KERNEL32 ref: 02678DAE
      • Part of subcall function 026824F3: HeapAlloc.KERNEL32(00000000,?,?,?,02676328,?,?,02698D10,?,?,?,?,0000FFFF), ref: 0268251D
      • Part of subcall function 026824F3: HeapReAlloc.KERNEL32(00000000,?,?,?,?,02676328,?,?,02698D10,?,?,?,?,0000FFFF), ref: 02682530
    • LeaveCriticalSection.KERNEL32(027F1F34,?,0268A99B,00000000,0268A6E2,00000000,?,00000000,?,?,?,0269B2E2,?,00000001), ref: 02678DC3
    • ResumeThread.KERNEL32 ref: 02678DDC
      • Part of subcall function 02682543: HeapAlloc.KERNEL32(00000008,?,?,00000000,0268D89F,?,?,?,00000000,00000000,00000000,0268D869,?,0267B3C7,?,@echo off%sdel /F "%s"), ref: 0268256D
      • Part of subcall function 02682543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0268D89F,?,?,?,00000000,00000000,00000000,0268D869,?,0267B3C7), ref: 02682580
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 02699BEC
    • memcpy.MSVCRT ref: 02699C39
    • GetThreadContext.KERNEL32(?,00000010), ref: 02699CAF
    • SetThreadContext.KERNEL32(?,?), ref: 02699D1A
    • GetCurrentProcess.KERNEL32 ref: 02699D33
    • VirtualProtect.KERNEL32(?,0000007C,?), ref: 02699D58
    • FlushInstructionCache.KERNEL32(?,?,0000007C), ref: 02699D6A
      • Part of subcall function 02699A67: memset.MSVCRT ref: 02699A78
      • Part of subcall function 02699821: GetCurrentProcess.KERNEL32 ref: 02699824
      • Part of subcall function 02699821: VirtualProtect.KERNEL32(3D920000,=::=::\,00000020), ref: 02699845
      • Part of subcall function 02699821: FlushInstructionCache.KERNEL32(?,3D920000,=::=::\), ref: 0269984E
    • ResumeThread.KERNEL32(?), ref: 02699DAB
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
      • Part of subcall function 02699B45: GetCurrentThreadId.KERNEL32 ref: 02699B46
      • Part of subcall function 02699B45: VirtualProtect.KERNEL32(?,0000007C,?,?), ref: 02699B7D
      • Part of subcall function 02699B45: ResumeThread.KERNEL32(?), ref: 02699BBE
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • InitializeSecurityDescriptor.ADVAPI32(026A49C0,00000001), ref: 02681F5F
    • SetSecurityDescriptorDacl.ADVAPI32(026A49C0,00000001,00000000,00000000), ref: 02681F70
    • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NRNWNX;;;LW),00000001,?,00000000), ref: 02681F86
    • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 02681FA2
    • SetSecurityDescriptorSacl.ADVAPI32(026A49C0,?,?,00000001), ref: 02681FB6
    • LocalFree.KERNEL32(?), ref: 02681FC8
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 02676A4D: TlsSetValue.KERNEL32(00000001,0268A6E8), ref: 02676A5A
    • GetCurrentThread.KERNEL32 ref: 0268A799
    • SetThreadPriority.KERNEL32 ref: 0268A7A0
      • Part of subcall function 0269C09D: CreateMutexW.KERNEL32(026A49B4,00000000), ref: 0269C0BF
      • Part of subcall function 0268204E: memcpy.MSVCRT ref: 0268205C
      • Part of subcall function 0269570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0269ABEA,0269ABEA), ref: 0269573C
      • Part of subcall function 0268A755: PathFindFileNameW.SHLWAPI(000001ED), ref: 0268A759
      • Part of subcall function 0268A755: PathRemoveExtensionW.SHLWAPI ref: 0268A76D
      • Part of subcall function 0268A755: CharUpperW.USER32 ref: 0268A777
    • PathQuoteSpacesW.SHLWAPI ref: 0268A83E
      • Part of subcall function 0269AFD3: WaitForSingleObject.KERNEL32(00000000,0268A702), ref: 0269AFDB
    • WaitForSingleObject.KERNEL32 ref: 0268A879
    • StrCmpW.SHLWAPI ref: 0268A8D7
      • Part of subcall function 026907B0: RegCreateKeyExW.ADVAPI32(80000001,00000102,00000000,00000000,00000000,?,00000000,?,?), ref: 026907D8
    • RegSetValueExW.ADVAPI32(000000FF,?,00000000,00000001), ref: 0268A938
      • Part of subcall function 02690755: RegFlushKey.ADVAPI32 ref: 02690765
      • Part of subcall function 02690755: RegCloseKey.ADVAPI32 ref: 0269076D
    • WaitForSingleObject.KERNEL32 ref: 0268A959
      • Part of subcall function 0267766D: ReleaseMutex.KERNEL32 ref: 02677671
      • Part of subcall function 0267766D: CloseHandle.KERNEL32 ref: 02677678
      • Part of subcall function 0268B7FF: EnterCriticalSection.KERNEL32(026A47FC,?,?,026959A9,00000000), ref: 0268B80C
      • Part of subcall function 0268B7FF: LeaveCriticalSection.KERNEL32(026A47FC,?,?,026959A9,00000000), ref: 0268B81A
      • Part of subcall function 02678F6F: memcpy.MSVCRT ref: 02678FE0
      • Part of subcall function 02678F6F: PathRemoveBackslashW.SHLWAPI ref: 02678FEA
      • Part of subcall function 02678F6F: memcpy.MSVCRT ref: 02679033
      • Part of subcall function 02678F6F: memcpy.MSVCRT ref: 02679060
      • Part of subcall function 02678F6F: PathRemoveBackslashW.SHLWAPI ref: 0267906A
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 0268A7EC
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 0268204E: memcpy.MSVCRT ref: 0268205C
      • Part of subcall function 0269570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0269ABEA,0269ABEA), ref: 0269573C
    • lstrcatW.KERNEL32(?,.dat), ref: 0269AC32
    • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0269AC57
    • ReadFile.KERNEL32(?,?,000001FE,?,00000000), ref: 0269AC75
    • CloseHandle.KERNEL32 ref: 0269AC82
      • Part of subcall function 0269D2D7: EnterCriticalSection.KERNEL32(027F1E90,?), ref: 0269D2EB
      • Part of subcall function 0269D2D7: GetFileVersionInfoSizeW.VERSION(027F1EF0), ref: 0269D30C
      • Part of subcall function 0269D2D7: GetFileVersionInfoW.VERSION(027F1EF0,00000000), ref: 0269D32A
      • Part of subcall function 0269D2D7: LeaveCriticalSection.KERNEL32(027F1E90,00000001,00000001,00000001,00000001), ref: 0269D413
      • Part of subcall function 02678F6F: memcpy.MSVCRT ref: 02678FE0
      • Part of subcall function 02678F6F: PathRemoveBackslashW.SHLWAPI ref: 02678FEA
      • Part of subcall function 02678F6F: memcpy.MSVCRT ref: 02679033
      • Part of subcall function 02678F6F: memcpy.MSVCRT ref: 02679060
      • Part of subcall function 02678F6F: PathRemoveBackslashW.SHLWAPI ref: 0267906A
    Strings
    • .dat, xrefs: 0269AC26
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 0269ABF1
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • LoadLibraryW.KERNEL32(urlmon.dll), ref: 0267C8D4
    • GetProcAddress.KERNEL32(?,ObtainUserAgentString), ref: 0267C8EA
    • FreeLibrary.KERNEL32 ref: 0267C935
      • Part of subcall function 026824DA: HeapAlloc.KERNEL32(00000008,?,?,0267B076,?,?,?,00000000,?,?,00000000,0269AA69,?,0269ADD5), ref: 026824EB
    • ObtainUserAgentString.URLMON ref: 0267C918
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • OpenProcess.KERNEL32(0000047A,00000000,?), ref: 02675B19
      • Part of subcall function 0269AEB1: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 0269AECF
      • Part of subcall function 0269AEB1: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 0269AF0A
      • Part of subcall function 0269AEB1: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0269AF4A
      • Part of subcall function 0269AEB1: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0269AF6D
      • Part of subcall function 0269AEB1: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0269AFBD
    • CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000000,00000000), ref: 02675B5A
    • WaitForSingleObject.KERNEL32(?,00002710), ref: 02675B6C
    • CloseHandle.KERNEL32 ref: 02675B73
    • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 02675B85
    • CloseHandle.KERNEL32 ref: 02675B8C
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 02682456: EnterCriticalSection.KERNEL32(026A5AA4,00000028,026824C9,?,0269D211,?,?,00000000,?,?,00000001), ref: 02682466
      • Part of subcall function 02682456: LeaveCriticalSection.KERNEL32(026A5AA4,?,0269D211,?,?,00000000,?,?,00000001), ref: 02682490
    • HeapAlloc.KERNEL32(00000000,00000028,?,0269D211,?,?,00000000,?,?,00000001), ref: 026824D2
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 0267B764: EnterCriticalSection.KERNEL32(026A5AA4,?,0267B826,?,0269C86A,0268C4AB,0268C4AB,?,0268C4AB,?,00000001), ref: 0267B774
      • Part of subcall function 0267B764: LeaveCriticalSection.KERNEL32(026A5AA4,?,0267B826,?,0269C86A,0268C4AB,0268C4AB,?,0268C4AB,?,00000001), ref: 0267B79E
    • socket.WS2_32(?,00000002,00000000), ref: 0267C0DF
    • WSAIoctl.WS2_32(?,48000016,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0267C112
    • WSAGetLastError.WS2_32(?,48000016,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00000002,00000000,00000000,?,?), ref: 0267C119
      • Part of subcall function 026824DA: HeapAlloc.KERNEL32(00000008,?,?,0267B076,?,?,?,00000000,?,?,00000000,0269AA69,?,0269ADD5), ref: 026824EB
    • WSAIoctl.WS2_32(?,48000016,00000000,00000000,?,?,?,00000000,00000000), ref: 0267C14D
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    • closesocket.WS2_32 ref: 0267C15D
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 02699DED
      • Part of subcall function 026824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0269D211,?,?,00000000,?,?,00000001), ref: 026824D2
      • Part of subcall function 0269985F: memset.MSVCRT ref: 0269990F
      • Part of subcall function 0269985F: VirtualQuery.KERNEL32(?,?,0000001C), ref: 02699920
      • Part of subcall function 0269985F: VirtualAlloc.KERNEL32(?,=::=::\,00003000,00000040), ref: 02699954
      • Part of subcall function 0269985F: memset.MSVCRT ref: 02699994
      • Part of subcall function 0269985F: VirtualQuery.KERNEL32(?,?,0000001C), ref: 026999A5
      • Part of subcall function 0269985F: VirtualAlloc.KERNEL32(?,=::=::\,00003000,00000040), ref: 026999E5
      • Part of subcall function 0269985F: memset.MSVCRT ref: 02699A50
      • Part of subcall function 026964A4: SetLastError.KERNEL32(0000000D), ref: 026964DF
    • memcpy.MSVCRT ref: 02699F56
    • VirtualProtect.KERNEL32(?,?,00000040,00000000), ref: 02699FE2
    • GetLastError.KERNEL32(?,00000040,00000000,?,?,00000000), ref: 02699FEC
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
      • Part of subcall function 02699A67: memset.MSVCRT ref: 02699A78
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(026A5AA4,00000000,?,?,026793C9), ref: 0269D5B6
    • LeaveCriticalSection.KERNEL32(026A5AA4,?,?,026793C9), ref: 0269D5DC
      • Part of subcall function 0269D4EF: memset.MSVCRT ref: 0269D506
    • CreateMutexW.KERNEL32(026A49B4,00000000,Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}), ref: 0269D5EE
      • Part of subcall function 026775E7: WaitForSingleObject.KERNEL32(?,000000FF), ref: 026775ED
      • Part of subcall function 026775E7: CloseHandle.KERNEL32 ref: 026775FF
    Strings
    • Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}, xrefs: 0269D5E3
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 0269AECF
      • Part of subcall function 0268C90D: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 0268C93C
      • Part of subcall function 0268C90D: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0268C97B
      • Part of subcall function 0268C90D: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0268C9A2
    • DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 0269AF0A
    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0269AF4A
    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0269AF6D
      • Part of subcall function 0269A976: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 0269A999
      • Part of subcall function 0269A976: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0269A9B1
      • Part of subcall function 0269A976: DuplicateHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000001), ref: 0269A9CC
    • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0269AFBD
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 0267B7D0: socket.WS2_32(?,?,00000006), ref: 0267B804
    • connect.WS2_32(?,?), ref: 0267BB93
    • WSAGetLastError.WS2_32(?,00000000,?,?,?,0268C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 0267BBA2
    • WSASetLastError.WS2_32(00000000), ref: 0267BC00
      • Part of subcall function 0267B979: shutdown.WS2_32(?,00000002), ref: 0267B987
      • Part of subcall function 0267B979: closesocket.WS2_32 ref: 0267B990
      • Part of subcall function 0267B979: WSACloseEvent.WS2_32 ref: 0267B9A3
      • Part of subcall function 0267B928: WSACreateEvent.WS2_32(00000000,?,0267BB6E,00000033,00000000,?,?,?,0268C4F0,?,00003A98,?,00000000,?,00000003), ref: 0267B93E
      • Part of subcall function 0267B928: WSAEventSelect.WS2_32(?,?,00000033), ref: 0267B954
      • Part of subcall function 0267B928: WSACloseEvent.WS2_32 ref: 0267B968
    • WSASetLastError.WS2_32(?,?,?,?,0268C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 0267BBC0
    • WSAGetLastError.WS2_32(?,?,?,0268C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 0267BBC2
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • GetCurrentProcess.KERNEL32 ref: 02699824
    • VirtualProtect.KERNEL32(3D920000,=::=::\,00000020), ref: 02699845
    • FlushInstructionCache.KERNEL32(?,3D920000,=::=::\), ref: 0269984E
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(027F1E90,?), ref: 0269D2EB
      • Part of subcall function 0268BDA7: GetModuleHandleW.KERNEL32 ref: 0268BDC3
      • Part of subcall function 0268BDA7: GetModuleHandleW.KERNEL32 ref: 0268BDFE
    • GetFileVersionInfoSizeW.VERSION(027F1EF0), ref: 0269D30C
    • GetFileVersionInfoW.VERSION(027F1EF0,00000000), ref: 0269D32A
      • Part of subcall function 02684EC0: PathFindFileNameW.SHLWAPI(027F1E90), ref: 02684ED2
      • Part of subcall function 02684EC0: InitializeCriticalSection.KERNEL32 ref: 02684F44
      • Part of subcall function 02684EC0: DeleteCriticalSection.KERNEL32(00000000,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,027F1EF0), ref: 02684FBB
      • Part of subcall function 0267A90A: InitializeCriticalSection.KERNEL32 ref: 0267A938
      • Part of subcall function 0267A90A: GetModuleHandleW.KERNEL32 ref: 0267A976
      • Part of subcall function 0269C7B5: InitializeCriticalSection.KERNEL32 ref: 0269C7CA
      • Part of subcall function 026968C4: EnterCriticalSection.KERNEL32(026A5AA4,027F1E90,0269D364,00000001,00000001), ref: 026968D4
      • Part of subcall function 026968C4: LeaveCriticalSection.KERNEL32(026A5AA4), ref: 026968FC
      • Part of subcall function 026824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0269D211,?,?,00000000,?,?,00000001), ref: 026824D2
      • Part of subcall function 02698AD4: GetCommandLineW.KERNEL32 ref: 02698B5E
      • Part of subcall function 02698AD4: CommandLineToArgvW.SHELL32 ref: 02698B65
      • Part of subcall function 02698AD4: LocalFree.KERNEL32 ref: 02698BA5
      • Part of subcall function 02698AD4: GetModuleHandleW.KERNEL32(?), ref: 02698BE7
      • Part of subcall function 0267CE23: VerQueryValueW.VERSION(?,0266AE74,?,?,027F1E90,0269D393), ref: 0267CE44
      • Part of subcall function 0267CE23: GetModuleHandleW.KERNEL32(?), ref: 0267CE85
      • Part of subcall function 0269FE99: GetModuleHandleW.KERNEL32 ref: 0269FEB6
      • Part of subcall function 0268B000: EnterCriticalSection.KERNEL32(026A5AA4,027F1E90,0269D39D), ref: 0268B010
      • Part of subcall function 0268B000: LeaveCriticalSection.KERNEL32(026A5AA4), ref: 0268B038
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    • LeaveCriticalSection.KERNEL32(027F1E90,00000001,00000001,00000001,00000001), ref: 0269D413
      • Part of subcall function 02676D72: EnterCriticalSection.KERNEL32(026A468C,00000000,02684F6E,?,000000FF), ref: 02676D7E
      • Part of subcall function 02676D72: LeaveCriticalSection.KERNEL32(026A468C,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,027F1EF0), ref: 02676D8E
      • Part of subcall function 02676D9C: LeaveCriticalSection.KERNEL32(026A468C,02676E01,00000001,00000000,00000000,?,02684F82,00000001,00000000,?,000000FF), ref: 02676DA6
      • Part of subcall function 02676DAD: LeaveCriticalSection.KERNEL32(026A468C,?,02676E13,00000001,00000000,00000000,?,02684F82,00000001,00000000,?,000000FF), ref: 02676DBA
      • Part of subcall function 0269699E: memset.MSVCRT ref: 026969C6
      • Part of subcall function 0269699E: InitializeCriticalSection.KERNEL32 ref: 026969D3
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • GetTickCount.KERNEL32 ref: 02685138
    • GetLastInputInfo.USER32(?), ref: 0268514B
    • GetLocalTime.KERNEL32 ref: 0268516F
      • Part of subcall function 02696891: SystemTimeToFileTime.KERNEL32 ref: 0269689B
    • GetTimeZoneInformation.KERNEL32 ref: 02685187
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0267AF51
    • Thread32First.KERNEL32 ref: 0267AF6C
    • Thread32Next.KERNEL32(?,?), ref: 0267AF7F
    • CloseHandle.KERNEL32 ref: 0267AF8A
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 02699AEE
    • VirtualProtect.KERNEL32(3D920000,00010000,00000040,?), ref: 02699B34
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • WSAEventSelect.WS2_32(?,?,?), ref: 0267BF85
    • WaitForMultipleObjects.KERNEL32(?,00000001,00000000,?), ref: 0267BFBA
    • WSAEventSelect.WS2_32 ref: 0267C008
    • WSASetLastError.WS2_32(?,?,?,?,?,00000001,00000000,?,?,?,?), ref: 0267C01B
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • CreateThread.KERNEL32(00000000,00000000,Function_00053883,00000000), ref: 02693964
    • WaitForSingleObject.KERNEL32(?,00003A98), ref: 02693976
    • TerminateThread.KERNEL32(?,00000000), ref: 02693982
    • CloseHandle.KERNEL32 ref: 02693989
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • WSACreateEvent.WS2_32(00000000,?,0267BB6E,00000033,00000000,?,?,?,0268C4F0,?,00003A98,?,00000000,?,00000003), ref: 0267B93E
    • WSAEventSelect.WS2_32(?,?,00000033), ref: 0267B954
    • WSACloseEvent.WS2_32 ref: 0267B968
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 0269A999
    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0269A9B1
    • DuplicateHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000001), ref: 0269A9CC
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 0268204E: memcpy.MSVCRT ref: 0268205C
      • Part of subcall function 0269BC89: memcpy.MSVCRT ref: 0269BCA4
      • Part of subcall function 0269BC89: StringFromGUID2.OLE32 ref: 0269BD4A
    • CreateMutexW.KERNEL32(026A49B4,00000001), ref: 0269C058
    • GetLastError.KERNEL32(?,?,?,?,00000002,00000000), ref: 0269C064
    • CloseHandle.KERNEL32 ref: 0269C072
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • GetVersionExW.KERNEL32(026A4858), ref: 026986E6
    • GetNativeSystemInfo.KERNEL32(000000FF), ref: 02698822
    • memset.MSVCRT ref: 02698857
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 02676E1F: GetLastError.KERNEL32(3D920680,?,0267652A), ref: 02676E21
      • Part of subcall function 02676E1F: TlsGetValue.KERNEL32(?,?,0267652A), ref: 02676E3E
      • Part of subcall function 02676E1F: TlsSetValue.KERNEL32(00000001), ref: 02676E50
      • Part of subcall function 02676E1F: SetLastError.KERNEL32(?,?,0267652A), ref: 02676E60
    • HttpSendRequestExA.WININET(?,?,?,?,?), ref: 0269EEF5
    • memset.MSVCRT ref: 0269EF0F
    • memcpy.MSVCRT ref: 0269EF20
      • Part of subcall function 02676EA5: GetLastError.KERNEL32(?,02676577), ref: 02676EA6
      • Part of subcall function 02676EA5: TlsSetValue.KERNEL32(00000000), ref: 02676EB6
      • Part of subcall function 02676EA5: SetLastError.KERNEL32(?,?,02676577), ref: 02676EBD
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 0268C93C
      • Part of subcall function 026825A7: memcpy.MSVCRT ref: 026825C6
    • WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0268C97B
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0268C9A2
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
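The function above is the textbook remote-memory-write sequence: VirtualAllocEx with flAllocationType 0x3000 (MEM_COMMIT|MEM_RESERVE) and flProtect 0x40 (PAGE_EXECUTE_READWRITE), WriteProcessMemory into that allocation, then VirtualFreeEx with 0x8000 (MEM_RELEASE). The listing prints such arguments as raw hex and shows `?` wherever the tool could not recover a value. As an added example (not part of the Joe Sandbox report and not code from the sample), the Python below parses the per-function `Name.MODULE(args), ref: ADDR` lines and `Strings` entries of this listing format, decodes the constants, and tags each function with the behaviour its call tree shows. The tag names and rules are this example's own; its sample input is copied from four blocks of this listing (the injection block above, a VirtualProtect on an executable page, the HKCU registry write with `Software\Microsoft\Tivyikdiy`, and the thread snapshot).

```python
"""Tag per-function API listings (the block format above) with coarse behaviours.
Added example for this report page: not Joe Sandbox output and not code from the
analysed sample. SAMPLE is copied verbatim from four blocks of the listing above."""
import re
from dataclasses import dataclass, field

# Win32 constants that the listing shows only as raw hex.
MEM_COMMIT, MEM_RESERVE, MEM_RELEASE = 0x1000, 0x2000, 0x8000
PAGE_EXECUTE_READWRITE = 0x40
EXEC_PROTECTIONS = {0x10, 0x20, 0x40, 0x80}  # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY
TH32CS_SNAPTHREAD = 0x4
HKEY_CURRENT_USER = 0x80000001

# "• Name.MODULE(a,b), ref: ADDR" or "• Name.MODULE ref: ADDR", optionally prefixed
# with "Part of subcall function ADDR:"; Strings lines end in ", xrefs: ADDR".
API_RE = re.compile(
    r"^\s*[•*-]?\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
STR_RE = re.compile(r"^\s*[•*-]?\s*(?P<s>.+), xrefs:\s*[0-9A-Fa-f]+\s*$")

@dataclass
class Call:
    name: str
    args: list    # raw tokens; "?" where the tool could not recover the value
    ref: str
    direct: bool  # False when the line is attributed to a subcall

    def arg(self, i):  # argument i as int, or None when absent or not a hex literal
        try:
            return int(self.args[i], 16)
        except (IndexError, ValueError):
            return None

@dataclass
class Function:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)

    def has(self, name, where=()):  # some call `name` with args[i] == v for all (i, v)
        return any(c.name == name and all(c.arg(i) == v for i, v in where)
                   for c in self.calls)

def parse_listing(text):
    """One Function per 'APIs' header; a following Strings section attaches to it."""
    funcs, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = Function()
            funcs.append(cur)
        elif cur is not None:
            m = API_RE.match(line)
            if m:
                args = m["args"].split(",") if m["args"] is not None else []
                cur.calls.append(Call(m["name"], args, m["ref"], m["sub"] is None))
            else:
                m = STR_RE.match(line)
                if m:
                    cur.strings.append(m["s"].strip())
    return funcs

def behaviours(fn):
    """Tags for one function's call tree (subcall lines included). "?" arguments
    compare as None, so a rule that needs a constant can miss: no tag != no behaviour."""
    tags = set()
    if fn.has("VirtualAllocEx", [(4, PAGE_EXECUTE_READWRITE)]) and fn.has("WriteProcessMemory"):
        tags.add("remote-rwx-write")     # allocate RWX in another process, then write into it
    if fn.has("DuplicateHandle") and fn.has("WriteProcessMemory"):
        tags.add("handle-dup-write")     # duplicate a handle, then write it into another process
    if any(c.name == "VirtualProtect" and c.arg(2) in EXEC_PROTECTIONS for c in fn.calls):
        tags.add("exec-page-reprotect")  # protection change on executable pages (patch/hook)
    if fn.has("CreateToolhelp32Snapshot", [(0, TH32CS_SNAPTHREAD)]):
        tags.add("thread-enum")
    if fn.has("RegCreateKeyExW", [(0, HKEY_CURRENT_USER)]) and fn.has("RegSetValueExW"):
        tags.add("hkcu-registry-write")
    return tags

SAMPLE = r"""
APIs
• VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 0268C93C
  • Part of subcall function 026825A7: memcpy.MSVCRT ref: 026825C6
• WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0268C97B
• VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0268C9A2
Memory Dump Source
APIs
• GetCurrentProcess.KERNEL32 ref: 02699824
• VirtualProtect.KERNEL32(3D920000,=::=::\,00000020), ref: 02699845
• FlushInstructionCache.KERNEL32(?,3D920000,=::=::\), ref: 0269984E
APIs
  • Part of subcall function 026907B0: RegCreateKeyExW.ADVAPI32(80000001,00000102,00000000,00000000,00000000,?,00000000,?,?), ref: 026907D8
• RegSetValueExW.ADVAPI32(00000000,000000FE,?,00000000,?,?), ref: 02690823
Strings
• Software\Microsoft\Tivyikdiy, xrefs: 02690803
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0267AF51
• Thread32First.KERNEL32 ref: 0267AF6C
• Thread32Next.KERNEL32(?,?), ref: 0267AF7F
• CloseHandle.KERNEL32 ref: 0267AF8A
"""

if __name__ == "__main__":
    for fn in parse_listing(SAMPLE):
        print(fn.calls[0].ref, sorted(behaviours(fn)))
```

The rules run over subcall lines as well, so a function that merely calls the injector gets the same tag as the injector; filter on `Call.direct` to tag only a function's own calls. A `?` argument compares as None, so a rule that keys on a constant can miss a call whose value the tool did not recover; read a missing tag as unknown, not as clean.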
    APIs
      • Part of subcall function 02682456: EnterCriticalSection.KERNEL32(026A5AA4,00000028,026824C9,?,0269D211,?,?,00000000,?,?,00000001), ref: 02682466
      • Part of subcall function 02682456: LeaveCriticalSection.KERNEL32(026A5AA4,?,0269D211,?,?,00000000,?,?,00000001), ref: 02682490
    • HeapAlloc.KERNEL32(00000008,?,?,0267B076,?,?,?,00000000,?,?,00000000,0269AA69,?,0269ADD5), ref: 026824EB
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 026907B0: RegCreateKeyExW.ADVAPI32(80000001,00000102,00000000,00000000,00000000,?,00000000,?,?), ref: 026907D8
    • RegSetValueExW.ADVAPI32(00000000,000000FE,?,00000000,?,?), ref: 02690823
      • Part of subcall function 02690755: RegFlushKey.ADVAPI32 ref: 02690765
      • Part of subcall function 02690755: RegCloseKey.ADVAPI32 ref: 0269076D
    Strings
    • Software\Microsoft\Tivyikdiy, xrefs: 02690803
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000040), ref: 02699336
    Strings
    • Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 0269932E
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • HeapReAlloc.KERNEL32(00000000,?,?,?,?,02676328,?,?,02698D10,?,?,?,?,0000FFFF), ref: 02682530
      • Part of subcall function 02682456: EnterCriticalSection.KERNEL32(026A5AA4,00000028,026824C9,?,0269D211,?,?,00000000,?,?,00000001), ref: 02682466
      • Part of subcall function 02682456: LeaveCriticalSection.KERNEL32(026A5AA4,?,0269D211,?,?,00000000,?,?,00000001), ref: 02682490
    • HeapAlloc.KERNEL32(00000000,?,?,?,02676328,?,?,02698D10,?,?,?,?,0000FFFF), ref: 0268251D
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • HeapCreate.KERNEL32(00000000,00080000,00000000), ref: 026824A1
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 0269C09D: CreateMutexW.KERNEL32(026A49B4,00000000), ref: 0269C0BF
      • Part of subcall function 0268204E: memcpy.MSVCRT ref: 0268205C
    • CreateFileW.KERNEL32(?,C0000000,00000001,00000000,-00000003,?,00000000), ref: 0269A0AD
      • Part of subcall function 02695B15: SetFilePointerEx.KERNEL32(?,00000001,00000001,00000000,?), ref: 02695B25
    • SetEndOfFile.KERNEL32 ref: 0269A115
      • Part of subcall function 02695934: CloseHandle.KERNEL32 ref: 02695940
      • Part of subcall function 02695D0E: memcpy.MSVCRT ref: 02695D6C
      • Part of subcall function 02695D0E: memcpy.MSVCRT ref: 02695D81
      • Part of subcall function 02695D0E: memcpy.MSVCRT ref: 02695D96
      • Part of subcall function 02695D0E: memcpy.MSVCRT ref: 02695DA5
      • Part of subcall function 02695D0E: SetFileTime.KERNEL32(?,?,?,?), ref: 02695E0A
      • Part of subcall function 02695AB0: GetFileSizeEx.KERNEL32(?,?), ref: 02695ABB
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 026824F3: HeapAlloc.KERNEL32(00000000,?,?,?,02676328,?,?,02698D10,?,?,?,?,0000FFFF), ref: 0268251D
      • Part of subcall function 026824F3: HeapReAlloc.KERNEL32(00000000,?,?,?,?,02676328,?,?,02698D10,?,?,?,?,0000FFFF), ref: 02682530
    • GetAdaptersAddresses.IPHLPAPI(?,0000002E,00000000,00000000,?,?,?,?,?,?,?,026857AD), ref: 0267C1A8
    • SetLastError.KERNEL32(00000008,?,?,?,?,?,?,026857AD), ref: 0267C1D3
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 02676E1F: GetLastError.KERNEL32(3D920680,?,0267652A), ref: 02676E21
      • Part of subcall function 02676E1F: TlsGetValue.KERNEL32(?,?,0267652A), ref: 02676E3E
      • Part of subcall function 02676E1F: TlsSetValue.KERNEL32(00000001), ref: 02676E50
      • Part of subcall function 02676E1F: SetLastError.KERNEL32(?,?,0267652A), ref: 02676E60
    • NtQueryInformationProcess.NTDLL(?,00000000,?,00000018), ref: 02683465
      • Part of subcall function 0269C012: CreateMutexW.KERNEL32(026A49B4,00000001), ref: 0269C058
      • Part of subcall function 0269C012: GetLastError.KERNEL32(?,?,?,?,00000002,00000000), ref: 0269C064
      • Part of subcall function 0269C012: CloseHandle.KERNEL32 ref: 0269C072
      • Part of subcall function 0267C5A8: TlsGetValue.KERNEL32(00000026,?,0268349E), ref: 0267C5B1
      • Part of subcall function 0269AEB1: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 0269AECF
      • Part of subcall function 0269AEB1: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 0269AF0A
      • Part of subcall function 0269AEB1: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0269AF4A
      • Part of subcall function 0269AEB1: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0269AF6D
      • Part of subcall function 0269AEB1: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0269AFBD
    • CloseHandle.KERNEL32 ref: 026834DA
      • Part of subcall function 0267AF41: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0267AF51
      • Part of subcall function 0267AF41: Thread32First.KERNEL32 ref: 0267AF6C
      • Part of subcall function 0267AF41: Thread32Next.KERNEL32(?,?), ref: 0267AF7F
      • Part of subcall function 0267AF41: CloseHandle.KERNEL32 ref: 0267AF8A
      • Part of subcall function 02676EA5: GetLastError.KERNEL32(?,02676577), ref: 02676EA6
      • Part of subcall function 02676EA5: TlsSetValue.KERNEL32(00000000), ref: 02676EB6
      • Part of subcall function 02676EA5: SetLastError.KERNEL32(?,?,02676577), ref: 02676EBD
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • CreateMutexW.KERNEL32(026A49B4,00000000), ref: 0269C0BF
      • Part of subcall function 026775E7: WaitForSingleObject.KERNEL32(?,000000FF), ref: 026775ED
      • Part of subcall function 026775E7: CloseHandle.KERNEL32 ref: 026775FF
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • CoCreateInstance.OLE32(?,00000000,00004401,?,?), ref: 0268427E
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • HttpEndRequestA.WININET(?,00000000,00000000,00000000), ref: 0269CD75
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 026824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0269D211,?,?,00000000,?,?,00000001), ref: 026824D2
      • Part of subcall function 0269083C: RegQueryValueExW.ADVAPI32(?,00000010,00000000,?,?,?), ref: 02690850
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 02690903
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • socket.WS2_32(?,?,00000006), ref: 0267B804
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • RegCreateKeyExW.ADVAPI32(80000001,00000102,00000000,00000000,00000000,?,00000000,?,?), ref: 026907D8
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 02690971
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • RegQueryValueExW.ADVAPI32(?,00000010,00000000,?,?,?), ref: 02690850
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 02676E1F: GetLastError.KERNEL32(3D920680,?,0267652A), ref: 02676E21
      • Part of subcall function 02676E1F: TlsGetValue.KERNEL32(?,?,0267652A), ref: 02676E3E
      • Part of subcall function 02676E1F: TlsSetValue.KERNEL32(00000001), ref: 02676E50
      • Part of subcall function 02676E1F: SetLastError.KERNEL32(?,?,0267652A), ref: 02676E60
    • recv.WS2_32 ref: 02687F15
      • Part of subcall function 02676EA5: GetLastError.KERNEL32(?,02676577), ref: 02676EA6
      • Part of subcall function 02676EA5: TlsSetValue.KERNEL32(00000000), ref: 02676EB6
      • Part of subcall function 02676EA5: SetLastError.KERNEL32(?,?,02676577), ref: 02676EBD
      • Part of subcall function 0267A64B: EnterCriticalSection.KERNEL32(?,?,?,?,02677F4D,00000001,?,00000001,?), ref: 0267A655
      • Part of subcall function 0267A64B: memcpy.MSVCRT ref: 0267A6D1
      • Part of subcall function 0267A64B: memcpy.MSVCRT ref: 0267A6E5
      • Part of subcall function 0267A64B: memcpy.MSVCRT ref: 0267A70F
      • Part of subcall function 0267A64B: LeaveCriticalSection.KERNEL32(?,?,?,00000001,?,?,?,?,02677F4D,00000001,?,00000001,?), ref: 0267A735
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 02676E1F: GetLastError.KERNEL32(3D920680,?,0267652A), ref: 02676E21
      • Part of subcall function 02676E1F: TlsGetValue.KERNEL32(?,?,0267652A), ref: 02676E3E
      • Part of subcall function 02676E1F: TlsSetValue.KERNEL32(00000001), ref: 02676E50
      • Part of subcall function 02676E1F: SetLastError.KERNEL32(?,?,0267652A), ref: 02676E60
    • send.WS2_32 ref: 026880AC
      • Part of subcall function 02676EA5: GetLastError.KERNEL32(?,02676577), ref: 02676EA6
      • Part of subcall function 02676EA5: TlsSetValue.KERNEL32(00000000), ref: 02676EB6
      • Part of subcall function 02676EA5: SetLastError.KERNEL32(?,?,02676577), ref: 02676EBD
      • Part of subcall function 0267A64B: EnterCriticalSection.KERNEL32(?,?,?,?,02677F4D,00000001,?,00000001,?), ref: 0267A655
      • Part of subcall function 0267A64B: memcpy.MSVCRT ref: 0267A6D1
      • Part of subcall function 0267A64B: memcpy.MSVCRT ref: 0267A6E5
      • Part of subcall function 0267A64B: memcpy.MSVCRT ref: 0267A70F
      • Part of subcall function 0267A64B: LeaveCriticalSection.KERNEL32(?,?,?,00000001,?,?,?,?,02677F4D,00000001,?,00000001,?), ref: 0267A735
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    Non-executed Functions
    APIs
    • socket.WS2_32(?,00000001,00000006), ref: 02683BCA
    • bind.WS2_32 ref: 02683BE7
    • listen.WS2_32(?,00000001), ref: 02683BF4
    • WSAGetLastError.WS2_32(?,?,?,?,00000001,00000006,?,?,0268EE5F,?,?,?), ref: 02683BFE
    • closesocket.WS2_32 ref: 02683C07
    • WSASetLastError.WS2_32(?,?,?,?,?,?,00000001,00000006,?,?,0268EE5F,?,?,?), ref: 02683C0E
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • StrStrIW.SHLWAPI(tellerplus,027F1E90), ref: 0269C1A4
    • StrStrIW.SHLWAPI(bancline), ref: 0269C1B9
    • StrStrIW.SHLWAPI(fidelity), ref: 0269C1CE
    • StrStrIW.SHLWAPI(micrsolv), ref: 0269C1E3
    • StrStrIW.SHLWAPI(bankman), ref: 0269C1F8
    • StrStrIW.SHLWAPI(vantiv), ref: 0269C20D
    • StrStrIW.SHLWAPI(episys), ref: 0269C222
    • StrStrIW.SHLWAPI(jack henry), ref: 0269C237
    • StrStrIW.SHLWAPI(cruisenet), ref: 0269C24C
    • StrStrIW.SHLWAPI(gplusmain), ref: 0269C261
    • StrStrIW.SHLWAPI(launchpadshell.exe), ref: 0269C276
    • StrStrIW.SHLWAPI(dirclt32.exe), ref: 0269C28B
    • StrStrIW.SHLWAPI(wtng.exe), ref: 0269C29C
    • StrStrIW.SHLWAPI(prologue.exe), ref: 0269C2AD
    • StrStrIW.SHLWAPI(silverlake), ref: 0269C2BE
    • StrStrIW.SHLWAPI(pcsws.exe), ref: 0269C2CF
    • StrStrIW.SHLWAPI(v48d0250s1), ref: 0269C2E0
    • StrStrIW.SHLWAPI(fdmaster.exe), ref: 0269C2F1
    • StrStrIW.SHLWAPI(fastdoc), ref: 0269C302
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
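The nineteen StrStrIW calls above test one input string against each literal in turn. StrStrIW is a case-insensitive substring search, so any string that contains `fidelity` or `jack henry` anywhere matches, not only an exact process name. As an added example (not part of the report and not the sample's code), the Python below extracts the needles from these listing lines and reports which strings of a constructed host snapshot the check would match. The snapshot paths and window titles are made up for the example, and `casefold()` stands in for StrStrIW's per-character case folding, which is equivalent for these ASCII needles.

```python
"""Which strings on a host would the sample's StrStrIW check match?
Added example for this report page, not Joe Sandbox output and not code from the
sample. LISTING is copied from the StrStrIW block above; OBSERVED is constructed."""
import re

LISTING = """\
• StrStrIW.SHLWAPI(tellerplus,027F1E90), ref: 0269C1A4
• StrStrIW.SHLWAPI(bancline), ref: 0269C1B9
• StrStrIW.SHLWAPI(fidelity), ref: 0269C1CE
• StrStrIW.SHLWAPI(micrsolv), ref: 0269C1E3
• StrStrIW.SHLWAPI(bankman), ref: 0269C1F8
• StrStrIW.SHLWAPI(vantiv), ref: 0269C20D
• StrStrIW.SHLWAPI(episys), ref: 0269C222
• StrStrIW.SHLWAPI(jack henry), ref: 0269C237
• StrStrIW.SHLWAPI(cruisenet), ref: 0269C24C
• StrStrIW.SHLWAPI(gplusmain), ref: 0269C261
• StrStrIW.SHLWAPI(launchpadshell.exe), ref: 0269C276
• StrStrIW.SHLWAPI(dirclt32.exe), ref: 0269C28B
• StrStrIW.SHLWAPI(wtng.exe), ref: 0269C29C
• StrStrIW.SHLWAPI(prologue.exe), ref: 0269C2AD
• StrStrIW.SHLWAPI(silverlake), ref: 0269C2BE
• StrStrIW.SHLWAPI(pcsws.exe), ref: 0269C2CF
• StrStrIW.SHLWAPI(v48d0250s1), ref: 0269C2E0
• StrStrIW.SHLWAPI(fdmaster.exe), ref: 0269C2F1
• StrStrIW.SHLWAPI(fastdoc), ref: 0269C302
"""

# The first argument of each StrStrIW call is the needle; the second, where the
# tool recovered it (027F1E90), is the pointer to the string being searched.
NEEDLE_RE = re.compile(r"StrStrIW\.SHLWAPI\(([^,)]+)")

def needles(listing=LISTING):
    return [m.group(1) for m in NEEDLE_RE.finditer(listing)]

def strstri(haystack, needle):
    """StrStrIW semantics: case-insensitive substring test."""
    return needle.casefold() in haystack.casefold()

def targeted(observed, listing=LISTING):
    """Map each observed string to the needles it triggers; strings with no hit are omitted."""
    ns = needles(listing)
    hits = {}
    for s in observed:
        matched = [n for n in ns if strstri(s, n)]
        if matched:
            hits[s] = matched
    return hits

OBSERVED = [  # constructed: image paths and window titles as an EDR export might list them
    r"C:\Program Files\Jack Henry\SilverLake\launchpadshell.exe",
    r"C:\WINDOWS\system32\notepad.exe",
    "TellerPlus - Teller Session 4",
    r"C:\Apps\WTNG.EXE",
    r"C:\Program Files\Internet Explorer\iexplore.exe",
    "Fidelity Investments - Windows Internet Explorer",
]

if __name__ == "__main__":
    for s, ns in targeted(OBSERVED).items():
        print(f"{s!r}: {ns}")
```

Running this over the image paths and window titles from an endpoint inventory tells you whether a host is in the population this sample looks for, and which needle put it there. The `Fidelity Investments` browser title shows how loose a substring needle is: one word in any string is enough, and one path can hit several needles at once.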
    APIs
    • LoadLibraryA.KERNEL32(gdiplus.dll), ref: 02677FBA
    • GetProcAddress.KERNEL32(?,GdiplusStartup), ref: 02677FD2
    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 02678011
    • CreateCompatibleDC.GDI32 ref: 02678022
    • LoadCursorW.USER32(00000000,00007F00), ref: 02678038
    • GetIconInfo.USER32 ref: 0267804C
    • GetCursorPos.USER32(?), ref: 0267805B
    • GetDeviceCaps.GDI32(?,00000008), ref: 02678072
    • GetDeviceCaps.GDI32(?,0000000A), ref: 0267807B
    • CreateCompatibleBitmap.GDI32(?,?), ref: 02678087
    • SelectObject.GDI32 ref: 02678095
    • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,40CC0020), ref: 026780B6
    • DrawIcon.USER32(?,?,?,?), ref: 026780E8
      • Part of subcall function 02691285: GetProcAddress.KERNEL32(?,GdipCreateBitmapFromHBITMAP), ref: 0269129A
      • Part of subcall function 02691285: GetProcAddress.KERNEL32(?,GdipDisposeImage), ref: 026912A5
    • SelectObject.GDI32(?,?), ref: 02678104
    • DeleteObject.GDI32 ref: 0267810B
    • DeleteDC.GDI32 ref: 02678112
    • DeleteDC.GDI32 ref: 02678119
    • FreeLibrary.KERNEL32(?), ref: 02678129
    • GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 0267813F
    • FreeLibrary.KERNEL32(?), ref: 02678153
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 02688432: CreateFileW.KERNEL32(027F1EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0268844B
      • Part of subcall function 02688432: GetFileSizeEx.KERNEL32 ref: 0268845E
      • Part of subcall function 02688432: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 02688484
      • Part of subcall function 02688432: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0268849C
      • Part of subcall function 02688432: VirtualFree.KERNEL32(?,00000000,00008000), ref: 026884BA
      • Part of subcall function 02688432: CloseHandle.KERNEL32 ref: 026884C3
    • CreateMutexW.KERNEL32(026A49B4,00000001), ref: 0269B550
    • GetLastError.KERNEL32(?,38901130,?,00000001,?,?,00000001,?,?,?,0269B8C7), ref: 0269B560
    • CloseHandle.KERNEL32 ref: 0269B56E
    • CloseHandle.KERNEL32 ref: 0269B697
      • Part of subcall function 0269AFE8: memcpy.MSVCRT ref: 0269AFF8
    • lstrlenW.KERNEL32 ref: 0269B5D0
      • Part of subcall function 02675B9B: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02675BC1
      • Part of subcall function 02675B9B: Process32FirstW.KERNEL32 ref: 02675BE6
      • Part of subcall function 02675B9B: OpenProcess.KERNEL32(00000400,00000000,?), ref: 02675C3D
      • Part of subcall function 02675B9B: CloseHandle.KERNEL32 ref: 02675C5B
      • Part of subcall function 02675B9B: GetLengthSid.ADVAPI32 ref: 02675C77
      • Part of subcall function 02675B9B: memcmp.MSVCRT ref: 02675C8F
      • Part of subcall function 02675B9B: CloseHandle.KERNEL32(?), ref: 02675D07
      • Part of subcall function 02675B9B: Process32NextW.KERNEL32(?,?), ref: 02675D13
      • Part of subcall function 02675B9B: CloseHandle.KERNEL32 ref: 02675D26
    • ExitWindowsEx.USER32(00000014,80000000), ref: 0269B615
    • OpenEventW.KERNEL32(00000002,00000000), ref: 0269B63B
    • SetEvent.KERNEL32 ref: 0269B648
    • CloseHandle.KERNEL32 ref: 0269B64F
    • Sleep.KERNEL32(00007530), ref: 0269B674
      • Part of subcall function 0267AF99: GetCurrentThread.KERNEL32 ref: 0267AFAD
      • Part of subcall function 0267AF99: OpenThreadToken.ADVAPI32 ref: 0267AFB4
      • Part of subcall function 0267AF99: GetCurrentProcess.KERNEL32 ref: 0267AFC4
      • Part of subcall function 0267AF99: OpenProcessToken.ADVAPI32 ref: 0267AFCB
      • Part of subcall function 0267AF99: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege), ref: 0267AFEC
      • Part of subcall function 0267AF99: AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 0267B001
      • Part of subcall function 0267AF99: GetLastError.KERNEL32 ref: 0267B00B
      • Part of subcall function 0267AF99: CloseHandle.KERNEL32(00000001), ref: 0267B01C
    • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000001,80000000), ref: 0269B68C
    • Sleep.KERNEL32(000000FF), ref: 0269B694
    • IsWellKnownSid.ADVAPI32(027F1EC0,00000016), ref: 0269B6E5
    • CreateEventW.KERNEL32(026A49B4,00000001,00000000), ref: 0269B7B4
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0269B7CD
    • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,000000FF), ref: 0269B7DF
    • CloseHandle.KERNEL32(00000000), ref: 0269B7F6
    • CloseHandle.KERNEL32(?), ref: 0269B7FC
    • CloseHandle.KERNEL32(?), ref: 0269B802
      • Part of subcall function 0267766D: ReleaseMutex.KERNEL32 ref: 02677671
      • Part of subcall function 0267766D: CloseHandle.KERNEL32 ref: 02677678
      • Part of subcall function 02681DFA: VirtualProtect.KERNEL32(026796C7,?,00000040), ref: 02681E12
      • Part of subcall function 02681DFA: VirtualProtect.KERNEL32(026796C7,?,?), ref: 02681E85
      • Part of subcall function 026796C7: FreeLibrary.KERNEL32(00000003), ref: 026796B9
      • Part of subcall function 0269BC89: memcpy.MSVCRT ref: 0269BCA4
      • Part of subcall function 0269BC89: StringFromGUID2.OLE32 ref: 0269BD4A
      • Part of subcall function 02679931: LoadLibraryW.KERNEL32 ref: 02679953
      • Part of subcall function 02679931: GetProcAddress.KERNEL32 ref: 02679977
      • Part of subcall function 02679931: SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001), ref: 026799AF
      • Part of subcall function 02679931: lstrlenW.KERNEL32 ref: 026799C7
      • Part of subcall function 02679931: StrCmpNIW.SHLWAPI ref: 026799DB
      • Part of subcall function 02679931: lstrlenW.KERNEL32 ref: 026799F1
      • Part of subcall function 02679931: memcpy.MSVCRT ref: 026799FD
      • Part of subcall function 02679931: FreeLibrary.KERNEL32 ref: 02679A13
      • Part of subcall function 02679931: NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,?,?,?), ref: 02679A52
      • Part of subcall function 02679931: NetUserGetInfo.NETAPI32(00000000,00000000,00000017), ref: 02679A8E
      • Part of subcall function 02679931: NetApiBufferFree.NETAPI32(?), ref: 02679B39
      • Part of subcall function 02679931: NetApiBufferFree.NETAPI32(00000000), ref: 02679B4B
      • Part of subcall function 02679931: SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001), ref: 02679B6A
      • Part of subcall function 0267B314: CharToOemW.USER32(027F1EF0), ref: 0267B325
      • Part of subcall function 026A2AC0: GetCommandLineW.KERNEL32 ref: 026A2ADA
      • Part of subcall function 026A2AC0: CommandLineToArgvW.SHELL32 ref: 026A2AE1
      • Part of subcall function 026A2AC0: StrCmpNW.SHLWAPI(?,0266CA4C,00000002), ref: 026A2B07
      • Part of subcall function 026A2AC0: LocalFree.KERNEL32 ref: 026A2B33
      • Part of subcall function 026A2AC0: MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,00001000), ref: 026A2B70
      • Part of subcall function 026A2AC0: memcpy.MSVCRT ref: 026A2B83
      • Part of subcall function 026A2AC0: UnmapViewOfFile.KERNEL32 ref: 026A2BBC
      • Part of subcall function 026A2AC0: memcpy.MSVCRT ref: 026A2BDF
      • Part of subcall function 026A2AC0: CloseHandle.KERNEL32 ref: 026A2BF8
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
      • Part of subcall function 0269C09D: CreateMutexW.KERNEL32(026A49B4,00000000), ref: 0269C0BF
      • Part of subcall function 0267987E: memcpy.MSVCRT ref: 02679894
      • Part of subcall function 0267987E: memcmp.MSVCRT ref: 026798B6
      • Part of subcall function 0267987E: lstrcmpiW.KERNEL32(00000000,000000FF), ref: 0267990F
      • Part of subcall function 026884D3: VirtualFree.KERNEL32(?,00000000,00008000), ref: 026884E4
      • Part of subcall function 026884D3: CloseHandle.KERNEL32 ref: 026884F3
    Strings
    • SeShutdownPrivilege, xrefs: 0269B676
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 0269B779
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • LoadLibraryW.KERNEL32 ref: 02679953
    • GetProcAddress.KERNEL32 ref: 02679977
    • SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001), ref: 026799AF
    • lstrlenW.KERNEL32 ref: 026799C7
    • StrCmpNIW.SHLWAPI ref: 026799DB
    • lstrlenW.KERNEL32 ref: 026799F1
    • memcpy.MSVCRT ref: 026799FD
    • FreeLibrary.KERNEL32 ref: 02679A13
    • NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,?,?,?), ref: 02679A52
    • NetUserGetInfo.NETAPI32(00000000,00000000,00000017), ref: 02679A8E
      • Part of subcall function 0269B31B: ConvertSidToStringSidW.ADVAPI32(?,?), ref: 0269B32F
      • Part of subcall function 0269B31B: PathUnquoteSpacesW.SHLWAPI ref: 0269B394
      • Part of subcall function 0269B31B: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 0269B3A3
      • Part of subcall function 0269B31B: LocalFree.KERNEL32(00000001), ref: 0269B3B7
    • NetApiBufferFree.NETAPI32(?), ref: 02679B39
      • Part of subcall function 02678F6F: memcpy.MSVCRT ref: 02678FE0
      • Part of subcall function 02678F6F: PathRemoveBackslashW.SHLWAPI ref: 02678FEA
      • Part of subcall function 02678F6F: memcpy.MSVCRT ref: 02679033
      • Part of subcall function 02678F6F: memcpy.MSVCRT ref: 02679060
      • Part of subcall function 02678F6F: PathRemoveBackslashW.SHLWAPI ref: 0267906A
      • Part of subcall function 026790A3: PathSkipRootW.SHLWAPI ref: 026790CD
      • Part of subcall function 026790A3: GetFileAttributesW.KERNEL32(00000000), ref: 026790FA
      • Part of subcall function 026790A3: CreateDirectoryW.KERNEL32(?,00000000), ref: 0267910E
      • Part of subcall function 026790A3: SetLastError.KERNEL32(00000050,?,?,00000000), ref: 02679131
      • Part of subcall function 02679583: LoadLibraryW.KERNEL32 ref: 026795A7
      • Part of subcall function 02679583: GetProcAddress.KERNEL32 ref: 026795D5
      • Part of subcall function 02679583: GetProcAddress.KERNEL32 ref: 026795EF
      • Part of subcall function 02679583: GetProcAddress.KERNEL32 ref: 0267960B
      • Part of subcall function 02679583: WTSGetActiveConsoleSessionId.KERNEL32 ref: 02679638
      • Part of subcall function 02679583: FreeLibrary.KERNEL32(00000003), ref: 026796B9
    • NetApiBufferFree.NETAPI32(00000000), ref: 02679B4B
    • SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001), ref: 02679B6A
      • Part of subcall function 0269038C: CreateDirectoryW.KERNEL32(?,00000000), ref: 02690405
      • Part of subcall function 0269038C: SetFileAttributesW.KERNEL32(?), ref: 02690424
      • Part of subcall function 0269038C: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,?,00000000), ref: 0269043B
      • Part of subcall function 0269038C: GetLastError.KERNEL32 ref: 02690448
      • Part of subcall function 0269038C: CloseHandle.KERNEL32 ref: 02690481
      • Part of subcall function 026A258D: GetFileSizeEx.KERNEL32(00000000), ref: 026A25C4
      • Part of subcall function 026A258D: SetEndOfFile.KERNEL32 ref: 026A263A
      • Part of subcall function 026A258D: FlushFileBuffers.KERNEL32(?), ref: 026A2645
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • GetModuleHandleW.KERNEL32(00000000), ref: 0269ACF4
      • Part of subcall function 0269D1E0: InitializeCriticalSection.KERNEL32(026A5AA4), ref: 0269D207
      • Part of subcall function 0269D1E0: InitializeCriticalSection.KERNEL32 ref: 0269D218
      • Part of subcall function 0269D1E0: memset.MSVCRT ref: 0269D229
      • Part of subcall function 0269D1E0: TlsAlloc.KERNEL32(?,?,00000000,?,?,00000001), ref: 0269D240
      • Part of subcall function 0269D1E0: GetModuleHandleW.KERNEL32(00000000), ref: 0269D25C
      • Part of subcall function 0269D1E0: GetModuleHandleW.KERNEL32 ref: 0269D272
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0269AD59
    • Process32FirstW.KERNEL32 ref: 0269AD74
    • PathFindFileNameW.SHLWAPI ref: 0269AD87
    • StrCmpNIW.SHLWAPI(rapport,?,00000007), ref: 0269AD99
    • Process32NextW.KERNEL32(?,?), ref: 0269ADA9
    • CloseHandle.KERNEL32 ref: 0269ADB4
    • WSAStartup.WS2_32(00000202), ref: 0269ADC4
    • CreateEventW.KERNEL32(026A49B4,00000001,00000000,00000000), ref: 0269ADEC
      • Part of subcall function 0267AEE3: OpenProcessToken.ADVAPI32(?,00000008), ref: 0267AEF5
      • Part of subcall function 0267AEE3: GetTokenInformation.ADVAPI32(?,0000000C,026A49A8,00000004), ref: 0267AF1D
      • Part of subcall function 0267AEE3: CloseHandle.KERNEL32(?), ref: 0267AF33
    • GetLengthSid.ADVAPI32(?,?,?,?,00000001), ref: 0269AE22
      • Part of subcall function 0269AA9A: GetTempPathW.KERNEL32(00000104), ref: 0269AAB7
      • Part of subcall function 0269AA9A: GetLongPathNameW.KERNEL32(?,C:\Documents and Settings\Administrator\Local Settings\Temp,00000104,?,?), ref: 0269AACF
      • Part of subcall function 0269AA9A: PathRemoveBackslashW.SHLWAPI(C:\Documents and Settings\Administrator\Local Settings\Temp), ref: 0269AADA
      • Part of subcall function 0269AA9A: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?), ref: 0269AB00
    • GetCurrentProcessId.KERNEL32 ref: 0269AE4D
      • Part of subcall function 0269AB23: SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000), ref: 0269AB64
      • Part of subcall function 0269AB23: lstrcmpiW.KERNEL32 ref: 0269AB93
      • Part of subcall function 0269ABBF: lstrcatW.KERNEL32(?,.dat), ref: 0269AC32
      • Part of subcall function 0269ABBF: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0269AC57
      • Part of subcall function 0269ABBF: ReadFile.KERNEL32(?,?,000001FE,?,00000000), ref: 0269AC75
      • Part of subcall function 0269ABBF: CloseHandle.KERNEL32 ref: 0269AC82
      • Part of subcall function 0268C8A1: IsBadReadPtr.KERNEL32 ref: 0268C8E0
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • GetProcAddress.KERNEL32(0269FEC7), ref: 0269F8AB
    • GetProcAddress.KERNEL32(0269FEC7), ref: 0269F8CB
    • GetProcAddress.KERNEL32(0269FEC7), ref: 0269F8E4
    • GetProcAddress.KERNEL32(0269FEC7), ref: 0269F8FD
    • GetProcAddress.KERNEL32(0269FEC7), ref: 0269F916
    • GetProcAddress.KERNEL32(0269FEC7), ref: 0269F92F
    • GetProcAddress.KERNEL32(0269FEC7), ref: 0269F94C
    • GetProcAddress.KERNEL32(0269FEC7), ref: 0269F969
    • GetProcAddress.KERNEL32(0269FEC7), ref: 0269F986
    • GetProcAddress.KERNEL32(0269FEC7,?), ref: 0269F9A3
    • GetProcAddress.KERNEL32(0269FEC7), ref: 0269F9C0
    • GetProcAddress.KERNEL32(0269FEC7), ref: 0269F9DD
    • GetProcAddress.KERNEL32(0269FEC7), ref: 0269F9FA
    • GetProcAddress.KERNEL32(0269FEC7), ref: 0269FA17
    • GetProcAddress.KERNEL32(0269FEC7), ref: 0269FA34
    • GetProcAddress.KERNEL32(0269FEC7), ref: 0269FA51
    • GetProcAddress.KERNEL32(0269FEC7), ref: 0269FA6E
    • GetProcAddress.KERNEL32(0269FEC7), ref: 0269FA8B
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • LoadLibraryA.KERNEL32(userenv.dll), ref: 0267B1EE
    • GetProcAddress.KERNEL32(?,CreateEnvironmentBlock), ref: 0267B20C
    • GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 0267B218
    • memset.MSVCRT ref: 0267B258
    • CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,00000000), ref: 0267B2A5
    • CloseHandle.KERNEL32(?), ref: 0267B2B9
    • CloseHandle.KERNEL32(?), ref: 0267B2BF
    • FreeLibrary.KERNEL32 ref: 0267B2D3
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 0268D189: lstrlenW.KERNEL32 ref: 0268D190
      • Part of subcall function 0268D189: memcpy.MSVCRT ref: 0268D21E
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    • getpeername.WS2_32 ref: 0267A254
      • Part of subcall function 0267C091: memcmp.MSVCRT ref: 0267C0B3
      • Part of subcall function 02679E88: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 02679E9D
      • Part of subcall function 02679E88: StrCmpIW.SHLWAPI ref: 02679EA7
      • Part of subcall function 0267B764: EnterCriticalSection.KERNEL32(026A5AA4,?,0267B826,?,0269C86A,0268C4AB,0268C4AB,?,0268C4AB,?,00000001), ref: 0267B774
      • Part of subcall function 0267B764: LeaveCriticalSection.KERNEL32(026A5AA4,?,0267B826,?,0269C86A,0268C4AB,0268C4AB,?,0268C4AB,?,00000001), ref: 0267B79E
    • WSAAddressToStringW.WS2_32(?,?,00000000), ref: 0267A2CC
    • lstrcpyW.KERNEL32(?,0:0), ref: 0267A2E0
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 02695947: GetTempPathW.KERNEL32(00000104,?), ref: 02695962
      • Part of subcall function 02695947: PathAddBackslashW.SHLWAPI(?), ref: 0269598C
      • Part of subcall function 02695947: CreateDirectoryW.KERNEL32(?), ref: 02695A44
      • Part of subcall function 02695947: SetFileAttributesW.KERNEL32(?), ref: 02695A55
      • Part of subcall function 02695947: CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 02695A6E
      • Part of subcall function 02695947: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000080,?,?,00000000), ref: 02695A7F
    • CharToOemW.USER32 ref: 0267B3AB
    • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 0267B3E2
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    • CloseHandle.KERNEL32(000000FF), ref: 0267B40A
    • GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104), ref: 0267B44C
    • memset.MSVCRT ref: 0267B461
    • CloseHandle.KERNEL32(000000FF), ref: 0267B49C
      • Part of subcall function 02695E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 02695E26
      • Part of subcall function 02695E1D: DeleteFileW.KERNEL32 ref: 02695E2D
      • Part of subcall function 02695934: CloseHandle.KERNEL32 ref: 02695940
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • LoadLibraryW.KERNEL32(cabinet.dll), ref: 02691A66
      • Part of subcall function 026824DA: HeapAlloc.KERNEL32(00000008,?,?,0267B076,?,?,?,00000000,?,?,00000000,0269AA69,?,0269ADD5), ref: 026824EB
    • GetProcAddress.KERNEL32(?,FCICreate), ref: 02691A95
    • GetProcAddress.KERNEL32(?,FCIAddFile), ref: 02691AA4
    • GetProcAddress.KERNEL32(?,FCIFlushCabinet), ref: 02691AB3
    • GetProcAddress.KERNEL32(?,FCIDestroy), ref: 02691AC2
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    • FreeLibrary.KERNEL32 ref: 02691AF7
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 026884FB: memchr.MSVCRT ref: 0268853B
      • Part of subcall function 026884FB: memcmp.MSVCRT ref: 0268855A
    • VirtualProtect.KERNEL32(?,?,00000080,?), ref: 0268BC21
    • VirtualProtect.KERNEL32(?,?,00000000,?), ref: 0268BD99
      • Part of subcall function 02682633: memcmp.MSVCRT ref: 02682653
      • Part of subcall function 026825A7: memcpy.MSVCRT ref: 026825C6
    • GetCurrentThread.KERNEL32 ref: 0268BCBE
    • GetThreadPriority.KERNEL32 ref: 0268BCC7
    • SetThreadPriority.KERNEL32(?,0000000F), ref: 0268BCD2
    • Sleep.KERNEL32(00000000), ref: 0268BCDA
    • memcpy.MSVCRT ref: 0268BCE9
    • FlushInstructionCache.KERNEL32(000000FF,?,?), ref: 0268BCFA
    • SetThreadPriority.KERNEL32 ref: 0268BD02
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    • GetTickCount.KERNEL32 ref: 0268BD3C
    • GetTickCount.KERNEL32 ref: 0268BD4F
    • Sleep.KERNEL32(00000000), ref: 0268BD61
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • GetLogicalDrives.KERNEL32 ref: 0268553C
      • Part of subcall function 026824DA: HeapAlloc.KERNEL32(00000008,?,?,0267B076,?,?,?,00000000,?,?,00000000,0269AA69,?,0269ADD5), ref: 026824EB
    • SHGetFolderPathW.SHELL32(00000000,00006024,00000000,00000000), ref: 02685581
    • PathGetDriveNumberW.SHLWAPI ref: 02685593
    • lstrcpyW.KERNEL32(?,0266AACC), ref: 026855A7
    • GetDriveTypeW.KERNEL32 ref: 02685610
    • GetVolumeInformationW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000105), ref: 02685671
    • CharUpperW.USER32(00000000), ref: 0268568D
    • lstrcmpW.KERNEL32 ref: 026856B0
    • GetDiskFreeSpaceExW.KERNEL32(?,00000000), ref: 026856EE
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • GetProcAddress.KERNEL32(?,GdipGetImageEncodersSize), ref: 02691304
    • GetProcAddress.KERNEL32(?,GdipGetImageEncoders), ref: 0269130F
    • GetProcAddress.KERNEL32(?,GdipSaveImageToStream), ref: 0269131A
      • Part of subcall function 026824DA: HeapAlloc.KERNEL32(00000008,?,?,0267B076,?,?,?,00000000,?,?,00000000,0269AA69,?,0269ADD5), ref: 026824EB
    • lstrcmpiW.KERNEL32(?), ref: 026913A7
    • memcpy.MSVCRT ref: 026913CA
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    • CreateStreamOnHGlobal.OLE32(00000000,00000001), ref: 026913F5
    • memcpy.MSVCRT ref: 02691423
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • memcpy.MSVCRT ref: 026A2D3D
    • CreateFileMappingW.KERNEL32(000000FF,?,08000004,00000000,00001000,00000000), ref: 026A2D5E
    • MapViewOfFile.KERNEL32(?,00000006,00000000,00000000,00001000), ref: 026A2D76
      • Part of subcall function 026A2922: UnmapViewOfFile.KERNEL32 ref: 026A292E
      • Part of subcall function 026A2922: CloseHandle.KERNEL32 ref: 026A293F
    • memset.MSVCRT ref: 026A2DCB
    • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000001,00000004,00000000,00000000,00000000,00000000), ref: 026A2E04
      • Part of subcall function 026A294A: DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002,026A3210), ref: 026A297C
      • Part of subcall function 026A294A: DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002), ref: 026A299C
      • Part of subcall function 026A294A: memset.MSVCRT ref: 026A2A39
      • Part of subcall function 026A294A: memcpy.MSVCRT ref: 026A2A4B
    • ResumeThread.KERNEL32(?), ref: 026A2E27
    • CloseHandle.KERNEL32(?), ref: 026A2E3E
    • CloseHandle.KERNEL32(?), ref: 026A2E44
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • GetCurrentThread.KERNEL32 ref: 0267AFAD
    • OpenThreadToken.ADVAPI32 ref: 0267AFB4
    • GetCurrentProcess.KERNEL32 ref: 0267AFC4
    • OpenProcessToken.ADVAPI32 ref: 0267AFCB
    • LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege), ref: 0267AFEC
    • AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 0267B001
    • GetLastError.KERNEL32 ref: 0267B00B
    • CloseHandle.KERNEL32(00000001), ref: 0267B01C
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 026841F9: CoInitializeEx.OLE32(00000000,00000000), ref: 02684206
      • Part of subcall function 0267645E: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,?,02685B49), ref: 02676470
      • Part of subcall function 0267645E: #2.OLEAUT32(?,00000000,?,?,?,02685B49), ref: 026764A4
      • Part of subcall function 0267645E: #6.OLEAUT32(?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,02685B49), ref: 026764D9
      • Part of subcall function 0267645E: CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 026764F9
    • #2.OLEAUT32(WQL), ref: 02685BAF
    • #2.OLEAUT32 ref: 02685BCB
    • #6.OLEAUT32(?,?,00000030,00000000), ref: 02685BFB
    • #9.OLEAUT32(?,?,00000000,00000000), ref: 02685C6C
      • Part of subcall function 02676433: #6.OLEAUT32(?,00000000,02685CA3), ref: 02676450
      • Part of subcall function 02676433: CoUninitialize.OLE32 ref: 02684244
    • memcpy.MSVCRT ref: 02685D45
    • memcpy.MSVCRT ref: 02685D57
    • memcpy.MSVCRT ref: 02685D69
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
      • Part of subcall function 026824DA: HeapAlloc.KERNEL32(00000008,?,?,0267B076,?,?,?,00000000,?,?,00000000,0269AA69,?,0269ADD5), ref: 026824EB
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 0268204E: memcpy.MSVCRT ref: 0268205C
      • Part of subcall function 0269570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0269ABEA,0269ABEA), ref: 0269573C
    • PathRemoveFileSpecW.SHLWAPI(00000000), ref: 02679C2E
    • PathRemoveFileSpecW.SHLWAPI(00000000), ref: 02679C75
    • SetEvent.KERNEL32 ref: 02679C84
    • WaitForSingleObject.KERNEL32 ref: 02679C95
      • Part of subcall function 0268A9C2: Sleep.KERNEL32(000001F4), ref: 0268AA6D
      • Part of subcall function 0267913F: FindFirstFileW.KERNEL32(?), ref: 02679170
      • Part of subcall function 0267913F: FindNextFileW.KERNEL32(?,?), ref: 026791C2
      • Part of subcall function 0267913F: FindClose.KERNEL32 ref: 026791CD
      • Part of subcall function 0267913F: SetFileAttributesW.KERNEL32(?,00000080), ref: 026791D9
      • Part of subcall function 0267913F: RemoveDirectoryW.KERNEL32 ref: 026791E0
      • Part of subcall function 02690B2C: RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02690B87
      • Part of subcall function 02690B2C: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 02690BF1
      • Part of subcall function 02690B2C: RegFlushKey.ADVAPI32(?), ref: 02690C1F
      • Part of subcall function 02690B2C: RegCloseKey.ADVAPI32(?), ref: 02690C26
    • CharToOemW.USER32 ref: 02679D26
    • CharToOemW.USER32 ref: 02679D36
    • ExitProcess.KERNEL32(00000000,?,?,00000014,?,?,00000014), ref: 02679D9A
      • Part of subcall function 0267B365: CharToOemW.USER32 ref: 0267B3AB
      • Part of subcall function 0267B365: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 0267B3E2
      • Part of subcall function 0267B365: CloseHandle.KERNEL32(000000FF), ref: 0267B40A
      • Part of subcall function 0267B365: GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104), ref: 0267B44C
      • Part of subcall function 0267B365: memset.MSVCRT ref: 0267B461
      • Part of subcall function 0267B365: CloseHandle.KERNEL32(000000FF), ref: 0267B49C
      • Part of subcall function 02678F6F: memcpy.MSVCRT ref: 02678FE0
      • Part of subcall function 02678F6F: PathRemoveBackslashW.SHLWAPI ref: 02678FEA
      • Part of subcall function 02678F6F: memcpy.MSVCRT ref: 02679033
      • Part of subcall function 02678F6F: memcpy.MSVCRT ref: 02679060
      • Part of subcall function 02678F6F: PathRemoveBackslashW.SHLWAPI ref: 0267906A
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 02679C4B
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 02679BFE
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • GetProcAddress.KERNEL32(?), ref: 0267C9E1
    • GetProcAddress.KERNEL32(?,?), ref: 0267CA03
    • GetProcAddress.KERNEL32(?,?), ref: 0267CA1E
    • GetProcAddress.KERNEL32(?,?), ref: 0267CA39
    • GetProcAddress.KERNEL32(?,?), ref: 0267CA54
    • GetProcAddress.KERNEL32(?), ref: 0267CA6F
    • GetProcAddress.KERNEL32(?), ref: 0267CA8E
    • GetProcAddress.KERNEL32(?), ref: 0267CAAD
    • GetProcAddress.KERNEL32(?), ref: 0267CACC
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • GetCommandLineW.KERNEL32 ref: 026A2ADA
    • CommandLineToArgvW.SHELL32 ref: 026A2AE1
    • StrCmpNW.SHLWAPI(?,0266CA4C,00000002), ref: 026A2B07
    • LocalFree.KERNEL32 ref: 026A2B33
      • Part of subcall function 026824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0269D211,?,?,00000000,?,?,00000001), ref: 026824D2
    • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,00001000), ref: 026A2B70
    • memcpy.MSVCRT ref: 026A2B83
      • Part of subcall function 0268E043: memcpy.MSVCRT ref: 0268E070
    • UnmapViewOfFile.KERNEL32 ref: 026A2BBC
    • CloseHandle.KERNEL32 ref: 026A2BF8
      • Part of subcall function 026A2F3B: memset.MSVCRT ref: 026A2F5F
      • Part of subcall function 026A2F3B: memcpy.MSVCRT ref: 026A2FBF
      • Part of subcall function 026A2F3B: memcpy.MSVCRT ref: 026A2FD7
      • Part of subcall function 026A2F3B: memcpy.MSVCRT ref: 026A304D
    • memcpy.MSVCRT ref: 026A2BDF
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 0269CEB9
      • Part of subcall function 026824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0269D211,?,?,00000000,?,?,00000001), ref: 026824D2
    • CloseHandle.KERNEL32 ref: 0269CEDE
    • SetLastError.KERNEL32(00000008,?,?,?,?,026879D8,?,?,?,?), ref: 0269CEE6
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 0269CF03
    • InternetReadFile.WININET(?,?,00001000), ref: 0269CF21
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0269CF56
    • FlushFileBuffers.KERNEL32 ref: 0269CF6F
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    • CloseHandle.KERNEL32 ref: 0269CF82
    • SetLastError.KERNEL32(00000000,?,?,00001000,?,?,?,?,026879D8,?,?,?,?), ref: 0269CF9D
      • Part of subcall function 02695E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 02695E26
      • Part of subcall function 02695E1D: DeleteFileW.KERNEL32 ref: 02695E2D
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,02677E45,?,?,?,00000000), ref: 0268AEAE
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 0268AEE7
    • CloseHandle.KERNEL32 ref: 0268AEFA
      • Part of subcall function 026824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0269D211,?,?,00000000,?,?,00000001), ref: 026824D2
    • memcpy.MSVCRT ref: 0268AF1D
    • memset.MSVCRT ref: 0268AF37
    • memcpy.MSVCRT ref: 0268AF7D
    • memset.MSVCRT ref: 0268AF9B
      • Part of subcall function 02678CBF: EnterCriticalSection.KERNEL32(?,?,?,02682B51,00000005,00007530,?,00000000,00000000), ref: 02678CC7
      • Part of subcall function 02678CBF: WaitForSingleObject.KERNEL32(?,00000000), ref: 02678CEB
      • Part of subcall function 02678CBF: CloseHandle.KERNEL32 ref: 02678CFB
      • Part of subcall function 02678CBF: LeaveCriticalSection.KERNEL32(?,?,?,?,02682B51,00000005,00007530,?,00000000,00000000), ref: 02678D2B
      • Part of subcall function 02678D34: EnterCriticalSection.KERNEL32(027F1F34,027F1F28,?,?,0268A99B,00000000,0268A6E2,00000000,?,00000000,?,?,?,0269B2E2,?,00000001), ref: 02678D3D
      • Part of subcall function 02678D34: CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 02678D76
      • Part of subcall function 02678D34: DuplicateHandle.KERNEL32(000000FF,?,000000FF,0268A99B,00000000,00000000,00000002), ref: 02678D95
      • Part of subcall function 02678D34: GetLastError.KERNEL32(?,000000FF,0268A99B,00000000,00000000,00000002,?,?,0268A99B,00000000,0268A6E2,00000000,?,00000000), ref: 02678D9F
      • Part of subcall function 02678D34: TerminateThread.KERNEL32 ref: 02678DA7
      • Part of subcall function 02678D34: CloseHandle.KERNEL32 ref: 02678DAE
      • Part of subcall function 02678D34: LeaveCriticalSection.KERNEL32(027F1F34,?,0268A99B,00000000,0268A6E2,00000000,?,00000000,?,?,?,0269B2E2,?,00000001), ref: 02678DC3
      • Part of subcall function 02678D34: ResumeThread.KERNEL32 ref: 02678DDC
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,02677E45,?,?,?,00000000), ref: 0268AFEF
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(026A5AA4,?,026A4DF4,00000000,00000006,0269BD7A,026A4DF4,-00000258,?,00000000), ref: 02678E6A
    • LeaveCriticalSection.KERNEL32(026A5AA4,?,00000000), ref: 02678E9D
      • Part of subcall function 02681E94: GetModuleHandleW.KERNEL32(shell32.dll), ref: 02681EA2
      • Part of subcall function 02681E94: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 02681EAE
      • Part of subcall function 02681E94: SetLastError.KERNEL32(00000001,02678F04,026A47C0,?,026A4DF4,00000000,00000006,0269BD7A,026A4DF4,-00000258,?,00000000), ref: 02681EC6
    • CoTaskMemFree.OLE32(?), ref: 02678F36
    • PathRemoveBackslashW.SHLWAPI(00000006), ref: 02678F44
    • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,00000006), ref: 02678F5C
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • lstrlenA.KERNEL32(?,?), ref: 02682C1E
    • CreateMutexW.KERNEL32(026A49B4,00000001), ref: 02682C76
    • GetLastError.KERNEL32(?,?,?,?,?), ref: 02682C86
    • CloseHandle.KERNEL32 ref: 02682C94
      • Part of subcall function 026824DA: HeapAlloc.KERNEL32(00000008,?,?,0267B076,?,?,?,00000000,?,?,00000000,0269AA69,?,0269ADD5), ref: 026824EB
    • memcpy.MSVCRT ref: 02682CBE
    • memcpy.MSVCRT ref: 02682CD2
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
      • Part of subcall function 0267B2E5: CreateThread.KERNEL32(00000000,00000000,02679DBA,?), ref: 0267B2F6
      • Part of subcall function 0267B2E5: CloseHandle.KERNEL32 ref: 0267B301
      • Part of subcall function 0267766D: ReleaseMutex.KERNEL32 ref: 02677671
      • Part of subcall function 0267766D: CloseHandle.KERNEL32 ref: 02677678
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 026824DA: HeapAlloc.KERNEL32(00000008,?,?,0267B076,?,?,?,00000000,?,?,00000000,0269AA69,?,0269ADD5), ref: 026824EB
    • EnterCriticalSection.KERNEL32(?,?,00000000,?,?,0000002C), ref: 02686531
      • Part of subcall function 02686865: EnterCriticalSection.KERNEL32(?,?,00000000,?,02686B6E,00000064,00000000,000000C8,00000000,?,00000001,?,0000002C), ref: 0268686E
      • Part of subcall function 02686865: LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,02686B6E,00000064,00000000,000000C8,00000000,?,00000001,?,0000002C), ref: 026868A5
      • Part of subcall function 0268B7FF: EnterCriticalSection.KERNEL32(026A47FC,?,?,026959A9,00000000), ref: 0268B80C
      • Part of subcall function 0268B7FF: LeaveCriticalSection.KERNEL32(026A47FC,?,?,026959A9,00000000), ref: 0268B81A
    • LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,?,?,0000002C), ref: 02686572
    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 02686581
    • SetEvent.KERNEL32 ref: 02686591
    • GetExitCodeThread.KERNEL32 ref: 026865A5
    • CloseHandle.KERNEL32 ref: 026865BB
      • Part of subcall function 02678D34: EnterCriticalSection.KERNEL32(027F1F34,027F1F28,?,?,0268A99B,00000000,0268A6E2,00000000,?,00000000,?,?,?,0269B2E2,?,00000001), ref: 02678D3D
      • Part of subcall function 02678D34: CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 02678D76
      • Part of subcall function 02678D34: DuplicateHandle.KERNEL32(000000FF,?,000000FF,0268A99B,00000000,00000000,00000002), ref: 02678D95
      • Part of subcall function 02678D34: GetLastError.KERNEL32(?,000000FF,0268A99B,00000000,00000000,00000002,?,?,0268A99B,00000000,0268A6E2,00000000,?,00000000), ref: 02678D9F
      • Part of subcall function 02678D34: TerminateThread.KERNEL32 ref: 02678DA7
      • Part of subcall function 02678D34: CloseHandle.KERNEL32 ref: 02678DAE
      • Part of subcall function 02678D34: LeaveCriticalSection.KERNEL32(027F1F34,?,0268A99B,00000000,0268A6E2,00000000,?,00000000,?,?,?,0269B2E2,?,00000001), ref: 02678DC3
      • Part of subcall function 02678D34: ResumeThread.KERNEL32 ref: 02678DDC
      • Part of subcall function 02686BD0: memcmp.MSVCRT ref: 02686BE9
      • Part of subcall function 02686BD0: memcmp.MSVCRT ref: 02686C45
      • Part of subcall function 02686BD0: memcmp.MSVCRT ref: 02686CAB
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
      • Part of subcall function 0269B0EA: memcpy.MSVCRT ref: 0269B110
      • Part of subcall function 0269B0EA: memset.MSVCRT ref: 0269B1B3
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 0268204E: memcpy.MSVCRT ref: 0268205C
      • Part of subcall function 026825A7: memcpy.MSVCRT ref: 026825C6
      • Part of subcall function 0269570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0269ABEA,0269ABEA), ref: 0269573C
    • PathRemoveFileSpecW.SHLWAPI(00000000), ref: 02696103
    • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000001,00000080,00000000), ref: 0269617B
    • GetLastError.KERNEL32(?,C0000000,00000000,00000000,00000001,00000080,00000000,?,?,?,?,00000000,3D94878D), ref: 02696188
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 026961B2
    • FlushFileBuffers.KERNEL32 ref: 026961CC
    • CloseHandle.KERNEL32 ref: 026961D3
      • Part of subcall function 02695E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 02695E26
      • Part of subcall function 02695E1D: DeleteFileW.KERNEL32 ref: 02695E2D
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
      • Part of subcall function 02678F6F: memcpy.MSVCRT ref: 02678FE0
      • Part of subcall function 02678F6F: PathRemoveBackslashW.SHLWAPI ref: 02678FEA
      • Part of subcall function 02678F6F: memcpy.MSVCRT ref: 02679033
      • Part of subcall function 02678F6F: memcpy.MSVCRT ref: 02679060
      • Part of subcall function 02678F6F: PathRemoveBackslashW.SHLWAPI ref: 0267906A
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 026960D6
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • LoadLibraryW.KERNEL32 ref: 026795A7
    • GetProcAddress.KERNEL32 ref: 026795D5
    • GetProcAddress.KERNEL32 ref: 026795EF
    • GetProcAddress.KERNEL32 ref: 0267960B
    • FreeLibrary.KERNEL32(00000003), ref: 026796B9
      • Part of subcall function 0267AF99: GetCurrentThread.KERNEL32 ref: 0267AFAD
      • Part of subcall function 0267AF99: OpenThreadToken.ADVAPI32 ref: 0267AFB4
      • Part of subcall function 0267AF99: GetCurrentProcess.KERNEL32 ref: 0267AFC4
      • Part of subcall function 0267AF99: OpenProcessToken.ADVAPI32 ref: 0267AFCB
      • Part of subcall function 0267AF99: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege), ref: 0267AFEC
      • Part of subcall function 0267AF99: AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 0267B001
      • Part of subcall function 0267AF99: GetLastError.KERNEL32 ref: 0267B00B
      • Part of subcall function 0267AF99: CloseHandle.KERNEL32(00000001), ref: 0267B01C
    • WTSGetActiveConsoleSessionId.KERNEL32 ref: 02679638
      • Part of subcall function 0267950C: EqualSid.ADVAPI32(?,5B867A00), ref: 0267952F
      • Part of subcall function 0267950C: CloseHandle.KERNEL32(00000001), ref: 02679576
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • memset.MSVCRT ref: 026859C8
    • GlobalMemoryStatusEx.KERNEL32 ref: 026859DF
    • GetNativeSystemInfo.KERNEL32 ref: 02685A10
      • Part of subcall function 02690775: RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0269079C
    • GetSystemMetrics.USER32(0000004F), ref: 02685A9D
      • Part of subcall function 02690A1D: RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 02690A3A
      • Part of subcall function 02690755: RegFlushKey.ADVAPI32 ref: 02690765
      • Part of subcall function 02690755: RegCloseKey.ADVAPI32 ref: 0269076D
    • GetSystemMetrics.USER32(00000050), ref: 02685A90
    • GetSystemMetrics.USER32(0000004E), ref: 02685A97
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • memcpy.MSVCRT ref: 02695D6C
    • memcpy.MSVCRT ref: 02695D81
    • memcpy.MSVCRT ref: 02695D96
    • memcpy.MSVCRT ref: 02695DA5
      • Part of subcall function 026958ED: EnterCriticalSection.KERNEL32(026A5AA4,?,02695BB2,?,02695C0A,?,?,?,?,C:\Documents and Settings\Administrator\Local Settings\Application Data,00000000,00000000,00000000,?,00000000), ref: 026958FD
      • Part of subcall function 026958ED: LeaveCriticalSection.KERNEL32(026A5AA4,?,C:\Documents and Settings\Administrator\Local Settings\Application Data,00000000,00000000,00000000,?,00000000,?,00000002,?,C:\Documents and Settings\Administrator\Local Settings\Application Data,C:\Documents and Settings\Administrator\Local Settings\Application Data,?,0269A856), ref: 0269592C
      • Part of subcall function 02681E94: GetModuleHandleW.KERNEL32(shell32.dll), ref: 02681EA2
      • Part of subcall function 02681E94: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 02681EAE
      • Part of subcall function 02681E94: SetLastError.KERNEL32(00000001,02678F04,026A47C0,?,026A4DF4,00000000,00000006,0269BD7A,026A4DF4,-00000258,?,00000000), ref: 02681EC6
    • SetFileTime.KERNEL32(?,?,?,?), ref: 02695E0A
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • GetFileAttributesW.KERNEL32 ref: 026A2485
    • FlushFileBuffers.KERNEL32 ref: 026A256B
      • Part of subcall function 0267913F: FindFirstFileW.KERNEL32(?), ref: 02679170
      • Part of subcall function 0267913F: FindNextFileW.KERNEL32(?,?), ref: 026791C2
      • Part of subcall function 0267913F: FindClose.KERNEL32 ref: 026791CD
      • Part of subcall function 0267913F: SetFileAttributesW.KERNEL32(?,00000080), ref: 026791D9
      • Part of subcall function 0267913F: RemoveDirectoryW.KERNEL32 ref: 026791E0
      • Part of subcall function 02695E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 02695E26
      • Part of subcall function 02695E1D: DeleteFileW.KERNEL32 ref: 02695E2D
    • PathRemoveFileSpecW.SHLWAPI(?), ref: 026A24BA
      • Part of subcall function 02695947: GetTempPathW.KERNEL32(00000104,?), ref: 02695962
      • Part of subcall function 02695947: PathAddBackslashW.SHLWAPI(?), ref: 0269598C
      • Part of subcall function 02695947: CreateDirectoryW.KERNEL32(?), ref: 02695A44
      • Part of subcall function 02695947: SetFileAttributesW.KERNEL32(?), ref: 02695A55
      • Part of subcall function 02695947: CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 02695A6E
      • Part of subcall function 02695947: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000080,?,?,00000000), ref: 02695A7F
    • MoveFileExW.KERNEL32(?,?,00000001), ref: 026A2501
    • CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 026A251A
      • Part of subcall function 02695B5F: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02695B87
      • Part of subcall function 02695934: CloseHandle.KERNEL32 ref: 02695940
    • Sleep.KERNEL32(00001388), ref: 026A255D
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 02695BEB
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(026A5AA4,?,?,?,02690C47,?,?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02690AB3
    • LeaveCriticalSection.KERNEL32(026A5AA4,?,?,?,02690C47,?,?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02690ADB
    • GetModuleHandleW.KERNEL32(advapi32.dll), ref: 02690AF7
    • GetProcAddress.KERNEL32 ref: 02690AFE
    • RegDeleteKeyW.ADVAPI32(?), ref: 02690B20
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • GetTickCount.KERNEL32 ref: 02689ECE
    • EnterCriticalSection.KERNEL32 ref: 02689EE3
    • WaitForSingleObject.KERNEL32(?,000927C0), ref: 02689F28
    • GetTickCount.KERNEL32 ref: 02689F3B
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
      • Part of subcall function 02696875: GetSystemTime.KERNEL32 ref: 0269687F
      • Part of subcall function 026894FB: WaitForSingleObject.KERNEL32(?,00000000), ref: 02689503
    • GetTickCount.KERNEL32 ref: 0268A135
      • Part of subcall function 02681B5D: memcmp.MSVCRT ref: 02681B69
      • Part of subcall function 026893A8: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0268A111), ref: 026893BE
      • Part of subcall function 026893A8: memcpy.MSVCRT ref: 02689419
      • Part of subcall function 026893A8: LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0268A111,?,00000002), ref: 02689429
      • Part of subcall function 026893A8: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 0268945D
      • Part of subcall function 026893A8: LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0268A111), ref: 026894E9
      • Part of subcall function 02689A6F: memset.MSVCRT ref: 02689B47
      • Part of subcall function 02689A6F: memcpy.MSVCRT ref: 02689BA2
      • Part of subcall function 02689A6F: memcmp.MSVCRT ref: 02689C1B
      • Part of subcall function 02689A6F: memcpy.MSVCRT ref: 02689C6F
      • Part of subcall function 02689A6F: EnterCriticalSection.KERNEL32(?,?,00000FA0,?,-00001388), ref: 02689D42
      • Part of subcall function 02689A6F: LeaveCriticalSection.KERNEL32(?,?,?,00000FA0,?,-00001388), ref: 02689D60
    • GetTickCount.KERNEL32 ref: 0268A16E
    • LeaveCriticalSection.KERNEL32(?,?,00000002), ref: 0268A191
      • Part of subcall function 0268B7FF: EnterCriticalSection.KERNEL32(026A47FC,?,?,026959A9,00000000), ref: 0268B80C
      • Part of subcall function 0268B7FF: LeaveCriticalSection.KERNEL32(026A47FC,?,?,026959A9,00000000), ref: 0268B81A
    • WaitForSingleObject.KERNEL32(?,-001B7740), ref: 0268A1B6
    • LeaveCriticalSection.KERNEL32 ref: 0268A1CC
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 0268CAF1: WaitForSingleObject.KERNEL32(?,00000000), ref: 0268CB1D
      • Part of subcall function 0268CAF1: GetSystemTime.KERNEL32(?), ref: 0268CB54
      • Part of subcall function 0268CAF1: Sleep.KERNEL32(000005DC), ref: 0268CB6D
      • Part of subcall function 0268CAF1: WaitForSingleObject.KERNEL32(?,000005DC), ref: 0268CB76
      • Part of subcall function 0268CAF1: lstrcpyA.KERNEL32 ref: 0268CBD4
      • Part of subcall function 0268163A: memcmp.MSVCRT ref: 02681698
      • Part of subcall function 0268163A: memcpy.MSVCRT ref: 026816D6
      • Part of subcall function 0269AFE8: memcpy.MSVCRT ref: 0269AFF8
      • Part of subcall function 02681781: memset.MSVCRT ref: 02681794
      • Part of subcall function 02681781: memcpy.MSVCRT ref: 026817AF
      • Part of subcall function 02681781: memcpy.MSVCRT ref: 026817D7
      • Part of subcall function 02681781: memcpy.MSVCRT ref: 026817FB
    • memset.MSVCRT ref: 02689B47
      • Part of subcall function 026893A8: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0268A111), ref: 026893BE
      • Part of subcall function 026893A8: memcpy.MSVCRT ref: 02689419
      • Part of subcall function 026893A8: LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0268A111,?,00000002), ref: 02689429
      • Part of subcall function 026893A8: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 0268945D
      • Part of subcall function 026893A8: LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0268A111), ref: 026894E9
      • Part of subcall function 02681B16: EnterCriticalSection.KERNEL32(026A5AA4,?,02688DDC,?,?,?,?,0269B233,?,00000001), ref: 02681B26
      • Part of subcall function 02681B16: LeaveCriticalSection.KERNEL32(026A5AA4,?,02688DDC,?,?,?,?,0269B233,?,00000001), ref: 02681B50
    • memcpy.MSVCRT ref: 02689BA2
      • Part of subcall function 026894FB: WaitForSingleObject.KERNEL32(?,00000000), ref: 02689503
    • memcmp.MSVCRT ref: 02689C1B
      • Part of subcall function 02682543: HeapAlloc.KERNEL32(00000008,?,?,00000000,0268D89F,?,?,?,00000000,00000000,00000000,0268D869,?,0267B3C7,?,@echo off%sdel /F "%s"), ref: 0268256D
      • Part of subcall function 02682543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0268D89F,?,?,?,00000000,00000000,00000000,0268D869,?,0267B3C7), ref: 02682580
    • memcpy.MSVCRT ref: 02689C6F
      • Part of subcall function 02681A4F: memcmp.MSVCRT ref: 02681A6B
      • Part of subcall function 02681B5D: memcmp.MSVCRT ref: 02681B69
      • Part of subcall function 0268B7FF: EnterCriticalSection.KERNEL32(026A47FC,?,?,026959A9,00000000), ref: 0268B80C
      • Part of subcall function 0268B7FF: LeaveCriticalSection.KERNEL32(026A47FC,?,?,026959A9,00000000), ref: 0268B81A
      • Part of subcall function 02677E58: memcpy.MSVCRT ref: 02677E70
    • EnterCriticalSection.KERNEL32(?,?,00000FA0,?,-00001388), ref: 02689D42
    • LeaveCriticalSection.KERNEL32(?,?,?,00000FA0,?,-00001388), ref: 02689D60
      • Part of subcall function 02681821: memcpy.MSVCRT ref: 02681848
      • Part of subcall function 02681728: memcpy.MSVCRT ref: 02681771
      • Part of subcall function 026819AE: memcmp.MSVCRT ref: 02681A24
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
      • Part of subcall function 02674C10: _errno.MSVCRT ref: 02674C2B
      • Part of subcall function 02674C10: _errno.MSVCRT ref: 02674C5D
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(026A5AA4,?,?,?,?,?,?,?,?,?,?), ref: 026A1CE8
    • LeaveCriticalSection.KERNEL32(026A5AA4,?,?,?,?,?,?,?,?,?), ref: 026A1D12
      • Part of subcall function 0269FEDF: memset.MSVCRT ref: 0269FEF5
      • Part of subcall function 0269FEDF: InitializeCriticalSection.KERNEL32(026A5050), ref: 0269FF05
      • Part of subcall function 0269FEDF: memset.MSVCRT ref: 0269FF34
      • Part of subcall function 0269FEDF: InitializeCriticalSection.KERNEL32(026A5030), ref: 0269FF3E
      • Part of subcall function 026824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0269D211,?,?,00000000,?,?,00000001), ref: 026824D2
      • Part of subcall function 02679FB3: memcpy.MSVCRT ref: 02679FE9
    • memcmp.MSVCRT ref: 026A1E03
    • memcmp.MSVCRT ref: 026A1E34
      • Part of subcall function 02679F5F: memcpy.MSVCRT ref: 02679F99
    • EnterCriticalSection.KERNEL32(026A5050), ref: 026A1EA7
      • Part of subcall function 0269FFD8: GetTickCount.KERNEL32 ref: 0269FFDF
      • Part of subcall function 026A03D0: EnterCriticalSection.KERNEL32(026A5030,026A506C,?,?,026A5050), ref: 026A03E3
      • Part of subcall function 026A03D0: LeaveCriticalSection.KERNEL32(026A5030,?,?,026A5050), ref: 026A0559
      • Part of subcall function 026A061B: EnterCriticalSection.KERNEL32(027F27B8,?,?,?,?,026A5050), ref: 026A06F5
      • Part of subcall function 026A061B: LeaveCriticalSection.KERNEL32(027F27B8,000000FF,00000000,?,?,?,?,026A5050), ref: 026A071D
    • LeaveCriticalSection.KERNEL32(026A5050,026A506C,026A506C,026A506C), ref: 026A1EF7
      • Part of subcall function 0269DD3E: lstrlenA.KERNEL32(?,?,?,?,?,?,026A506C,?,?,026A5050), ref: 0269DD52
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • OpenProcessToken.ADVAPI32(000000FF,00000008), ref: 0267B03B
    • GetTokenInformation.ADVAPI32(?,00000019,00000000,00000000), ref: 0267B054
    • GetLastError.KERNEL32(?,?,00000000,?,?,00000000,0269AA69,?,0269ADD5,?,?,?,00000001), ref: 0267B05E
      • Part of subcall function 026824DA: HeapAlloc.KERNEL32(00000008,?,?,0267B076,?,?,?,00000000,?,?,00000000,0269AA69,?,0269ADD5), ref: 026824EB
    • GetTokenInformation.ADVAPI32(?,00000019,?,?), ref: 0267B089
    • GetSidSubAuthorityCount.ADVAPI32(?,?,?,?,?,?,?,00000000,?,?,00000000,0269AA69,?,0269ADD5), ref: 0267B095
    • GetSidSubAuthority.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,0269AA69,?,0269ADD5), ref: 0267B0AC
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    • CloseHandle.KERNEL32(?), ref: 0267B0D8
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 026824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0269D211,?,?,00000000,?,?,00000001), ref: 026824D2
    • WSASetLastError.WS2_32(00000008,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00000001), ref: 0267C3C0
    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,?), ref: 0267C40C
      • Part of subcall function 0267BEC0: WSAGetLastError.WS2_32 ref: 0267BEF6
      • Part of subcall function 0267BEC0: WSASetLastError.WS2_32(?,?,?,?), ref: 0267BF3E
    • WSAGetLastError.WS2_32(?,00000800,?,00000000,?), ref: 0267C4EC
    • shutdown.WS2_32(?,00000001), ref: 0267C517
    • WaitForMultipleObjects.KERNEL32(?,?,00000000,?), ref: 0267C540
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    • WSASetLastError.WS2_32(0000274C,?,?,?,?,?,?,?,?,00000000,?,?,?,00000001,?,00002710), ref: 0267C594
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(027F27B8,?,3D920600,?), ref: 0269C5BC
    • LeaveCriticalSection.KERNEL32(027F27B8,?,3D920600,?), ref: 0269C66C
      • Part of subcall function 02677FA8: LoadLibraryA.KERNEL32(gdiplus.dll), ref: 02677FBA
      • Part of subcall function 02677FA8: GetProcAddress.KERNEL32(?,GdiplusStartup), ref: 02677FD2
      • Part of subcall function 02677FA8: CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 02678011
      • Part of subcall function 02677FA8: CreateCompatibleDC.GDI32 ref: 02678022
      • Part of subcall function 02677FA8: LoadCursorW.USER32(00000000,00007F00), ref: 02678038
      • Part of subcall function 02677FA8: GetIconInfo.USER32 ref: 0267804C
      • Part of subcall function 02677FA8: GetCursorPos.USER32(?), ref: 0267805B
      • Part of subcall function 02677FA8: GetDeviceCaps.GDI32(?,00000008), ref: 02678072
      • Part of subcall function 02677FA8: GetDeviceCaps.GDI32(?,0000000A), ref: 0267807B
      • Part of subcall function 02677FA8: CreateCompatibleBitmap.GDI32(?,?), ref: 02678087
      • Part of subcall function 02677FA8: SelectObject.GDI32 ref: 02678095
      • Part of subcall function 02677FA8: BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,40CC0020), ref: 026780B6
      • Part of subcall function 02677FA8: DrawIcon.USER32(?,?,?,?), ref: 026780E8
      • Part of subcall function 02677FA8: SelectObject.GDI32(?,?), ref: 02678104
      • Part of subcall function 02677FA8: DeleteObject.GDI32 ref: 0267810B
      • Part of subcall function 02677FA8: DeleteDC.GDI32 ref: 02678112
      • Part of subcall function 02677FA8: DeleteDC.GDI32 ref: 02678119
      • Part of subcall function 02677FA8: FreeLibrary.KERNEL32(?), ref: 02678129
      • Part of subcall function 02677FA8: GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 0267813F
      • Part of subcall function 02677FA8: FreeLibrary.KERNEL32(?), ref: 02678153
    • GetTickCount.KERNEL32 ref: 0269C616
    • GetCurrentProcessId.KERNEL32 ref: 0269C61D
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    • GetKeyboardState.USER32 ref: 0269C688
    • ToUnicode.USER32(?,?,?,?,00000009,00000000), ref: 0269C6AB
      • Part of subcall function 0269C410: EnterCriticalSection.KERNEL32(027F27B8,027F27B8,?,?,?,0269C6E4,?,?,?,?,?,00000009,00000000,?,?,3D920600), ref: 0269C42A
      • Part of subcall function 0269C410: memcpy.MSVCRT ref: 0269C49B
      • Part of subcall function 0269C410: memcpy.MSVCRT ref: 0269C4BF
      • Part of subcall function 0269C410: memcpy.MSVCRT ref: 0269C4D6
      • Part of subcall function 0269C410: memcpy.MSVCRT ref: 0269C4F6
      • Part of subcall function 0269C410: LeaveCriticalSection.KERNEL32(027F27B8,?,3D920600,?), ref: 0269C511
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • ConvertSidToStringSidW.ADVAPI32(?,?), ref: 0269B32F
    • PathUnquoteSpacesW.SHLWAPI ref: 0269B394
    • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 0269B3A3
    • LocalFree.KERNEL32(00000001), ref: 0269B3B7
    Strings
    • SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s, xrefs: 0269B34C
    • ProfileImagePath, xrefs: 0269B378
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • GetTempPathW.KERNEL32(00000104), ref: 0269AAB7
    • GetLongPathNameW.KERNEL32(?,C:\Documents and Settings\Administrator\Local Settings\Temp,00000104,?,?), ref: 0269AACF
    • PathRemoveBackslashW.SHLWAPI(C:\Documents and Settings\Administrator\Local Settings\Temp), ref: 0269AADA
      • Part of subcall function 02678E53: EnterCriticalSection.KERNEL32(026A5AA4,?,026A4DF4,00000000,00000006,0269BD7A,026A4DF4,-00000258,?,00000000), ref: 02678E6A
      • Part of subcall function 02678E53: LeaveCriticalSection.KERNEL32(026A5AA4,?,00000000), ref: 02678E9D
      • Part of subcall function 02678E53: CoTaskMemFree.OLE32(?), ref: 02678F36
      • Part of subcall function 02678E53: PathRemoveBackslashW.SHLWAPI(00000006), ref: 02678F44
      • Part of subcall function 02678E53: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,00000006), ref: 02678F5C
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?), ref: 0269AB00
      • Part of subcall function 02679F5F: memcpy.MSVCRT ref: 02679F99
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 0269AAE0
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 0269AAC2, 0269AACD, 0269AAD9
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,?,00000000), ref: 026852E3
    • GetCommandLineW.KERNEL32 ref: 02685304
      • Part of subcall function 026911D5: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000000,00000000), ref: 026911FF
      • Part of subcall function 026911D5: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,?,00000000,00000000), ref: 02691234
    • GetUserNameExW.SECUR32(00000002,?,?,?,?,?,00000104), ref: 0268533C
    • GetProcessTimes.KERNEL32(000000FF), ref: 02685372
    • GetUserDefaultUILanguage.KERNEL32 ref: 026853E4
    • memcpy.MSVCRT ref: 02685418
    • memcpy.MSVCRT ref: 0268542D
    • memcpy.MSVCRT ref: 02685443
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
      • Part of subcall function 026824DA: HeapAlloc.KERNEL32(00000008,?,?,0267B076,?,?,?,00000000,?,?,00000000,0269AA69,?,0269ADD5), ref: 026824EB
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • GetTempPathW.KERNEL32(00000104,?), ref: 02695962
    • PathAddBackslashW.SHLWAPI(?), ref: 0269598C
      • Part of subcall function 0268B7FF: EnterCriticalSection.KERNEL32(026A47FC,?,?,026959A9,00000000), ref: 0268B80C
      • Part of subcall function 0268B7FF: LeaveCriticalSection.KERNEL32(026A47FC,?,?,026959A9,00000000), ref: 0268B81A
    • CreateDirectoryW.KERNEL32(?), ref: 02695A44
    • SetFileAttributesW.KERNEL32(?), ref: 02695A55
    • CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 02695A6E
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000080,?,?,00000000), ref: 02695A7F
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • CreateFileW.KERNEL32(027F1EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0268844B
    • GetFileSizeEx.KERNEL32 ref: 0268845E
    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 02688484
    • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0268849C
    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 026884BA
    • CloseHandle.KERNEL32 ref: 026884C3
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
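The listings print call arguments as raw hex, so the reader has to know that C0000000 on CreateFileW is GENERIC_READ|GENERIC_WRITE, that 00003000/00000004 on VirtualAlloc is MEM_COMMIT|MEM_RESERVE with PAGE_READWRITE, that 00000019 on GetTokenInformation is TokenIntegrityLevel, and that 40CC0020 on BitBlt is SRCCOPY|CAPTUREBLT. The decoder below is an added example, not part of the sandbox report or of the analysed sample; its flag names are the Windows SDK header values, and it assumes the tool prints arguments in prototype order (which the listings above are consistent with). The sample lines it runs over are copied from the report; '?' slots and the signed values printed for unresolved stack entries are left undecoded.

```python
import re

# Added example, not part of the sandbox report: translate the raw hex
# arguments the listing prints for selected Win32 calls into SDK flag names.
# Argument positions follow the documented prototypes; '?' and the signed
# values the tool prints for unresolved stack slots are left alone.

CALL_RE = re.compile(r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?")
HEX32 = re.compile(r"[0-9A-Fa-f]{8}")

GENERIC = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
           (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL")]
SHARE = [(0x1, "FILE_SHARE_READ"), (0x2, "FILE_SHARE_WRITE"), (0x4, "FILE_SHARE_DELETE")]
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
ATTRS = [(0x80, "FILE_ATTRIBUTE_NORMAL"), (0x2, "FILE_ATTRIBUTE_HIDDEN"),
         (0x4, "FILE_ATTRIBUTE_SYSTEM"), (0x1, "FILE_ATTRIBUTE_READONLY")]
MEM = [(0x1000, "MEM_COMMIT"), (0x2000, "MEM_RESERVE"),
       (0x4000, "MEM_DECOMMIT"), (0x8000, "MEM_RELEASE")]
PROT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
        0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
ROP = [(0x40000000, "CAPTUREBLT"), (0x00CC0020, "SRCCOPY")]
TOKEN_ACCESS = [(0x8, "TOKEN_QUERY"), (0x20, "TOKEN_ADJUST_PRIVILEGES"), (0x2, "TOKEN_DUPLICATE")]
TOKEN_CLASS = {1: "TokenUser", 3: "TokenPrivileges", 12: "TokenSessionId",
               20: "TokenElevation", 25: "TokenIntegrityLevel"}
PFX = [(0x4, "EXPORT_PRIVATE_KEYS"), (0x2, "REPORT_NOT_ABLE_TO_EXPORT_PRIVATE_KEY"),
       (0x1, "REPORT_NO_PRIVATE_KEY")]
SM = {0x4E: "SM_CXVIRTUALSCREEN", 0x4F: "SM_CYVIRTUALSCREEN", 0x50: "SM_CMONITORS"}
MOVE = [(0x1, "MOVEFILE_REPLACE_EXISTING"), (0x2, "MOVEFILE_COPY_ALLOWED"),
        (0x4, "MOVEFILE_DELAY_UNTIL_REBOOT")]

# api -> {argument index: (label, decoder kind, table)}
DECODERS = {
    "CreateFileW": {1: ("access", "bits", GENERIC), 2: ("share", "bits", SHARE),
                    4: ("disposition", "map", DISPOSITION), 5: ("attrs", "bits", ATTRS)},
    "SetFileAttributesW": {1: ("attrs", "bits", ATTRS)},
    "MoveFileExW": {2: ("flags", "bits", MOVE)},
    "VirtualAlloc": {2: ("type", "bits", MEM), 3: ("protect", "map", PROT)},
    "VirtualProtect": {2: ("protect", "map", PROT)},
    "VirtualFree": {2: ("type", "bits", MEM)},
    "Sleep": {0: ("timeout", "ms", None)},
    "WaitForSingleObject": {1: ("timeout", "ms", None)},
    "OpenProcessToken": {1: ("access", "bits", TOKEN_ACCESS)},
    "GetTokenInformation": {1: ("class", "map", TOKEN_CLASS)},
    "BitBlt": {8: ("rop", "bits", ROP)},
    "PFXExportCertStoreEx": {4: ("flags", "bits", PFX)},
    "GetSystemMetrics": {0: ("index", "map", SM)},
}

def bits(value, table):
    """Split a bitmask into known flag names; any residue stays as hex."""
    names, rest = [], value
    for bit, name in table:
        if rest & bit == bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:X}")
    return "|".join(names) or "0"

def ms(value):
    return "INFINITE" if value == 0xFFFFFFFF else f"{value} ms ({value / 1000:g} s)"

def decode_call(line):
    """Return (api, {label: meaning}) for one listing line, or None if no call."""
    m = CALL_RE.search(line)
    if not m:
        return None
    args = [a.strip() for a in (m.group("args") or "").split(",")]
    out = {}
    for idx, (label, kind, table) in DECODERS.get(m.group("api"), {}).items():
        if idx >= len(args) or not HEX32.fullmatch(args[idx]):
            continue  # '?' or a signed stack value: nothing reliable to decode
        v = int(args[idx], 16)
        if kind == "bits":
            out[label] = bits(v, table)
        elif kind == "map":
            out[label] = table.get(v, f"unknown ({v})")
        else:
            out[label] = ms(v)
    return m.group("api"), out

def annotate(text):
    """Yield 'API: label=meaning, ...' for every decodable line of a listing."""
    for line in text.splitlines():
        d = decode_call(line)
        if d and d[1]:
            yield f"{d[0]}: " + ", ".join(f"{k}={v}" for k, v in d[1].items())

if __name__ == "__main__":
    # constructed sample: lines copied from the report above
    for note in annotate("""
    • CreateFileW.KERNEL32(027F1EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0268844B
    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 02688484
    • VirtualProtect.KERNEL32(?,?,00000002,-00000048), ref: 0268FEEF
    • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,40CC0020), ref: 026780B6
    • WaitForSingleObject.KERNEL32(?,000927C0), ref: 02689F28
    """):
        print(note)
```

Run over the whole "APIs" section this turns the file-read routine above into CreateFileW(GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING) followed by VirtualAlloc(MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE) and VirtualFree(MEM_RELEASE), and the later VirtualAlloc/memcpy/VirtualProtect sequence into a buffer that is first writable and then flipped to PAGE_READONLY for a copied header, which is the shape of a manual image mapper rather than a plain file read.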
    APIs
      • Part of subcall function 02678E53: EnterCriticalSection.KERNEL32(026A5AA4,?,026A4DF4,00000000,00000006,0269BD7A,026A4DF4,-00000258,?,00000000), ref: 02678E6A
      • Part of subcall function 02678E53: LeaveCriticalSection.KERNEL32(026A5AA4,?,00000000), ref: 02678E9D
      • Part of subcall function 02678E53: CoTaskMemFree.OLE32(?), ref: 02678F36
      • Part of subcall function 02678E53: PathRemoveBackslashW.SHLWAPI(00000006), ref: 02678F44
      • Part of subcall function 02678E53: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,00000006), ref: 02678F5C
    • PathRemoveBackslashW.SHLWAPI(-00000258), ref: 0269BD85
    • PathRemoveFileSpecW.SHLWAPI(-00000258), ref: 0269BD92
    • PathAddBackslashW.SHLWAPI(-00000258), ref: 0269BDA3
    • GetVolumeNameForVolumeMountPointW.KERNEL32(-00000258,-00000050,00000064), ref: 0269BDB6
    • CLSIDFromString.OLE32(-0000003C,026A4DF4,?,00000000), ref: 0269BDD2
    • memset.MSVCRT ref: 0269BDE4
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0268FEC2
    • memcpy.MSVCRT ref: 0268FEDC
    • VirtualProtect.KERNEL32(?,?,00000002,-00000048), ref: 0268FEEF
    • memset.MSVCRT ref: 0268FF46
    • memcpy.MSVCRT ref: 0268FF5A
    • VirtualProtect.KERNEL32(?,?,?,-00000048), ref: 02690049
      • Part of subcall function 02690370: VirtualFree.KERNEL32(?,00000000,00008000), ref: 0269037F
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • CertOpenSystemStoreW.CRYPT32(00000000), ref: 02683205
    • CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 02683223
    • CertEnumCertificatesInStore.CRYPT32(?,?,?,00000000), ref: 02683230
    • PFXExportCertStoreEx.CRYPT32(?,00000000,00000000,00000000,00000004,?,?,?,00000000), ref: 02683264
      • Part of subcall function 026824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0269D211,?,?,00000000,?,?,00000001), ref: 026824D2
    • PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000000,00000000,00000004,?,?,?,00000000), ref: 02683296
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
      • Part of subcall function 026832D5: GetUserNameExW.SECUR32(00000002), ref: 02683303
      • Part of subcall function 026832D5: GetSystemTime.KERNEL32 ref: 02683356
      • Part of subcall function 026832D5: CharLowerW.USER32(?), ref: 026833A6
      • Part of subcall function 026832D5: PathRenameExtensionW.SHLWAPI(?), ref: 026833D6
    • CertCloseStore.CRYPT32(?,00000000,?,00000000), ref: 026832C5
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
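Read one function at a time, the listings above are just API names; read as sets they describe capabilities: LookupPrivilegeValueW(SeTcbPrivilege) + AdjustTokenPrivileges + WTSGetActiveConsoleSessionId is a routine preparing to act in the console session, CreateDCW("DISPLAY") + CreateCompatibleBitmap + BitBlt + DrawIcon with GetCursorPos is a screenshot with the cursor painted in, GetKeyboardState + ToUnicode is keystroke translation, CertEnumCertificatesInStore + PFXExportCertStoreEx with flag 00000004 is PFX export including private keys, and GetTokenInformation(TokenIntegrityLevel) + GetSidSubAuthority reads the caller's integrity RID. The tagger below is an added example, not the sandbox's own signature logic and not code from the analysed sample; the rules are this example's heuristics, and SAMPLE is a constructed excerpt assembled from lines copied out of the report, one record per "Memory Dump Source" footer as the page lays them out.

```python
import re

# Added example, not part of the sandbox report: tag each disassembled function
# in an "APIs" listing like the one above with the capability its reachable
# calls imply. The rules are this example's own heuristics; SAMPLE is a
# constructed excerpt built from lines copied out of the report.

CALL_RE = re.compile(r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?")

SAMPLE = """
    • FreeLibrary.KERNEL32(00000003), ref: 026796B9
      • Part of subcall function 0267AF99: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege), ref: 0267AFEC
      • Part of subcall function 0267AF99: AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 0267B001
    • WTSGetActiveConsoleSessionId.KERNEL32 ref: 02679638
    Memory Dump Source
      • Part of subcall function 02677FA8: CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 02678011
      • Part of subcall function 02677FA8: GetIconInfo.USER32 ref: 0267804C
      • Part of subcall function 02677FA8: GetCursorPos.USER32(?), ref: 0267805B
      • Part of subcall function 02677FA8: CreateCompatibleBitmap.GDI32(?,?), ref: 02678087
      • Part of subcall function 02677FA8: BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,40CC0020), ref: 026780B6
      • Part of subcall function 02677FA8: DrawIcon.USER32(?,?,?,?), ref: 026780E8
    • GetKeyboardState.USER32 ref: 0269C688
    • ToUnicode.USER32(?,?,?,?,00000009,00000000), ref: 0269C6AB
    Memory Dump Source
    • CertOpenSystemStoreW.CRYPT32(00000000), ref: 02683205
    • CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 02683223
    • PFXExportCertStoreEx.CRYPT32(?,00000000,00000000,00000000,00000004,?,?,?,00000000), ref: 02683264
      • Part of subcall function 026824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0269D211,?,?,00000000,?,?,00000001), ref: 026824D2
    Memory Dump Source
    • OpenProcessToken.ADVAPI32(000000FF,00000008), ref: 0267B03B
    • GetTokenInformation.ADVAPI32(?,00000019,00000000,00000000), ref: 0267B054
    • GetSidSubAuthority.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,0269AA69,?,0269ADD5), ref: 0267B0AC
    Memory Dump Source
"""

def split_records(text):
    """Group bullet lines into per-function records; a record ends at its
    'Memory Dump Source' footer. The 'Source File' bullet is metadata, not a call."""
    records, current = [], []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Memory Dump Source"):
            if current:
                records.append(current)
            current = []
        elif s.startswith("•") and not s.startswith("• Source File"):
            current.append(s)
    if current:
        records.append(current)
    return records

def profile(record):
    """API name -> list of raw argument strings, direct calls and subcalls alike."""
    calls = {}
    for line in record:
        m = CALL_RE.search(line)
        if m:
            calls.setdefault(m.group("api"), []).append(m.group("args") or "")
    return calls

# (tag, APIs that must all be reachable, optional (api, substring) argument check)
RULES = [
    ("screen-capture", {"CreateDCW", "CreateCompatibleBitmap", "BitBlt"}, ("CreateDCW", "DISPLAY")),
    ("cursor-overlay", {"GetCursorPos", "GetIconInfo", "DrawIcon"}, None),
    ("keystroke-capture", {"GetKeyboardState", "ToUnicode"}, None),
    ("cert-pfx-export", {"CertEnumCertificatesInStore", "PFXExportCertStoreEx"},
     ("PFXExportCertStoreEx", "00000004")),          # EXPORT_PRIVATE_KEYS
    ("tcb-privilege", {"LookupPrivilegeValueW", "AdjustTokenPrivileges"},
     ("LookupPrivilegeValueW", "SeTcbPrivilege")),
    ("console-session-lookup", {"WTSGetActiveConsoleSessionId"}, None),
    ("integrity-level-query", {"GetTokenInformation", "GetSidSubAuthority"},
     ("GetTokenInformation", "00000019")),           # TokenIntegrityLevel
    ("manual-image-map", {"VirtualAlloc", "VirtualProtect", "memcpy"}, ("VirtualAlloc", "00003000")),
    ("self-delete-batch", set(), ("HeapAlloc", "del /F")),  # batch template seen on the stack
    ("listener-accept", {"accept", "WSAEventSelect"}, None),
    ("sid-to-profile-path", {"ConvertSidToStringSidW", "ExpandEnvironmentStringsW"}, None),
]

def tag(record):
    """Tags whose API set is reachable from the record and whose argument check passes."""
    calls = profile(record)
    tags = []
    for name, needed, check in RULES:
        if not needed <= set(calls):
            continue
        if check and not any(check[1] in a for a in calls.get(check[0], [])):
            continue
        tags.append(name)
    return tags

def summarize(text):
    """One tag list per function record, in listing order."""
    return [tag(r) for r in split_records(text)]

if __name__ == "__main__":
    for i, tags in enumerate(summarize(SAMPLE)):
        print(f"function {i}: {', '.join(tags) or 'no rule matched'}")
```

The argument checks matter as much as the API sets: PFXExportCertStoreEx without EXPORT_PRIVATE_KEYS only yields public certificates, and GetTokenInformation is called for many classes, so a rule keyed on the API name alone would fire on unrelated functions. The subcall lines are deliberately counted, because the capability usually lives one call down from the function the listing is for.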
    APIs
    • InitializeCriticalSection.KERNEL32(026A5AA4), ref: 0269D207
      • Part of subcall function 026824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0269D211,?,?,00000000,?,?,00000001), ref: 026824D2
    • InitializeCriticalSection.KERNEL32 ref: 0269D218
    • memset.MSVCRT ref: 0269D229
    • TlsAlloc.KERNEL32(?,?,00000000,?,?,00000001), ref: 0269D240
    • GetModuleHandleW.KERNEL32(00000000), ref: 0269D25C
    • GetModuleHandleW.KERNEL32 ref: 0269D272
      • Part of subcall function 0269CAF0: EnterCriticalSection.KERNEL32(026A5AA4,7C80E4DD,0269D280,?,?,?,00000000,?,?,00000001), ref: 0269CB00
      • Part of subcall function 0269CAF0: LeaveCriticalSection.KERNEL32(026A5AA4,?,?,?,00000000,?,?,00000001), ref: 0269CB28
      • Part of subcall function 0269D2B1: TlsFree.KERNEL32(00000026), ref: 0269D2BD
      • Part of subcall function 0269D2B1: DeleteCriticalSection.KERNEL32(027F1E90,00000000,0269D2A8,027F1E90,?,?,00000000,?,?,00000001), ref: 0269D2C4
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • accept.WS2_32(?,?), ref: 0267BD45
    • WSAEventSelect.WS2_32(?,00000000,00000000), ref: 0267BD57
      • Part of subcall function 026824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0269D211,?,?,00000000,?,?,00000001), ref: 026824D2
    • WSASetLastError.WS2_32(00000008,?,?,00000002,?,00000000,00000000,?,?), ref: 0267BDAE
      • Part of subcall function 0267B928: WSACreateEvent.WS2_32(00000000,?,0267BB6E,00000033,00000000,?,?,?,0268C4F0,?,00003A98,?,00000000,?,00000003), ref: 0267B93E
      • Part of subcall function 0267B928: WSAEventSelect.WS2_32(?,?,00000033), ref: 0267B954
      • Part of subcall function 0267B928: WSACloseEvent.WS2_32 ref: 0267B968
      • Part of subcall function 0267B864: getsockopt.WS2_32(?,0000FFFF,00002004), ref: 0267B89E
      • Part of subcall function 0267B864: memset.MSVCRT ref: 0267B8B2
    • WSAGetLastError.WS2_32(00000023,?,00000000,00000000,?,?), ref: 0267BD88
    • shutdown.WS2_32(?,00000002), ref: 0267BDA0
    • closesocket.WS2_32 ref: 0267BDA7
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 02676A4D: TlsSetValue.KERNEL32(00000001,0268A6E8), ref: 02676A5A
      • Part of subcall function 0269C09D: CreateMutexW.KERNEL32(026A49B4,00000000), ref: 0269C0BF
    • GetCurrentThread.KERNEL32 ref: 02682D49
    • SetThreadPriority.KERNEL32 ref: 02682D50
      • Part of subcall function 0269AFD3: WaitForSingleObject.KERNEL32(00000000,0268A702), ref: 0269AFDB
    • memset.MSVCRT ref: 02682D92
    • lstrlenA.KERNEL32(00000000), ref: 02682DA9
      • Part of subcall function 026826C5: memset.MSVCRT ref: 026826D5
      • Part of subcall function 0269621D: PathRemoveFileSpecW.SHLWAPI(00000000), ref: 02696283
      • Part of subcall function 0269621D: FindFirstFileW.KERNEL32 ref: 026962F1
      • Part of subcall function 0269621D: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0269634A
      • Part of subcall function 0269621D: SetLastError.KERNEL32(00000057,?,?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 026963BB
      • Part of subcall function 0269621D: CloseHandle.KERNEL32 ref: 026963F5
      • Part of subcall function 0269621D: FindNextFileW.KERNEL32 ref: 02696429
      • Part of subcall function 0269621D: FindClose.KERNEL32 ref: 02696453
    • memset.MSVCRT ref: 02682E6F
    • memcpy.MSVCRT ref: 02682E7F
      • Part of subcall function 02682BE5: lstrlenA.KERNEL32(?,?), ref: 02682C1E
      • Part of subcall function 02682BE5: CreateMutexW.KERNEL32(026A49B4,00000001), ref: 02682C76
      • Part of subcall function 02682BE5: GetLastError.KERNEL32(?,?,?,?,?), ref: 02682C86
      • Part of subcall function 02682BE5: CloseHandle.KERNEL32 ref: 02682C94
      • Part of subcall function 02682BE5: memcpy.MSVCRT ref: 02682CBE
      • Part of subcall function 02682BE5: memcpy.MSVCRT ref: 02682CD2
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    • WaitForSingleObject.KERNEL32(00007530), ref: 02682EA9
      • Part of subcall function 0267766D: ReleaseMutex.KERNEL32 ref: 02677671
      • Part of subcall function 0267766D: CloseHandle.KERNEL32 ref: 02677678
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • GetModuleHandleW.KERNEL32(shell32.dll), ref: 02681EA2
    • GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 02681EAE
    • SetLastError.KERNEL32(00000001,02678F04,026A47C0,?,026A4DF4,00000000,00000006,0269BD7A,026A4DF4,-00000258,?,00000000), ref: 02681EC6
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 02698037
    • WSASetLastError.WS2_32(00000008), ref: 02698046
    • memcpy.MSVCRT ref: 02698063
    • memcpy.MSVCRT ref: 02698075
    • WSASetLastError.WS2_32(00000008,?,?,?), ref: 026980DF
    • WSAGetLastError.WS2_32(?,?,?), ref: 026980FB
      • Part of subcall function 02698325: RegisterWaitForSingleObject.KERNEL32(?,?,02698164,?,000000FF,00000004), ref: 0269838A
    • WSASetLastError.WS2_32(00000008,?,00000000,?,?,?,?,?), ref: 02698124
      • Part of subcall function 0268CC4F: memcpy.MSVCRT ref: 0268CC64
      • Part of subcall function 0268CC4F: SetEvent.KERNEL32 ref: 0268CC74
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • memset.MSVCRT ref: 0267B106
    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,?,?,00000000), ref: 0267B13E
    • memcpy.MSVCRT ref: 0267B159
    • CloseHandle.KERNEL32(?), ref: 0267B16E
    • CloseHandle.KERNEL32(00000000), ref: 0267B174
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 0269C09D: CreateMutexW.KERNEL32(026A49B4,00000000), ref: 0269C0BF
      • Part of subcall function 0268204E: memcpy.MSVCRT ref: 0268205C
      • Part of subcall function 02688432: CreateFileW.KERNEL32(027F1EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0268844B
      • Part of subcall function 02688432: GetFileSizeEx.KERNEL32 ref: 0268845E
      • Part of subcall function 02688432: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 02688484
      • Part of subcall function 02688432: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0268849C
      • Part of subcall function 02688432: VirtualFree.KERNEL32(?,00000000,00008000), ref: 026884BA
      • Part of subcall function 02688432: CloseHandle.KERNEL32 ref: 026884C3
    • memset.MSVCRT ref: 0268B42B
    • memcpy.MSVCRT ref: 0268B457
      • Part of subcall function 02696875: GetSystemTime.KERNEL32 ref: 0269687F
      • Part of subcall function 026824F3: HeapAlloc.KERNEL32(00000000,?,?,?,02676328,?,?,02698D10,?,?,?,?,0000FFFF), ref: 0268251D
      • Part of subcall function 026824F3: HeapReAlloc.KERNEL32(00000000,?,?,?,?,02676328,?,?,02698D10,?,?,?,?,0000FFFF), ref: 02682530
      • Part of subcall function 026771D5: memcpy.MSVCRT ref: 026772E6
    • CreateFileW.KERNEL32(0266AF54,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 0268B55C
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0268B578
      • Part of subcall function 02695934: CloseHandle.KERNEL32 ref: 02695940
      • Part of subcall function 0267766D: ReleaseMutex.KERNEL32 ref: 02677671
      • Part of subcall function 0267766D: CloseHandle.KERNEL32 ref: 02677678
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
      • Part of subcall function 0268B161: memset.MSVCRT ref: 0268B170
      • Part of subcall function 0268B161: memset.MSVCRT ref: 0268B1B3
      • Part of subcall function 0268B161: memset.MSVCRT ref: 0268B1E9
      • Part of subcall function 02690370: VirtualFree.KERNEL32(?,00000000,00008000), ref: 0269037F
      • Part of subcall function 0268FE5C: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0268FEC2
      • Part of subcall function 0268FE5C: memcpy.MSVCRT ref: 0268FEDC
      • Part of subcall function 0268FE5C: VirtualProtect.KERNEL32(?,?,00000002,-00000048), ref: 0268FEEF
      • Part of subcall function 0268FE5C: memset.MSVCRT ref: 0268FF46
      • Part of subcall function 0268FE5C: memcpy.MSVCRT ref: 0268FF5A
      • Part of subcall function 0268FE5C: VirtualProtect.KERNEL32(?,?,?,-00000048), ref: 02690049
      • Part of subcall function 026773E0: memcmp.MSVCRT ref: 02677489
      • Part of subcall function 026884D3: VirtualFree.KERNEL32(?,00000000,00008000), ref: 026884E4
      • Part of subcall function 026884D3: CloseHandle.KERNEL32 ref: 026884F3
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(026A5AA4,?,?,0269AA21,?,0269ADD5,?,?,?,00000001), ref: 02681EE6
    • LeaveCriticalSection.KERNEL32(026A5AA4,?,?,0269AA21,?,0269ADD5,?,?,?,00000001), ref: 02681F0E
      • Part of subcall function 02681E94: GetModuleHandleW.KERNEL32(shell32.dll), ref: 02681EA2
      • Part of subcall function 02681E94: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 02681EAE
      • Part of subcall function 02681E94: SetLastError.KERNEL32(00000001,02678F04,026A47C0,?,026A4DF4,00000000,00000006,0269BD7A,026A4DF4,-00000258,?,00000000), ref: 02681EC6
    • IsWow64Process.KERNEL32(000000FF), ref: 02681F37
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 02678F6F: memcpy.MSVCRT ref: 02678FE0
      • Part of subcall function 02678F6F: PathRemoveBackslashW.SHLWAPI ref: 02678FEA
      • Part of subcall function 02678F6F: memcpy.MSVCRT ref: 02679033
      • Part of subcall function 02678F6F: memcpy.MSVCRT ref: 02679060
      • Part of subcall function 02678F6F: PathRemoveBackslashW.SHLWAPI ref: 0267906A
    • FindFirstFileW.KERNEL32 ref: 02699555
    • SetLastError.KERNEL32(?,?,?,?,?,?,0266AB64), ref: 02699680
      • Part of subcall function 026996F5: PathMatchSpecW.SHLWAPI(00000010), ref: 02699722
      • Part of subcall function 026996F5: PathMatchSpecW.SHLWAPI(00000010), ref: 02699741
    • FindNextFileW.KERNEL32(?,?), ref: 0269964A
    • GetLastError.KERNEL32(?,?,?,?,0266AB64), ref: 02699663
    • FindClose.KERNEL32 ref: 02699679
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 02678F6F: memcpy.MSVCRT ref: 02678FE0
      • Part of subcall function 02678F6F: PathRemoveBackslashW.SHLWAPI ref: 02678FEA
      • Part of subcall function 02678F6F: memcpy.MSVCRT ref: 02679033
      • Part of subcall function 02678F6F: memcpy.MSVCRT ref: 02679060
      • Part of subcall function 02678F6F: PathRemoveBackslashW.SHLWAPI ref: 0267906A
    • FindFirstFileW.KERNEL32(?), ref: 02679170
      • Part of subcall function 02695E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 02695E26
      • Part of subcall function 02695E1D: DeleteFileW.KERNEL32 ref: 02695E2D
    • FindNextFileW.KERNEL32(?,?), ref: 026791C2
    • FindClose.KERNEL32 ref: 026791CD
    • SetFileAttributesW.KERNEL32(?,00000080), ref: 026791D9
    • RemoveDirectoryW.KERNEL32 ref: 026791E0
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 02678F6F: memcpy.MSVCRT ref: 02678FE0
      • Part of subcall function 02678F6F: PathRemoveBackslashW.SHLWAPI ref: 02678FEA
      • Part of subcall function 02678F6F: memcpy.MSVCRT ref: 02679033
      • Part of subcall function 02678F6F: memcpy.MSVCRT ref: 02679060
      • Part of subcall function 02678F6F: PathRemoveBackslashW.SHLWAPI ref: 0267906A
    • CreateDirectoryW.KERNEL32(?,00000000), ref: 02690405
    • SetFileAttributesW.KERNEL32(?), ref: 02690424
    • CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,?,00000000), ref: 0269043B
    • GetLastError.KERNEL32 ref: 02690448
    • CloseHandle.KERNEL32 ref: 02690481
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(027F27B8,027F27B8,?,?,?,0269C6E4,?,?,?,?,?,00000009,00000000,?,?,3D920600), ref: 0269C42A
    • LeaveCriticalSection.KERNEL32(027F27B8,?,3D920600,?), ref: 0269C511
      • Part of subcall function 026824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0269D211,?,?,00000000,?,?,00000001), ref: 026824D2
    • memcpy.MSVCRT ref: 0269C49B
    • memcpy.MSVCRT ref: 0269C4BF
    • memcpy.MSVCRT ref: 0269C4D6
    • memcpy.MSVCRT ref: 0269C4F6
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • PathFindFileNameW.SHLWAPI(?), ref: 02684C02
      • Part of subcall function 02679E88: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 02679E9D
      • Part of subcall function 02679E88: StrCmpIW.SHLWAPI ref: 02679EA7
    • CreateFileW.KERNEL32(?,80000000,00000007,?,00000003,00000080), ref: 02684C31
      • Part of subcall function 026824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0269D211,?,?,00000000,?,?,00000001), ref: 026824D2
    • SetLastError.KERNEL32(00000057,?,?,00000003,00000080), ref: 02684C96
      • Part of subcall function 02695B34: ReadFile.KERNEL32(00000000,?,?,?,00000000), ref: 02695B46
      • Part of subcall function 02695934: CloseHandle.KERNEL32 ref: 02695940
    • CharLowerW.USER32 ref: 02684CF6
      • Part of subcall function 0268204E: memcpy.MSVCRT ref: 0268205C
      • Part of subcall function 0269868E: EnterCriticalSection.KERNEL32(026A5AA4,?,0269AA5B,?,0269ADD5,?,?,?,00000001), ref: 0269869E
      • Part of subcall function 0269868E: LeaveCriticalSection.KERNEL32(026A5AA4,?,0269AA5B,?,0269ADD5,?,?,?,00000001), ref: 026986C4
      • Part of subcall function 0269570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0269ABEA,0269ABEA), ref: 0269573C
      • Part of subcall function 02678F6F: memcpy.MSVCRT ref: 02678FE0
      • Part of subcall function 02678F6F: PathRemoveBackslashW.SHLWAPI ref: 02678FEA
      • Part of subcall function 02678F6F: memcpy.MSVCRT ref: 02679033
      • Part of subcall function 02678F6F: memcpy.MSVCRT ref: 02679060
      • Part of subcall function 02678F6F: PathRemoveBackslashW.SHLWAPI ref: 0267906A
    • memcmp.MSVCRT ref: 02684E48
    • GetTickCount.KERNEL32 ref: 02684E55
      • Part of subcall function 026907EE: RegSetValueExW.ADVAPI32(00000000,000000FE,?,00000000,?,?), ref: 02690823
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
      • Part of subcall function 02695AB0: GetFileSizeEx.KERNEL32(?,?), ref: 02695ABB
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 0268CB1D
      • Part of subcall function 0267C830: HttpQueryInfoA.WININET(0268CB41,40000009,?,?,00000000), ref: 0267C897
      • Part of subcall function 0267C830: memset.MSVCRT ref: 0267C8AD
    • GetSystemTime.KERNEL32(?), ref: 0268CB54
      • Part of subcall function 0268B7FF: EnterCriticalSection.KERNEL32(026A47FC,?,?,026959A9,00000000), ref: 0268B80C
      • Part of subcall function 0268B7FF: LeaveCriticalSection.KERNEL32(026A47FC,?,?,026959A9,00000000), ref: 0268B81A
    • Sleep.KERNEL32(000005DC), ref: 0268CB6D
    • WaitForSingleObject.KERNEL32(?,000005DC), ref: 0268CB76
    • lstrcpyA.KERNEL32 ref: 0268CBD4
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(027F1F34,?,?,?,0269B2F2,?,?,00000001), ref: 02678DEF
    • LeaveCriticalSection.KERNEL32(027F1F34,?,?,?,0269B2F2,?,?,00000001), ref: 02678DF9
    • WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 02678E1F
    • EnterCriticalSection.KERNEL32(027F1F34,?,?,?,0269B2F2,?,?,00000001), ref: 02678E37
    • LeaveCriticalSection.KERNEL32(027F1F34,?,?,?,0269B2F2,?,?,00000001), ref: 02678E41
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • memset.MSVCRT ref: 0267865F
      • Part of subcall function 02679F5F: memcpy.MSVCRT ref: 02679F99
    • CharLowerW.USER32 ref: 026786A3
    • CharUpperW.USER32(?,?,00000001), ref: 026786B4
    • CharLowerW.USER32 ref: 026786C8
    • CharUpperW.USER32(?,00000001), ref: 026786D2
    • memcmp.MSVCRT ref: 026786E7
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 02676A4D: TlsSetValue.KERNEL32(00000001,0268A6E8), ref: 02676A5A
      • Part of subcall function 0268CC26: ResetEvent.KERNEL32 ref: 0268CC42
    • WSAGetOverlappedResult.WS2_32(?,?,?,00000000), ref: 026981AA
    • WSAGetLastError.WS2_32(?,?,?,00000000), ref: 026981B4
    • WSAGetLastError.WS2_32(?,?,?,00000000), ref: 026982BD
    • WSAGetLastError.WS2_32(?,?,?,00000000), ref: 026982C6
    • UnregisterWait.KERNEL32(?), ref: 026982EB
    • TlsSetValue.KERNEL32(00000000), ref: 02698316
      • Part of subcall function 0268CC4F: memcpy.MSVCRT ref: 0268CC64
      • Part of subcall function 0268CC4F: SetEvent.KERNEL32 ref: 0268CC74
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • memset.MSVCRT ref: 0269BE2B
    • GetComputerNameW.KERNEL32 ref: 0269BE5F
    • GetVersionExW.KERNEL32 ref: 0269BE88
    • memset.MSVCRT ref: 0269BEA7
      • Part of subcall function 02690775: RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0269079C
      • Part of subcall function 02690755: RegFlushKey.ADVAPI32 ref: 02690765
      • Part of subcall function 02690755: RegCloseKey.ADVAPI32 ref: 0269076D
      • Part of subcall function 026993C4: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 02699433
      • Part of subcall function 026993C4: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 02699458
    • memset.MSVCRT ref: 0269BFAC
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
      • Part of subcall function 02699393: CryptDestroyHash.ADVAPI32 ref: 026993AB
      • Part of subcall function 02699393: CryptReleaseContext.ADVAPI32(?,00000000), ref: 026993BC
      • Part of subcall function 0269946B: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 026994AA
      • Part of subcall function 02690A1D: RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 02690A3A
      • Part of subcall function 026908A8: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 02690903
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,?,00000004,0269FD90,00000000,?,?,?,?,?,?,?,0269EA72), ref: 0269FC78
    • HeapCreate.KERNEL32(00040001,00000000,00000000), ref: 0269FCB2
    • HeapAlloc.KERNEL32(?,00000000,0000000B,?,?,?,?,00000004,0269FD90,00000000), ref: 0269FCCF
    • HeapFree.KERNEL32(?,00000000,?,?,00000000,0000000B,?,?,?,?,00000004,0269FD90,00000000), ref: 0269FCF7
    • memcpy.MSVCRT ref: 0269FD07
      • Part of subcall function 02676D72: EnterCriticalSection.KERNEL32(026A468C,00000000,02684F6E,?,000000FF), ref: 02676D7E
      • Part of subcall function 02676D72: LeaveCriticalSection.KERNEL32(026A468C,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,027F1EF0), ref: 02676D8E
      • Part of subcall function 02699DDC: GetCurrentThreadId.KERNEL32 ref: 02699DED
      • Part of subcall function 02699DDC: memcpy.MSVCRT ref: 02699F56
      • Part of subcall function 02699DDC: VirtualProtect.KERNEL32(?,?,00000040,00000000), ref: 02699FE2
      • Part of subcall function 02699DDC: GetLastError.KERNEL32(?,00000040,00000000,?,?,00000000), ref: 02699FEC
      • Part of subcall function 02676D9C: LeaveCriticalSection.KERNEL32(026A468C,02676E01,00000001,00000000,00000000,?,02684F82,00000001,00000000,?,000000FF), ref: 02676DA6
      • Part of subcall function 02676DAD: LeaveCriticalSection.KERNEL32(026A468C,?,02676E13,00000001,00000000,00000000,?,02684F82,00000001,00000000,?,000000FF), ref: 02676DBA
    • LeaveCriticalSection.KERNEL32(?,?,00000000,0000000B,?,?,?,?,00000004,0269FD90,00000000), ref: 0269FD4B
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,77C475F0), ref: 02688A9B
      • Part of subcall function 02697CEC: WaitForSingleObject.KERNEL32(?,00000000), ref: 02697CF8
    • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,77C475F0), ref: 02688B2D
      • Part of subcall function 02688626: getsockopt.WS2_32(?,0000FFFF,00001008,02669417,02669417), ref: 026886B2
      • Part of subcall function 02688626: GetHandleInformation.KERNEL32 ref: 026886C4
      • Part of subcall function 02688626: socket.WS2_32(?,00000001,00000006), ref: 026886F7
      • Part of subcall function 02688626: socket.WS2_32(?,00000002,00000011), ref: 02688708
      • Part of subcall function 02688626: closesocket.WS2_32(?), ref: 02688727
      • Part of subcall function 02688626: closesocket.WS2_32 ref: 0268872E
      • Part of subcall function 02688626: memset.MSVCRT ref: 026887F2
      • Part of subcall function 02688626: memcpy.MSVCRT ref: 02688902
    • SetEvent.KERNEL32 ref: 02688B80
    • SetEvent.KERNEL32 ref: 02688BB9
      • Part of subcall function 02697CD3: SetEvent.KERNEL32 ref: 02697CE3
    • LeaveCriticalSection.KERNEL32(?,?,?,?,77C475F0), ref: 02688C3E
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 0269ACAD: GetModuleHandleW.KERNEL32(00000000), ref: 0269ACF4
      • Part of subcall function 0269ACAD: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0269AD59
      • Part of subcall function 0269ACAD: Process32FirstW.KERNEL32 ref: 0269AD74
      • Part of subcall function 0269ACAD: PathFindFileNameW.SHLWAPI ref: 0269AD87
      • Part of subcall function 0269ACAD: StrCmpNIW.SHLWAPI(rapport,?,00000007), ref: 0269AD99
      • Part of subcall function 0269ACAD: Process32NextW.KERNEL32(?,?), ref: 0269ADA9
      • Part of subcall function 0269ACAD: CloseHandle.KERNEL32 ref: 0269ADB4
      • Part of subcall function 0269ACAD: WSAStartup.WS2_32(00000202), ref: 0269ADC4
      • Part of subcall function 0269ACAD: CreateEventW.KERNEL32(026A49B4,00000001,00000000,00000000), ref: 0269ADEC
      • Part of subcall function 0269ACAD: GetLengthSid.ADVAPI32(?,?,?,?,00000001), ref: 0269AE22
      • Part of subcall function 0269ACAD: GetCurrentProcessId.KERNEL32 ref: 0269AE4D
    • SetErrorMode.KERNEL32(00008007), ref: 0269B851
    • GetCommandLineW.KERNEL32 ref: 0269B85D
    • CommandLineToArgvW.SHELL32 ref: 0269B864
    • LocalFree.KERNEL32 ref: 0269B8A1
    • ExitProcess.KERNEL32(00000001), ref: 0269B8B2
      • Part of subcall function 0269B4AA: CreateMutexW.KERNEL32(026A49B4,00000001), ref: 0269B550
      • Part of subcall function 0269B4AA: GetLastError.KERNEL32(?,38901130,?,00000001,?,?,00000001,?,?,?,0269B8C7), ref: 0269B560
      • Part of subcall function 0269B4AA: CloseHandle.KERNEL32 ref: 0269B56E
      • Part of subcall function 0269B4AA: lstrlenW.KERNEL32 ref: 0269B5D0
      • Part of subcall function 0269B4AA: ExitWindowsEx.USER32(00000014,80000000), ref: 0269B615
      • Part of subcall function 0269B4AA: OpenEventW.KERNEL32(00000002,00000000), ref: 0269B63B
      • Part of subcall function 0269B4AA: SetEvent.KERNEL32 ref: 0269B648
      • Part of subcall function 0269B4AA: CloseHandle.KERNEL32 ref: 0269B64F
      • Part of subcall function 0269B4AA: Sleep.KERNEL32(00007530), ref: 0269B674
      • Part of subcall function 0269B4AA: InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000001,80000000), ref: 0269B68C
      • Part of subcall function 0269B4AA: Sleep.KERNEL32(000000FF), ref: 0269B694
      • Part of subcall function 0269B4AA: CloseHandle.KERNEL32 ref: 0269B697
      • Part of subcall function 0269B4AA: IsWellKnownSid.ADVAPI32(027F1EC0,00000016), ref: 0269B6E5
      • Part of subcall function 0269B4AA: CreateEventW.KERNEL32(026A49B4,00000001,00000000), ref: 0269B7B4
      • Part of subcall function 0269B4AA: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0269B7CD
      • Part of subcall function 0269B4AA: WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,000000FF), ref: 0269B7DF
      • Part of subcall function 0269B4AA: CloseHandle.KERNEL32(00000000), ref: 0269B7F6
      • Part of subcall function 0269B4AA: CloseHandle.KERNEL32(?), ref: 0269B7FC
      • Part of subcall function 0269B4AA: CloseHandle.KERNEL32(?), ref: 0269B802
    • Sleep.KERNEL32(000000FF), ref: 0269B8D8
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 0267BA34: getsockopt.WS2_32(?,0000FFFF,00002004), ref: 0267BA5A
      • Part of subcall function 02683A22: select.WS2_32(00000000,?,00000000,00000000), ref: 02683A81
      • Part of subcall function 02683A22: recv.WS2_32(?,?,?,00000000), ref: 02683A91
    • getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 0268EDB2
    • memcpy.MSVCRT ref: 0268EDEA
    • FreeAddrInfoW.WS2_32(?), ref: 0268EDF8
    • memset.MSVCRT ref: 0268EE13
      • Part of subcall function 0268EC55: getpeername.WS2_32(?,?,?), ref: 0268EC79
      • Part of subcall function 0268EC55: getsockname.WS2_32(?,?,?), ref: 0268EC91
      • Part of subcall function 0268EC55: send.WS2_32(00000000,00000000,00000008,00000000), ref: 0268ECC2
      • Part of subcall function 02683BBE: socket.WS2_32(?,00000001,00000006), ref: 02683BCA
      • Part of subcall function 02683BBE: bind.WS2_32 ref: 02683BE7
      • Part of subcall function 02683BBE: listen.WS2_32(?,00000001), ref: 02683BF4
      • Part of subcall function 02683BBE: WSAGetLastError.WS2_32(?,?,?,?,00000001,00000006,?,?,0268EE5F,?,?,?), ref: 02683BFE
      • Part of subcall function 02683BBE: closesocket.WS2_32 ref: 02683C07
      • Part of subcall function 02683BBE: WSASetLastError.WS2_32(?,?,?,?,?,?,00000001,00000006,?,?,0268EE5F,?,?,?), ref: 02683C0E
      • Part of subcall function 02683D73: accept.WS2_32(?,00000000), ref: 02683D94
      • Part of subcall function 02683AD3: socket.WS2_32(?,00000001,00000006), ref: 02683ADF
      • Part of subcall function 02683AD3: connect.WS2_32 ref: 02683AFC
      • Part of subcall function 02683AD3: closesocket.WS2_32 ref: 02683B07
      • Part of subcall function 0267C06E: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0267C082
      • Part of subcall function 02683C1C: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 02683C44
      • Part of subcall function 02683C1C: recv.WS2_32(?,?,00000400,00000000), ref: 02683C70
      • Part of subcall function 02683C1C: send.WS2_32(?,?,?,00000000), ref: 02683C92
      • Part of subcall function 02683C1C: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 02683CBF
      • Part of subcall function 02683D9E: shutdown.WS2_32(?,00000002), ref: 02683DA9
      • Part of subcall function 02683D9E: closesocket.WS2_32 ref: 02683DB0
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 0269868E: EnterCriticalSection.KERNEL32(026A5AA4,?,0269AA5B,?,0269ADD5,?,?,?,00000001), ref: 0269869E
      • Part of subcall function 0269868E: LeaveCriticalSection.KERNEL32(026A5AA4,?,0269AA5B,?,0269ADD5,?,?,?,00000001), ref: 026986C4
    • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 026854CE
    • GetProcAddress.KERNEL32(?,GetProductInfo), ref: 026854DE
    • GetSystemDefaultUILanguage.KERNEL32(?,?,?,026851C2), ref: 02685519
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • GetTempPathW.KERNEL32(00000104), ref: 02691B17
    • lstrcpyA.KERNEL32(?,0266C28A,00000000,02691DA8,?,?,?,02691DA8,?,?,?,?,?,?,?,0269A7AA), ref: 02691BAE
    • lstrcpynA.KERNEL32(?,?\C,00000003,?,0266C28A,00000000,02691DA8,?,?,?,02691DA8), ref: 02691BC4
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • VerQueryValueW.VERSION(?,\VarFileInfo\Translation), ref: 02684FEE
    • VerQueryValueW.VERSION(?,?,?,?,\VarFileInfo\Translation), ref: 0268505B
      • Part of subcall function 02679E88: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 02679E9D
      • Part of subcall function 02679E88: StrCmpIW.SHLWAPI ref: 02679EA7
    Strings
    • \StringFileInfo\%04x%04x\%s, xrefs: 02685030
    • \VarFileInfo\Translation, xrefs: 02684FE7
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • GetProcAddress.KERNEL32(?,GdipCreateBitmapFromHBITMAP), ref: 0269129A
    • GetProcAddress.KERNEL32(?,GdipDisposeImage), ref: 026912A5
      • Part of subcall function 026912E6: GetProcAddress.KERNEL32(?,GdipGetImageEncodersSize), ref: 02691304
      • Part of subcall function 026912E6: GetProcAddress.KERNEL32(?,GdipGetImageEncoders), ref: 0269130F
      • Part of subcall function 026912E6: GetProcAddress.KERNEL32(?,GdipSaveImageToStream), ref: 0269131A
      • Part of subcall function 026912E6: lstrcmpiW.KERNEL32(?), ref: 026913A7
      • Part of subcall function 026912E6: memcpy.MSVCRT ref: 026913CA
      • Part of subcall function 026912E6: CreateStreamOnHGlobal.OLE32(00000000,00000001), ref: 026913F5
      • Part of subcall function 026912E6: memcpy.MSVCRT ref: 02691423
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,?,02677F4D,00000001,?,00000001,?), ref: 0267A655
    • memcpy.MSVCRT ref: 0267A6D1
    • memcpy.MSVCRT ref: 0267A6E5
    • memcpy.MSVCRT ref: 0267A70F
    • LeaveCriticalSection.KERNEL32(?,?,?,00000001,?,?,?,?,02677F4D,00000001,?,00000001,?), ref: 0267A735
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0268A111), ref: 026893BE
    • LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0268A111), ref: 026894E9
      • Part of subcall function 02681A4F: memcmp.MSVCRT ref: 02681A6B
    • memcpy.MSVCRT ref: 02689419
    • LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0268A111,?,00000002), ref: 02689429
      • Part of subcall function 0268B7FF: EnterCriticalSection.KERNEL32(026A47FC,?,?,026959A9,00000000), ref: 0268B80C
      • Part of subcall function 0268B7FF: LeaveCriticalSection.KERNEL32(026A47FC,?,?,026959A9,00000000), ref: 0268B81A
    • EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 0268945D
      • Part of subcall function 02696875: GetSystemTime.KERNEL32 ref: 0269687F
      • Part of subcall function 02681728: memcpy.MSVCRT ref: 02681771
      • Part of subcall function 02681858: memcpy.MSVCRT ref: 02681935
      • Part of subcall function 02681858: memcpy.MSVCRT ref: 02681956
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • memcmp.MSVCRT ref: 0268C385
    • memcpy.MSVCRT ref: 0268C486
      • Part of subcall function 0267BB55: connect.WS2_32(?,?), ref: 0267BB93
      • Part of subcall function 0267BB55: WSAGetLastError.WS2_32(?,00000000,?,?,?,0268C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 0267BBA2
      • Part of subcall function 0267BB55: WSASetLastError.WS2_32(?,?,?,?,0268C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 0267BBC0
      • Part of subcall function 0267BB55: WSAGetLastError.WS2_32(?,?,?,0268C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 0267BBC2
      • Part of subcall function 0267BB55: WSASetLastError.WS2_32(00000000), ref: 0267BC00
    • memcmp.MSVCRT ref: 0268C583
      • Part of subcall function 0267BEC0: WSAGetLastError.WS2_32 ref: 0267BEF6
      • Part of subcall function 0267BEC0: WSASetLastError.WS2_32(?,?,?,?), ref: 0267BF3E
      • Part of subcall function 0268C0DA: memcmp.MSVCRT ref: 0268C11A
      • Part of subcall function 0269DABF: memset.MSVCRT ref: 0269DACF
      • Part of subcall function 0269DABF: memcpy.MSVCRT ref: 0269DAF8
    • memset.MSVCRT ref: 0268C5E0
    • memcpy.MSVCRT ref: 0268C5F1
      • Part of subcall function 0269DB11: memcpy.MSVCRT ref: 0269DB22
      • Part of subcall function 0268C02F: memcmp.MSVCRT ref: 0268C06B
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
      • Part of subcall function 026824DA: HeapAlloc.KERNEL32(00000008,?,?,0267B076,?,?,?,00000000,?,?,00000000,0269AA69,?,0269ADD5), ref: 026824EB
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 02683C44
    • recv.WS2_32(?,?,00000400,00000000), ref: 02683C70
    • send.WS2_32(?,?,?,00000000), ref: 02683C92
    • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 02683CBF
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,02682B51,00000005,00007530,?,00000000,00000000), ref: 02678CC7
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 02678CEB
    • CloseHandle.KERNEL32 ref: 02678CFB
      • Part of subcall function 026824F3: HeapAlloc.KERNEL32(00000000,?,?,?,02676328,?,?,02698D10,?,?,?,?,0000FFFF), ref: 0268251D
      • Part of subcall function 026824F3: HeapReAlloc.KERNEL32(00000000,?,?,?,?,02676328,?,?,02698D10,?,?,?,?,0000FFFF), ref: 02682530
    • LeaveCriticalSection.KERNEL32(?,?,?,?,02682B51,00000005,00007530,?,00000000,00000000), ref: 02678D2B
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(026A5AA4), ref: 026827D6
    • LeaveCriticalSection.KERNEL32(026A5AA4), ref: 026827FC
      • Part of subcall function 0268275F: InitializeCriticalSection.KERNEL32(026A50C8), ref: 02682764
      • Part of subcall function 0268275F: memset.MSVCRT ref: 02682773
    • EnterCriticalSection.KERNEL32(026A50C8), ref: 02682807
    • LeaveCriticalSection.KERNEL32(026A50C8), ref: 0268287F
      • Part of subcall function 0268B1FD: PathRenameExtensionW.SHLWAPI ref: 0268B26F
      • Part of subcall function 0268B286: memset.MSVCRT ref: 0268B42B
      • Part of subcall function 0268B286: memcpy.MSVCRT ref: 0268B457
      • Part of subcall function 0268B286: CreateFileW.KERNEL32(0266AF54,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 0268B55C
      • Part of subcall function 0268B286: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0268B578
    • Sleep.KERNEL32(000007D0), ref: 02682872
      • Part of subcall function 0268B61E: memset.MSVCRT ref: 0268B640
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • LoadLibraryW.KERNEL32 ref: 02694736
    • GetProcAddress.KERNEL32 ref: 0269475E
    • StrChrA.SHLWAPI(?,00000040), ref: 02694885
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    • StrChrW.SHLWAPI(?,00000040,?,?,?,?,?,?,?,?,00000000,00000000,?,?,?,00000000), ref: 02694866
      • Part of subcall function 0268D12D: lstrlenW.KERNEL32(0266C448), ref: 0268D149
      • Part of subcall function 0268D12D: lstrlenW.KERNEL32 ref: 0268D14F
      • Part of subcall function 0268D12D: memcpy.MSVCRT ref: 0268D173
    • FreeLibrary.KERNEL32 ref: 0269496B
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • memcpy.MSVCRT ref: 0268DA9F
      • Part of subcall function 0268D8E8: memcpy.MSVCRT ref: 0268D8FF
      • Part of subcall function 0268D8E8: CharLowerA.USER32 ref: 0268D9CA
      • Part of subcall function 0268D8E8: CharLowerA.USER32(?), ref: 0268D9DA
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 0267BDD5: WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,02677A9F,?,00000005), ref: 0267BE0B
      • Part of subcall function 0267BDD5: WSASetLastError.WS2_32(00002775,?,?,?,?,?,?,?,?,02677A9F,?,00000005), ref: 0267BE6F
    • memcmp.MSVCRT ref: 02677AB8
    • memcmp.MSVCRT ref: 02677AD0
    • memcpy.MSVCRT ref: 02677B05
      • Part of subcall function 0268DE94: memcpy.MSVCRT ref: 0268DEA1
      • Part of subcall function 0268E043: memcpy.MSVCRT ref: 0268E070
      • Part of subcall function 0268ADFE: EnterCriticalSection.KERNEL32(?,?,00000002,?,?,02677BF5,?,?,00000000,?,00000001,?,0000002C,?,0000002C), ref: 0268AE37
      • Part of subcall function 0268ADFE: LeaveCriticalSection.KERNEL32(0000002C,?,?,00000002,?,?,02677BF5,?,?,00000000,?,00000001,?,0000002C,?,0000002C), ref: 0268AE5B
      • Part of subcall function 02677A05: GetTickCount.KERNEL32 ref: 02677A12
      • Part of subcall function 0267BAC9: memset.MSVCRT ref: 0267BADE
      • Part of subcall function 0267BAC9: getsockname.WS2_32(?,02677C25), ref: 0267BAF1
      • Part of subcall function 0267C091: memcmp.MSVCRT ref: 0267C0B3
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 02681B16: EnterCriticalSection.KERNEL32(026A5AA4,?,02688DDC,?,?,?,?,0269B233,?,00000001), ref: 02681B26
      • Part of subcall function 02681B16: LeaveCriticalSection.KERNEL32(026A5AA4,?,02688DDC,?,?,?,?,0269B233,?,00000001), ref: 02681B50
    • memset.MSVCRT ref: 02688E0A
    • memset.MSVCRT ref: 02688E16
    • memset.MSVCRT ref: 02688E22
    • InitializeCriticalSection.KERNEL32 ref: 02688E3A
    • InitializeCriticalSection.KERNEL32 ref: 02688E55
    • InitializeCriticalSection.KERNEL32 ref: 02688E92
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(027F27FC,3D920700), ref: 02696D43
      • Part of subcall function 02696A55: GetTickCount.KERNEL32 ref: 02696A5D
    • LeaveCriticalSection.KERNEL32(027F27FC), ref: 02696F22
      • Part of subcall function 02696BBC: IsBadReadPtr.KERNEL32 ref: 02696C88
      • Part of subcall function 02696BBC: IsBadReadPtr.KERNEL32 ref: 02696CA7
    • getservbyname.WS2_32(?,00000000), ref: 02696DBD
      • Part of subcall function 026972A6: memcpy.MSVCRT ref: 0269747A
      • Part of subcall function 026972A6: memcpy.MSVCRT ref: 0269757A
      • Part of subcall function 02696F86: memcpy.MSVCRT ref: 0269715A
      • Part of subcall function 02696F86: memcpy.MSVCRT ref: 0269725A
    • memcpy.MSVCRT ref: 02696E9C
      • Part of subcall function 0269570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0269ABEA,0269ABEA), ref: 0269573C
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
      • Part of subcall function 026969E1: TlsAlloc.KERNEL32(027F27FC,02696EB9,?,?,?,?,027F27F0), ref: 026969EA
      • Part of subcall function 026969E1: TlsGetValue.KERNEL32(?,00000001,027F27FC), ref: 026969FC
      • Part of subcall function 026969E1: TlsSetValue.KERNEL32(?,?), ref: 02696A41
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • lstrcmpA.KERNEL32(?,?\C), ref: 026919C6
    • lstrcpyW.KERNEL32(026917B0), ref: 026919DC
    • lstrcmpA.KERNEL32(?,0266C28C), ref: 026919EC
    • StrCmpNA.SHLWAPI(?,0266C284,00000002), ref: 02691A06
      • Part of subcall function 0269570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0269ABEA,0269ABEA), ref: 0269573C
      • Part of subcall function 02678F6F: memcpy.MSVCRT ref: 02678FE0
      • Part of subcall function 02678F6F: PathRemoveBackslashW.SHLWAPI ref: 02678FEA
      • Part of subcall function 02678F6F: memcpy.MSVCRT ref: 02679033
      • Part of subcall function 02678F6F: memcpy.MSVCRT ref: 02679060
      • Part of subcall function 02678F6F: PathRemoveBackslashW.SHLWAPI ref: 0267906A
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • CertOpenSystemStoreW.CRYPT32(00000000), ref: 02687AC3
    • CertDuplicateCertificateContext.CRYPT32(?,?,00000000), ref: 02687AD4
    • CertDeleteCertificateFromStore.CRYPT32(?,?,?,00000000), ref: 02687ADF
    • CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 02687AE7
    • CertCloseStore.CRYPT32(?,00000000,?,00000000), ref: 02687AF5
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 02690775: RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0269079C
    • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02690B87
    • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 02690BF1
    • RegFlushKey.ADVAPI32(?), ref: 02690C1F
    • RegCloseKey.ADVAPI32(?), ref: 02690C26
      • Part of subcall function 02690A9D: EnterCriticalSection.KERNEL32(026A5AA4,?,?,?,02690C47,?,?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02690AB3
      • Part of subcall function 02690A9D: LeaveCriticalSection.KERNEL32(026A5AA4,?,?,?,02690C47,?,?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02690ADB
      • Part of subcall function 02690A9D: GetModuleHandleW.KERNEL32(advapi32.dll), ref: 02690AF7
      • Part of subcall function 02690A9D: GetProcAddress.KERNEL32 ref: 02690AFE
      • Part of subcall function 02690A9D: RegDeleteKeyW.ADVAPI32(?), ref: 02690B20
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
      • Part of subcall function 026824DA: HeapAlloc.KERNEL32(00000008,?,?,0267B076,?,?,?,00000000,?,?,00000000,0269AA69,?,0269ADD5), ref: 026824EB
      • Part of subcall function 02690755: RegFlushKey.ADVAPI32 ref: 02690765
      • Part of subcall function 02690755: RegCloseKey.ADVAPI32 ref: 0269076D
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,?,02685B49), ref: 02676470
      • Part of subcall function 02684269: CoCreateInstance.OLE32(?,00000000,00004401,?,?), ref: 0268427E
    • #2.OLEAUT32(?,00000000,?,?,?,02685B49), ref: 026764A4
    • #6.OLEAUT32(?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,02685B49), ref: 026764D9
    • CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 026764F9
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • memcpy.MSVCRT ref: 02683CFD
    • memcpy.MSVCRT ref: 02683D1A
    • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 02683D30
    • WSASetLastError.WS2_32(0000274C,?,00000000,00000000,00000000), ref: 02683D3F
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • GetLastError.KERNEL32(3D920680,?,0267652A), ref: 02676E21
      • Part of subcall function 0269AFD3: WaitForSingleObject.KERNEL32(00000000,0268A702), ref: 0269AFDB
    • TlsGetValue.KERNEL32(?,?,0267652A), ref: 02676E3E
    • TlsSetValue.KERNEL32(00000001), ref: 02676E50
    • SetLastError.KERNEL32(?,?,0267652A), ref: 02676E60
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 02681B5D: memcmp.MSVCRT ref: 02681B69
      • Part of subcall function 02681B79: memset.MSVCRT ref: 02681B87
      • Part of subcall function 02681B79: memcpy.MSVCRT ref: 02681BA8
      • Part of subcall function 02681B79: memcpy.MSVCRT ref: 02681BCE
      • Part of subcall function 02681B79: memcpy.MSVCRT ref: 02681BF2
    • TryEnterCriticalSection.KERNEL32 ref: 02689289
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    • LeaveCriticalSection.KERNEL32 ref: 02689303
    • EnterCriticalSection.KERNEL32 ref: 02689322
      • Part of subcall function 02681A4F: memcmp.MSVCRT ref: 02681A6B
    • LeaveCriticalSection.KERNEL32(?,?,00000001), ref: 0268936E
      • Part of subcall function 02681858: memcpy.MSVCRT ref: 02681935
      • Part of subcall function 02681858: memcpy.MSVCRT ref: 02681956
      • Part of subcall function 02696875: GetSystemTime.KERNEL32 ref: 0269687F
      • Part of subcall function 02681728: memcpy.MSVCRT ref: 02681771
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • GetUserNameExW.SECUR32(00000002), ref: 02683303
    • GetSystemTime.KERNEL32 ref: 02683356
    • CharLowerW.USER32(?), ref: 026833A6
    • PathRenameExtensionW.SHLWAPI(?), ref: 026833D6
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 02698867: EnterCriticalSection.KERNEL32(026A5AA4,027F1E90,02698AE4,?,027F1E90), ref: 02698877
      • Part of subcall function 02698867: LeaveCriticalSection.KERNEL32(026A5AA4,?,027F1E90), ref: 026988A6
      • Part of subcall function 02684FD0: VerQueryValueW.VERSION(?,\VarFileInfo\Translation), ref: 02684FEE
      • Part of subcall function 02684FD0: VerQueryValueW.VERSION(?,?,?,?,\VarFileInfo\Translation), ref: 0268505B
    • GetCommandLineW.KERNEL32 ref: 02698B5E
    • CommandLineToArgvW.SHELL32 ref: 02698B65
    • LocalFree.KERNEL32 ref: 02698BA5
      • Part of subcall function 026824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0269D211,?,?,00000000,?,?,00000001), ref: 026824D2
    • GetModuleHandleW.KERNEL32(?), ref: 02698BE7
      • Part of subcall function 02698DFE: PathFindFileNameW.SHLWAPI(00000000), ref: 02698E3F
      • Part of subcall function 026983AF: InitializeCriticalSection.KERNEL32 ref: 026983CF
      • Part of subcall function 02679E88: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 02679E9D
      • Part of subcall function 02679E88: StrCmpIW.SHLWAPI ref: 02679EA7
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,?,?,0268984D,?,?,00000000,?,?,00000590), ref: 02688C7F
      • Part of subcall function 02697CEC: WaitForSingleObject.KERNEL32(?,00000000), ref: 02697CF8
    • memcmp.MSVCRT ref: 02688CCD
      • Part of subcall function 02675A03: memcpy.MSVCRT ref: 02675A39
      • Part of subcall function 02675A03: memcpy.MSVCRT ref: 02675A4D
      • Part of subcall function 02675A03: memset.MSVCRT ref: 02675A5B
    • SetEvent.KERNEL32 ref: 02688D0E
    • LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,?,?,0268984D,?,?,00000000,?,?,00000590), ref: 02688D3B
      • Part of subcall function 02699175: EnterCriticalSection.KERNEL32(?,?,?,?,02689116,?), ref: 0269917B
      • Part of subcall function 02699175: memcmp.MSVCRT ref: 026991A7
      • Part of subcall function 02699175: memcpy.MSVCRT ref: 026991F2
      • Part of subcall function 02699175: LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,00000000), ref: 026991FE
      • Part of subcall function 0268920C: TryEnterCriticalSection.KERNEL32 ref: 02689289
      • Part of subcall function 0268920C: LeaveCriticalSection.KERNEL32 ref: 02689303
      • Part of subcall function 0268920C: EnterCriticalSection.KERNEL32 ref: 02689322
      • Part of subcall function 0268920C: LeaveCriticalSection.KERNEL32(?,?,00000001), ref: 0268936E
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002,026A3210), ref: 026A297C
    • DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002), ref: 026A299C
      • Part of subcall function 026824DA: HeapAlloc.KERNEL32(00000008,?,?,0267B076,?,?,?,00000000,?,?,00000000,0269AA69,?,0269ADD5), ref: 026824EB
      • Part of subcall function 0269D990: memset.MSVCRT ref: 0269D9D3
      • Part of subcall function 0268204E: memcpy.MSVCRT ref: 0268205C
      • Part of subcall function 0268222C: memcpy.MSVCRT ref: 02682268
      • Part of subcall function 0268222C: memcpy.MSVCRT ref: 0268227D
      • Part of subcall function 0268222C: memcpy.MSVCRT ref: 026822BA
      • Part of subcall function 0268222C: memcpy.MSVCRT ref: 026822F2
    • memset.MSVCRT ref: 026A2A39
    • memcpy.MSVCRT ref: 026A2A4B
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • HttpQueryInfoA.WININET(?,0000FFFF,?,?,?), ref: 0269D0BF
    • GetLastError.KERNEL32(?,?,?,00000000,3D94878D,00000000,3D94878D,026979EF,?,?,?,?,00000000,?,?,0000203A), ref: 0269D0C5
      • Part of subcall function 026824DA: HeapAlloc.KERNEL32(00000008,?,?,0267B076,?,?,?,00000000,?,?,00000000,0269AA69,?,0269ADD5), ref: 026824EB
    • memcpy.MSVCRT ref: 0269D0F0
    • HttpQueryInfoA.WININET(?,0000FFFF,?,?,?), ref: 0269D109
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 0268B7FF: EnterCriticalSection.KERNEL32(026A47FC,?,?,026959A9,00000000), ref: 0268B80C
      • Part of subcall function 0268B7FF: LeaveCriticalSection.KERNEL32(026A47FC,?,?,026959A9,00000000), ref: 0268B81A
    • QueryPerformanceCounter.KERNEL32 ref: 02697D3C
    • GetTickCount.KERNEL32 ref: 02697D49
      • Part of subcall function 02681B16: EnterCriticalSection.KERNEL32(026A5AA4,?,02688DDC,?,?,?,?,0269B233,?,00000001), ref: 02681B26
      • Part of subcall function 02681B16: LeaveCriticalSection.KERNEL32(026A5AA4,?,02688DDC,?,?,?,?,0269B233,?,00000001), ref: 02681B50
      • Part of subcall function 026993C4: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 02699433
      • Part of subcall function 026993C4: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 02699458
    • memset.MSVCRT ref: 02697D9D
    • memcpy.MSVCRT ref: 02697DAD
      • Part of subcall function 02699393: CryptDestroyHash.ADVAPI32 ref: 026993AB
      • Part of subcall function 02699393: CryptReleaseContext.ADVAPI32(?,00000000), ref: 026993BC
      • Part of subcall function 0269946B: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 026994AA
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • memcpy.MSVCRT ref: 02679894
      • Part of subcall function 0268204E: memcpy.MSVCRT ref: 0268205C
    • memcmp.MSVCRT ref: 026798B6
      • Part of subcall function 0269570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0269ABEA,0269ABEA), ref: 0269573C
    • lstrcmpiW.KERNEL32(00000000,000000FF), ref: 0267990F
      • Part of subcall function 02678F6F: memcpy.MSVCRT ref: 02678FE0
      • Part of subcall function 02678F6F: PathRemoveBackslashW.SHLWAPI ref: 02678FEA
      • Part of subcall function 02678F6F: memcpy.MSVCRT ref: 02679033
      • Part of subcall function 02678F6F: memcpy.MSVCRT ref: 02679060
      • Part of subcall function 02678F6F: PathRemoveBackslashW.SHLWAPI ref: 0267906A
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 026798DF
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • PathSkipRootW.SHLWAPI ref: 026790CD
    • GetFileAttributesW.KERNEL32(00000000), ref: 026790FA
    • CreateDirectoryW.KERNEL32(?,00000000), ref: 0267910E
    • SetLastError.KERNEL32(00000050,?,?,00000000), ref: 02679131
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 026754F7
    • UnhandledExceptionFilter.KERNEL32(02646DB4), ref: 02675502
    • GetCurrentProcess.KERNEL32 ref: 0267550D
    • TerminateProcess.KERNEL32 ref: 02675514
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 02679219: CharLowerW.USER32(?), ref: 026792D4
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    • ExitWindowsEx.USER32(00000014,80000000), ref: 0268A47D
    • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,?,80000000), ref: 0268A4BD
      • Part of subcall function 02679BC4: PathRemoveFileSpecW.SHLWAPI(00000000), ref: 02679C2E
      • Part of subcall function 02679BC4: PathRemoveFileSpecW.SHLWAPI(00000000), ref: 02679C75
      • Part of subcall function 02679BC4: SetEvent.KERNEL32 ref: 02679C84
      • Part of subcall function 02679BC4: WaitForSingleObject.KERNEL32 ref: 02679C95
      • Part of subcall function 02679BC4: CharToOemW.USER32 ref: 02679D26
      • Part of subcall function 02679BC4: CharToOemW.USER32 ref: 02679D36
      • Part of subcall function 02679BC4: ExitProcess.KERNEL32(00000000,?,?,00000014,?,?,00000014), ref: 02679D9A
      • Part of subcall function 0269D5A0: EnterCriticalSection.KERNEL32(026A5AA4,00000000,?,?,026793C9), ref: 0269D5B6
      • Part of subcall function 0269D5A0: LeaveCriticalSection.KERNEL32(026A5AA4,?,?,026793C9), ref: 0269D5DC
      • Part of subcall function 0269D5A0: CreateMutexW.KERNEL32(026A49B4,00000000,Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}), ref: 0269D5EE
      • Part of subcall function 0267766D: ReleaseMutex.KERNEL32 ref: 02677671
      • Part of subcall function 0267766D: CloseHandle.KERNEL32 ref: 02677678
    • ExitWindowsEx.USER32(00000014,80000000), ref: 0268A4D0
      • Part of subcall function 0267AF99: GetCurrentThread.KERNEL32 ref: 0267AFAD
      • Part of subcall function 0267AF99: OpenThreadToken.ADVAPI32 ref: 0267AFB4
      • Part of subcall function 0267AF99: GetCurrentProcess.KERNEL32 ref: 0267AFC4
      • Part of subcall function 0267AF99: OpenProcessToken.ADVAPI32 ref: 0267AFCB
      • Part of subcall function 0267AF99: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege), ref: 0267AFEC
      • Part of subcall function 0267AF99: AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 0267B001
      • Part of subcall function 0267AF99: GetLastError.KERNEL32 ref: 0267B00B
      • Part of subcall function 0267AF99: CloseHandle.KERNEL32(00000001), ref: 0267B01C
      • Part of subcall function 02679395: memcpy.MSVCRT ref: 026793B5
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000), ref: 026867A1
    • EnterCriticalSection.KERNEL32(?,?,00000000), ref: 026867C1
    • LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 026867F2
      • Part of subcall function 02686BD0: memcmp.MSVCRT ref: 02686BE9
      • Part of subcall function 02686BD0: memcmp.MSVCRT ref: 02686C45
      • Part of subcall function 02686BD0: memcmp.MSVCRT ref: 02686CAB
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
      • Part of subcall function 026825A7: memcpy.MSVCRT ref: 026825C6
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 0268204E: memcpy.MSVCRT ref: 0268205C
      • Part of subcall function 0269570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0269ABEA,0269ABEA), ref: 0269573C
    • lstrcatW.KERNEL32(?,.dat), ref: 02687BA0
    • lstrlenW.KERNEL32 ref: 02687BB5
      • Part of subcall function 026883CA: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 026883E6
      • Part of subcall function 026883CA: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02688409
      • Part of subcall function 026883CA: CloseHandle.KERNEL32 ref: 02688416
      • Part of subcall function 02695E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 02695E26
      • Part of subcall function 02695E1D: DeleteFileW.KERNEL32 ref: 02695E2D
      • Part of subcall function 02678F6F: memcpy.MSVCRT ref: 02678FE0
      • Part of subcall function 02678F6F: PathRemoveBackslashW.SHLWAPI ref: 02678FEA
      • Part of subcall function 02678F6F: memcpy.MSVCRT ref: 02679033
      • Part of subcall function 02678F6F: memcpy.MSVCRT ref: 02679060
      • Part of subcall function 02678F6F: PathRemoveBackslashW.SHLWAPI ref: 0267906A
    Strings
    • .dat, xrefs: 02687B94
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 02687B5E
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • shutdown.WS2_32(?,00000001), ref: 0267B9BD
    • WSAGetLastError.WS2_32(?,00000020,?,00000001,?,?,?,?,?,?,?,02686970,?,?,?,00002710), ref: 0267B9DE
    • WSASetLastError.WS2_32(00000000,?,00002710,?,?,00000020,?,00000001), ref: 0267BA23
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 0267B764: EnterCriticalSection.KERNEL32(026A5AA4,?,0267B826,?,0269C86A,0268C4AB,0268C4AB,?,0268C4AB,?,00000001), ref: 0267B774
      • Part of subcall function 0267B764: LeaveCriticalSection.KERNEL32(026A5AA4,?,0267B826,?,0269C86A,0268C4AB,0268C4AB,?,0268C4AB,?,00000001), ref: 0267B79E
    • WSAAddressToStringA.WS2_32(?,?,00000000,?,?), ref: 0267C22E
    • lstrcpyA.KERNEL32(?,0:0,?,?,00000000,?,?,?,?,?,?,02686A4A), ref: 0267C23E
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,02677A9F,?,00000005), ref: 0267BE0B
    • WSASetLastError.WS2_32(00002775,?,?,?,?,?,?,?,?,02677A9F,?,00000005), ref: 0267BE6F
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • memset.MSVCRT ref: 0269D03A
    • InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 0269D05C
      • Part of subcall function 0269D133: SetLastError.KERNEL32(00000008,?,?,00000000,0269D06E,?,?,00000000), ref: 0269D15C
      • Part of subcall function 0269D133: memcpy.MSVCRT ref: 0269D17C
      • Part of subcall function 0269D133: memcpy.MSVCRT ref: 0269D1B4
      • Part of subcall function 0269D133: memcpy.MSVCRT ref: 0269D1CC
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • memset.MSVCRT ref: 0267785D
      • Part of subcall function 02681B5D: memcmp.MSVCRT ref: 02681B69
      • Part of subcall function 026819AE: memcmp.MSVCRT ref: 02681A24
      • Part of subcall function 02681821: memcpy.MSVCRT ref: 02681848
      • Part of subcall function 02681728: memcpy.MSVCRT ref: 02681771
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    • memset.MSVCRT ref: 026778F1
    • memcpy.MSVCRT ref: 02677904
    • memcpy.MSVCRT ref: 02677926
    • memcpy.MSVCRT ref: 02677946
      • Part of subcall function 0268B7FF: EnterCriticalSection.KERNEL32(026A47FC,?,?,026959A9,00000000), ref: 0268B80C
      • Part of subcall function 0268B7FF: LeaveCriticalSection.KERNEL32(026A47FC,?,?,026959A9,00000000), ref: 0268B81A
      • Part of subcall function 02688F55: EnterCriticalSection.KERNEL32(?,?,00000002,00000001,?,?,0268914A,?,?,?,?,?,?,00000000,?), ref: 02688FAF
      • Part of subcall function 02688F55: SetEvent.KERNEL32 ref: 0268900A
      • Part of subcall function 02688F55: LeaveCriticalSection.KERNEL32 ref: 02689017
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 02681FEC: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000), ref: 02681FFF
      • Part of subcall function 02681FEC: GetLastError.KERNEL32(?,026A49A8,00000000,?,?,0267AF07,?,00000008,?,?,?,?,?,00000000,0269AE13), ref: 02682009
      • Part of subcall function 02681FEC: GetTokenInformation.ADVAPI32(?,00000001,?,?), ref: 02682031
    • EqualSid.ADVAPI32(?,5B867A00), ref: 0267952F
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
      • Part of subcall function 0267B1DE: LoadLibraryA.KERNEL32(userenv.dll), ref: 0267B1EE
      • Part of subcall function 0267B1DE: GetProcAddress.KERNEL32(?,CreateEnvironmentBlock), ref: 0267B20C
      • Part of subcall function 0267B1DE: GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 0267B218
      • Part of subcall function 0267B1DE: memset.MSVCRT ref: 0267B258
      • Part of subcall function 0267B1DE: CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,00000000), ref: 0267B2A5
      • Part of subcall function 0267B1DE: CloseHandle.KERNEL32(?), ref: 0267B2B9
      • Part of subcall function 0267B1DE: CloseHandle.KERNEL32(?), ref: 0267B2BF
      • Part of subcall function 0267B1DE: FreeLibrary.KERNEL32 ref: 0267B2D3
    • CloseHandle.KERNEL32(00000001), ref: 02679576
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 02681B16: EnterCriticalSection.KERNEL32(026A5AA4,?,02688DDC,?,?,?,?,0269B233,?,00000001), ref: 02681B26
      • Part of subcall function 02681B16: LeaveCriticalSection.KERNEL32(026A5AA4,?,02688DDC,?,?,?,?,0269B233,?,00000001), ref: 02681B50
    • memcmp.MSVCRT ref: 0268BE99
      • Part of subcall function 02696875: GetSystemTime.KERNEL32 ref: 0269687F
    • memcmp.MSVCRT ref: 0268BEF8
      • Part of subcall function 02682543: HeapAlloc.KERNEL32(00000008,?,?,00000000,0268D89F,?,?,?,00000000,00000000,00000000,0268D869,?,0267B3C7,?,@echo off%sdel /F "%s"), ref: 0268256D
      • Part of subcall function 02682543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0268D89F,?,?,?,00000000,00000000,00000000,0268D869,?,0267B3C7), ref: 02682580
    • memset.MSVCRT ref: 0268BF8A
    • memcpy.MSVCRT ref: 0268BFB7
    • memcmp.MSVCRT ref: 0268BFEE
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 026824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0269D211,?,?,00000000,?,?,00000001), ref: 026824D2
      • Part of subcall function 02697C35: memset.MSVCRT ref: 02697C5D
    • memcpy.MSVCRT ref: 02691167
      • Part of subcall function 02697CAE: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 02697CBE
    • memcpy.MSVCRT ref: 026910E2
    • memcpy.MSVCRT ref: 026910FA
      • Part of subcall function 02697DC3: memcpy.MSVCRT ref: 02697DE3
      • Part of subcall function 02697DC3: memcpy.MSVCRT ref: 02697E0F
    • memcpy.MSVCRT ref: 02691156
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 02679F04: StrCmpNA.SHLWAPI(Basic ,?,00000000), ref: 02679F19
      • Part of subcall function 02679F04: lstrcmpA.KERNEL32(Basic ,?,026954A4,00000006,Authorization,?,?,?), ref: 02679F23
    • StrChrA.SHLWAPI(?,0000003A), ref: 026954F6
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • memset.MSVCRT ref: 026A2F5F
    • memcpy.MSVCRT ref: 026A2FBF
    • memcpy.MSVCRT ref: 026A2FD7
      • Part of subcall function 02682070: memset.MSVCRT ref: 02682084
      • Part of subcall function 0269A7D7: memset.MSVCRT ref: 0269A862
      • Part of subcall function 0269570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0269ABEA,0269ABEA), ref: 0269573C
    • memcpy.MSVCRT ref: 026A304D
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • GetFileAttributesW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data), ref: 02695CB1
    • CreateFileW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data,80000000,00000007,00000000,00000003,?,00000000), ref: 02695CD1
      • Part of subcall function 02695934: CloseHandle.KERNEL32 ref: 02695940
      • Part of subcall function 02695BE4: memcpy.MSVCRT ref: 02695C25
      • Part of subcall function 02695BE4: memcpy.MSVCRT ref: 02695C38
      • Part of subcall function 02695BE4: memcpy.MSVCRT ref: 02695C4B
      • Part of subcall function 02695BE4: memcpy.MSVCRT ref: 02695C56
      • Part of subcall function 02695BE4: GetFileTime.KERNEL32(?,?,?), ref: 02695C7A
      • Part of subcall function 02695BE4: memcpy.MSVCRT ref: 02695C90
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 0267C942: EnterCriticalSection.KERNEL32(026A5AA4,?,0267CE31,027F1E90,0269D393), ref: 0267C952
      • Part of subcall function 0267C942: LeaveCriticalSection.KERNEL32(026A5AA4,?,0267CE31,027F1E90,0269D393), ref: 0267C987
    • VerQueryValueW.VERSION(?,0266AE74,?,?,027F1E90,0269D393), ref: 0267CE44
    • GetModuleHandleW.KERNEL32(?), ref: 0267CE85
      • Part of subcall function 0267CE9F: PathFindFileNameW.SHLWAPI(00000000), ref: 0267CEE3
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • memcpy.MSVCRT ref: 02682268
    • memcpy.MSVCRT ref: 0268227D
      • Part of subcall function 0269570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0269ABEA,0269ABEA), ref: 0269573C
    • memcpy.MSVCRT ref: 026822BA
    • memcpy.MSVCRT ref: 026822F2
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 026824DA: HeapAlloc.KERNEL32(00000008,?,?,0267B076,?,?,?,00000000,?,?,00000000,0269AA69,?,0269ADD5), ref: 026824EB
    • SetLastError.KERNEL32(00000008,?,?,00000000,0269D06E,?,?,00000000), ref: 0269D15C
    • memcpy.MSVCRT ref: 0269D17C
    • memcpy.MSVCRT ref: 0269D1B4
    • memcpy.MSVCRT ref: 0269D1CC
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,?,02689116,?), ref: 0269917B
    • memcmp.MSVCRT ref: 026991A7
    • memcpy.MSVCRT ref: 026991F2
    • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,00000000), ref: 026991FE
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • memset.MSVCRT ref: 0269FEF5
    • InitializeCriticalSection.KERNEL32(026A5050), ref: 0269FF05
      • Part of subcall function 0268204E: memcpy.MSVCRT ref: 0268205C
    • memset.MSVCRT ref: 0269FF34
    • InitializeCriticalSection.KERNEL32(026A5030), ref: 0269FF3E
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • VirtualAlloc.KERNEL32(00000000,00006000,00003000,00000040), ref: 0266CAC5
    • LoadLibraryA.KERNEL32 ref: 0266CBAE
    • GetProcAddress.KERNEL32(00000000), ref: 0266CBD8
    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0266CC0A
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 026826C5: memset.MSVCRT ref: 026826D5
    • lstrlenA.KERNEL32(?), ref: 0268304D
    • lstrlenA.KERNEL32 ref: 0268305C
      • Part of subcall function 0268D8E8: memcpy.MSVCRT ref: 0268D8FF
      • Part of subcall function 0268D8E8: CharLowerA.USER32 ref: 0268D9CA
      • Part of subcall function 0268D8E8: CharLowerA.USER32(?), ref: 0268D9DA
      • Part of subcall function 0268D8E8: memcpy.MSVCRT ref: 0268DA9F
      • Part of subcall function 0268260E: memcpy.MSVCRT ref: 02682621
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 0269601D: FreeAddrInfoW.WS2_32 ref: 0269602C
      • Part of subcall function 0269601D: memset.MSVCRT ref: 02696042
    • getaddrinfo.WS2_32(?,00000000), ref: 0268C675
    • memset.MSVCRT ref: 0268C6BB
    • memcpy.MSVCRT ref: 0268C6CE
      • Part of subcall function 0267BB55: connect.WS2_32(?,?), ref: 0267BB93
      • Part of subcall function 0267BB55: WSAGetLastError.WS2_32(?,00000000,?,?,?,0268C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 0267BBA2
      • Part of subcall function 0267BB55: WSASetLastError.WS2_32(?,?,?,?,0268C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 0267BBC0
      • Part of subcall function 0267BB55: WSAGetLastError.WS2_32(?,?,?,0268C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 0267BBC2
      • Part of subcall function 0267BB55: WSASetLastError.WS2_32(00000000), ref: 0267BC00
      • Part of subcall function 0267B979: shutdown.WS2_32(?,00000002), ref: 0267B987
      • Part of subcall function 0267B979: closesocket.WS2_32 ref: 0267B990
      • Part of subcall function 0267B979: WSACloseEvent.WS2_32 ref: 0267B9A3
    • FreeAddrInfoW.WS2_32(00000000), ref: 0268C778
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • memset.MSVCRT ref: 0269CDD2
      • Part of subcall function 026824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0269D211,?,?,00000000,?,?,00000001), ref: 026824D2
    • InternetReadFile.WININET(026899F7,?,00001000,?), ref: 0269CE24
    • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0269CE01
      • Part of subcall function 026825D5: memcpy.MSVCRT ref: 026825FB
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    • SetLastError.KERNEL32(00000000,?,00001000,?,?,00000000,?,00000001,?,026899F7,?,00000CCA,?,?,00000001), ref: 0269CE78
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 026771D5: memcpy.MSVCRT ref: 026772E6
      • Part of subcall function 02695B15: SetFilePointerEx.KERNEL32(?,00000001,00000001,00000000,?), ref: 02695B25
    • WriteFile.KERNEL32(?,?,00000005,?,00000000), ref: 02686EB2
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02686ECA
    • FlushFileBuffers.KERNEL32(?), ref: 02686EE4
    • SetEndOfFile.KERNEL32 ref: 02686EFE
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
      • Part of subcall function 02695ADF: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001), ref: 02695AF1
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • GetTickCount.KERNEL32 ref: 026866A8
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,00000002), ref: 026866BA
    • memcmp.MSVCRT ref: 026866F4
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000002), ref: 02686760
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000104,00000000,?,00000000), ref: 0268BA66
    • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000103,00000000), ref: 0268BA9B
    • RegCloseKey.ADVAPI32(?), ref: 0268BAAA
    • RegCloseKey.ADVAPI32(?), ref: 0268BAC5
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,?,00000000,?,026868D1,?,?,?,?,00000002), ref: 02686619
    • GetTickCount.KERNEL32 ref: 0268664A
    • memcpy.MSVCRT ref: 02686681
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000,?,026868D1,?,?,?,?,00000002), ref: 0268668D
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,00001CFF), ref: 02677622
    • TranslateMessage.USER32 ref: 02677646
    • DispatchMessageW.USER32 ref: 02677651
    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 02677661
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 02676A4D: TlsSetValue.KERNEL32(00000001,0268A6E8), ref: 02676A5A
      • Part of subcall function 0269C09D: CreateMutexW.KERNEL32(026A49B4,00000000), ref: 0269C0BF
      • Part of subcall function 0269AFD3: WaitForSingleObject.KERNEL32(00000000,0268A702), ref: 0269AFDB
    • GetCurrentThread.KERNEL32 ref: 0268A70A
    • SetThreadPriority.KERNEL32 ref: 0268A711
    • WaitForSingleObject.KERNEL32(00001388), ref: 0268A723
      • Part of subcall function 02675B9B: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02675BC1
      • Part of subcall function 02675B9B: Process32FirstW.KERNEL32 ref: 02675BE6
      • Part of subcall function 02675B9B: OpenProcess.KERNEL32(00000400,00000000,?), ref: 02675C3D
      • Part of subcall function 02675B9B: CloseHandle.KERNEL32 ref: 02675C5B
      • Part of subcall function 02675B9B: GetLengthSid.ADVAPI32 ref: 02675C77
      • Part of subcall function 02675B9B: memcmp.MSVCRT ref: 02675C8F
      • Part of subcall function 02675B9B: CloseHandle.KERNEL32(?), ref: 02675D07
      • Part of subcall function 02675B9B: Process32NextW.KERNEL32(?,?), ref: 02675D13
      • Part of subcall function 02675B9B: CloseHandle.KERNEL32 ref: 02675D26
    • WaitForSingleObject.KERNEL32(00001388), ref: 0268A73C
      • Part of subcall function 0267766D: ReleaseMutex.KERNEL32 ref: 02677671
      • Part of subcall function 0267766D: CloseHandle.KERNEL32 ref: 02677678
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • WaitForSingleObject.KERNEL32(?,00007530), ref: 0269C3D1
    • EnterCriticalSection.KERNEL32(?,?,00007530), ref: 0269C3DF
    • LeaveCriticalSection.KERNEL32(?,?,00007530), ref: 0269C3F4
    • WaitForSingleObject.KERNEL32(?,00007530), ref: 0269C3FE
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,00000002,00000001,?,?,0268914A,?,?,?,?,?,?,00000000,?), ref: 02688FAF
    • LeaveCriticalSection.KERNEL32 ref: 02689017
      • Part of subcall function 02688A41: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 02688A52
      • Part of subcall function 02682543: HeapAlloc.KERNEL32(00000008,?,?,00000000,0268D89F,?,?,?,00000000,00000000,00000000,0268D869,?,0267B3C7,?,@echo off%sdel /F "%s"), ref: 0268256D
      • Part of subcall function 02682543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0268D89F,?,?,?,00000000,00000000,00000000,0268D869,?,0267B3C7), ref: 02682580
    • SetEvent.KERNEL32 ref: 0268900A
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • getpeername.WS2_32(?,?,?), ref: 0268EC79
    • getsockname.WS2_32(?,?,?), ref: 0268EC91
    • send.WS2_32(00000000,00000000,00000008,00000000), ref: 0268ECC2
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • GetLastError.KERNEL32(?,02676577), ref: 02676EA6
    • TlsSetValue.KERNEL32(00000000), ref: 02676EB6
    • SetLastError.KERNEL32(?,?,02676577), ref: 02676EBD
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 02694BC8: StrCmpNIA.SHLWAPI ref: 02694BDF
    • StrCmpNIA.SHLWAPI(?,nbsp;,00000005), ref: 02694D7B
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 02697ED8: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 02697EEF
      • Part of subcall function 02697ED8: CloseHandle.KERNEL32 ref: 02697F0E
    • GetFileSizeEx.KERNEL32(00000000), ref: 026A25C4
      • Part of subcall function 02697F3D: UnmapViewOfFile.KERNEL32 ref: 02697F49
      • Part of subcall function 02697F3D: MapViewOfFile.KERNEL32(?,00000001,00000000,00000000,00000001), ref: 02697F60
      • Part of subcall function 02695B15: SetFilePointerEx.KERNEL32(?,00000001,00000001,00000000,?), ref: 02695B25
    • SetEndOfFile.KERNEL32 ref: 026A263A
    • FlushFileBuffers.KERNEL32(?), ref: 026A2645
      • Part of subcall function 02695934: CloseHandle.KERNEL32 ref: 02695940
      • Part of subcall function 02695B5F: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02695B87
      • Part of subcall function 026A2474: GetFileAttributesW.KERNEL32 ref: 026A2485
      • Part of subcall function 026A2474: PathRemoveFileSpecW.SHLWAPI(?), ref: 026A24BA
      • Part of subcall function 026A2474: MoveFileExW.KERNEL32(?,?,00000001), ref: 026A2501
      • Part of subcall function 026A2474: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 026A251A
      • Part of subcall function 026A2474: Sleep.KERNEL32(00001388), ref: 026A255D
      • Part of subcall function 026A2474: FlushFileBuffers.KERNEL32 ref: 026A256B
      • Part of subcall function 02697E98: UnmapViewOfFile.KERNEL32 ref: 02697EA4
      • Part of subcall function 02697E98: CloseHandle.KERNEL32 ref: 02697EB7
      • Part of subcall function 02697E98: CloseHandle.KERNEL32 ref: 02697ECD
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • select.WS2_32(00000000,?,00000000,00000000), ref: 02683A81
    • recv.WS2_32(?,?,?,00000000), ref: 02683A91
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 02699B46
    • VirtualProtect.KERNEL32(?,0000007C,?,?), ref: 02699B7D
      • Part of subcall function 02699A67: memset.MSVCRT ref: 02699A78
      • Part of subcall function 02699821: GetCurrentProcess.KERNEL32 ref: 02699824
      • Part of subcall function 02699821: VirtualProtect.KERNEL32(3D920000,=::=::\,00000020), ref: 02699845
      • Part of subcall function 02699821: FlushInstructionCache.KERNEL32(?,3D920000,=::=::\), ref: 0269984E
    • ResumeThread.KERNEL32(?), ref: 02699BBE
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • memset.MSVCRT ref: 0269D506
      • Part of subcall function 0269BC89: memcpy.MSVCRT ref: 0269BCA4
      • Part of subcall function 0269BC89: StringFromGUID2.OLE32 ref: 0269BD4A
      • Part of subcall function 0268204E: memcpy.MSVCRT ref: 0268205C
      • Part of subcall function 0269570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0269ABEA,0269ABEA), ref: 0269573C
      • Part of subcall function 02678F6F: memcpy.MSVCRT ref: 02678FE0
      • Part of subcall function 02678F6F: PathRemoveBackslashW.SHLWAPI ref: 02678FEA
      • Part of subcall function 02678F6F: memcpy.MSVCRT ref: 02679033
      • Part of subcall function 02678F6F: memcpy.MSVCRT ref: 02679060
      • Part of subcall function 02678F6F: PathRemoveBackslashW.SHLWAPI ref: 0267906A
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(026A5AA4,?,00000001,?,?,0269D824,?,?,?,00000001), ref: 0269D62C
    • LeaveCriticalSection.KERNEL32(026A5AA4,?,00000001,?,?,0269D824,?,?,?,00000001), ref: 0269D653
      • Part of subcall function 0269D4EF: memset.MSVCRT ref: 0269D506
      • Part of subcall function 026993C4: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 02699433
      • Part of subcall function 026993C4: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 02699458
      • Part of subcall function 0269946B: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 026994AA
    • _ultow.MSVCRT ref: 0269D69A
      • Part of subcall function 02699393: CryptDestroyHash.ADVAPI32 ref: 026993AB
      • Part of subcall function 02699393: CryptReleaseContext.ADVAPI32(?,00000000), ref: 026993BC
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • CloseHandle.KERNEL32(?), ref: 02697B37
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    • InternetQueryOptionA.WININET(?,00000015,?,?), ref: 02697B77
    • InternetCloseHandle.WININET(?), ref: 02697B82
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000), ref: 02681FFF
    • GetLastError.KERNEL32(?,026A49A8,00000000,?,?,0267AF07,?,00000008,?,?,?,?,?,00000000,0269AE13), ref: 02682009
      • Part of subcall function 026824DA: HeapAlloc.KERNEL32(00000008,?,?,0267B076,?,?,?,00000000,?,?,00000000,0269AA69,?,0269ADD5), ref: 026824EB
    • GetTokenInformation.ADVAPI32(?,00000001,?,?), ref: 02682031
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • OpenProcessToken.ADVAPI32(?,00000008), ref: 0267AEF5
      • Part of subcall function 02681FEC: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000), ref: 02681FFF
      • Part of subcall function 02681FEC: GetLastError.KERNEL32(?,026A49A8,00000000,?,?,0267AF07,?,00000008,?,?,?,?,?,00000000,0269AE13), ref: 02682009
      • Part of subcall function 02681FEC: GetTokenInformation.ADVAPI32(?,00000001,?,?), ref: 02682031
    • GetTokenInformation.ADVAPI32(?,0000000C,026A49A8,00000004), ref: 0267AF1D
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    • CloseHandle.KERNEL32(?), ref: 0267AF33
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • PathFindFileNameW.SHLWAPI(000001ED), ref: 0268A759
    • PathRemoveExtensionW.SHLWAPI ref: 0268A76D
    • CharUpperW.USER32 ref: 0268A777
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • lstrlenW.KERNEL32(0266C448), ref: 0268D149
    • lstrlenW.KERNEL32 ref: 0268D14F
      • Part of subcall function 02682543: HeapAlloc.KERNEL32(00000008,?,?,00000000,0268D89F,?,?,?,00000000,00000000,00000000,0268D869,?,0267B3C7,?,@echo off%sdel /F "%s"), ref: 0268256D
      • Part of subcall function 02682543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0268D89F,?,?,?,00000000,00000000,00000000,0268D869,?,0267B3C7), ref: 02682580
    • memcpy.MSVCRT ref: 0268D173
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0268D89F,?,?,?,00000000,00000000,00000000,0268D869,?,0267B3C7), ref: 02682580
      • Part of subcall function 02682456: EnterCriticalSection.KERNEL32(026A5AA4,00000028,026824C9,?,0269D211,?,?,00000000,?,?,00000001), ref: 02682466
      • Part of subcall function 02682456: LeaveCriticalSection.KERNEL32(026A5AA4,?,0269D211,?,?,00000000,?,?,00000001), ref: 02682490
    • HeapAlloc.KERNEL32(00000008,?,?,00000000,0268D89F,?,?,?,00000000,00000000,00000000,0268D869,?,0267B3C7,?,@echo off%sdel /F "%s"), ref: 0268256D
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 026849CD: EnterCriticalSection.KERNEL32(026A5AA4,027F1E90,02684ECC,027F1E90), ref: 026849DD
      • Part of subcall function 026849CD: LeaveCriticalSection.KERNEL32(026A5AA4,?,?,?,?,?,?,?,?,?,?,?,?,027F1EF0,0269D345), ref: 02684A05
    • PathFindFileNameW.SHLWAPI(027F1E90), ref: 02684ED2
      • Part of subcall function 02679E88: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 02679E9D
      • Part of subcall function 02679E88: StrCmpIW.SHLWAPI ref: 02679EA7
      • Part of subcall function 026824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0269D211,?,?,00000000,?,?,00000001), ref: 026824D2
    • InitializeCriticalSection.KERNEL32 ref: 02684F44
      • Part of subcall function 02676D72: EnterCriticalSection.KERNEL32(026A468C,00000000,02684F6E,?,000000FF), ref: 02676D7E
      • Part of subcall function 02676D72: LeaveCriticalSection.KERNEL32(026A468C,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,027F1EF0), ref: 02676D8E
      • Part of subcall function 02676D9C: LeaveCriticalSection.KERNEL32(026A468C,02676E01,00000001,00000000,00000000,?,02684F82,00000001,00000000,?,000000FF), ref: 02676DA6
      • Part of subcall function 02699DDC: GetCurrentThreadId.KERNEL32 ref: 02699DED
      • Part of subcall function 02699DDC: memcpy.MSVCRT ref: 02699F56
      • Part of subcall function 02699DDC: VirtualProtect.KERNEL32(?,?,00000040,00000000), ref: 02699FE2
      • Part of subcall function 02699DDC: GetLastError.KERNEL32(?,00000040,00000000,?,?,00000000), ref: 02699FEC
      • Part of subcall function 02676DAD: LeaveCriticalSection.KERNEL32(026A468C,?,02676E13,00000001,00000000,00000000,?,02684F82,00000001,00000000,?,000000FF), ref: 02676DBA
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    • DeleteCriticalSection.KERNEL32(00000000,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,027F1EF0), ref: 02684FBB
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 0269931E: CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000040), ref: 02699336
    • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 02699433
    • CryptHashData.ADVAPI32(?,?,?,00000000), ref: 02699458
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 02678CBF: EnterCriticalSection.KERNEL32(?,?,?,02682B51,00000005,00007530,?,00000000,00000000), ref: 02678CC7
      • Part of subcall function 02678CBF: WaitForSingleObject.KERNEL32(?,00000000), ref: 02678CEB
      • Part of subcall function 02678CBF: CloseHandle.KERNEL32 ref: 02678CFB
      • Part of subcall function 02678CBF: LeaveCriticalSection.KERNEL32(?,?,?,?,02682B51,00000005,00007530,?,00000000,00000000), ref: 02678D2B
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,0268979E,?,?,?,00000001), ref: 02677D24
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,0268979E,?,?,?,00000001), ref: 02677D40
      • Part of subcall function 026824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0269D211,?,?,00000000,?,?,00000001), ref: 026824D2
      • Part of subcall function 02678D34: EnterCriticalSection.KERNEL32(027F1F34,027F1F28,?,?,0268A99B,00000000,0268A6E2,00000000,?,00000000,?,?,?,0269B2E2,?,00000001), ref: 02678D3D
      • Part of subcall function 02678D34: CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 02678D76
      • Part of subcall function 02678D34: DuplicateHandle.KERNEL32(000000FF,?,000000FF,0268A99B,00000000,00000000,00000002), ref: 02678D95
      • Part of subcall function 02678D34: GetLastError.KERNEL32(?,000000FF,0268A99B,00000000,00000000,00000002,?,?,0268A99B,00000000,0268A6E2,00000000,?,00000000), ref: 02678D9F
      • Part of subcall function 02678D34: TerminateThread.KERNEL32 ref: 02678DA7
      • Part of subcall function 02678D34: CloseHandle.KERNEL32 ref: 02678DAE
      • Part of subcall function 02678D34: LeaveCriticalSection.KERNEL32(027F1F34,?,0268A99B,00000000,0268A6E2,00000000,?,00000000,?,?,?,0269B2E2,?,00000001), ref: 02678DC3
      • Part of subcall function 02678D34: ResumeThread.KERNEL32 ref: 02678DDC
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 026883E6
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02688409
    • CloseHandle.KERNEL32 ref: 02688416
      • Part of subcall function 02695E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 02695E26
      • Part of subcall function 02695E1D: DeleteFileW.KERNEL32 ref: 02695E2D
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • TlsAlloc.KERNEL32(027F27FC,02696EB9,?,?,?,?,027F27F0), ref: 026969EA
    • TlsGetValue.KERNEL32(?,00000001,027F27FC), ref: 026969FC
    • TlsSetValue.KERNEL32(?,?), ref: 02696A41
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • StrCmpNA.SHLWAPI(Basic ,?,00000000), ref: 02679F19
    • lstrcmpA.KERNEL32(Basic ,?,026954A4,00000006,Authorization,?,?,?), ref: 02679F23
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • memset.MSVCRT ref: 026769F9
    • TlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,027F1EF0), ref: 02676A02
    • InitializeCriticalSection.KERNEL32(026A468C), ref: 02676A12
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • InitializeCriticalSection.KERNEL32(026A47FC), ref: 0268B7C7
    • QueryPerformanceCounter.KERNEL32 ref: 0268B7D1
    • GetTickCount.KERNEL32 ref: 0268B7DB
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 0268B64D: EnterCriticalSection.KERNEL32(026A5AA4,?,0268B806,?,?,026959A9,00000000), ref: 0268B65D
      • Part of subcall function 0268B64D: LeaveCriticalSection.KERNEL32(026A5AA4,?,?,026959A9,00000000), ref: 0268B687
    • EnterCriticalSection.KERNEL32(026A47FC,?,?,026959A9,00000000), ref: 0268B80C
    • LeaveCriticalSection.KERNEL32(026A47FC,?,?,026959A9,00000000), ref: 0268B81A
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
      • Part of subcall function 026824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0269D211,?,?,00000000,?,?,00000001), ref: 026824D2
    • memcpy.MSVCRT ref: 026A1657
    • memcpy.MSVCRT ref: 026A166A
    • memcpy.MSVCRT ref: 026A168B
      • Part of subcall function 02694C13: StrCmpNIA.SHLWAPI(?,nbsp;,00000005), ref: 02694D7B
      • Part of subcall function 02682543: HeapAlloc.KERNEL32(00000008,?,?,00000000,0268D89F,?,?,?,00000000,00000000,00000000,0268D869,?,0267B3C7,?,@echo off%sdel /F "%s"), ref: 0268256D
      • Part of subcall function 02682543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0268D89F,?,?,?,00000000,00000000,00000000,0268D869,?,0267B3C7), ref: 02682580
    • memcpy.MSVCRT ref: 026A16FD
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
      • Part of subcall function 026825A7: memcpy.MSVCRT ref: 026825C6
      • Part of subcall function 026A1070: memmove.MSVCRT ref: 026A12E1
      • Part of subcall function 026A1070: memcpy.MSVCRT ref: 026A12F0
      • Part of subcall function 026A1364: memcpy.MSVCRT ref: 026A13D9
      • Part of subcall function 026A1364: memmove.MSVCRT ref: 026A149F
      • Part of subcall function 026A1364: memcpy.MSVCRT ref: 026A14AE
      • Part of subcall function 0268BAD5: strcmp.MSVCRT(?,?,00000009,?,00000007,?,00000008,?,?,?,?,00000000,?), ref: 0268BB42
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • SetFileAttributesW.KERNEL32(?,00000080), ref: 02695E26
    • DeleteFileW.KERNEL32 ref: 02695E2D
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00000000,026A30F0,00000038,02684BB2,00000000,?), ref: 02684ACC
    • memcmp.MSVCRT ref: 02684AE3
      • Part of subcall function 026824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0269D211,?,?,00000000,?,?,00000001), ref: 026824D2
    • memcpy.MSVCRT ref: 02684B11
    • LeaveCriticalSection.KERNEL32(00000000), ref: 02684B68
      • Part of subcall function 02682593: HeapFree.KERNEL32(00000000,027F1E90,0269D2D1,?,?,00000000,?,?,00000001), ref: 026825A0
    Memory Dump Source
    • Source File: 00000006.00000002.680187437.02640000.00000040.sdmp, Offset: 02640000, based on PE: true
    Executed Functions
    APIs
    • GetModuleHandleW.KERNEL32(00000000), ref: 00BEACF4
      • Part of subcall function 00BE01EA: LoadLibraryA.KERNEL32 ref: 00BE023A
      • Part of subcall function 00BED1E0: InitializeCriticalSection.KERNEL32(00BF5AA4), ref: 00BED207
      • Part of subcall function 00BED1E0: InitializeCriticalSection.KERNEL32 ref: 00BED218
      • Part of subcall function 00BED1E0: memset.MSVCRT ref: 00BED229
      • Part of subcall function 00BED1E0: TlsAlloc.KERNEL32(?,?,00000000,?,?,00000001), ref: 00BED240
      • Part of subcall function 00BED1E0: GetModuleHandleW.KERNEL32(00000000), ref: 00BED25C
      • Part of subcall function 00BED1E0: GetModuleHandleW.KERNEL32 ref: 00BED272
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00BEAD59
    • Process32FirstW.KERNEL32 ref: 00BEAD74
    • PathFindFileNameW.SHLWAPI ref: 00BEAD87
    • StrCmpNIW.SHLWAPI(rapport,?,00000007), ref: 00BEAD99
    • Process32NextW.KERNEL32(?,?), ref: 00BEADA9
    • CloseHandle.KERNEL32 ref: 00BEADB4
    • WSAStartup.WS2_32(00000202), ref: 00BEADC4
    • CreateEventW.KERNEL32(00BF49B4,00000001,00000000,00000000), ref: 00BEADEC
      • Part of subcall function 00BCAEE3: OpenProcessToken.ADVAPI32(?,00000008), ref: 00BCAEF5
      • Part of subcall function 00BCAEE3: GetTokenInformation.ADVAPI32(?,0000000C,00BF49A8,00000004), ref: 00BCAF1D
      • Part of subcall function 00BCAEE3: CloseHandle.KERNEL32(?), ref: 00BCAF33
    • GetLengthSid.ADVAPI32(?,?,?,?,00000001), ref: 00BEAE22
      • Part of subcall function 00BEAA9A: GetTempPathW.KERNEL32(00000104), ref: 00BEAAB7
      • Part of subcall function 00BEAA9A: GetLongPathNameW.KERNEL32(?,C:\Documents and Settings\Administrator\Local Settings\Temp,00000104,?,?), ref: 00BEAACF
      • Part of subcall function 00BEAA9A: PathRemoveBackslashW.SHLWAPI(C:\Documents and Settings\Administrator\Local Settings\Temp), ref: 00BEAADA
      • Part of subcall function 00BEAA9A: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?), ref: 00BEAB00
    • GetCurrentProcessId.KERNEL32 ref: 00BEAE4D
      • Part of subcall function 00BEAB23: SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000), ref: 00BEAB64
      • Part of subcall function 00BEAB23: lstrcmpiW.KERNEL32 ref: 00BEAB93
      • Part of subcall function 00BEABBF: lstrcatW.KERNEL32(?,.dat), ref: 00BEAC32
      • Part of subcall function 00BEABBF: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BEAC57
      • Part of subcall function 00BEABBF: ReadFile.KERNEL32(?,?,000001FE,?,00000000), ref: 00BEAC75
      • Part of subcall function 00BEABBF: CloseHandle.KERNEL32 ref: 00BEAC82
      • Part of subcall function 00BDC8A1: IsBadReadPtr.KERNEL32 ref: 00BDC8E0
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • memset.MSVCRT ref: 00BE990F
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00BE9920
    • VirtualAlloc.KERNEL32(?,=::=::\,00003000,00000040), ref: 00BE9954
    • memset.MSVCRT ref: 00BE9994
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00BE99A5
    • VirtualAlloc.KERNEL32(?,=::=::\,00003000,00000040), ref: 00BE99E5
    • memset.MSVCRT ref: 00BE9A50
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00E81F44,00E81F38,?,?,00BDA99B,00000000,00BDA6E2,00000000,?,00000000,?,?,?,00BEB2E2,?,00000001), ref: 00BC8D3D
    • CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00BC8D76
    • DuplicateHandle.KERNEL32(000000FF,?,000000FF,00BDA99B,00000000,00000000,00000002), ref: 00BC8D95
    • GetLastError.KERNEL32(?,000000FF,00BDA99B,00000000,00000000,00000002,?,?,00BDA99B,00000000,00BDA6E2,00000000,?,00000000), ref: 00BC8D9F
    • TerminateThread.KERNEL32 ref: 00BC8DA7
    • CloseHandle.KERNEL32 ref: 00BC8DAE
      • Part of subcall function 00BD24F3: HeapAlloc.KERNEL32(00000000,?,?,?,00BC6328,?,?,00BE8D10,?,?,?,?,0000FFFF), ref: 00BD251D
      • Part of subcall function 00BD24F3: HeapReAlloc.KERNEL32(00000000,?,?,?,?,00BC6328,?,?,00BE8D10,?,?,?,?,0000FFFF), ref: 00BD2530
    • LeaveCriticalSection.KERNEL32(00E81F44,?,00BDA99B,00000000,00BDA6E2,00000000,?,00000000,?,?,?,00BEB2E2,?,00000001), ref: 00BC8DC3
    • ResumeThread.KERNEL32 ref: 00BC8DDC
      • Part of subcall function 00BD2543: HeapAlloc.KERNEL32(00000008,?,?,00000000,00BDD89F,?,?,?,00000000,00000000,00000000,00BDD869,?,00BCB3C7,?,@echo off%sdel /F "%s"), ref: 00BD256D
      • Part of subcall function 00BD2543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00BDD89F,?,?,?,00000000,00000000,00000000,00BDD869,?,00BCB3C7), ref: 00BD2580
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00BE9BEC
    • memcpy.MSVCRT ref: 00BE9C39
    • GetThreadContext.KERNEL32(?,00000010), ref: 00BE9CAF
    • SetThreadContext.KERNEL32(?,?), ref: 00BE9D1A
    • GetCurrentProcess.KERNEL32 ref: 00BE9D33
    • VirtualProtect.KERNEL32(?,0000007C,?), ref: 00BE9D58
    • FlushInstructionCache.KERNEL32(?,?,0000007C), ref: 00BE9D6A
      • Part of subcall function 00BE9A67: memset.MSVCRT ref: 00BE9A78
      • Part of subcall function 00BE9821: GetCurrentProcess.KERNEL32 ref: 00BE9824
      • Part of subcall function 00BE9821: VirtualProtect.KERNEL32(3D920000,=::=::\,00000020), ref: 00BE9845
      • Part of subcall function 00BE9821: FlushInstructionCache.KERNEL32(?,3D920000,=::=::\), ref: 00BE984E
    • ResumeThread.KERNEL32(?), ref: 00BE9DAB
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
      • Part of subcall function 00BE9B45: GetCurrentThreadId.KERNEL32 ref: 00BE9B46
      • Part of subcall function 00BE9B45: VirtualProtect.KERNEL32(?,0000007C,?,?), ref: 00BE9B7D
      • Part of subcall function 00BE9B45: ResumeThread.KERNEL32(?), ref: 00BE9BBE
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • InitializeSecurityDescriptor.ADVAPI32(00BF49C0,00000001), ref: 00BD1F5F
    • SetSecurityDescriptorDacl.ADVAPI32(00BF49C0,00000001,00000000,00000000), ref: 00BD1F70
    • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NRNWNX;;;LW),00000001,?,00000000), ref: 00BD1F86
    • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00BD1FA2
    • SetSecurityDescriptorSacl.ADVAPI32(00BF49C0,?,?,00000001), ref: 00BD1FB6
    • LocalFree.KERNEL32(?), ref: 00BD1FC8
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
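The security descriptor assembled in this function is worth reading as a unit: the DACL is set present but NULL at 00BD1F70 (everyone gets full access), and the SDDL literal at 00BD1F86 adds a SACL holding one mandatory-label ACE. Added example, not code from the sample or from the report: the script below decodes that literal and shows which integrity levels the label still blocks. The integrity RIDs and the NR/NW/NX semantics are the documented Windows meanings. It assumes, from the adjacent addresses only, that this descriptor at 00BF49C0 is the one behind the SECURITY_ATTRIBUTES at 00BF49B4 handed to the CreateMutexW and CreateEventW calls elsewhere in this listing; the report does not state that. The XP SP3 analysis system has no mandatory integrity control, so the label only takes effect on Vista and later.

```python
"""Decode the mandatory-label SACL built at 00BD1F5F-00BD1FC8 and work out who it still
keeps out. Added example, not code from the sample or the report; integrity RIDs and the
no-read-up / no-write-up / no-execute-up rules are the documented Windows semantics."""
import re

# SDDL aliases for integrity-level SIDs (S-1-16-<rid>); Untrusted (rid 0) has no alias
INTEGRITY_SIDS = {"LW": 0x1000, "ME": 0x2000, "HI": 0x3000, "SI": 0x4000}
LEVELS = [("Untrusted", 0x0000), ("Low", 0x1000), ("Medium", 0x2000),
          ("High", 0x3000), ("System", 0x4000)]
RID_NAME = {rid: name for name, rid in LEVELS}

# Policy flags in the rights field of an ML ACE; each only restricts LOWER-integrity callers
LABEL_POLICY = {"NR": "read", "NW": "write", "NX": "execute"}

# (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid) with empty GUIDs
ACE_RE = re.compile(r"\((?P<type>[A-Z]+);[A-Z]*;(?P<rights>[A-Z]*);;;(?P<sid>[A-Z]+)\)")


def parse_label_sacl(sddl):
    """Parse 'S:(ML;;<rights>;;;<sid>)' into the label RID and the access kinds it blocks."""
    if not sddl.startswith("S:"):
        raise ValueError("expected a SACL-only SDDL string")
    m = ACE_RE.fullmatch(sddl[2:])
    if not m or m.group("type") != "ML":
        raise ValueError("expected exactly one mandatory-label ACE")
    rights = m.group("rights")
    rid = INTEGRITY_SIDS[m.group("sid")]
    return {"rid": rid, "level": RID_NAME[rid],
            "blocked_up": [LABEL_POLICY[rights[i:i + 2]] for i in range(0, len(rights), 2)]}


def allowed_from(label, accessor_rid, access):
    """Mandatory-policy check only. A caller at or above the label's level is never
    restricted by it; a lower one loses the access kinds named in the ACE. Because the
    same function also sets a NULL DACL (SetSecurityDescriptorDacl(sd, TRUE, NULL, FALSE)
    = everyone, full access), this is the only check left on the object."""
    return accessor_rid >= label["rid"] or access not in label["blocked_up"]


def summarize(sddl):
    """For each access kind, the integrity levels the label still blocks."""
    label = parse_label_sacl(sddl)
    return {acc: [name for name, rid in LEVELS if not allowed_from(label, rid, acc)]
            for acc in ("read", "write", "execute")}


SAMPLE_SDDL = "S:(ML;;NRNWNX;;;LW)"   # literal from the report, ref 00BD1F86
IMPLICIT_MEDIUM = "S:(ML;;NW;;;ME)"   # how an object with no explicit label is treated

if __name__ == "__main__":
    # Sample's label: only Untrusted is blocked, so Low-IL code (e.g. running inside a
    # Protected Mode browser) can open the mutex/event with full rights.
    print(summarize(SAMPLE_SDDL))
    # Implicit label: Low-IL callers lose write-class rights, so CreateMutexW/OpenMutex
    # asking for MUTEX_ALL_ACCESS would fail for them.
    print(summarize(IMPLICIT_MEDIUM))
```

The point of the Low label is the contrast with the implicit one: an object a Medium-integrity process creates without a label is treated as Medium with no-write-up, which keeps Low-integrity code out; relabelling it Low lets injected low-integrity components reach the same mutex and event objects.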
    APIs
      • Part of subcall function 00BD204E: memcpy.MSVCRT ref: 00BD205C
      • Part of subcall function 00BE570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00BEABEA,00BEABEA), ref: 00BE573C
    • lstrcatW.KERNEL32(?,.dat), ref: 00BEAC32
    • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BEAC57
    • ReadFile.KERNEL32(?,?,000001FE,?,00000000), ref: 00BEAC75
    • CloseHandle.KERNEL32 ref: 00BEAC82
      • Part of subcall function 00BED2D7: EnterCriticalSection.KERNEL32(00E81E90,?), ref: 00BED2EB
      • Part of subcall function 00BED2D7: GetFileVersionInfoSizeW.VERSION(00E81EF0), ref: 00BED30C
      • Part of subcall function 00BED2D7: GetFileVersionInfoW.VERSION(00E81EF0,00000000), ref: 00BED32A
      • Part of subcall function 00BED2D7: LeaveCriticalSection.KERNEL32(00E81E90,00000001,00000001,00000001,00000001), ref: 00BED413
      • Part of subcall function 00BC8F6F: memcpy.MSVCRT ref: 00BC8FE0
      • Part of subcall function 00BC8F6F: PathRemoveBackslashW.SHLWAPI ref: 00BC8FEA
      • Part of subcall function 00BC8F6F: memcpy.MSVCRT ref: 00BC9033
      • Part of subcall function 00BC8F6F: memcpy.MSVCRT ref: 00BC9060
      • Part of subcall function 00BC8F6F: PathRemoveBackslashW.SHLWAPI ref: 00BC906A
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00BEABF1
    • .dat, xrefs: 00BEAC26
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • CertOpenSystemStoreW.CRYPT32(00000000), ref: 00BD3205
    • CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00BD3223
    • CertEnumCertificatesInStore.CRYPT32(?,?,?,00000000), ref: 00BD3230
    • PFXExportCertStoreEx.CRYPT32(?,00000000,00000000,00000000,00000004,?,?,?,00000000), ref: 00BD3264
      • Part of subcall function 00BD24C1: HeapAlloc.KERNEL32(00000000,00000028,?,00BED211,?,?,00000000,?,?,00000001), ref: 00BD24D2
    • PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000000,00000000,00000004,?,?,?,00000000), ref: 00BD3296
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
      • Part of subcall function 00BD32D5: GetUserNameExW.SECUR32(00000002), ref: 00BD3303
      • Part of subcall function 00BD32D5: GetSystemTime.KERNEL32 ref: 00BD3356
      • Part of subcall function 00BD32D5: CharLowerW.USER32(?), ref: 00BD33A6
      • Part of subcall function 00BD32D5: PathRenameExtensionW.SHLWAPI(?), ref: 00BD33D6
    • CertCloseStore.CRYPT32(?,00000000,?,00000000), ref: 00BD32C5
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00E81E90,?), ref: 00BED2EB
      • Part of subcall function 00BDBDA7: GetModuleHandleW.KERNEL32 ref: 00BDBDC3
      • Part of subcall function 00BDBDA7: GetModuleHandleW.KERNEL32 ref: 00BDBDFE
    • GetFileVersionInfoSizeW.VERSION(00E81EF0), ref: 00BED30C
    • GetFileVersionInfoW.VERSION(00E81EF0,00000000), ref: 00BED32A
      • Part of subcall function 00BD4EC0: PathFindFileNameW.SHLWAPI(00E81E90), ref: 00BD4ED2
      • Part of subcall function 00BD4EC0: InitializeCriticalSection.KERNEL32 ref: 00BD4F44
      • Part of subcall function 00BD4EC0: DeleteCriticalSection.KERNEL32(00000000,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00E81EF0), ref: 00BD4FBB
      • Part of subcall function 00BCA90A: InitializeCriticalSection.KERNEL32 ref: 00BCA938
      • Part of subcall function 00BCA90A: GetModuleHandleW.KERNEL32 ref: 00BCA976
      • Part of subcall function 00BEC7B5: InitializeCriticalSection.KERNEL32 ref: 00BEC7CA
      • Part of subcall function 00BE68C4: EnterCriticalSection.KERNEL32(00BF5AA4,00E81E90,00BED364,00000001,00000001), ref: 00BE68D4
      • Part of subcall function 00BE68C4: LeaveCriticalSection.KERNEL32(00BF5AA4), ref: 00BE68FC
      • Part of subcall function 00BD24C1: HeapAlloc.KERNEL32(00000000,00000028,?,00BED211,?,?,00000000,?,?,00000001), ref: 00BD24D2
      • Part of subcall function 00BE8AD4: GetCommandLineW.KERNEL32 ref: 00BE8B5E
      • Part of subcall function 00BE8AD4: CommandLineToArgvW.SHELL32 ref: 00BE8B65
      • Part of subcall function 00BE8AD4: LocalFree.KERNEL32 ref: 00BE8BA5
      • Part of subcall function 00BE8AD4: GetModuleHandleW.KERNEL32(?), ref: 00BE8BE7
      • Part of subcall function 00BCCE23: VerQueryValueW.VERSION(?,00BBAE74,?,?,00E81E90,00BED393), ref: 00BCCE44
      • Part of subcall function 00BCCE23: GetModuleHandleW.KERNEL32(?), ref: 00BCCE85
      • Part of subcall function 00BEFE99: GetModuleHandleW.KERNEL32 ref: 00BEFEB6
      • Part of subcall function 00BDB000: EnterCriticalSection.KERNEL32(00BF5AA4,00E81E90,00BED39D), ref: 00BDB010
      • Part of subcall function 00BDB000: LeaveCriticalSection.KERNEL32(00BF5AA4), ref: 00BDB038
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
    • LeaveCriticalSection.KERNEL32(00E81E90,00000001,00000001,00000001,00000001), ref: 00BED413
      • Part of subcall function 00BC6D72: EnterCriticalSection.KERNEL32(00BF468C,00000000,00BD4F6E,?,000000FF), ref: 00BC6D7E
      • Part of subcall function 00BC6D72: LeaveCriticalSection.KERNEL32(00BF468C,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00E81EF0), ref: 00BC6D8E
      • Part of subcall function 00BC6D9C: LeaveCriticalSection.KERNEL32(00BF468C,00BC6E01,00000001,00000000,00000000,?,00BD4F82,00000001,00000000,?,000000FF), ref: 00BC6DA6
      • Part of subcall function 00BC6DAD: LeaveCriticalSection.KERNEL32(00BF468C,?,00BC6E13,00000001,00000000,00000000,?,00BD4F82,00000001,00000000,?,000000FF), ref: 00BC6DBA
      • Part of subcall function 00BE699E: memset.MSVCRT ref: 00BE69C6
      • Part of subcall function 00BE699E: InitializeCriticalSection.KERNEL32 ref: 00BE69D3
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00BE9DED
      • Part of subcall function 00BD24C1: HeapAlloc.KERNEL32(00000000,00000028,?,00BED211,?,?,00000000,?,?,00000001), ref: 00BD24D2
      • Part of subcall function 00BE985F: memset.MSVCRT ref: 00BE990F
      • Part of subcall function 00BE985F: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00BE9920
      • Part of subcall function 00BE985F: VirtualAlloc.KERNEL32(?,=::=::\,00003000,00000040), ref: 00BE9954
      • Part of subcall function 00BE985F: memset.MSVCRT ref: 00BE9994
      • Part of subcall function 00BE985F: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00BE99A5
      • Part of subcall function 00BE985F: VirtualAlloc.KERNEL32(?,=::=::\,00003000,00000040), ref: 00BE99E5
      • Part of subcall function 00BE985F: memset.MSVCRT ref: 00BE9A50
      • Part of subcall function 00BE64A4: SetLastError.KERNEL32(0000000D), ref: 00BE64DF
    • memcpy.MSVCRT ref: 00BE9F56
    • VirtualProtect.KERNEL32(?,?,00000040,00000000), ref: 00BE9FE2
    • GetLastError.KERNEL32(?,00000040,00000000,?,?,00000000), ref: 00BE9FEC
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
      • Part of subcall function 00BE9A67: memset.MSVCRT ref: 00BE9A78
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00BF5AA4,00000000,?,?,00BC93C9), ref: 00BED5B6
    • LeaveCriticalSection.KERNEL32(00BF5AA4,?,?,00BC93C9), ref: 00BED5DC
      • Part of subcall function 00BED4EF: memset.MSVCRT ref: 00BED506
    • CreateMutexW.KERNEL32(00BF49B4,00000000,Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}), ref: 00BED5EE
      • Part of subcall function 00BC75E7: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00BC75ED
      • Part of subcall function 00BC75E7: CloseHandle.KERNEL32 ref: 00BC75FF
    Strings
    • Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}, xrefs: 00BED5E3
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • GetCurrentProcess.KERNEL32 ref: 00BE9824
    • VirtualProtect.KERNEL32(3D920000,=::=::\,00000020), ref: 00BE9845
    • FlushInstructionCache.KERNEL32(?,3D920000,=::=::\), ref: 00BE984E
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00BCAF51
    • Thread32First.KERNEL32 ref: 00BCAF6C
    • Thread32Next.KERNEL32(?,?), ref: 00BCAF7F
    • CloseHandle.KERNEL32 ref: 00BCAF8A
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00BE9AEE
    • VirtualProtect.KERNEL32(3D920000,00010000,00000040,?), ref: 00BE9B34
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • CreateThread.KERNEL32(00000000,00000000,Function_00053883,00000000), ref: 00BE3964
    • WaitForSingleObject.KERNEL32(?,00003A98), ref: 00BE3976
    • TerminateThread.KERNEL32(?,00000000), ref: 00BE3982
    • CloseHandle.KERNEL32 ref: 00BE3989
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BE07B0: RegCreateKeyExW.ADVAPI32(80000001,00000102,00000000,00000000,00000000,?,00000000,?,?), ref: 00BE07D8
    • RegSetValueExW.ADVAPI32(00000000,000000FE,?,00000000,?,?), ref: 00BE0823
      • Part of subcall function 00BE0755: RegFlushKey.ADVAPI32 ref: 00BE0765
      • Part of subcall function 00BE0755: RegCloseKey.ADVAPI32 ref: 00BE076D
    Strings
    • Software\Microsoft\Tivyikdiy, xrefs: 00BE0803
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • HeapCreate.KERNEL32(00000000,00080000,00000000), ref: 00BD24A1
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BC6E1F: GetLastError.KERNEL32(3D920680,?,00BC652A), ref: 00BC6E21
      • Part of subcall function 00BC6E1F: TlsGetValue.KERNEL32(?,?,00BC652A), ref: 00BC6E3E
      • Part of subcall function 00BC6E1F: TlsSetValue.KERNEL32(00000001), ref: 00BC6E50
      • Part of subcall function 00BC6E1F: SetLastError.KERNEL32(?,?,00BC652A), ref: 00BC6E60
    • NtQueryInformationProcess.NTDLL(?,00000000,?,00000018), ref: 00BD3465
      • Part of subcall function 00BEC012: CreateMutexW.KERNEL32(00BF49B4,00000001), ref: 00BEC058
      • Part of subcall function 00BEC012: GetLastError.KERNEL32(?,?,?,?,00000002,00000000), ref: 00BEC064
      • Part of subcall function 00BEC012: CloseHandle.KERNEL32 ref: 00BEC072
      • Part of subcall function 00BCC5A8: TlsGetValue.KERNEL32(00000015,?,00BD349E), ref: 00BCC5B1
      • Part of subcall function 00BEAEB1: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00BEAECF
      • Part of subcall function 00BEAEB1: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00BEAF0A
      • Part of subcall function 00BEAEB1: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00BEAF4A
      • Part of subcall function 00BEAEB1: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00BEAF6D
      • Part of subcall function 00BEAEB1: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00BEAFBD
    • CloseHandle.KERNEL32 ref: 00BD34DA
      • Part of subcall function 00BCAF41: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00BCAF51
      • Part of subcall function 00BCAF41: Thread32First.KERNEL32 ref: 00BCAF6C
      • Part of subcall function 00BCAF41: Thread32Next.KERNEL32(?,?), ref: 00BCAF7F
      • Part of subcall function 00BCAF41: CloseHandle.KERNEL32 ref: 00BCAF8A
      • Part of subcall function 00BC6EA5: GetLastError.KERNEL32(?,00BC6577), ref: 00BC6EA6
      • Part of subcall function 00BC6EA5: TlsSetValue.KERNEL32(00000000), ref: 00BC6EB6
      • Part of subcall function 00BC6EA5: SetLastError.KERNEL32(?,?,00BC6577), ref: 00BC6EBD
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • CreateMutexW.KERNEL32(00BF49B4,00000000), ref: 00BEC0BF
      • Part of subcall function 00BC75E7: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00BC75ED
      • Part of subcall function 00BC75E7: CloseHandle.KERNEL32 ref: 00BC75FF
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BD24C1: HeapAlloc.KERNEL32(00000000,00000028,?,00BED211,?,?,00000000,?,?,00000001), ref: 00BD24D2
      • Part of subcall function 00BE083C: RegQueryValueExW.ADVAPI32(?,00000010,00000000,?,?,?), ref: 00BE0850
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00BE0903
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • RegCreateKeyExW.ADVAPI32(80000001,00000102,00000000,00000000,00000000,?,00000000,?,?), ref: 00BE07D8
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • RegQueryValueExW.ADVAPI32(?,00000010,00000000,?,?,?), ref: 00BE0850
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    Non-executed Functions
    APIs
    • socket.WS2_32(?,00000001,00000006), ref: 00BD3BCA
    • bind.WS2_32 ref: 00BD3BE7
    • listen.WS2_32(?,00000001), ref: 00BD3BF4
    • WSAGetLastError.WS2_32(?,?,?,?,00000001,00000006,?,?,00BDEE5F,?,?,?), ref: 00BD3BFE
    • closesocket.WS2_32 ref: 00BD3C07
    • WSASetLastError.WS2_32(?,?,?,?,?,?,00000001,00000006,?,?,00BDEE5F,?,?,?), ref: 00BD3C0E
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BCB7D0: socket.WS2_32(?,?,00000006), ref: 00BCB804
    • bind.WS2_32(?,00BCBCEA), ref: 00BCBC53
    • listen.WS2_32(?,00000014), ref: 00BCBC68
    • WSAGetLastError.WS2_32(00000000,?,00BCBCEA,?,?,?,?,00000000), ref: 00BCBC76
      • Part of subcall function 00BCB979: shutdown.WS2_32(?,00000002), ref: 00BCB987
      • Part of subcall function 00BCB979: closesocket.WS2_32 ref: 00BCB990
      • Part of subcall function 00BCB979: WSACloseEvent.WS2_32 ref: 00BCB9A3
    • WSASetLastError.WS2_32(?,?,00BCBCEA,?,?,?,?,00000000), ref: 00BCBC86
      • Part of subcall function 00BCB928: WSACreateEvent.WS2_32(00000000,?,00BCBB6E,00000033,00000000,?,?,?,00BDC4F0,?,00003A98,?,00000000,?,00000003), ref: 00BCB93E
      • Part of subcall function 00BCB928: WSAEventSelect.WS2_32(?,?,00000033), ref: 00BCB954
      • Part of subcall function 00BCB928: WSACloseEvent.WS2_32 ref: 00BCB968
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • StrStrIW.SHLWAPI(tellerplus,00E81E90), ref: 00BEC1A4
    • StrStrIW.SHLWAPI(bancline), ref: 00BEC1B9
    • StrStrIW.SHLWAPI(fidelity), ref: 00BEC1CE
    • StrStrIW.SHLWAPI(micrsolv), ref: 00BEC1E3
    • StrStrIW.SHLWAPI(bankman), ref: 00BEC1F8
    • StrStrIW.SHLWAPI(vantiv), ref: 00BEC20D
    • StrStrIW.SHLWAPI(episys), ref: 00BEC222
    • StrStrIW.SHLWAPI(jack henry), ref: 00BEC237
    • StrStrIW.SHLWAPI(cruisenet), ref: 00BEC24C
    • StrStrIW.SHLWAPI(gplusmain), ref: 00BEC261
    • StrStrIW.SHLWAPI(launchpadshell.exe), ref: 00BEC276
    • StrStrIW.SHLWAPI(dirclt32.exe), ref: 00BEC28B
    • StrStrIW.SHLWAPI(wtng.exe), ref: 00BEC29C
    • StrStrIW.SHLWAPI(prologue.exe), ref: 00BEC2AD
    • StrStrIW.SHLWAPI(silverlake), ref: 00BEC2BE
    • StrStrIW.SHLWAPI(pcsws.exe), ref: 00BEC2CF
    • StrStrIW.SHLWAPI(v48d0250s1), ref: 00BEC2E0
    • StrStrIW.SHLWAPI(fdmaster.exe), ref: 00BEC2F1
    • StrStrIW.SHLWAPI(fastdoc), ref: 00BEC302
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • LoadLibraryA.KERNEL32(gdiplus.dll), ref: 00BC7FBA
    • GetProcAddress.KERNEL32(?,GdiplusStartup), ref: 00BC7FD2
    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00BC8011
    • CreateCompatibleDC.GDI32 ref: 00BC8022
    • LoadCursorW.USER32(00000000,00007F00), ref: 00BC8038
    • GetIconInfo.USER32 ref: 00BC804C
    • GetCursorPos.USER32(?), ref: 00BC805B
    • GetDeviceCaps.GDI32(?,00000008), ref: 00BC8072
    • GetDeviceCaps.GDI32(?,0000000A), ref: 00BC807B
    • CreateCompatibleBitmap.GDI32(?,?), ref: 00BC8087
    • SelectObject.GDI32 ref: 00BC8095
    • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,40CC0020), ref: 00BC80B6
    • DrawIcon.USER32(?,?,?,?), ref: 00BC80E8
      • Part of subcall function 00BE1285: GetProcAddress.KERNEL32(?,GdipCreateBitmapFromHBITMAP), ref: 00BE129A
      • Part of subcall function 00BE1285: GetProcAddress.KERNEL32(?,GdipDisposeImage), ref: 00BE12A5
    • SelectObject.GDI32(?,?), ref: 00BC8104
    • DeleteObject.GDI32 ref: 00BC810B
    • DeleteDC.GDI32 ref: 00BC8112
    • DeleteDC.GDI32 ref: 00BC8119
    • FreeLibrary.KERNEL32(?), ref: 00BC8129
    • GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 00BC813F
    • FreeLibrary.KERNEL32(?), ref: 00BC8153
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
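Added example for the API groupings in this listing: the thread-context hijack at 00BE9BEC-00BE9DAB, the certificate export at 00BD3205-00BD32C5, the mutex and registry strings, the socket/bind/listen functions at 00BD3BCA and 00BCBC53, the StrStrIW comparisons at 00BEC1A4-00BEC302 and the GDI screen capture at 00BC7FBA-00BC8153. It is not part of the report or of the sandbox. The parser reads lines in this report's format, groups them per function, flags API sets that together indicate a technique, names the constants that matter and collects the string IOCs. The input is a constructed excerpt of lines copied from this page; the technique labels are this script's own; the constant names are the documented Win32 values (PFXExportCertStoreEx flag 0x4 = EXPORT_PRIVATE_KEYS, VirtualAlloc protect 0x40 = PAGE_EXECUTE_READWRITE, 0x80000001 = HKEY_CURRENT_USER, socket type 1 / protocol 6 = SOCK_STREAM / IPPROTO_TCP).

```python
"""Triage helper for this report's per-function API listing. Added example, not part of
the report or the sandbox: the input is a constructed excerpt of this page, the technique
labels are this script's own, the constant names are documented Win32 values."""
import re

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-F]{8}:\s*)?"
    r"(?P<api>\w+)\.[A-Z0-9_]+(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$")
STRING_LINE = re.compile(r"^\s*•\s*(?P<s>.+?),\s*xrefs:\s*[0-9A-F]{8}$")
HEXLIKE = re.compile(r"^(?:[0-9A-F]{8}|\?)$")   # hex argument or unresolved '?'
BLOCK_END = "Memory Dump Source"

# Every API in a set must appear in one function block (direct or subcall) to flag it.
TECHNIQUES = {
    "thread-context hijacking / code injection":
        {"GetThreadContext", "SetThreadContext", "VirtualProtect", "FlushInstructionCache", "ResumeThread"},
    "certificate + private key export":
        {"CertOpenSystemStoreW", "CertEnumCertificatesInStore", "PFXExportCertStoreEx"},
    "TCP listener (possible backdoor)": {"socket", "bind", "listen"},
    "screen capture": {"CreateDCW", "CreateCompatibleBitmap", "BitBlt"},
}


def decode_args(api, args):
    """Name the constants that matter for triage in a few calls."""
    a = [x.strip() for x in args.split(",")] if args else []
    notes = []
    if api == "PFXExportCertStoreEx" and len(a) > 4 and a[4] == "00000004":
        notes.append("dwFlags=EXPORT_PRIVATE_KEYS")       # private keys leave with the certs
    if api == "VirtualAlloc" and len(a) > 3 and a[3] == "00000040":
        notes.append("flProtect=PAGE_EXECUTE_READWRITE")  # RWX region for injected code
    if api == "RegCreateKeyExW" and a[:1] == ["80000001"]:
        notes.append("hKey=HKEY_CURRENT_USER")
    if api == "socket" and a[1:3] == ["00000001", "00000006"]:
        notes.append("SOCK_STREAM/IPPROTO_TCP")
    return notes


def parse_blocks(lines):
    """Group lines into function blocks; a block ends at the 'Memory Dump Source' line."""
    blocks, cur = [], {"apis": set(), "calls": [], "strings": []}
    for line in lines:
        if line.strip().startswith(BLOCK_END):
            if cur["calls"] or cur["strings"]:
                blocks.append(cur)
            cur = {"apis": set(), "calls": [], "strings": []}
            continue
        m = API_LINE.match(line)
        if m:
            cur["apis"].add(m.group("api"))
            cur["calls"].append((m.group("api"), m.group("args") or "", m.group("ref")))
            continue
        m = STRING_LINE.match(line)
        if m:
            cur["strings"].append(m.group("s"))
    if cur["calls"] or cur["strings"]:
        blocks.append(cur)
    return blocks


def triage(lines):
    """Technique hits, decoded constants, IOC strings and StrStrIW search terms."""
    out = {"techniques": [], "decoded": [], "iocs": [], "targets": []}
    for b in parse_blocks(lines):
        out["techniques"] += [n for n, need in TECHNIQUES.items() if need <= b["apis"]]
        for api, args, ref in b["calls"]:
            out["decoded"] += [(api, ref, n) for n in decode_args(api, args)]
            # StrStrIW with a literal argument: case-insensitive substring test of a runtime
            # string against a constant, in this sample names of banking software
            first = args.split(",")[0].strip()
            if api == "StrStrIW" and first and not HEXLIKE.match(first):
                out["targets"].append(first)
        out["iocs"] += b["strings"]
    return out


SAMPLE_REPORT = r"""
• GetThreadContext.KERNEL32(?,00000010), ref: 00BE9CAF
• SetThreadContext.KERNEL32(?,?), ref: 00BE9D1A
• VirtualProtect.KERNEL32(?,0000007C,?), ref: 00BE9D58
• FlushInstructionCache.KERNEL32(?,?,0000007C), ref: 00BE9D6A
• ResumeThread.KERNEL32(?), ref: 00BE9DAB
Memory Dump Source
• CertOpenSystemStoreW.CRYPT32(00000000), ref: 00BD3205
• CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00BD3223
• PFXExportCertStoreEx.CRYPT32(?,00000000,00000000,00000000,00000004,?,?,?,00000000), ref: 00BD3264
Memory Dump Source
• CreateMutexW.KERNEL32(00BF49B4,00000000,Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}), ref: 00BED5EE
• Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}, xrefs: 00BED5E3
Memory Dump Source
• socket.WS2_32(?,00000001,00000006), ref: 00BD3BCA
• bind.WS2_32 ref: 00BD3BE7
• listen.WS2_32(?,00000001), ref: 00BD3BF4
Memory Dump Source
• StrStrIW.SHLWAPI(tellerplus,00E81E90), ref: 00BEC1A4
• StrStrIW.SHLWAPI(dirclt32.exe), ref: 00BEC28B
Memory Dump Source
• Part of subcall function 00BE07B0: RegCreateKeyExW.ADVAPI32(80000001,00000102,00000000,00000000,00000000,?,00000000,?,?), ref: 00BE07D8
• Software\Microsoft\Tivyikdiy, xrefs: 00BE0803
Memory Dump Source
"""
```

Run `triage(SAMPLE_REPORT.splitlines())` to get the four lists. Two caveats when applying this to the full listing: the pair of PFXExportCertStoreEx calls at 00BD3264 and 00BD3296 is the usual size-then-fill sequence, so only the second one writes the PFX blob; and the sandbox's argument rendering is heuristic (a numeric argument that happens to point at readable text is shown as that text, which is what the `=::=::\` argument to VirtualAlloc above appears to be), so treat decoded constants as hints to confirm in the disassembly rather than as proof.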
    APIs
      • Part of subcall function 00BD8432: CreateFileW.KERNEL32(00E81EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BD844B
      • Part of subcall function 00BD8432: GetFileSizeEx.KERNEL32 ref: 00BD845E
      • Part of subcall function 00BD8432: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00BD8484
      • Part of subcall function 00BD8432: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00BD849C
      • Part of subcall function 00BD8432: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00BD84BA
      • Part of subcall function 00BD8432: CloseHandle.KERNEL32 ref: 00BD84C3
    • CreateMutexW.KERNEL32(00BF49B4,00000001), ref: 00BEB550
    • GetLastError.KERNEL32(?,38901130,?,00000001,?,?,00000001,?,?,?,00BEB8C7), ref: 00BEB560
    • CloseHandle.KERNEL32 ref: 00BEB56E
    • CloseHandle.KERNEL32 ref: 00BEB697
      • Part of subcall function 00BEAFE8: memcpy.MSVCRT ref: 00BEAFF8
    • lstrlenW.KERNEL32 ref: 00BEB5D0
      • Part of subcall function 00BC5B9B: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00BC5BC1
      • Part of subcall function 00BC5B9B: Process32FirstW.KERNEL32 ref: 00BC5BE6
      • Part of subcall function 00BC5B9B: OpenProcess.KERNEL32(00000400,00000000,?), ref: 00BC5C3D
      • Part of subcall function 00BC5B9B: CloseHandle.KERNEL32 ref: 00BC5C5B
      • Part of subcall function 00BC5B9B: GetLengthSid.ADVAPI32 ref: 00BC5C77
      • Part of subcall function 00BC5B9B: memcmp.MSVCRT ref: 00BC5C8F
      • Part of subcall function 00BC5B9B: CloseHandle.KERNEL32(?), ref: 00BC5D07
      • Part of subcall function 00BC5B9B: Process32NextW.KERNEL32(?,?), ref: 00BC5D13
      • Part of subcall function 00BC5B9B: CloseHandle.KERNEL32 ref: 00BC5D26
    • ExitWindowsEx.USER32(00000014,80000000), ref: 00BEB615
    • OpenEventW.KERNEL32(00000002,00000000), ref: 00BEB63B
    • SetEvent.KERNEL32 ref: 00BEB648
    • CloseHandle.KERNEL32 ref: 00BEB64F
    • Sleep.KERNEL32(00007530), ref: 00BEB674
      • Part of subcall function 00BCAF99: GetCurrentThread.KERNEL32 ref: 00BCAFAD
      • Part of subcall function 00BCAF99: OpenThreadToken.ADVAPI32 ref: 00BCAFB4
      • Part of subcall function 00BCAF99: GetCurrentProcess.KERNEL32 ref: 00BCAFC4
      • Part of subcall function 00BCAF99: OpenProcessToken.ADVAPI32 ref: 00BCAFCB
      • Part of subcall function 00BCAF99: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege), ref: 00BCAFEC
      • Part of subcall function 00BCAF99: AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 00BCB001
      • Part of subcall function 00BCAF99: GetLastError.KERNEL32 ref: 00BCB00B
      • Part of subcall function 00BCAF99: CloseHandle.KERNEL32(00000001), ref: 00BCB01C
    • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000001,80000000), ref: 00BEB68C
    • Sleep.KERNEL32(000000FF), ref: 00BEB694
    • IsWellKnownSid.ADVAPI32(00E81EC0,00000016), ref: 00BEB6E5
    • CreateEventW.KERNEL32(00BF49B4,00000001,00000000), ref: 00BEB7B4
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00BEB7CD
    • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,000000FF), ref: 00BEB7DF
    • CloseHandle.KERNEL32(00000000), ref: 00BEB7F6
    • CloseHandle.KERNEL32(?), ref: 00BEB7FC
    • CloseHandle.KERNEL32(?), ref: 00BEB802
      • Part of subcall function 00BC766D: ReleaseMutex.KERNEL32 ref: 00BC7671
      • Part of subcall function 00BC766D: CloseHandle.KERNEL32 ref: 00BC7678
      • Part of subcall function 00BD1DFA: VirtualProtect.KERNEL32(00BC96C7,?,00000040), ref: 00BD1E12
      • Part of subcall function 00BD1DFA: VirtualProtect.KERNEL32(00BC96C7,?,?), ref: 00BD1E85
      • Part of subcall function 00BC96C7: FreeLibrary.KERNEL32(00000003), ref: 00BC96B9
      • Part of subcall function 00BEBC89: memcpy.MSVCRT ref: 00BEBCA4
      • Part of subcall function 00BEBC89: StringFromGUID2.OLE32 ref: 00BEBD4A
      • Part of subcall function 00BC9931: LoadLibraryW.KERNEL32 ref: 00BC9953
      • Part of subcall function 00BC9931: GetProcAddress.KERNEL32 ref: 00BC9977
      • Part of subcall function 00BC9931: SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001), ref: 00BC99AF
      • Part of subcall function 00BC9931: lstrlenW.KERNEL32 ref: 00BC99C7
      • Part of subcall function 00BC9931: StrCmpNIW.SHLWAPI ref: 00BC99DB
      • Part of subcall function 00BC9931: lstrlenW.KERNEL32 ref: 00BC99F1
      • Part of subcall function 00BC9931: memcpy.MSVCRT ref: 00BC99FD
      • Part of subcall function 00BC9931: FreeLibrary.KERNEL32 ref: 00BC9A13
      • Part of subcall function 00BC9931: NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,?,?,?), ref: 00BC9A52
      • Part of subcall function 00BC9931: NetUserGetInfo.NETAPI32(00000000,00000000,00000017), ref: 00BC9A8E
      • Part of subcall function 00BC9931: NetApiBufferFree.NETAPI32(?), ref: 00BC9B39
      • Part of subcall function 00BC9931: NetApiBufferFree.NETAPI32(00000000), ref: 00BC9B4B
      • Part of subcall function 00BC9931: SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001), ref: 00BC9B6A
      • Part of subcall function 00BCB314: CharToOemW.USER32(00E81EF0), ref: 00BCB325
      • Part of subcall function 00BF2AC0: GetCommandLineW.KERNEL32 ref: 00BF2ADA
      • Part of subcall function 00BF2AC0: CommandLineToArgvW.SHELL32 ref: 00BF2AE1
      • Part of subcall function 00BF2AC0: StrCmpNW.SHLWAPI(?,00BBCA4C,00000002), ref: 00BF2B07
      • Part of subcall function 00BF2AC0: LocalFree.KERNEL32 ref: 00BF2B33
      • Part of subcall function 00BF2AC0: MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,00001000), ref: 00BF2B70
      • Part of subcall function 00BF2AC0: memcpy.MSVCRT ref: 00BF2B83
      • Part of subcall function 00BF2AC0: UnmapViewOfFile.KERNEL32 ref: 00BF2BBC
      • Part of subcall function 00BF2AC0: memcpy.MSVCRT ref: 00BF2BDF
      • Part of subcall function 00BF2AC0: CloseHandle.KERNEL32 ref: 00BF2BF8
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
      • Part of subcall function 00BEC09D: CreateMutexW.KERNEL32(00BF49B4,00000000), ref: 00BEC0BF
      • Part of subcall function 00BC987E: memcpy.MSVCRT ref: 00BC9894
      • Part of subcall function 00BC987E: memcmp.MSVCRT ref: 00BC98B6
      • Part of subcall function 00BC987E: lstrcmpiW.KERNEL32(00000000,000000FF), ref: 00BC990F
      • Part of subcall function 00BD84D3: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00BD84E4
      • Part of subcall function 00BD84D3: CloseHandle.KERNEL32 ref: 00BD84F3
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 00BEB779
    • SeShutdownPrivilege, xrefs: 00BEB676
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • LoadLibraryW.KERNEL32 ref: 00BC9953
    • GetProcAddress.KERNEL32 ref: 00BC9977
    • SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001), ref: 00BC99AF
    • lstrlenW.KERNEL32 ref: 00BC99C7
    • StrCmpNIW.SHLWAPI ref: 00BC99DB
    • lstrlenW.KERNEL32 ref: 00BC99F1
    • memcpy.MSVCRT ref: 00BC99FD
    • FreeLibrary.KERNEL32 ref: 00BC9A13
    • NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,?,?,?), ref: 00BC9A52
    • NetUserGetInfo.NETAPI32(00000000,00000000,00000017), ref: 00BC9A8E
      • Part of subcall function 00BEB31B: ConvertSidToStringSidW.ADVAPI32(?,?), ref: 00BEB32F
      • Part of subcall function 00BEB31B: PathUnquoteSpacesW.SHLWAPI ref: 00BEB394
      • Part of subcall function 00BEB31B: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00BEB3A3
      • Part of subcall function 00BEB31B: LocalFree.KERNEL32(00000001), ref: 00BEB3B7
    • NetApiBufferFree.NETAPI32(?), ref: 00BC9B39
      • Part of subcall function 00BC8F6F: memcpy.MSVCRT ref: 00BC8FE0
      • Part of subcall function 00BC8F6F: PathRemoveBackslashW.SHLWAPI ref: 00BC8FEA
      • Part of subcall function 00BC8F6F: memcpy.MSVCRT ref: 00BC9033
      • Part of subcall function 00BC8F6F: memcpy.MSVCRT ref: 00BC9060
      • Part of subcall function 00BC8F6F: PathRemoveBackslashW.SHLWAPI ref: 00BC906A
      • Part of subcall function 00BC90A3: PathSkipRootW.SHLWAPI ref: 00BC90CD
      • Part of subcall function 00BC90A3: GetFileAttributesW.KERNEL32(00000000), ref: 00BC90FA
      • Part of subcall function 00BC90A3: CreateDirectoryW.KERNEL32(?,00000000), ref: 00BC910E
      • Part of subcall function 00BC90A3: SetLastError.KERNEL32(00000050,?,?,00000000), ref: 00BC9131
      • Part of subcall function 00BC9583: LoadLibraryW.KERNEL32 ref: 00BC95A7
      • Part of subcall function 00BC9583: GetProcAddress.KERNEL32 ref: 00BC95D5
      • Part of subcall function 00BC9583: GetProcAddress.KERNEL32 ref: 00BC95EF
      • Part of subcall function 00BC9583: GetProcAddress.KERNEL32 ref: 00BC960B
      • Part of subcall function 00BC9583: WTSGetActiveConsoleSessionId.KERNEL32 ref: 00BC9638
      • Part of subcall function 00BC9583: FreeLibrary.KERNEL32(00000003), ref: 00BC96B9
    • NetApiBufferFree.NETAPI32(00000000), ref: 00BC9B4B
    • SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001), ref: 00BC9B6A
      • Part of subcall function 00BE038C: CreateDirectoryW.KERNEL32(?,00000000), ref: 00BE0405
      • Part of subcall function 00BE038C: SetFileAttributesW.KERNEL32(?), ref: 00BE0424
      • Part of subcall function 00BE038C: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,?,00000000), ref: 00BE043B
      • Part of subcall function 00BE038C: GetLastError.KERNEL32 ref: 00BE0448
      • Part of subcall function 00BE038C: CloseHandle.KERNEL32 ref: 00BE0481
      • Part of subcall function 00BF258D: GetFileSizeEx.KERNEL32(00000000), ref: 00BF25C4
      • Part of subcall function 00BF258D: SetEndOfFile.KERNEL32 ref: 00BF263A
      • Part of subcall function 00BF258D: FlushFileBuffers.KERNEL32(?), ref: 00BF2645
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • GetProcAddress.KERNEL32(00BEFEC7), ref: 00BEF8AB
    • GetProcAddress.KERNEL32(00BEFEC7), ref: 00BEF8CB
    • GetProcAddress.KERNEL32(00BEFEC7), ref: 00BEF8E4
    • GetProcAddress.KERNEL32(00BEFEC7), ref: 00BEF8FD
    • GetProcAddress.KERNEL32(00BEFEC7), ref: 00BEF916
    • GetProcAddress.KERNEL32(00BEFEC7), ref: 00BEF92F
    • GetProcAddress.KERNEL32(00BEFEC7), ref: 00BEF94C
    • GetProcAddress.KERNEL32(00BEFEC7), ref: 00BEF969
    • GetProcAddress.KERNEL32(00BEFEC7), ref: 00BEF986
    • GetProcAddress.KERNEL32(00BEFEC7,?), ref: 00BEF9A3
    • GetProcAddress.KERNEL32(00BEFEC7), ref: 00BEF9C0
    • GetProcAddress.KERNEL32(00BEFEC7), ref: 00BEF9DD
    • GetProcAddress.KERNEL32(00BEFEC7), ref: 00BEF9FA
    • GetProcAddress.KERNEL32(00BEFEC7), ref: 00BEFA17
    • GetProcAddress.KERNEL32(00BEFEC7), ref: 00BEFA34
    • GetProcAddress.KERNEL32(00BEFEC7), ref: 00BEFA51
    • GetProcAddress.KERNEL32(00BEFEC7), ref: 00BEFA6E
    • GetProcAddress.KERNEL32(00BEFEC7), ref: 00BEFA8B
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • LoadLibraryA.KERNEL32(userenv.dll), ref: 00BCB1EE
    • GetProcAddress.KERNEL32(?,CreateEnvironmentBlock), ref: 00BCB20C
    • GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 00BCB218
    • memset.MSVCRT ref: 00BCB258
    • CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,00000000), ref: 00BCB2A5
    • CloseHandle.KERNEL32(?), ref: 00BCB2B9
    • CloseHandle.KERNEL32(?), ref: 00BCB2BF
    • FreeLibrary.KERNEL32 ref: 00BCB2D3
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BDD189: lstrlenW.KERNEL32 ref: 00BDD190
      • Part of subcall function 00BDD189: memcpy.MSVCRT ref: 00BDD21E
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
    • getpeername.WS2_32 ref: 00BCA254
      • Part of subcall function 00BCC091: memcmp.MSVCRT ref: 00BCC0B3
      • Part of subcall function 00BC9E88: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00BC9E9D
      • Part of subcall function 00BC9E88: StrCmpIW.SHLWAPI ref: 00BC9EA7
      • Part of subcall function 00BCB764: EnterCriticalSection.KERNEL32(00BF5AA4,?,00BCB826,?,00BEC86A,00BDC4AB,00BDC4AB,?,00BDC4AB,?,00000001), ref: 00BCB774
      • Part of subcall function 00BCB764: LeaveCriticalSection.KERNEL32(00BF5AA4,?,00BCB826,?,00BEC86A,00BDC4AB,00BDC4AB,?,00BDC4AB,?,00000001), ref: 00BCB79E
    • WSAAddressToStringW.WS2_32(?,?,00000000), ref: 00BCA2CC
    • lstrcpyW.KERNEL32(?,0:0), ref: 00BCA2E0
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BE5947: GetTempPathW.KERNEL32(00000104,?), ref: 00BE5962
      • Part of subcall function 00BE5947: PathAddBackslashW.SHLWAPI(?), ref: 00BE598C
      • Part of subcall function 00BE5947: CreateDirectoryW.KERNEL32(?), ref: 00BE5A44
      • Part of subcall function 00BE5947: SetFileAttributesW.KERNEL32(?), ref: 00BE5A55
      • Part of subcall function 00BE5947: CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 00BE5A6E
      • Part of subcall function 00BE5947: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000080,?,?,00000000), ref: 00BE5A7F
    • CharToOemW.USER32 ref: 00BCB3AB
    • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 00BCB3E2
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
    • CloseHandle.KERNEL32(000000FF), ref: 00BCB40A
    • GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104), ref: 00BCB44C
    • memset.MSVCRT ref: 00BCB461
    • CloseHandle.KERNEL32(000000FF), ref: 00BCB49C
      • Part of subcall function 00BE5E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00BE5E26
      • Part of subcall function 00BE5E1D: DeleteFileW.KERNEL32 ref: 00BE5E2D
      • Part of subcall function 00BE5934: CloseHandle.KERNEL32 ref: 00BE5940
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • LoadLibraryW.KERNEL32(cabinet.dll), ref: 00BE1A66
      • Part of subcall function 00BD24DA: HeapAlloc.KERNEL32(00000008,?,?,00BCB076,?,?,?,00000000,?,?,00000000,00BEAA69,?,00BEADD5), ref: 00BD24EB
    • GetProcAddress.KERNEL32(?,FCICreate), ref: 00BE1A95
    • GetProcAddress.KERNEL32(?,FCIAddFile), ref: 00BE1AA4
    • GetProcAddress.KERNEL32(?,FCIFlushCabinet), ref: 00BE1AB3
    • GetProcAddress.KERNEL32(?,FCIDestroy), ref: 00BE1AC2
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
    • FreeLibrary.KERNEL32 ref: 00BE1AF7
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BD84FB: memchr.MSVCRT ref: 00BD853B
      • Part of subcall function 00BD84FB: memcmp.MSVCRT ref: 00BD855A
    • VirtualProtect.KERNEL32(?,?,00000080,?), ref: 00BDBC21
    • VirtualProtect.KERNEL32(?,?,00000000,?), ref: 00BDBD99
      • Part of subcall function 00BD2633: memcmp.MSVCRT ref: 00BD2653
      • Part of subcall function 00BD25A7: memcpy.MSVCRT ref: 00BD25C6
    • GetCurrentThread.KERNEL32 ref: 00BDBCBE
    • GetThreadPriority.KERNEL32 ref: 00BDBCC7
    • SetThreadPriority.KERNEL32(?,0000000F), ref: 00BDBCD2
    • Sleep.KERNEL32(00000000), ref: 00BDBCDA
    • memcpy.MSVCRT ref: 00BDBCE9
    • FlushInstructionCache.KERNEL32(000000FF,?,?), ref: 00BDBCFA
    • SetThreadPriority.KERNEL32 ref: 00BDBD02
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
    • GetTickCount.KERNEL32 ref: 00BDBD3C
    • GetTickCount.KERNEL32 ref: 00BDBD4F
    • Sleep.KERNEL32(00000000), ref: 00BDBD61
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • Sleep.KERNEL32(00003A98), ref: 00BD952D
      • Part of subcall function 00BC8C74: InitializeCriticalSection.KERNEL32 ref: 00BC8C7B
    • InitializeCriticalSection.KERNEL32 ref: 00BD9591
    • memset.MSVCRT ref: 00BD95A8
    • InitializeCriticalSection.KERNEL32 ref: 00BD95C2
      • Part of subcall function 00BDAAA2: memset.MSVCRT ref: 00BDAAB9
      • Part of subcall function 00BDAAA2: memset.MSVCRT ref: 00BDAB8D
    • InitializeCriticalSection.KERNEL32 ref: 00BD961C
    • memset.MSVCRT ref: 00BD9627
    • memset.MSVCRT ref: 00BD9635
      • Part of subcall function 00BD6431: EnterCriticalSection.KERNEL32(?,?,00000000,?,?,0000002C), ref: 00BD6531
      • Part of subcall function 00BD6431: LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,?,?,0000002C), ref: 00BD6572
      • Part of subcall function 00BD6431: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00BD6581
      • Part of subcall function 00BD6431: SetEvent.KERNEL32 ref: 00BD6591
      • Part of subcall function 00BD6431: GetExitCodeThread.KERNEL32 ref: 00BD65A5
      • Part of subcall function 00BD6431: CloseHandle.KERNEL32 ref: 00BD65BB
      • Part of subcall function 00BD8626: getsockopt.WS2_32(?,0000FFFF,00001008,00BB9417,00BB9417), ref: 00BD86B2
      • Part of subcall function 00BD8626: GetHandleInformation.KERNEL32 ref: 00BD86C4
      • Part of subcall function 00BD8626: socket.WS2_32(?,00000001,00000006), ref: 00BD86F7
      • Part of subcall function 00BD8626: socket.WS2_32(?,00000002,00000011), ref: 00BD8708
      • Part of subcall function 00BD8626: closesocket.WS2_32(?), ref: 00BD8727
      • Part of subcall function 00BD8626: closesocket.WS2_32 ref: 00BD872E
      • Part of subcall function 00BD8626: memset.MSVCRT ref: 00BD87F2
      • Part of subcall function 00BD8626: memcpy.MSVCRT ref: 00BD8902
      • Part of subcall function 00BD24C1: HeapAlloc.KERNEL32(00000000,00000028,?,00BED211,?,?,00000000,?,?,00000001), ref: 00BD24D2
    • WaitForMultipleObjects.KERNEL32(?,?,00000000,0000EA60), ref: 00BD96AB
      • Part of subcall function 00BC8CBF: EnterCriticalSection.KERNEL32(?,?,?,00BD2B51,00000005,00007530,?,00000000,00000000), ref: 00BC8CC7
      • Part of subcall function 00BC8CBF: WaitForSingleObject.KERNEL32(?,00000000), ref: 00BC8CEB
      • Part of subcall function 00BC8CBF: CloseHandle.KERNEL32 ref: 00BC8CFB
      • Part of subcall function 00BC8CBF: LeaveCriticalSection.KERNEL32(?,?,?,?,00BD2B51,00000005,00007530,?,00000000,00000000), ref: 00BC8D2B
      • Part of subcall function 00BD8A6A: EnterCriticalSection.KERNEL32(?,?,?,77C475F0), ref: 00BD8A9B
      • Part of subcall function 00BD8A6A: WSAGetLastError.WS2_32(?,?,?,?,?,?,?,77C475F0), ref: 00BD8B2D
      • Part of subcall function 00BD8A6A: SetEvent.KERNEL32 ref: 00BD8B80
      • Part of subcall function 00BD8A6A: SetEvent.KERNEL32 ref: 00BD8BB9
      • Part of subcall function 00BD8A6A: LeaveCriticalSection.KERNEL32(?,?,?,?,77C475F0), ref: 00BD8C3E
      • Part of subcall function 00BC7D03: EnterCriticalSection.KERNEL32(?,?,?,?,?,00BD979E,?,?,?,00000001), ref: 00BC7D24
      • Part of subcall function 00BC7D03: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,00BD979E,?,?,?,00000001), ref: 00BC7D40
      • Part of subcall function 00BC58AE: memset.MSVCRT ref: 00BC59CD
      • Part of subcall function 00BC58AE: memcpy.MSVCRT ref: 00BC59E0
      • Part of subcall function 00BC58AE: memcpy.MSVCRT ref: 00BC59F6
      • Part of subcall function 00BCBD24: accept.WS2_32(?,?), ref: 00BCBD45
      • Part of subcall function 00BCBD24: WSAEventSelect.WS2_32(?,00000000,00000000), ref: 00BCBD57
      • Part of subcall function 00BCBD24: WSAGetLastError.WS2_32(00000023,?,00000000,00000000,?,?), ref: 00BCBD88
      • Part of subcall function 00BCBD24: shutdown.WS2_32(?,00000002), ref: 00BCBDA0
      • Part of subcall function 00BCBD24: closesocket.WS2_32 ref: 00BCBDA7
      • Part of subcall function 00BCBD24: WSASetLastError.WS2_32(00000008,?,?,00000002,?,00000000,00000000,?,?), ref: 00BCBDAE
      • Part of subcall function 00BD8C4C: EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,?,?,00BD984D,?,?,00000000,?,?,00000590), ref: 00BD8C7F
      • Part of subcall function 00BD8C4C: memcmp.MSVCRT ref: 00BD8CCD
      • Part of subcall function 00BD8C4C: SetEvent.KERNEL32 ref: 00BD8D0E
      • Part of subcall function 00BD8C4C: LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,?,?,00BD984D,?,?,00000000,?,?,00000590), ref: 00BD8D3B
      • Part of subcall function 00BC8DE6: EnterCriticalSection.KERNEL32(00E81F44,?,?,?,00BEB2F2,?,?,00000001), ref: 00BC8DEF
      • Part of subcall function 00BC8DE6: LeaveCriticalSection.KERNEL32(00E81F44,?,?,?,00BEB2F2,?,?,00000001), ref: 00BC8DF9
      • Part of subcall function 00BC8DE6: WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00BC8E1F
      • Part of subcall function 00BC8DE6: EnterCriticalSection.KERNEL32(00E81F44,?,?,?,00BEB2F2,?,?,00000001), ref: 00BC8E37
      • Part of subcall function 00BC8DE6: LeaveCriticalSection.KERNEL32(00E81F44,?,?,?,00BEB2F2,?,?,00000001), ref: 00BC8E41
    • CloseHandle.KERNEL32(00000000), ref: 00BD98AA
    • CloseHandle.KERNEL32(00000000), ref: 00BD98B7
      • Part of subcall function 00BD6865: EnterCriticalSection.KERNEL32(?,?,00000000,?,00BD6B6E,00000064,00000000,000000C8,00000000,?,00000001,?,0000002C), ref: 00BD686E
      • Part of subcall function 00BD6865: LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00BD6B6E,00000064,00000000,000000C8,00000000,?,00000001,?,0000002C), ref: 00BD68A5
    • DeleteCriticalSection.KERNEL32 ref: 00BD98CD
      • Part of subcall function 00BDABB8: memset.MSVCRT ref: 00BDABC8
    • DeleteCriticalSection.KERNEL32 ref: 00BD98EC
    • CloseHandle.KERNEL32(00000000), ref: 00BD98F9
    • DeleteCriticalSection.KERNEL32 ref: 00BD9903
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
      • Part of subcall function 00BC8C8F: CloseHandle.KERNEL32 ref: 00BC8C9F
      • Part of subcall function 00BC8C8F: DeleteCriticalSection.KERNEL32(?,?,00E81F38,00BEB303,?,?,00000001), ref: 00BC8CB6
      • Part of subcall function 00BD94FB: WaitForSingleObject.KERNEL32(?,00000000), ref: 00BD9503
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • GetProcAddress.KERNEL32(?,GdipGetImageEncodersSize), ref: 00BE1304
    • GetProcAddress.KERNEL32(?,GdipGetImageEncoders), ref: 00BE130F
    • GetProcAddress.KERNEL32(?,GdipSaveImageToStream), ref: 00BE131A
      • Part of subcall function 00BD24DA: HeapAlloc.KERNEL32(00000008,?,?,00BCB076,?,?,?,00000000,?,?,00000000,00BEAA69,?,00BEADD5), ref: 00BD24EB
    • lstrcmpiW.KERNEL32(?), ref: 00BE13A7
    • memcpy.MSVCRT ref: 00BE13CA
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
    • CreateStreamOnHGlobal.OLE32(00000000,00000001), ref: 00BE13F5
    • memcpy.MSVCRT ref: 00BE1423
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • memcpy.MSVCRT ref: 00BF2D3D
    • CreateFileMappingW.KERNEL32(000000FF,?,08000004,00000000,00001000,00000000), ref: 00BF2D5E
    • MapViewOfFile.KERNEL32(?,00000006,00000000,00000000,00001000), ref: 00BF2D76
      • Part of subcall function 00BF2922: UnmapViewOfFile.KERNEL32 ref: 00BF292E
      • Part of subcall function 00BF2922: CloseHandle.KERNEL32 ref: 00BF293F
    • memset.MSVCRT ref: 00BF2DCB
    • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000001,00000004,00000000,00000000,00000000,00000000), ref: 00BF2E04
      • Part of subcall function 00BF294A: DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002,00BF3210), ref: 00BF297C
      • Part of subcall function 00BF294A: DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002), ref: 00BF299C
      • Part of subcall function 00BF294A: memset.MSVCRT ref: 00BF2A39
      • Part of subcall function 00BF294A: memcpy.MSVCRT ref: 00BF2A4B
    • ResumeThread.KERNEL32(?), ref: 00BF2E27
    • CloseHandle.KERNEL32(?), ref: 00BF2E3E
    • CloseHandle.KERNEL32(?), ref: 00BF2E44
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • GetCurrentThread.KERNEL32 ref: 00BCAFAD
    • OpenThreadToken.ADVAPI32 ref: 00BCAFB4
    • GetCurrentProcess.KERNEL32 ref: 00BCAFC4
    • OpenProcessToken.ADVAPI32 ref: 00BCAFCB
    • LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege), ref: 00BCAFEC
    • AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 00BCB001
    • GetLastError.KERNEL32 ref: 00BCB00B
    • CloseHandle.KERNEL32(00000001), ref: 00BCB01C
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BD204E: memcpy.MSVCRT ref: 00BD205C
      • Part of subcall function 00BE570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00BEABEA,00BEABEA), ref: 00BE573C
    • PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00BC9C2E
    • PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00BC9C75
    • SetEvent.KERNEL32 ref: 00BC9C84
    • WaitForSingleObject.KERNEL32 ref: 00BC9C95
      • Part of subcall function 00BDA9C2: Sleep.KERNEL32(000001F4), ref: 00BDAA6D
      • Part of subcall function 00BC913F: FindFirstFileW.KERNEL32(?), ref: 00BC9170
      • Part of subcall function 00BC913F: FindNextFileW.KERNEL32(?,?), ref: 00BC91C2
      • Part of subcall function 00BC913F: FindClose.KERNEL32 ref: 00BC91CD
      • Part of subcall function 00BC913F: SetFileAttributesW.KERNEL32(?,00000080), ref: 00BC91D9
      • Part of subcall function 00BC913F: RemoveDirectoryW.KERNEL32 ref: 00BC91E0
      • Part of subcall function 00BE0B2C: RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00BE0B87
      • Part of subcall function 00BE0B2C: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00BE0BF1
      • Part of subcall function 00BE0B2C: RegFlushKey.ADVAPI32(?), ref: 00BE0C1F
      • Part of subcall function 00BE0B2C: RegCloseKey.ADVAPI32(?), ref: 00BE0C26
    • CharToOemW.USER32 ref: 00BC9D26
    • CharToOemW.USER32 ref: 00BC9D36
    • ExitProcess.KERNEL32(00000000,?,?,00000014,?,?,00000014), ref: 00BC9D9A
      • Part of subcall function 00BCB365: CharToOemW.USER32 ref: 00BCB3AB
      • Part of subcall function 00BCB365: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 00BCB3E2
      • Part of subcall function 00BCB365: CloseHandle.KERNEL32(000000FF), ref: 00BCB40A
      • Part of subcall function 00BCB365: GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104), ref: 00BCB44C
      • Part of subcall function 00BCB365: memset.MSVCRT ref: 00BCB461
      • Part of subcall function 00BCB365: CloseHandle.KERNEL32(000000FF), ref: 00BCB49C
      • Part of subcall function 00BC8F6F: memcpy.MSVCRT ref: 00BC8FE0
      • Part of subcall function 00BC8F6F: PathRemoveBackslashW.SHLWAPI ref: 00BC8FEA
      • Part of subcall function 00BC8F6F: memcpy.MSVCRT ref: 00BC9033
      • Part of subcall function 00BC8F6F: memcpy.MSVCRT ref: 00BC9060
      • Part of subcall function 00BC8F6F: PathRemoveBackslashW.SHLWAPI ref: 00BC906A
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00BC9C4B
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 00BC9BFE
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • GetLogicalDrives.KERNEL32 ref: 00BD553C
      • Part of subcall function 00BD24DA: HeapAlloc.KERNEL32(00000008,?,?,00BCB076,?,?,?,00000000,?,?,00000000,00BEAA69,?,00BEADD5), ref: 00BD24EB
    • SHGetFolderPathW.SHELL32(00000000,00006024,00000000,00000000), ref: 00BD5581
    • PathGetDriveNumberW.SHLWAPI ref: 00BD5593
    • lstrcpyW.KERNEL32(?,00BBAACC), ref: 00BD55A7
    • GetDriveTypeW.KERNEL32 ref: 00BD5610
    • GetVolumeInformationW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000105), ref: 00BD5671
    • CharUpperW.USER32(00000000), ref: 00BD568D
    • lstrcmpW.KERNEL32 ref: 00BD56B0
    • GetDiskFreeSpaceExW.KERNEL32(?,00000000), ref: 00BD56EE
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BD204E: memcpy.MSVCRT ref: 00BD205C
      • Part of subcall function 00BE570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00BEABEA,00BEABEA), ref: 00BE573C
    • PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00BE6283
      • Part of subcall function 00BC8F6F: memcpy.MSVCRT ref: 00BC8FE0
      • Part of subcall function 00BC8F6F: PathRemoveBackslashW.SHLWAPI ref: 00BC8FEA
      • Part of subcall function 00BC8F6F: memcpy.MSVCRT ref: 00BC9033
      • Part of subcall function 00BC8F6F: memcpy.MSVCRT ref: 00BC9060
      • Part of subcall function 00BC8F6F: PathRemoveBackslashW.SHLWAPI ref: 00BC906A
    • FindFirstFileW.KERNEL32 ref: 00BE62F1
    • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00BE634A
    • FindClose.KERNEL32 ref: 00BE6453
      • Part of subcall function 00BE5AB0: GetFileSizeEx.KERNEL32 ref: 00BE5ABB
      • Part of subcall function 00BD24DA: HeapAlloc.KERNEL32(00000008,?,?,00BCB076,?,?,?,00000000,?,?,00000000,00BEAA69,?,00BEADD5), ref: 00BD24EB
    • SetLastError.KERNEL32(00000057,?,?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00BE63BB
      • Part of subcall function 00BE5B34: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00BE5B46
    • CloseHandle.KERNEL32 ref: 00BE63F5
      • Part of subcall function 00BE5934: CloseHandle.KERNEL32 ref: 00BE5940
    • FindNextFileW.KERNEL32 ref: 00BE6429
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
      • Part of subcall function 00BE5E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00BE5E26
      • Part of subcall function 00BE5E1D: DeleteFileW.KERNEL32 ref: 00BE5E2D
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00BE6256
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BECB85: InternetCloseHandle.WININET ref: 00BECB99
    • HttpOpenRequestA.WININET(?,?,?,HTTP/1.1,00000000,00BBC9E0,?,00000000), ref: 00BECCE9
    • HttpAddRequestHeadersA.WININET(?,Connection: Close,00000013,A0000000), ref: 00BECD0C
    • HttpSendRequestExA.WININET(?,?,00000000,00000000,00000000), ref: 00BECD4E
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00BC5BC1
    • Process32FirstW.KERNEL32 ref: 00BC5BE6
      • Part of subcall function 00BEC012: CreateMutexW.KERNEL32(00BF49B4,00000001), ref: 00BEC058
      • Part of subcall function 00BEC012: GetLastError.KERNEL32(?,?,?,?,00000002,00000000), ref: 00BEC064
      • Part of subcall function 00BEC012: CloseHandle.KERNEL32 ref: 00BEC072
    • OpenProcess.KERNEL32(00000400,00000000,?), ref: 00BC5C3D
    • CloseHandle.KERNEL32(?), ref: 00BC5D07
      • Part of subcall function 00BCAEE3: OpenProcessToken.ADVAPI32(?,00000008), ref: 00BCAEF5
      • Part of subcall function 00BCAEE3: GetTokenInformation.ADVAPI32(?,0000000C,00BF49A8,00000004), ref: 00BCAF1D
      • Part of subcall function 00BCAEE3: CloseHandle.KERNEL32(?), ref: 00BCAF33
    • CloseHandle.KERNEL32 ref: 00BC5C5B
    • GetLengthSid.ADVAPI32 ref: 00BC5C77
    • memcmp.MSVCRT ref: 00BC5C8F
      • Part of subcall function 00BD2543: HeapAlloc.KERNEL32(00000008,?,?,00000000,00BDD89F,?,?,?,00000000,00000000,00000000,00BDD869,?,00BCB3C7,?,@echo off%sdel /F "%s"), ref: 00BD256D
      • Part of subcall function 00BD2543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00BDD89F,?,?,?,00000000,00000000,00000000,00BDD869,?,00BCB3C7), ref: 00BD2580
      • Part of subcall function 00BC5B0B: OpenProcess.KERNEL32(0000047A,00000000,?), ref: 00BC5B19
      • Part of subcall function 00BC5B0B: CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000000,00000000), ref: 00BC5B5A
      • Part of subcall function 00BC5B0B: WaitForSingleObject.KERNEL32(?,00002710), ref: 00BC5B6C
      • Part of subcall function 00BC5B0B: CloseHandle.KERNEL32 ref: 00BC5B73
      • Part of subcall function 00BC5B0B: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00BC5B85
      • Part of subcall function 00BC5B0B: CloseHandle.KERNEL32 ref: 00BC5B8C
    • Process32NextW.KERNEL32(?,?), ref: 00BC5D13
    • CloseHandle.KERNEL32 ref: 00BC5D26
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • GetProcAddress.KERNEL32(?), ref: 00BCC9E1
    • GetProcAddress.KERNEL32(?,?), ref: 00BCCA03
    • GetProcAddress.KERNEL32(?,?), ref: 00BCCA1E
    • GetProcAddress.KERNEL32(?,?), ref: 00BCCA39
    • GetProcAddress.KERNEL32(?,?), ref: 00BCCA54
    • GetProcAddress.KERNEL32(?), ref: 00BCCA6F
    • GetProcAddress.KERNEL32(?), ref: 00BCCA8E
    • GetProcAddress.KERNEL32(?), ref: 00BCCAAD
    • GetProcAddress.KERNEL32(?), ref: 00BCCACC
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • GetCommandLineW.KERNEL32 ref: 00BF2ADA
    • CommandLineToArgvW.SHELL32 ref: 00BF2AE1
    • StrCmpNW.SHLWAPI(?,00BBCA4C,00000002), ref: 00BF2B07
    • LocalFree.KERNEL32 ref: 00BF2B33
      • Part of subcall function 00BD24C1: HeapAlloc.KERNEL32(00000000,00000028,?,00BED211,?,?,00000000,?,?,00000001), ref: 00BD24D2
    • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,00001000), ref: 00BF2B70
    • memcpy.MSVCRT ref: 00BF2B83
      • Part of subcall function 00BDE043: memcpy.MSVCRT ref: 00BDE070
    • UnmapViewOfFile.KERNEL32 ref: 00BF2BBC
    • CloseHandle.KERNEL32 ref: 00BF2BF8
      • Part of subcall function 00BF2F3B: memset.MSVCRT ref: 00BF2F5F
      • Part of subcall function 00BF2F3B: memcpy.MSVCRT ref: 00BF2FBF
      • Part of subcall function 00BF2F3B: memcpy.MSVCRT ref: 00BF2FD7
      • Part of subcall function 00BF2F3B: memcpy.MSVCRT ref: 00BF304D
    • memcpy.MSVCRT ref: 00BF2BDF
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00BECEB9
      • Part of subcall function 00BD24C1: HeapAlloc.KERNEL32(00000000,00000028,?,00BED211,?,?,00000000,?,?,00000001), ref: 00BD24D2
    • CloseHandle.KERNEL32 ref: 00BECEDE
    • SetLastError.KERNEL32(00000008,?,?,?,?,00BD79D8,?,?,?,?), ref: 00BECEE6
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00BECF03
    • InternetReadFile.WININET(?,?,00001000), ref: 00BECF21
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00BECF56
    • FlushFileBuffers.KERNEL32 ref: 00BECF6F
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
    • CloseHandle.KERNEL32 ref: 00BECF82
    • SetLastError.KERNEL32(00000000,?,?,00001000,?,?,?,?,00BD79D8,?,?,?,?), ref: 00BECF9D
      • Part of subcall function 00BE5E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00BE5E26
      • Part of subcall function 00BE5E1D: DeleteFileW.KERNEL32 ref: 00BE5E2D
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BD41F9: CoInitializeEx.OLE32(00000000,00000000), ref: 00BD4206
      • Part of subcall function 00BC645E: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,?,00BD5B49), ref: 00BC6470
      • Part of subcall function 00BC645E: #2.OLEAUT32(?,00000000,?,?,?,00BD5B49), ref: 00BC64A4
      • Part of subcall function 00BC645E: #6.OLEAUT32(?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00BD5B49), ref: 00BC64D9
      • Part of subcall function 00BC645E: CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00BC64F9
    • #2.OLEAUT32(WQL), ref: 00BD5BAF
    • #2.OLEAUT32 ref: 00BD5BCB
    • #6.OLEAUT32(?,?,00000030,00000000), ref: 00BD5BFB
    • #9.OLEAUT32(?,?,00000000,00000000), ref: 00BD5C6C
      • Part of subcall function 00BC6433: #6.OLEAUT32(?,00000000,00BD5CA3), ref: 00BC6450
      • Part of subcall function 00BC6433: CoUninitialize.OLE32 ref: 00BD4244
    • memcpy.MSVCRT ref: 00BD5D45
    • memcpy.MSVCRT ref: 00BD5D57
    • memcpy.MSVCRT ref: 00BD5D69
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
      • Part of subcall function 00BD24DA: HeapAlloc.KERNEL32(00000008,?,?,00BCB076,?,?,?,00000000,?,?,00000000,00BEAA69,?,00BEADD5), ref: 00BD24EB
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,00BC7E45,?,?,?,00000000), ref: 00BDAEAE
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00BDAEE7
    • CloseHandle.KERNEL32 ref: 00BDAEFA
      • Part of subcall function 00BD24C1: HeapAlloc.KERNEL32(00000000,00000028,?,00BED211,?,?,00000000,?,?,00000001), ref: 00BD24D2
    • memcpy.MSVCRT ref: 00BDAF1D
    • memset.MSVCRT ref: 00BDAF37
    • memcpy.MSVCRT ref: 00BDAF7D
    • memset.MSVCRT ref: 00BDAF9B
      • Part of subcall function 00BC8CBF: EnterCriticalSection.KERNEL32(?,?,?,00BD2B51,00000005,00007530,?,00000000,00000000), ref: 00BC8CC7
      • Part of subcall function 00BC8CBF: WaitForSingleObject.KERNEL32(?,00000000), ref: 00BC8CEB
      • Part of subcall function 00BC8CBF: CloseHandle.KERNEL32 ref: 00BC8CFB
      • Part of subcall function 00BC8CBF: LeaveCriticalSection.KERNEL32(?,?,?,?,00BD2B51,00000005,00007530,?,00000000,00000000), ref: 00BC8D2B
      • Part of subcall function 00BC8D34: EnterCriticalSection.KERNEL32(00E81F44,00E81F38,?,?,00BDA99B,00000000,00BDA6E2,00000000,?,00000000,?,?,?,00BEB2E2,?,00000001), ref: 00BC8D3D
      • Part of subcall function 00BC8D34: CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00BC8D76
      • Part of subcall function 00BC8D34: DuplicateHandle.KERNEL32(000000FF,?,000000FF,00BDA99B,00000000,00000000,00000002), ref: 00BC8D95
      • Part of subcall function 00BC8D34: GetLastError.KERNEL32(?,000000FF,00BDA99B,00000000,00000000,00000002,?,?,00BDA99B,00000000,00BDA6E2,00000000,?,00000000), ref: 00BC8D9F
      • Part of subcall function 00BC8D34: TerminateThread.KERNEL32 ref: 00BC8DA7
      • Part of subcall function 00BC8D34: CloseHandle.KERNEL32 ref: 00BC8DAE
      • Part of subcall function 00BC8D34: LeaveCriticalSection.KERNEL32(00E81F44,?,00BDA99B,00000000,00BDA6E2,00000000,?,00000000,?,?,?,00BEB2E2,?,00000001), ref: 00BC8DC3
      • Part of subcall function 00BC8D34: ResumeThread.KERNEL32 ref: 00BC8DDC
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00BC7E45,?,?,?,00000000), ref: 00BDAFEF
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BED9E1: memset.MSVCRT ref: 00BED9F0
      • Part of subcall function 00BED9E1: memcpy.MSVCRT ref: 00BEDA17
      • Part of subcall function 00BD41F9: CoInitializeEx.OLE32(00000000,00000000), ref: 00BD4206
    • getsockopt.WS2_32(?,0000FFFF,00001008,00BB9417,00BB9417), ref: 00BD86B2
    • GetHandleInformation.KERNEL32 ref: 00BD86C4
      • Part of subcall function 00BCB764: EnterCriticalSection.KERNEL32(00BF5AA4,?,00BCB826,?,00BEC86A,00BDC4AB,00BDC4AB,?,00BDC4AB,?,00000001), ref: 00BCB774
      • Part of subcall function 00BCB764: LeaveCriticalSection.KERNEL32(00BF5AA4,?,00BCB826,?,00BEC86A,00BDC4AB,00BDC4AB,?,00BDC4AB,?,00000001), ref: 00BCB79E
    • socket.WS2_32(?,00000001,00000006), ref: 00BD86F7
    • socket.WS2_32(?,00000002,00000011), ref: 00BD8708
    • closesocket.WS2_32(?), ref: 00BD8727
    • closesocket.WS2_32 ref: 00BD872E
      • Part of subcall function 00BD24C1: HeapAlloc.KERNEL32(00000000,00000028,?,00BED211,?,?,00000000,?,?,00000001), ref: 00BD24D2
    • memset.MSVCRT ref: 00BD87F2
      • Part of subcall function 00BCBC0C: bind.WS2_32(?,00BCBCEA), ref: 00BCBC53
      • Part of subcall function 00BCBC0C: listen.WS2_32(?,00000014), ref: 00BCBC68
      • Part of subcall function 00BCBC0C: WSAGetLastError.WS2_32(00000000,?,00BCBCEA,?,?,?,?,00000000), ref: 00BCBC76
      • Part of subcall function 00BCBC0C: WSASetLastError.WS2_32(?,?,00BCBCEA,?,?,?,?,00000000), ref: 00BCBC86
      • Part of subcall function 00BCBC93: memset.MSVCRT ref: 00BCBCA9
      • Part of subcall function 00BCBC93: WSAGetLastError.WS2_32(?,?,?,?,00000000), ref: 00BCBCEE
      • Part of subcall function 00BD8A41: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00BD8A52
    • memcpy.MSVCRT ref: 00BD8902
      • Part of subcall function 00BCBAC9: memset.MSVCRT ref: 00BCBADE
      • Part of subcall function 00BCBAC9: getsockname.WS2_32(?,00BC7C25), ref: 00BCBAF1
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00BF5AA4,?,00BF4DF4,00000000,00000006,00BEBD7A,00BF4DF4,-00000258,?,00000000), ref: 00BC8E6A
    • LeaveCriticalSection.KERNEL32(00BF5AA4,?,00000000), ref: 00BC8E9D
      • Part of subcall function 00BD1E94: GetModuleHandleW.KERNEL32(shell32.dll), ref: 00BD1EA2
      • Part of subcall function 00BD1E94: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00BD1EAE
      • Part of subcall function 00BD1E94: SetLastError.KERNEL32(00000001,00BC8F04,00BF47C0,?,00BF4DF4,00000000,00000006,00BEBD7A,00BF4DF4,-00000258,?,00000000), ref: 00BD1EC6
    • CoTaskMemFree.OLE32(?), ref: 00BC8F36
    • PathRemoveBackslashW.SHLWAPI(00000006), ref: 00BC8F44
    • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,00000006), ref: 00BC8F5C
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • lstrlenA.KERNEL32(?,?), ref: 00BD2C1E
    • CreateMutexW.KERNEL32(00BF49B4,00000001), ref: 00BD2C76
    • GetLastError.KERNEL32(?,?,?,?,?), ref: 00BD2C86
    • CloseHandle.KERNEL32 ref: 00BD2C94
      • Part of subcall function 00BD24DA: HeapAlloc.KERNEL32(00000008,?,?,00BCB076,?,?,?,00000000,?,?,00000000,00BEAA69,?,00BEADD5), ref: 00BD24EB
    • memcpy.MSVCRT ref: 00BD2CBE
    • memcpy.MSVCRT ref: 00BD2CD2
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
      • Part of subcall function 00BCB2E5: CreateThread.KERNEL32(00000000,00000000,00BC9DBA,?), ref: 00BCB2F6
      • Part of subcall function 00BCB2E5: CloseHandle.KERNEL32 ref: 00BCB301
      • Part of subcall function 00BC766D: ReleaseMutex.KERNEL32 ref: 00BC7671
      • Part of subcall function 00BC766D: CloseHandle.KERNEL32 ref: 00BC7678
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BD24DA: HeapAlloc.KERNEL32(00000008,?,?,00BCB076,?,?,?,00000000,?,?,00000000,00BEAA69,?,00BEADD5), ref: 00BD24EB
    • EnterCriticalSection.KERNEL32(?,?,00000000,?,?,0000002C), ref: 00BD6531
      • Part of subcall function 00BD6865: EnterCriticalSection.KERNEL32(?,?,00000000,?,00BD6B6E,00000064,00000000,000000C8,00000000,?,00000001,?,0000002C), ref: 00BD686E
      • Part of subcall function 00BD6865: LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00BD6B6E,00000064,00000000,000000C8,00000000,?,00000001,?,0000002C), ref: 00BD68A5
      • Part of subcall function 00BDB7FF: EnterCriticalSection.KERNEL32(00BF47FC,?,?,00BE59A9,00000000), ref: 00BDB80C
      • Part of subcall function 00BDB7FF: LeaveCriticalSection.KERNEL32(00BF47FC,?,?,00BE59A9,00000000), ref: 00BDB81A
    • LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,?,?,0000002C), ref: 00BD6572
    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00BD6581
    • SetEvent.KERNEL32 ref: 00BD6591
    • GetExitCodeThread.KERNEL32 ref: 00BD65A5
    • CloseHandle.KERNEL32 ref: 00BD65BB
      • Part of subcall function 00BC8D34: EnterCriticalSection.KERNEL32(00E81F44,00E81F38,?,?,00BDA99B,00000000,00BDA6E2,00000000,?,00000000,?,?,?,00BEB2E2,?,00000001), ref: 00BC8D3D
      • Part of subcall function 00BC8D34: CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00BC8D76
      • Part of subcall function 00BC8D34: DuplicateHandle.KERNEL32(000000FF,?,000000FF,00BDA99B,00000000,00000000,00000002), ref: 00BC8D95
      • Part of subcall function 00BC8D34: GetLastError.KERNEL32(?,000000FF,00BDA99B,00000000,00000000,00000002,?,?,00BDA99B,00000000,00BDA6E2,00000000,?,00000000), ref: 00BC8D9F
      • Part of subcall function 00BC8D34: TerminateThread.KERNEL32 ref: 00BC8DA7
      • Part of subcall function 00BC8D34: CloseHandle.KERNEL32 ref: 00BC8DAE
      • Part of subcall function 00BC8D34: LeaveCriticalSection.KERNEL32(00E81F44,?,00BDA99B,00000000,00BDA6E2,00000000,?,00000000,?,?,?,00BEB2E2,?,00000001), ref: 00BC8DC3
      • Part of subcall function 00BC8D34: ResumeThread.KERNEL32 ref: 00BC8DDC
      • Part of subcall function 00BD6BD0: memcmp.MSVCRT ref: 00BD6BE9
      • Part of subcall function 00BD6BD0: memcmp.MSVCRT ref: 00BD6C45
      • Part of subcall function 00BD6BD0: memcmp.MSVCRT ref: 00BD6CAB
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
      • Part of subcall function 00BEB0EA: memcpy.MSVCRT ref: 00BEB110
      • Part of subcall function 00BEB0EA: memset.MSVCRT ref: 00BEB1B3
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BD204E: memcpy.MSVCRT ref: 00BD205C
      • Part of subcall function 00BD25A7: memcpy.MSVCRT ref: 00BD25C6
      • Part of subcall function 00BE570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00BEABEA,00BEABEA), ref: 00BE573C
    • PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00BE6103
    • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000001,00000080,00000000), ref: 00BE617B
    • GetLastError.KERNEL32(?,C0000000,00000000,00000000,00000001,00000080,00000000,?,?,?,?,00000000,3D94878D), ref: 00BE6188
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00BE61B2
    • FlushFileBuffers.KERNEL32 ref: 00BE61CC
    • CloseHandle.KERNEL32 ref: 00BE61D3
      • Part of subcall function 00BE5E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00BE5E26
      • Part of subcall function 00BE5E1D: DeleteFileW.KERNEL32 ref: 00BE5E2D
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
      • Part of subcall function 00BC8F6F: memcpy.MSVCRT ref: 00BC8FE0
      • Part of subcall function 00BC8F6F: PathRemoveBackslashW.SHLWAPI ref: 00BC8FEA
      • Part of subcall function 00BC8F6F: memcpy.MSVCRT ref: 00BC9033
      • Part of subcall function 00BC8F6F: memcpy.MSVCRT ref: 00BC9060
      • Part of subcall function 00BC8F6F: PathRemoveBackslashW.SHLWAPI ref: 00BC906A
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00BE60D6
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • LoadLibraryW.KERNEL32 ref: 00BC95A7
    • GetProcAddress.KERNEL32 ref: 00BC95D5
    • GetProcAddress.KERNEL32 ref: 00BC95EF
    • GetProcAddress.KERNEL32 ref: 00BC960B
    • FreeLibrary.KERNEL32(00000003), ref: 00BC96B9
      • Part of subcall function 00BCAF99: GetCurrentThread.KERNEL32 ref: 00BCAFAD
      • Part of subcall function 00BCAF99: OpenThreadToken.ADVAPI32 ref: 00BCAFB4
      • Part of subcall function 00BCAF99: GetCurrentProcess.KERNEL32 ref: 00BCAFC4
      • Part of subcall function 00BCAF99: OpenProcessToken.ADVAPI32 ref: 00BCAFCB
      • Part of subcall function 00BCAF99: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege), ref: 00BCAFEC
      • Part of subcall function 00BCAF99: AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 00BCB001
      • Part of subcall function 00BCAF99: GetLastError.KERNEL32 ref: 00BCB00B
      • Part of subcall function 00BCAF99: CloseHandle.KERNEL32(00000001), ref: 00BCB01C
    • WTSGetActiveConsoleSessionId.KERNEL32 ref: 00BC9638
      • Part of subcall function 00BC950C: EqualSid.ADVAPI32(?,5B867A00), ref: 00BC952F
      • Part of subcall function 00BC950C: CloseHandle.KERNEL32(00000001), ref: 00BC9576
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • memcpy.MSVCRT ref: 00BE5D6C
    • memcpy.MSVCRT ref: 00BE5D81
    • memcpy.MSVCRT ref: 00BE5D96
    • memcpy.MSVCRT ref: 00BE5DA5
      • Part of subcall function 00BE58ED: EnterCriticalSection.KERNEL32(00BF5AA4,?,00BE5BB2,?,00BE5C0A,?,?,?,?,C:\Documents and Settings\Administrator\Local Settings\Application Data,00000000,00000000,00000000,?,00000000), ref: 00BE58FD
      • Part of subcall function 00BE58ED: LeaveCriticalSection.KERNEL32(00BF5AA4,?,C:\Documents and Settings\Administrator\Local Settings\Application Data,00000000,00000000,00000000,?,00000000,?,00000002,?,C:\Documents and Settings\Administrator\Local Settings\Application Data,C:\Documents and Settings\Administrator\Local Settings\Application Data,?,00BEA856), ref: 00BE592C
      • Part of subcall function 00BD1E94: GetModuleHandleW.KERNEL32(shell32.dll), ref: 00BD1EA2
      • Part of subcall function 00BD1E94: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00BD1EAE
      • Part of subcall function 00BD1E94: SetLastError.KERNEL32(00000001,00BC8F04,00BF47C0,?,00BF4DF4,00000000,00000006,00BEBD7A,00BF4DF4,-00000258,?,00000000), ref: 00BD1EC6
    • SetFileTime.KERNEL32(?,?,?,?), ref: 00BE5E0A
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • GetFileAttributesW.KERNEL32 ref: 00BF2485
    • FlushFileBuffers.KERNEL32 ref: 00BF256B
      • Part of subcall function 00BC913F: FindFirstFileW.KERNEL32(?), ref: 00BC9170
      • Part of subcall function 00BC913F: FindNextFileW.KERNEL32(?,?), ref: 00BC91C2
      • Part of subcall function 00BC913F: FindClose.KERNEL32 ref: 00BC91CD
      • Part of subcall function 00BC913F: SetFileAttributesW.KERNEL32(?,00000080), ref: 00BC91D9
      • Part of subcall function 00BC913F: RemoveDirectoryW.KERNEL32 ref: 00BC91E0
      • Part of subcall function 00BE5E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00BE5E26
      • Part of subcall function 00BE5E1D: DeleteFileW.KERNEL32 ref: 00BE5E2D
    • PathRemoveFileSpecW.SHLWAPI(?), ref: 00BF24BA
      • Part of subcall function 00BE5947: GetTempPathW.KERNEL32(00000104,?), ref: 00BE5962
      • Part of subcall function 00BE5947: PathAddBackslashW.SHLWAPI(?), ref: 00BE598C
      • Part of subcall function 00BE5947: CreateDirectoryW.KERNEL32(?), ref: 00BE5A44
      • Part of subcall function 00BE5947: SetFileAttributesW.KERNEL32(?), ref: 00BE5A55
      • Part of subcall function 00BE5947: CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 00BE5A6E
      • Part of subcall function 00BE5947: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000080,?,?,00000000), ref: 00BE5A7F
    • MoveFileExW.KERNEL32(?,?,00000001), ref: 00BF2501
    • CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 00BF251A
      • Part of subcall function 00BE5B5F: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00BE5B87
      • Part of subcall function 00BE5934: CloseHandle.KERNEL32 ref: 00BE5940
    • Sleep.KERNEL32(00001388), ref: 00BF255D
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00BE5BEB
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00BF5AA4,?,?,?,00BE0C47,?,?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00BE0AB3
    • LeaveCriticalSection.KERNEL32(00BF5AA4,?,?,?,00BE0C47,?,?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00BE0ADB
    • GetModuleHandleW.KERNEL32(advapi32.dll), ref: 00BE0AF7
    • GetProcAddress.KERNEL32 ref: 00BE0AFE
    • RegDeleteKeyW.ADVAPI32(?), ref: 00BE0B20
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BC6A4D: TlsSetValue.KERNEL32(00000001,00BDA796), ref: 00BC6A5A
    • GetCurrentThread.KERNEL32 ref: 00BDA799
    • SetThreadPriority.KERNEL32 ref: 00BDA7A0
      • Part of subcall function 00BEC09D: CreateMutexW.KERNEL32(00BF49B4,00000000), ref: 00BEC0BF
      • Part of subcall function 00BD204E: memcpy.MSVCRT ref: 00BD205C
      • Part of subcall function 00BE570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00BEABEA,00BEABEA), ref: 00BE573C
      • Part of subcall function 00BDA755: PathFindFileNameW.SHLWAPI(000001ED), ref: 00BDA759
      • Part of subcall function 00BDA755: PathRemoveExtensionW.SHLWAPI ref: 00BDA76D
      • Part of subcall function 00BDA755: CharUpperW.USER32 ref: 00BDA777
    • PathQuoteSpacesW.SHLWAPI ref: 00BDA83E
      • Part of subcall function 00BEAFD3: WaitForSingleObject.KERNEL32(00000000,00BDA849), ref: 00BEAFDB
    • WaitForSingleObject.KERNEL32 ref: 00BDA879
    • StrCmpW.SHLWAPI ref: 00BDA8D7
      • Part of subcall function 00BE07B0: RegCreateKeyExW.ADVAPI32(80000001,00000102,00000000,00000000,00000000,?,00000000,?,?), ref: 00BE07D8
    • RegSetValueExW.ADVAPI32(000000FF,?,00000000,00000001), ref: 00BDA938
      • Part of subcall function 00BE0755: RegFlushKey.ADVAPI32 ref: 00BE0765
      • Part of subcall function 00BE0755: RegCloseKey.ADVAPI32 ref: 00BE076D
    • WaitForSingleObject.KERNEL32 ref: 00BDA959
      • Part of subcall function 00BC766D: ReleaseMutex.KERNEL32 ref: 00BC7671
      • Part of subcall function 00BC766D: CloseHandle.KERNEL32 ref: 00BC7678
      • Part of subcall function 00BDB7FF: EnterCriticalSection.KERNEL32(00BF47FC,?,?,00BE59A9,00000000), ref: 00BDB80C
      • Part of subcall function 00BDB7FF: LeaveCriticalSection.KERNEL32(00BF47FC,?,?,00BE59A9,00000000), ref: 00BDB81A
      • Part of subcall function 00BC8F6F: memcpy.MSVCRT ref: 00BC8FE0
      • Part of subcall function 00BC8F6F: PathRemoveBackslashW.SHLWAPI ref: 00BC8FEA
      • Part of subcall function 00BC8F6F: memcpy.MSVCRT ref: 00BC9033
      • Part of subcall function 00BC8F6F: memcpy.MSVCRT ref: 00BC9060
      • Part of subcall function 00BC8F6F: PathRemoveBackslashW.SHLWAPI ref: 00BC906A
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 00BDA7EC
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • GetTickCount.KERNEL32 ref: 00BD9ECE
    • EnterCriticalSection.KERNEL32 ref: 00BD9EE3
    • WaitForSingleObject.KERNEL32(?,000927C0), ref: 00BD9F28
    • GetTickCount.KERNEL32 ref: 00BD9F3B
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
      • Part of subcall function 00BE6875: GetSystemTime.KERNEL32 ref: 00BE687F
      • Part of subcall function 00BD94FB: WaitForSingleObject.KERNEL32(?,00000000), ref: 00BD9503
    • GetTickCount.KERNEL32 ref: 00BDA135
      • Part of subcall function 00BD1B5D: memcmp.MSVCRT ref: 00BD1B69
      • Part of subcall function 00BD93A8: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00BDA111), ref: 00BD93BE
      • Part of subcall function 00BD93A8: memcpy.MSVCRT ref: 00BD9419
      • Part of subcall function 00BD93A8: LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00BDA111,?,00000002), ref: 00BD9429
      • Part of subcall function 00BD93A8: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 00BD945D
      • Part of subcall function 00BD93A8: LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00BDA111), ref: 00BD94E9
      • Part of subcall function 00BD9A6F: memset.MSVCRT ref: 00BD9B47
      • Part of subcall function 00BD9A6F: memcpy.MSVCRT ref: 00BD9BA2
      • Part of subcall function 00BD9A6F: memcmp.MSVCRT ref: 00BD9C1B
      • Part of subcall function 00BD9A6F: memcpy.MSVCRT ref: 00BD9C6F
      • Part of subcall function 00BD9A6F: EnterCriticalSection.KERNEL32(?,?,00000FA0,?,-00001388), ref: 00BD9D42
      • Part of subcall function 00BD9A6F: LeaveCriticalSection.KERNEL32(?,?,?,00000FA0,?,-00001388), ref: 00BD9D60
    • GetTickCount.KERNEL32 ref: 00BDA16E
    • LeaveCriticalSection.KERNEL32(?,?,00000002), ref: 00BDA191
      • Part of subcall function 00BDB7FF: EnterCriticalSection.KERNEL32(00BF47FC,?,?,00BE59A9,00000000), ref: 00BDB80C
      • Part of subcall function 00BDB7FF: LeaveCriticalSection.KERNEL32(00BF47FC,?,?,00BE59A9,00000000), ref: 00BDB81A
    • WaitForSingleObject.KERNEL32(?,-001B7740), ref: 00BDA1B6
    • LeaveCriticalSection.KERNEL32 ref: 00BDA1CC
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BDCAF1: WaitForSingleObject.KERNEL32(?,00000000), ref: 00BDCB1D
      • Part of subcall function 00BDCAF1: GetSystemTime.KERNEL32(?), ref: 00BDCB54
      • Part of subcall function 00BDCAF1: Sleep.KERNEL32(000005DC), ref: 00BDCB6D
      • Part of subcall function 00BDCAF1: WaitForSingleObject.KERNEL32(?,000005DC), ref: 00BDCB76
      • Part of subcall function 00BDCAF1: lstrcpyA.KERNEL32 ref: 00BDCBD4
      • Part of subcall function 00BD163A: memcmp.MSVCRT ref: 00BD1698
      • Part of subcall function 00BD163A: memcpy.MSVCRT ref: 00BD16D6
      • Part of subcall function 00BEAFE8: memcpy.MSVCRT ref: 00BEAFF8
      • Part of subcall function 00BD1781: memset.MSVCRT ref: 00BD1794
      • Part of subcall function 00BD1781: memcpy.MSVCRT ref: 00BD17AF
      • Part of subcall function 00BD1781: memcpy.MSVCRT ref: 00BD17D7
      • Part of subcall function 00BD1781: memcpy.MSVCRT ref: 00BD17FB
    • memset.MSVCRT ref: 00BD9B47
      • Part of subcall function 00BD93A8: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00BDA111), ref: 00BD93BE
      • Part of subcall function 00BD93A8: memcpy.MSVCRT ref: 00BD9419
      • Part of subcall function 00BD93A8: LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00BDA111,?,00000002), ref: 00BD9429
      • Part of subcall function 00BD93A8: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 00BD945D
      • Part of subcall function 00BD93A8: LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00BDA111), ref: 00BD94E9
      • Part of subcall function 00BD1B16: EnterCriticalSection.KERNEL32(00BF5AA4,?,00BD8DDC,?,?,?,?,00BEB233,?,00000001), ref: 00BD1B26
      • Part of subcall function 00BD1B16: LeaveCriticalSection.KERNEL32(00BF5AA4,?,00BD8DDC,?,?,?,?,00BEB233,?,00000001), ref: 00BD1B50
    • memcpy.MSVCRT ref: 00BD9BA2
      • Part of subcall function 00BD94FB: WaitForSingleObject.KERNEL32(?,00000000), ref: 00BD9503
    • memcmp.MSVCRT ref: 00BD9C1B
      • Part of subcall function 00BD2543: HeapAlloc.KERNEL32(00000008,?,?,00000000,00BDD89F,?,?,?,00000000,00000000,00000000,00BDD869,?,00BCB3C7,?,@echo off%sdel /F "%s"), ref: 00BD256D
      • Part of subcall function 00BD2543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00BDD89F,?,?,?,00000000,00000000,00000000,00BDD869,?,00BCB3C7), ref: 00BD2580
    • memcpy.MSVCRT ref: 00BD9C6F
      • Part of subcall function 00BD1A4F: memcmp.MSVCRT ref: 00BD1A6B
      • Part of subcall function 00BD1B5D: memcmp.MSVCRT ref: 00BD1B69
      • Part of subcall function 00BDB7FF: EnterCriticalSection.KERNEL32(00BF47FC,?,?,00BE59A9,00000000), ref: 00BDB80C
      • Part of subcall function 00BDB7FF: LeaveCriticalSection.KERNEL32(00BF47FC,?,?,00BE59A9,00000000), ref: 00BDB81A
      • Part of subcall function 00BC7E58: memcpy.MSVCRT ref: 00BC7E70
    • EnterCriticalSection.KERNEL32(?,?,00000FA0,?,-00001388), ref: 00BD9D42
    • LeaveCriticalSection.KERNEL32(?,?,?,00000FA0,?,-00001388), ref: 00BD9D60
      • Part of subcall function 00BD1821: memcpy.MSVCRT ref: 00BD1848
      • Part of subcall function 00BD1728: memcpy.MSVCRT ref: 00BD1771
      • Part of subcall function 00BD19AE: memcmp.MSVCRT ref: 00BD1A24
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
      • Part of subcall function 00BC4C10: _errno.MSVCRT ref: 00BC4C2B
      • Part of subcall function 00BC4C10: _errno.MSVCRT ref: 00BC4C5D
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00BF5AA4,?,?,?,?,?,?,?,?,?,?), ref: 00BF1CE8
    • LeaveCriticalSection.KERNEL32(00BF5AA4,?,?,?,?,?,?,?,?,?), ref: 00BF1D12
      • Part of subcall function 00BEFEDF: memset.MSVCRT ref: 00BEFEF5
      • Part of subcall function 00BEFEDF: InitializeCriticalSection.KERNEL32(00BF5050), ref: 00BEFF05
      • Part of subcall function 00BEFEDF: memset.MSVCRT ref: 00BEFF34
      • Part of subcall function 00BEFEDF: InitializeCriticalSection.KERNEL32(00BF5030), ref: 00BEFF3E
      • Part of subcall function 00BD24C1: HeapAlloc.KERNEL32(00000000,00000028,?,00BED211,?,?,00000000,?,?,00000001), ref: 00BD24D2
      • Part of subcall function 00BC9FB3: memcpy.MSVCRT ref: 00BC9FE9
    • memcmp.MSVCRT ref: 00BF1E03
    • memcmp.MSVCRT ref: 00BF1E34
      • Part of subcall function 00BC9F5F: memcpy.MSVCRT ref: 00BC9F99
    • EnterCriticalSection.KERNEL32(00BF5050), ref: 00BF1EA7
      • Part of subcall function 00BEFFD8: GetTickCount.KERNEL32 ref: 00BEFFDF
      • Part of subcall function 00BF03D0: EnterCriticalSection.KERNEL32(00BF5030,00BF506C,?,?,00BF5050), ref: 00BF03E3
      • Part of subcall function 00BF03D0: LeaveCriticalSection.KERNEL32(00BF5030,?,?,00BF5050), ref: 00BF0559
      • Part of subcall function 00BF061B: EnterCriticalSection.KERNEL32(00E827E8,?,?,?,?,00BF5050), ref: 00BF06F5
      • Part of subcall function 00BF061B: LeaveCriticalSection.KERNEL32(00E827E8,000000FF,00000000,?,?,?,?,00BF5050), ref: 00BF071D
    • LeaveCriticalSection.KERNEL32(00BF5050,00BF506C,00BF506C,00BF506C), ref: 00BF1EF7
      • Part of subcall function 00BEDD3E: lstrlenA.KERNEL32(?,?,?,?,?,?,00BF506C,?,?,00BF5050), ref: 00BEDD52
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • OpenProcessToken.ADVAPI32(000000FF,00000008), ref: 00BCB03B
    • GetTokenInformation.ADVAPI32(?,00000019,00000000,00000000), ref: 00BCB054
    • GetLastError.KERNEL32(?,?,00000000,?,?,00000000,00BEAA69,?,00BEADD5,?,?,?,00000001), ref: 00BCB05E
      • Part of subcall function 00BD24DA: HeapAlloc.KERNEL32(00000008,?,?,00BCB076,?,?,?,00000000,?,?,00000000,00BEAA69,?,00BEADD5), ref: 00BD24EB
    • GetTokenInformation.ADVAPI32(?,00000019,?,?), ref: 00BCB089
    • GetSidSubAuthorityCount.ADVAPI32(?,?,?,?,?,?,?,00000000,?,?,00000000,00BEAA69,?,00BEADD5), ref: 00BCB095
    • GetSidSubAuthority.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00BEAA69,?,00BEADD5), ref: 00BCB0AC
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
    • CloseHandle.KERNEL32(?), ref: 00BCB0D8
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BD24C1: HeapAlloc.KERNEL32(00000000,00000028,?,00BED211,?,?,00000000,?,?,00000001), ref: 00BD24D2
    • WSASetLastError.WS2_32(00000008,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00000001), ref: 00BCC3C0
    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,?), ref: 00BCC40C
      • Part of subcall function 00BCBEC0: WSAGetLastError.WS2_32 ref: 00BCBEF6
      • Part of subcall function 00BCBEC0: WSASetLastError.WS2_32(?,?,?,?), ref: 00BCBF3E
    • WSAGetLastError.WS2_32(?,00000800,?,00000000,?), ref: 00BCC4EC
    • shutdown.WS2_32(?,00000001), ref: 00BCC517
    • WaitForMultipleObjects.KERNEL32(?,?,00000000,?), ref: 00BCC540
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
    • WSASetLastError.WS2_32(0000274C,?,?,?,?,?,?,?,?,00000000,?,?,?,00000001,?,00002710), ref: 00BCC594
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00E827E8,?,3D920600,?), ref: 00BEC5BC
    • LeaveCriticalSection.KERNEL32(00E827E8,?,3D920600,?), ref: 00BEC66C
      • Part of subcall function 00BC7FA8: LoadLibraryA.KERNEL32(gdiplus.dll), ref: 00BC7FBA
      • Part of subcall function 00BC7FA8: GetProcAddress.KERNEL32(?,GdiplusStartup), ref: 00BC7FD2
      • Part of subcall function 00BC7FA8: CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00BC8011
      • Part of subcall function 00BC7FA8: CreateCompatibleDC.GDI32 ref: 00BC8022
      • Part of subcall function 00BC7FA8: LoadCursorW.USER32(00000000,00007F00), ref: 00BC8038
      • Part of subcall function 00BC7FA8: GetIconInfo.USER32 ref: 00BC804C
      • Part of subcall function 00BC7FA8: GetCursorPos.USER32(?), ref: 00BC805B
      • Part of subcall function 00BC7FA8: GetDeviceCaps.GDI32(?,00000008), ref: 00BC8072
      • Part of subcall function 00BC7FA8: GetDeviceCaps.GDI32(?,0000000A), ref: 00BC807B
      • Part of subcall function 00BC7FA8: CreateCompatibleBitmap.GDI32(?,?), ref: 00BC8087
      • Part of subcall function 00BC7FA8: SelectObject.GDI32 ref: 00BC8095
      • Part of subcall function 00BC7FA8: BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,40CC0020), ref: 00BC80B6
      • Part of subcall function 00BC7FA8: DrawIcon.USER32(?,?,?,?), ref: 00BC80E8
      • Part of subcall function 00BC7FA8: SelectObject.GDI32(?,?), ref: 00BC8104
      • Part of subcall function 00BC7FA8: DeleteObject.GDI32 ref: 00BC810B
      • Part of subcall function 00BC7FA8: DeleteDC.GDI32 ref: 00BC8112
      • Part of subcall function 00BC7FA8: DeleteDC.GDI32 ref: 00BC8119
      • Part of subcall function 00BC7FA8: FreeLibrary.KERNEL32(?), ref: 00BC8129
      • Part of subcall function 00BC7FA8: GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 00BC813F
      • Part of subcall function 00BC7FA8: FreeLibrary.KERNEL32(?), ref: 00BC8153
    • GetTickCount.KERNEL32 ref: 00BEC616
    • GetCurrentProcessId.KERNEL32 ref: 00BEC61D
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
    • GetKeyboardState.USER32 ref: 00BEC688
    • ToUnicode.USER32(?,?,?,?,00000009,00000000), ref: 00BEC6AB
      • Part of subcall function 00BEC410: EnterCriticalSection.KERNEL32(00E827E8,00E827E8,?,?,?,00BEC6E4,?,?,?,?,?,00000009,00000000,?,?,3D920600), ref: 00BEC42A
      • Part of subcall function 00BEC410: memcpy.MSVCRT ref: 00BEC49B
      • Part of subcall function 00BEC410: memcpy.MSVCRT ref: 00BEC4BF
      • Part of subcall function 00BEC410: memcpy.MSVCRT ref: 00BEC4D6
      • Part of subcall function 00BEC410: memcpy.MSVCRT ref: 00BEC4F6
      • Part of subcall function 00BEC410: LeaveCriticalSection.KERNEL32(00E827E8,?,3D920600,?), ref: 00BEC511
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • memset.MSVCRT ref: 00BD59C8
    • GlobalMemoryStatusEx.KERNEL32 ref: 00BD59DF
    • GetNativeSystemInfo.KERNEL32 ref: 00BD5A10
      • Part of subcall function 00BE0775: RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BE079C
    • GetSystemMetrics.USER32(0000004F), ref: 00BD5A9D
      • Part of subcall function 00BE0A1D: RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 00BE0A3A
      • Part of subcall function 00BE0755: RegFlushKey.ADVAPI32 ref: 00BE0765
      • Part of subcall function 00BE0755: RegCloseKey.ADVAPI32 ref: 00BE076D
    • GetSystemMetrics.USER32(00000050), ref: 00BD5A90
    • GetSystemMetrics.USER32(0000004E), ref: 00BD5A97
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • ConvertSidToStringSidW.ADVAPI32(?,?), ref: 00BEB32F
    • PathUnquoteSpacesW.SHLWAPI ref: 00BEB394
    • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00BEB3A3
    • LocalFree.KERNEL32(00000001), ref: 00BEB3B7
    Strings
    • SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s, xrefs: 00BEB34C
    • ProfileImagePath, xrefs: 00BEB378
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • GetTempPathW.KERNEL32(00000104), ref: 00BEAAB7
    • GetLongPathNameW.KERNEL32(?,C:\Documents and Settings\Administrator\Local Settings\Temp,00000104,?,?), ref: 00BEAACF
    • PathRemoveBackslashW.SHLWAPI(C:\Documents and Settings\Administrator\Local Settings\Temp), ref: 00BEAADA
      • Part of subcall function 00BC8E53: EnterCriticalSection.KERNEL32(00BF5AA4,?,00BF4DF4,00000000,00000006,00BEBD7A,00BF4DF4,-00000258,?,00000000), ref: 00BC8E6A
      • Part of subcall function 00BC8E53: LeaveCriticalSection.KERNEL32(00BF5AA4,?,00000000), ref: 00BC8E9D
      • Part of subcall function 00BC8E53: CoTaskMemFree.OLE32(?), ref: 00BC8F36
      • Part of subcall function 00BC8E53: PathRemoveBackslashW.SHLWAPI(00000006), ref: 00BC8F44
      • Part of subcall function 00BC8E53: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,00000006), ref: 00BC8F5C
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?), ref: 00BEAB00
      • Part of subcall function 00BC9F5F: memcpy.MSVCRT ref: 00BC9F99
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00BEAAE0
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 00BEAAC2, 00BEAACD, 00BEAAD9
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,?,00000000), ref: 00BD52E3
    • GetCommandLineW.KERNEL32 ref: 00BD5304
      • Part of subcall function 00BE11D5: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00BE11FF
      • Part of subcall function 00BE11D5: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,?,00000000,00000000), ref: 00BE1234
    • GetUserNameExW.SECUR32(00000002,?,?,?,?,?,00000104), ref: 00BD533C
    • GetProcessTimes.KERNEL32(000000FF), ref: 00BD5372
    • GetUserDefaultUILanguage.KERNEL32 ref: 00BD53E4
    • memcpy.MSVCRT ref: 00BD5418
    • memcpy.MSVCRT ref: 00BD542D
    • memcpy.MSVCRT ref: 00BD5443
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
      • Part of subcall function 00BD24DA: HeapAlloc.KERNEL32(00000008,?,?,00BCB076,?,?,?,00000000,?,?,00000000,00BEAA69,?,00BEADD5), ref: 00BD24EB
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • GetTempPathW.KERNEL32(00000104,?), ref: 00BE5962
    • PathAddBackslashW.SHLWAPI(?), ref: 00BE598C
      • Part of subcall function 00BDB7FF: EnterCriticalSection.KERNEL32(00BF47FC,?,?,00BE59A9,00000000), ref: 00BDB80C
      • Part of subcall function 00BDB7FF: LeaveCriticalSection.KERNEL32(00BF47FC,?,?,00BE59A9,00000000), ref: 00BDB81A
    • CreateDirectoryW.KERNEL32(?), ref: 00BE5A44
    • SetFileAttributesW.KERNEL32(?), ref: 00BE5A55
    • CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 00BE5A6E
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000080,?,?,00000000), ref: 00BE5A7F
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • CreateFileW.KERNEL32(00E81EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BD844B
    • GetFileSizeEx.KERNEL32 ref: 00BD845E
    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00BD8484
    • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00BD849C
    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00BD84BA
    • CloseHandle.KERNEL32 ref: 00BD84C3
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BC8E53: EnterCriticalSection.KERNEL32(00BF5AA4,?,00BF4DF4,00000000,00000006,00BEBD7A,00BF4DF4,-00000258,?,00000000), ref: 00BC8E6A
      • Part of subcall function 00BC8E53: LeaveCriticalSection.KERNEL32(00BF5AA4,?,00000000), ref: 00BC8E9D
      • Part of subcall function 00BC8E53: CoTaskMemFree.OLE32(?), ref: 00BC8F36
      • Part of subcall function 00BC8E53: PathRemoveBackslashW.SHLWAPI(00000006), ref: 00BC8F44
      • Part of subcall function 00BC8E53: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,00000006), ref: 00BC8F5C
    • PathRemoveBackslashW.SHLWAPI(-00000258), ref: 00BEBD85
    • PathRemoveFileSpecW.SHLWAPI(-00000258), ref: 00BEBD92
    • PathAddBackslashW.SHLWAPI(-00000258), ref: 00BEBDA3
    • GetVolumeNameForVolumeMountPointW.KERNEL32(-00000258,-00000050,00000064), ref: 00BEBDB6
    • CLSIDFromString.OLE32(-0000003C,00BF4DF4,?,00000000), ref: 00BEBDD2
    • memset.MSVCRT ref: 00BEBDE4
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00BDFEC2
    • memcpy.MSVCRT ref: 00BDFEDC
    • VirtualProtect.KERNEL32(?,?,00000002,-00000048), ref: 00BDFEEF
    • memset.MSVCRT ref: 00BDFF46
    • memcpy.MSVCRT ref: 00BDFF5A
    • VirtualProtect.KERNEL32(?,?,?,-00000048), ref: 00BE0049
      • Part of subcall function 00BE01EA: LoadLibraryA.KERNEL32 ref: 00BE023A
      • Part of subcall function 00BE0370: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00BE037F
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • InitializeCriticalSection.KERNEL32(00BF5AA4), ref: 00BED207
      • Part of subcall function 00BD24C1: HeapAlloc.KERNEL32(00000000,00000028,?,00BED211,?,?,00000000,?,?,00000001), ref: 00BD24D2
    • InitializeCriticalSection.KERNEL32 ref: 00BED218
    • memset.MSVCRT ref: 00BED229
    • TlsAlloc.KERNEL32(?,?,00000000,?,?,00000001), ref: 00BED240
    • GetModuleHandleW.KERNEL32(00000000), ref: 00BED25C
    • GetModuleHandleW.KERNEL32 ref: 00BED272
      • Part of subcall function 00BECAF0: EnterCriticalSection.KERNEL32(00BF5AA4,7C80E4DD,00BED280,?,?,?,00000000,?,?,00000001), ref: 00BECB00
      • Part of subcall function 00BECAF0: LeaveCriticalSection.KERNEL32(00BF5AA4,?,?,?,00000000,?,?,00000001), ref: 00BECB28
      • Part of subcall function 00BED2B1: TlsFree.KERNEL32(00000015), ref: 00BED2BD
      • Part of subcall function 00BED2B1: DeleteCriticalSection.KERNEL32(00E81E90,00000000,00BED2A8,00E81E90,?,?,00000000,?,?,00000001), ref: 00BED2C4
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • accept.WS2_32(?,?), ref: 00BCBD45
    • WSAEventSelect.WS2_32(?,00000000,00000000), ref: 00BCBD57
      • Part of subcall function 00BD24C1: HeapAlloc.KERNEL32(00000000,00000028,?,00BED211,?,?,00000000,?,?,00000001), ref: 00BD24D2
    • WSASetLastError.WS2_32(00000008,?,?,00000002,?,00000000,00000000,?,?), ref: 00BCBDAE
      • Part of subcall function 00BCB928: WSACreateEvent.WS2_32(00000000,?,00BCBB6E,00000033,00000000,?,?,?,00BDC4F0,?,00003A98,?,00000000,?,00000003), ref: 00BCB93E
      • Part of subcall function 00BCB928: WSAEventSelect.WS2_32(?,?,00000033), ref: 00BCB954
      • Part of subcall function 00BCB928: WSACloseEvent.WS2_32 ref: 00BCB968
      • Part of subcall function 00BCB864: getsockopt.WS2_32(?,0000FFFF,00002004), ref: 00BCB89E
      • Part of subcall function 00BCB864: memset.MSVCRT ref: 00BCB8B2
    • WSAGetLastError.WS2_32(00000023,?,00000000,00000000,?,?), ref: 00BCBD88
    • shutdown.WS2_32(?,00000002), ref: 00BCBDA0
    • closesocket.WS2_32 ref: 00BCBDA7
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • OpenProcess.KERNEL32(0000047A,00000000,?), ref: 00BC5B19
      • Part of subcall function 00BEAEB1: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00BEAECF
      • Part of subcall function 00BEAEB1: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00BEAF0A
      • Part of subcall function 00BEAEB1: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00BEAF4A
      • Part of subcall function 00BEAEB1: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00BEAF6D
      • Part of subcall function 00BEAEB1: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00BEAFBD
    • CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000000,00000000), ref: 00BC5B5A
    • WaitForSingleObject.KERNEL32(?,00002710), ref: 00BC5B6C
    • CloseHandle.KERNEL32 ref: 00BC5B73
    • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00BC5B85
    • CloseHandle.KERNEL32 ref: 00BC5B8C
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BC6A4D: TlsSetValue.KERNEL32(00000001,00BDA796), ref: 00BC6A5A
      • Part of subcall function 00BEC09D: CreateMutexW.KERNEL32(00BF49B4,00000000), ref: 00BEC0BF
    • GetCurrentThread.KERNEL32 ref: 00BD2D49
    • SetThreadPriority.KERNEL32 ref: 00BD2D50
      • Part of subcall function 00BEAFD3: WaitForSingleObject.KERNEL32(00000000,00BDA849), ref: 00BEAFDB
    • memset.MSVCRT ref: 00BD2D92
    • lstrlenA.KERNEL32(00000000), ref: 00BD2DA9
      • Part of subcall function 00BD26C5: memset.MSVCRT ref: 00BD26D5
      • Part of subcall function 00BE621D: PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00BE6283
      • Part of subcall function 00BE621D: FindFirstFileW.KERNEL32 ref: 00BE62F1
      • Part of subcall function 00BE621D: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00BE634A
      • Part of subcall function 00BE621D: SetLastError.KERNEL32(00000057,?,?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00BE63BB
      • Part of subcall function 00BE621D: CloseHandle.KERNEL32 ref: 00BE63F5
      • Part of subcall function 00BE621D: FindNextFileW.KERNEL32 ref: 00BE6429
      • Part of subcall function 00BE621D: FindClose.KERNEL32 ref: 00BE6453
    • memset.MSVCRT ref: 00BD2E6F
    • memcpy.MSVCRT ref: 00BD2E7F
      • Part of subcall function 00BD2BE5: lstrlenA.KERNEL32(?,?), ref: 00BD2C1E
      • Part of subcall function 00BD2BE5: CreateMutexW.KERNEL32(00BF49B4,00000001), ref: 00BD2C76
      • Part of subcall function 00BD2BE5: GetLastError.KERNEL32(?,?,?,?,?), ref: 00BD2C86
      • Part of subcall function 00BD2BE5: CloseHandle.KERNEL32 ref: 00BD2C94
      • Part of subcall function 00BD2BE5: memcpy.MSVCRT ref: 00BD2CBE
      • Part of subcall function 00BD2BE5: memcpy.MSVCRT ref: 00BD2CD2
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
    • WaitForSingleObject.KERNEL32(00007530), ref: 00BD2EA9
      • Part of subcall function 00BC766D: ReleaseMutex.KERNEL32 ref: 00BC7671
      • Part of subcall function 00BC766D: CloseHandle.KERNEL32 ref: 00BC7678
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • GetModuleHandleW.KERNEL32(shell32.dll), ref: 00BD1EA2
    • GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00BD1EAE
    • SetLastError.KERNEL32(00000001,00BC8F04,00BF47C0,?,00BF4DF4,00000000,00000006,00BEBD7A,00BF4DF4,-00000258,?,00000000), ref: 00BD1EC6
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00BE8037
    • WSASetLastError.WS2_32(00000008), ref: 00BE8046
    • memcpy.MSVCRT ref: 00BE8063
    • memcpy.MSVCRT ref: 00BE8075
    • WSASetLastError.WS2_32(00000008,?,?,?), ref: 00BE80DF
    • WSAGetLastError.WS2_32(?,?,?), ref: 00BE80FB
      • Part of subcall function 00BE8325: RegisterWaitForSingleObject.KERNEL32(?,?,00BE8164,?,000000FF,00000004), ref: 00BE838A
    • WSASetLastError.WS2_32(00000008,?,00000000,?,?,?,?,?), ref: 00BE8124
      • Part of subcall function 00BDCC4F: memcpy.MSVCRT ref: 00BDCC64
      • Part of subcall function 00BDCC4F: SetEvent.KERNEL32 ref: 00BDCC74
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • memset.MSVCRT ref: 00BCB106
    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,?,?,00000000), ref: 00BCB13E
    • memcpy.MSVCRT ref: 00BCB159
    • CloseHandle.KERNEL32(?), ref: 00BCB16E
    • CloseHandle.KERNEL32(00000000), ref: 00BCB174
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BEC09D: CreateMutexW.KERNEL32(00BF49B4,00000000), ref: 00BEC0BF
      • Part of subcall function 00BD204E: memcpy.MSVCRT ref: 00BD205C
      • Part of subcall function 00BD8432: CreateFileW.KERNEL32(00E81EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BD844B
      • Part of subcall function 00BD8432: GetFileSizeEx.KERNEL32 ref: 00BD845E
      • Part of subcall function 00BD8432: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00BD8484
      • Part of subcall function 00BD8432: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00BD849C
      • Part of subcall function 00BD8432: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00BD84BA
      • Part of subcall function 00BD8432: CloseHandle.KERNEL32 ref: 00BD84C3
    • memset.MSVCRT ref: 00BDB42B
    • memcpy.MSVCRT ref: 00BDB457
      • Part of subcall function 00BE6875: GetSystemTime.KERNEL32 ref: 00BE687F
      • Part of subcall function 00BD24F3: HeapAlloc.KERNEL32(00000000,?,?,?,00BC6328,?,?,00BE8D10,?,?,?,?,0000FFFF), ref: 00BD251D
      • Part of subcall function 00BD24F3: HeapReAlloc.KERNEL32(00000000,?,?,?,?,00BC6328,?,?,00BE8D10,?,?,?,?,0000FFFF), ref: 00BD2530
      • Part of subcall function 00BC71D5: memcpy.MSVCRT ref: 00BC72E6
    • CreateFileW.KERNEL32(00BBAF54,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 00BDB55C
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00BDB578
      • Part of subcall function 00BE5934: CloseHandle.KERNEL32 ref: 00BE5940
      • Part of subcall function 00BC766D: ReleaseMutex.KERNEL32 ref: 00BC7671
      • Part of subcall function 00BC766D: CloseHandle.KERNEL32 ref: 00BC7678
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
      • Part of subcall function 00BDB161: memset.MSVCRT ref: 00BDB170
      • Part of subcall function 00BDB161: memset.MSVCRT ref: 00BDB1B3
      • Part of subcall function 00BDB161: memset.MSVCRT ref: 00BDB1E9
      • Part of subcall function 00BE0370: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00BE037F
      • Part of subcall function 00BDFE5C: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00BDFEC2
      • Part of subcall function 00BDFE5C: memcpy.MSVCRT ref: 00BDFEDC
      • Part of subcall function 00BDFE5C: VirtualProtect.KERNEL32(?,?,00000002,-00000048), ref: 00BDFEEF
      • Part of subcall function 00BDFE5C: memset.MSVCRT ref: 00BDFF46
      • Part of subcall function 00BDFE5C: memcpy.MSVCRT ref: 00BDFF5A
      • Part of subcall function 00BDFE5C: VirtualProtect.KERNEL32(?,?,?,-00000048), ref: 00BE0049
      • Part of subcall function 00BC73E0: memcmp.MSVCRT ref: 00BC7489
      • Part of subcall function 00BD84D3: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00BD84E4
      • Part of subcall function 00BD84D3: CloseHandle.KERNEL32 ref: 00BD84F3
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • LoadLibraryW.KERNEL32(urlmon.dll), ref: 00BCC8D4
    • GetProcAddress.KERNEL32(?,ObtainUserAgentString), ref: 00BCC8EA
    • FreeLibrary.KERNEL32 ref: 00BCC935
      • Part of subcall function 00BD24DA: HeapAlloc.KERNEL32(00000008,?,?,00BCB076,?,?,?,00000000,?,?,00000000,00BEAA69,?,00BEADD5), ref: 00BD24EB
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00BF5AA4,?,?,00BEAA21,?,00BEADD5,?,?,?,00000001), ref: 00BD1EE6
    • LeaveCriticalSection.KERNEL32(00BF5AA4,?,?,00BEAA21,?,00BEADD5,?,?,?,00000001), ref: 00BD1F0E
      • Part of subcall function 00BD1E94: GetModuleHandleW.KERNEL32(shell32.dll), ref: 00BD1EA2
      • Part of subcall function 00BD1E94: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00BD1EAE
      • Part of subcall function 00BD1E94: SetLastError.KERNEL32(00000001,00BC8F04,00BF47C0,?,00BF4DF4,00000000,00000006,00BEBD7A,00BF4DF4,-00000258,?,00000000), ref: 00BD1EC6
    • IsWow64Process.KERNEL32(000000FF), ref: 00BD1F37
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BD2456: EnterCriticalSection.KERNEL32(00BF5AA4,00000028,00BD24C9,?,00BED211,?,?,00000000,?,?,00000001), ref: 00BD2466
      • Part of subcall function 00BD2456: LeaveCriticalSection.KERNEL32(00BF5AA4,?,00BED211,?,?,00000000,?,?,00000001), ref: 00BD2490
    • HeapAlloc.KERNEL32(00000000,00000028,?,00BED211,?,?,00000000,?,?,00000001), ref: 00BD24D2
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BC8F6F: memcpy.MSVCRT ref: 00BC8FE0
      • Part of subcall function 00BC8F6F: PathRemoveBackslashW.SHLWAPI ref: 00BC8FEA
      • Part of subcall function 00BC8F6F: memcpy.MSVCRT ref: 00BC9033
      • Part of subcall function 00BC8F6F: memcpy.MSVCRT ref: 00BC9060
      • Part of subcall function 00BC8F6F: PathRemoveBackslashW.SHLWAPI ref: 00BC906A
    • FindFirstFileW.KERNEL32 ref: 00BE9555
    • SetLastError.KERNEL32(?,?,?,?,?,?,00BBAB64), ref: 00BE9680
      • Part of subcall function 00BE96F5: PathMatchSpecW.SHLWAPI(00000010), ref: 00BE9722
      • Part of subcall function 00BE96F5: PathMatchSpecW.SHLWAPI(00000010), ref: 00BE9741
    • FindNextFileW.KERNEL32(?,?), ref: 00BE964A
    • GetLastError.KERNEL32(?,?,?,?,00BBAB64), ref: 00BE9663
    • FindClose.KERNEL32 ref: 00BE9679
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BCB764: EnterCriticalSection.KERNEL32(00BF5AA4,?,00BCB826,?,00BEC86A,00BDC4AB,00BDC4AB,?,00BDC4AB,?,00000001), ref: 00BCB774
      • Part of subcall function 00BCB764: LeaveCriticalSection.KERNEL32(00BF5AA4,?,00BCB826,?,00BEC86A,00BDC4AB,00BDC4AB,?,00BDC4AB,?,00000001), ref: 00BCB79E
    • socket.WS2_32(?,00000002,00000000), ref: 00BCC0DF
    • WSAIoctl.WS2_32(?,48000016,00000000,00000000,?,00000000,?,00000000,00000000), ref: 00BCC112
    • WSAGetLastError.WS2_32(?,48000016,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00000002,00000000,00000000,?,?), ref: 00BCC119
      • Part of subcall function 00BD24DA: HeapAlloc.KERNEL32(00000008,?,?,00BCB076,?,?,?,00000000,?,?,00000000,00BEAA69,?,00BEADD5), ref: 00BD24EB
    • WSAIoctl.WS2_32(?,48000016,00000000,00000000,?,?,?,00000000,00000000), ref: 00BCC14D
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
    • closesocket.WS2_32 ref: 00BCC15D
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BC8F6F: memcpy.MSVCRT ref: 00BC8FE0
      • Part of subcall function 00BC8F6F: PathRemoveBackslashW.SHLWAPI ref: 00BC8FEA
      • Part of subcall function 00BC8F6F: memcpy.MSVCRT ref: 00BC9033
      • Part of subcall function 00BC8F6F: memcpy.MSVCRT ref: 00BC9060
      • Part of subcall function 00BC8F6F: PathRemoveBackslashW.SHLWAPI ref: 00BC906A
    • FindFirstFileW.KERNEL32(?), ref: 00BC9170
      • Part of subcall function 00BE5E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00BE5E26
      • Part of subcall function 00BE5E1D: DeleteFileW.KERNEL32 ref: 00BE5E2D
    • FindNextFileW.KERNEL32(?,?), ref: 00BC91C2
    • FindClose.KERNEL32 ref: 00BC91CD
    • SetFileAttributesW.KERNEL32(?,00000080), ref: 00BC91D9
    • RemoveDirectoryW.KERNEL32 ref: 00BC91E0
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BC8F6F: memcpy.MSVCRT ref: 00BC8FE0
      • Part of subcall function 00BC8F6F: PathRemoveBackslashW.SHLWAPI ref: 00BC8FEA
      • Part of subcall function 00BC8F6F: memcpy.MSVCRT ref: 00BC9033
      • Part of subcall function 00BC8F6F: memcpy.MSVCRT ref: 00BC9060
      • Part of subcall function 00BC8F6F: PathRemoveBackslashW.SHLWAPI ref: 00BC906A
    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00BE0405
    • SetFileAttributesW.KERNEL32(?), ref: 00BE0424
    • CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,?,00000000), ref: 00BE043B
    • GetLastError.KERNEL32 ref: 00BE0448
    • CloseHandle.KERNEL32 ref: 00BE0481
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00E827E8,00E827E8,?,?,?,00BEC6E4,?,?,?,?,?,00000009,00000000,?,?,3D920600), ref: 00BEC42A
    • LeaveCriticalSection.KERNEL32(00E827E8,?,3D920600,?), ref: 00BEC511
      • Part of subcall function 00BD24C1: HeapAlloc.KERNEL32(00000000,00000028,?,00BED211,?,?,00000000,?,?,00000001), ref: 00BD24D2
    • memcpy.MSVCRT ref: 00BEC49B
    • memcpy.MSVCRT ref: 00BEC4BF
    • memcpy.MSVCRT ref: 00BEC4D6
    • memcpy.MSVCRT ref: 00BEC4F6
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • PathFindFileNameW.SHLWAPI(?), ref: 00BD4C02
      • Part of subcall function 00BC9E88: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00BC9E9D
      • Part of subcall function 00BC9E88: StrCmpIW.SHLWAPI ref: 00BC9EA7
    • CreateFileW.KERNEL32(?,80000000,00000007,?,00000003,00000080), ref: 00BD4C31
      • Part of subcall function 00BD24C1: HeapAlloc.KERNEL32(00000000,00000028,?,00BED211,?,?,00000000,?,?,00000001), ref: 00BD24D2
    • SetLastError.KERNEL32(00000057,?,?,00000003,00000080), ref: 00BD4C96
      • Part of subcall function 00BE5B34: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00BE5B46
      • Part of subcall function 00BE5934: CloseHandle.KERNEL32 ref: 00BE5940
    • CharLowerW.USER32 ref: 00BD4CF6
      • Part of subcall function 00BD204E: memcpy.MSVCRT ref: 00BD205C
      • Part of subcall function 00BE868E: EnterCriticalSection.KERNEL32(00BF5AA4,?,00BEAA5B,?,00BEADD5,?,?,?,00000001), ref: 00BE869E
      • Part of subcall function 00BE868E: LeaveCriticalSection.KERNEL32(00BF5AA4,?,00BEAA5B,?,00BEADD5,?,?,?,00000001), ref: 00BE86C4
      • Part of subcall function 00BE570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00BEABEA,00BEABEA), ref: 00BE573C
      • Part of subcall function 00BC8F6F: memcpy.MSVCRT ref: 00BC8FE0
      • Part of subcall function 00BC8F6F: PathRemoveBackslashW.SHLWAPI ref: 00BC8FEA
      • Part of subcall function 00BC8F6F: memcpy.MSVCRT ref: 00BC9033
      • Part of subcall function 00BC8F6F: memcpy.MSVCRT ref: 00BC9060
      • Part of subcall function 00BC8F6F: PathRemoveBackslashW.SHLWAPI ref: 00BC906A
    • memcmp.MSVCRT ref: 00BD4E48
    • GetTickCount.KERNEL32 ref: 00BD4E55
      • Part of subcall function 00BE07EE: RegSetValueExW.ADVAPI32(00000000,000000FE,?,00000000,?,?), ref: 00BE0823
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
      • Part of subcall function 00BE5AB0: GetFileSizeEx.KERNEL32 ref: 00BE5ABB
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00BEAECF
      • Part of subcall function 00BDC90D: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 00BDC93C
      • Part of subcall function 00BDC90D: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00BDC97B
      • Part of subcall function 00BDC90D: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00BDC9A2
    • DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00BEAF0A
    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00BEAF4A
    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00BEAF6D
      • Part of subcall function 00BEA976: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00BEA999
      • Part of subcall function 00BEA976: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00BEA9B1
      • Part of subcall function 00BEA976: DuplicateHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000001), ref: 00BEA9CC
    • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00BEAFBD
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00BDCB1D
      • Part of subcall function 00BCC830: HttpQueryInfoA.WININET(00BDCB41,40000009,?,?,00000000), ref: 00BCC897
      • Part of subcall function 00BCC830: memset.MSVCRT ref: 00BCC8AD
    • GetSystemTime.KERNEL32(?), ref: 00BDCB54
      • Part of subcall function 00BDB7FF: EnterCriticalSection.KERNEL32(00BF47FC,?,?,00BE59A9,00000000), ref: 00BDB80C
      • Part of subcall function 00BDB7FF: LeaveCriticalSection.KERNEL32(00BF47FC,?,?,00BE59A9,00000000), ref: 00BDB81A
    • Sleep.KERNEL32(000005DC), ref: 00BDCB6D
    • WaitForSingleObject.KERNEL32(?,000005DC), ref: 00BDCB76
    • lstrcpyA.KERNEL32 ref: 00BDCBD4
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BCB7D0: socket.WS2_32(?,?,00000006), ref: 00BCB804
    • connect.WS2_32(?,?), ref: 00BCBB93
    • WSAGetLastError.WS2_32(?,00000000,?,?,?,00BDC4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 00BCBBA2
    • WSASetLastError.WS2_32(00000000), ref: 00BCBC00
      • Part of subcall function 00BCB979: shutdown.WS2_32(?,00000002), ref: 00BCB987
      • Part of subcall function 00BCB979: closesocket.WS2_32 ref: 00BCB990
      • Part of subcall function 00BCB979: WSACloseEvent.WS2_32 ref: 00BCB9A3
      • Part of subcall function 00BCB928: WSACreateEvent.WS2_32(00000000,?,00BCBB6E,00000033,00000000,?,?,?,00BDC4F0,?,00003A98,?,00000000,?,00000003), ref: 00BCB93E
      • Part of subcall function 00BCB928: WSAEventSelect.WS2_32(?,?,00000033), ref: 00BCB954
      • Part of subcall function 00BCB928: WSACloseEvent.WS2_32 ref: 00BCB968
    • WSASetLastError.WS2_32(?,?,?,?,00BDC4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 00BCBBC0
    • WSAGetLastError.WS2_32(?,?,?,00BDC4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 00BCBBC2
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00E81F44,?,?,?,00BEB2F2,?,?,00000001), ref: 00BC8DEF
    • LeaveCriticalSection.KERNEL32(00E81F44,?,?,?,00BEB2F2,?,?,00000001), ref: 00BC8DF9
    • WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00BC8E1F
    • EnterCriticalSection.KERNEL32(00E81F44,?,?,?,00BEB2F2,?,?,00000001), ref: 00BC8E37
    • LeaveCriticalSection.KERNEL32(00E81F44,?,?,?,00BEB2F2,?,?,00000001), ref: 00BC8E41
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • memset.MSVCRT ref: 00BC865F
      • Part of subcall function 00BC9F5F: memcpy.MSVCRT ref: 00BC9F99
    • CharLowerW.USER32 ref: 00BC86A3
    • CharUpperW.USER32(?,?,00000001), ref: 00BC86B4
    • CharLowerW.USER32 ref: 00BC86C8
    • CharUpperW.USER32(?,00000001), ref: 00BC86D2
    • memcmp.MSVCRT ref: 00BC86E7
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BC6A4D: TlsSetValue.KERNEL32(00000001,00BDA796), ref: 00BC6A5A
      • Part of subcall function 00BDCC26: ResetEvent.KERNEL32 ref: 00BDCC42
    • WSAGetOverlappedResult.WS2_32(?,?,?,00000000), ref: 00BE81AA
    • WSAGetLastError.WS2_32(?,?,?,00000000), ref: 00BE81B4
    • WSAGetLastError.WS2_32(?,?,?,00000000), ref: 00BE82BD
    • WSAGetLastError.WS2_32(?,?,?,00000000), ref: 00BE82C6
    • UnregisterWait.KERNEL32(?), ref: 00BE82EB
    • TlsSetValue.KERNEL32(00000000), ref: 00BE8316
      • Part of subcall function 00BDCC4F: memcpy.MSVCRT ref: 00BDCC64
      • Part of subcall function 00BDCC4F: SetEvent.KERNEL32 ref: 00BDCC74
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • memset.MSVCRT ref: 00BEBE2B
    • GetComputerNameW.KERNEL32 ref: 00BEBE5F
    • GetVersionExW.KERNEL32 ref: 00BEBE88
    • memset.MSVCRT ref: 00BEBEA7
      • Part of subcall function 00BE0775: RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BE079C
      • Part of subcall function 00BE0755: RegFlushKey.ADVAPI32 ref: 00BE0765
      • Part of subcall function 00BE0755: RegCloseKey.ADVAPI32 ref: 00BE076D
      • Part of subcall function 00BE93C4: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00BE9433
      • Part of subcall function 00BE93C4: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00BE9458
    • memset.MSVCRT ref: 00BEBFAC
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
      • Part of subcall function 00BE9393: CryptDestroyHash.ADVAPI32 ref: 00BE93AB
      • Part of subcall function 00BE9393: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00BE93BC
      • Part of subcall function 00BE946B: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 00BE94AA
      • Part of subcall function 00BE0A1D: RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 00BE0A3A
      • Part of subcall function 00BE08A8: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00BE0903
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,?,00000004,00BEFD90,00000000,?,?,?,?,?,?,?,00BEEA72), ref: 00BEFC78
    • HeapCreate.KERNEL32(00040001,00000000,00000000), ref: 00BEFCB2
    • HeapAlloc.KERNEL32(?,00000000,0000000B,?,?,?,?,00000004,00BEFD90,00000000), ref: 00BEFCCF
    • HeapFree.KERNEL32(?,00000000,?,?,00000000,0000000B,?,?,?,?,00000004,00BEFD90,00000000), ref: 00BEFCF7
    • memcpy.MSVCRT ref: 00BEFD07
      • Part of subcall function 00BC6D72: EnterCriticalSection.KERNEL32(00BF468C,00000000,00BD4F6E,?,000000FF), ref: 00BC6D7E
      • Part of subcall function 00BC6D72: LeaveCriticalSection.KERNEL32(00BF468C,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00E81EF0), ref: 00BC6D8E
      • Part of subcall function 00BE9DDC: GetCurrentThreadId.KERNEL32 ref: 00BE9DED
      • Part of subcall function 00BE9DDC: memcpy.MSVCRT ref: 00BE9F56
      • Part of subcall function 00BE9DDC: VirtualProtect.KERNEL32(?,?,00000040,00000000), ref: 00BE9FE2
      • Part of subcall function 00BE9DDC: GetLastError.KERNEL32(?,00000040,00000000,?,?,00000000), ref: 00BE9FEC
      • Part of subcall function 00BC6D9C: LeaveCriticalSection.KERNEL32(00BF468C,00BC6E01,00000001,00000000,00000000,?,00BD4F82,00000001,00000000,?,000000FF), ref: 00BC6DA6
      • Part of subcall function 00BC6DAD: LeaveCriticalSection.KERNEL32(00BF468C,?,00BC6E13,00000001,00000000,00000000,?,00BD4F82,00000001,00000000,?,000000FF), ref: 00BC6DBA
    • LeaveCriticalSection.KERNEL32(?,?,00000000,0000000B,?,?,?,?,00000004,00BEFD90,00000000), ref: 00BEFD4B
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,77C475F0), ref: 00BD8A9B
      • Part of subcall function 00BE7CEC: WaitForSingleObject.KERNEL32(?,00000000), ref: 00BE7CF8
    • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,77C475F0), ref: 00BD8B2D
      • Part of subcall function 00BD8626: getsockopt.WS2_32(?,0000FFFF,00001008,00BB9417,00BB9417), ref: 00BD86B2
      • Part of subcall function 00BD8626: GetHandleInformation.KERNEL32 ref: 00BD86C4
      • Part of subcall function 00BD8626: socket.WS2_32(?,00000001,00000006), ref: 00BD86F7
      • Part of subcall function 00BD8626: socket.WS2_32(?,00000002,00000011), ref: 00BD8708
      • Part of subcall function 00BD8626: closesocket.WS2_32(?), ref: 00BD8727
      • Part of subcall function 00BD8626: closesocket.WS2_32 ref: 00BD872E
      • Part of subcall function 00BD8626: memset.MSVCRT ref: 00BD87F2
      • Part of subcall function 00BD8626: memcpy.MSVCRT ref: 00BD8902
    • SetEvent.KERNEL32 ref: 00BD8B80
    • SetEvent.KERNEL32 ref: 00BD8BB9
      • Part of subcall function 00BE7CD3: SetEvent.KERNEL32 ref: 00BE7CE3
    • LeaveCriticalSection.KERNEL32(?,?,?,?,77C475F0), ref: 00BD8C3E
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BEACAD: GetModuleHandleW.KERNEL32(00000000), ref: 00BEACF4
      • Part of subcall function 00BEACAD: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00BEAD59
      • Part of subcall function 00BEACAD: Process32FirstW.KERNEL32 ref: 00BEAD74
      • Part of subcall function 00BEACAD: PathFindFileNameW.SHLWAPI ref: 00BEAD87
      • Part of subcall function 00BEACAD: StrCmpNIW.SHLWAPI(rapport,?,00000007), ref: 00BEAD99
      • Part of subcall function 00BEACAD: Process32NextW.KERNEL32(?,?), ref: 00BEADA9
      • Part of subcall function 00BEACAD: CloseHandle.KERNEL32 ref: 00BEADB4
      • Part of subcall function 00BEACAD: WSAStartup.WS2_32(00000202), ref: 00BEADC4
      • Part of subcall function 00BEACAD: CreateEventW.KERNEL32(00BF49B4,00000001,00000000,00000000), ref: 00BEADEC
      • Part of subcall function 00BEACAD: GetLengthSid.ADVAPI32(?,?,?,?,00000001), ref: 00BEAE22
      • Part of subcall function 00BEACAD: GetCurrentProcessId.KERNEL32 ref: 00BEAE4D
    • SetErrorMode.KERNEL32(00008007), ref: 00BEB851
    • GetCommandLineW.KERNEL32 ref: 00BEB85D
    • CommandLineToArgvW.SHELL32 ref: 00BEB864
    • LocalFree.KERNEL32 ref: 00BEB8A1
    • ExitProcess.KERNEL32(00000001), ref: 00BEB8B2
      • Part of subcall function 00BEB4AA: CreateMutexW.KERNEL32(00BF49B4,00000001), ref: 00BEB550
      • Part of subcall function 00BEB4AA: GetLastError.KERNEL32(?,38901130,?,00000001,?,?,00000001,?,?,?,00BEB8C7), ref: 00BEB560
      • Part of subcall function 00BEB4AA: CloseHandle.KERNEL32 ref: 00BEB56E
      • Part of subcall function 00BEB4AA: lstrlenW.KERNEL32 ref: 00BEB5D0
      • Part of subcall function 00BEB4AA: ExitWindowsEx.USER32(00000014,80000000), ref: 00BEB615
      • Part of subcall function 00BEB4AA: OpenEventW.KERNEL32(00000002,00000000), ref: 00BEB63B
      • Part of subcall function 00BEB4AA: SetEvent.KERNEL32 ref: 00BEB648
      • Part of subcall function 00BEB4AA: CloseHandle.KERNEL32 ref: 00BEB64F
      • Part of subcall function 00BEB4AA: Sleep.KERNEL32(00007530), ref: 00BEB674
      • Part of subcall function 00BEB4AA: InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000001,80000000), ref: 00BEB68C
      • Part of subcall function 00BEB4AA: Sleep.KERNEL32(000000FF), ref: 00BEB694
      • Part of subcall function 00BEB4AA: CloseHandle.KERNEL32 ref: 00BEB697
      • Part of subcall function 00BEB4AA: IsWellKnownSid.ADVAPI32(00E81EC0,00000016), ref: 00BEB6E5
      • Part of subcall function 00BEB4AA: CreateEventW.KERNEL32(00BF49B4,00000001,00000000), ref: 00BEB7B4
      • Part of subcall function 00BEB4AA: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00BEB7CD
      • Part of subcall function 00BEB4AA: WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,000000FF), ref: 00BEB7DF
      • Part of subcall function 00BEB4AA: CloseHandle.KERNEL32(00000000), ref: 00BEB7F6
      • Part of subcall function 00BEB4AA: CloseHandle.KERNEL32(?), ref: 00BEB7FC
      • Part of subcall function 00BEB4AA: CloseHandle.KERNEL32(?), ref: 00BEB802
    • Sleep.KERNEL32(000000FF), ref: 00BEB8D8
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BCBA34: getsockopt.WS2_32(?,0000FFFF,00002004), ref: 00BCBA5A
      • Part of subcall function 00BD3A22: select.WS2_32(00000000,?,00000000,00000000), ref: 00BD3A81
      • Part of subcall function 00BD3A22: recv.WS2_32(?,?,?,00000000), ref: 00BD3A91
    • getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 00BDEDB2
    • memcpy.MSVCRT ref: 00BDEDEA
    • FreeAddrInfoW.WS2_32(?), ref: 00BDEDF8
    • memset.MSVCRT ref: 00BDEE13
      • Part of subcall function 00BDEC55: getpeername.WS2_32(?,?,?), ref: 00BDEC79
      • Part of subcall function 00BDEC55: getsockname.WS2_32(?,?,?), ref: 00BDEC91
      • Part of subcall function 00BDEC55: send.WS2_32(00000000,00000000,00000008,00000000), ref: 00BDECC2
      • Part of subcall function 00BD3BBE: socket.WS2_32(?,00000001,00000006), ref: 00BD3BCA
      • Part of subcall function 00BD3BBE: bind.WS2_32 ref: 00BD3BE7
      • Part of subcall function 00BD3BBE: listen.WS2_32(?,00000001), ref: 00BD3BF4
      • Part of subcall function 00BD3BBE: WSAGetLastError.WS2_32(?,?,?,?,00000001,00000006,?,?,00BDEE5F,?,?,?), ref: 00BD3BFE
      • Part of subcall function 00BD3BBE: closesocket.WS2_32 ref: 00BD3C07
      • Part of subcall function 00BD3BBE: WSASetLastError.WS2_32(?,?,?,?,?,?,00000001,00000006,?,?,00BDEE5F,?,?,?), ref: 00BD3C0E
      • Part of subcall function 00BD3D73: accept.WS2_32(?,00000000), ref: 00BD3D94
      • Part of subcall function 00BD3AD3: socket.WS2_32(?,00000001,00000006), ref: 00BD3ADF
      • Part of subcall function 00BD3AD3: connect.WS2_32 ref: 00BD3AFC
      • Part of subcall function 00BD3AD3: closesocket.WS2_32 ref: 00BD3B07
      • Part of subcall function 00BCC06E: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 00BCC082
      • Part of subcall function 00BD3C1C: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00BD3C44
      • Part of subcall function 00BD3C1C: recv.WS2_32(?,?,00000400,00000000), ref: 00BD3C70
      • Part of subcall function 00BD3C1C: send.WS2_32(?,?,?,00000000), ref: 00BD3C92
      • Part of subcall function 00BD3C1C: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00BD3CBF
      • Part of subcall function 00BD3D9E: shutdown.WS2_32(?,00000002), ref: 00BD3DA9
      • Part of subcall function 00BD3D9E: closesocket.WS2_32 ref: 00BD3DB0
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BE868E: EnterCriticalSection.KERNEL32(00BF5AA4,?,00BEAA5B,?,00BEADD5,?,?,?,00000001), ref: 00BE869E
      • Part of subcall function 00BE868E: LeaveCriticalSection.KERNEL32(00BF5AA4,?,00BEAA5B,?,00BEADD5,?,?,?,00000001), ref: 00BE86C4
    • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00BD54CE
    • GetProcAddress.KERNEL32(?,GetProductInfo), ref: 00BD54DE
    • GetSystemDefaultUILanguage.KERNEL32(?,?,?,00BD51C2), ref: 00BD5519
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • GetTempPathW.KERNEL32(00000104), ref: 00BE1B17
    • lstrcpyA.KERNEL32(?,00BBC28A,00000000,00BE1DA8,?,?,?,00BE1DA8,?,?,?,?,?,?,?,00BEA7AA), ref: 00BE1BAE
    • lstrcpynA.KERNEL32(?,?\C,00000003,?,00BBC28A,00000000,00BE1DA8,?,?,?,00BE1DA8), ref: 00BE1BC4
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • VerQueryValueW.VERSION(?,\VarFileInfo\Translation), ref: 00BD4FEE
    • VerQueryValueW.VERSION(?,?,?,?,\VarFileInfo\Translation), ref: 00BD505B
      • Part of subcall function 00BC9E88: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00BC9E9D
      • Part of subcall function 00BC9E88: StrCmpIW.SHLWAPI ref: 00BC9EA7
    Strings
    • \VarFileInfo\Translation, xrefs: 00BD4FE7
    • \StringFileInfo\%04x%04x\%s, xrefs: 00BD5030
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • GetProcAddress.KERNEL32(?,GdipCreateBitmapFromHBITMAP), ref: 00BE129A
    • GetProcAddress.KERNEL32(?,GdipDisposeImage), ref: 00BE12A5
      • Part of subcall function 00BE12E6: GetProcAddress.KERNEL32(?,GdipGetImageEncodersSize), ref: 00BE1304
      • Part of subcall function 00BE12E6: GetProcAddress.KERNEL32(?,GdipGetImageEncoders), ref: 00BE130F
      • Part of subcall function 00BE12E6: GetProcAddress.KERNEL32(?,GdipSaveImageToStream), ref: 00BE131A
      • Part of subcall function 00BE12E6: lstrcmpiW.KERNEL32(?), ref: 00BE13A7
      • Part of subcall function 00BE12E6: memcpy.MSVCRT ref: 00BE13CA
      • Part of subcall function 00BE12E6: CreateStreamOnHGlobal.OLE32(00000000,00000001), ref: 00BE13F5
      • Part of subcall function 00BE12E6: memcpy.MSVCRT ref: 00BE1423
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00BDA111), ref: 00BD93BE
    • LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00BDA111), ref: 00BD94E9
      • Part of subcall function 00BD1A4F: memcmp.MSVCRT ref: 00BD1A6B
    • memcpy.MSVCRT ref: 00BD9419
    • LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00BDA111,?,00000002), ref: 00BD9429
      • Part of subcall function 00BDB7FF: EnterCriticalSection.KERNEL32(00BF47FC,?,?,00BE59A9,00000000), ref: 00BDB80C
      • Part of subcall function 00BDB7FF: LeaveCriticalSection.KERNEL32(00BF47FC,?,?,00BE59A9,00000000), ref: 00BDB81A
    • EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 00BD945D
      • Part of subcall function 00BE6875: GetSystemTime.KERNEL32 ref: 00BE687F
      • Part of subcall function 00BD1728: memcpy.MSVCRT ref: 00BD1771
      • Part of subcall function 00BD1858: memcpy.MSVCRT ref: 00BD1935
      • Part of subcall function 00BD1858: memcpy.MSVCRT ref: 00BD1956
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00BD3C44
    • recv.WS2_32(?,?,00000400,00000000), ref: 00BD3C70
    • send.WS2_32(?,?,?,00000000), ref: 00BD3C92
    • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00BD3CBF
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,00BD2B51,00000005,00007530,?,00000000,00000000), ref: 00BC8CC7
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00BC8CEB
    • CloseHandle.KERNEL32 ref: 00BC8CFB
      • Part of subcall function 00BD24F3: HeapAlloc.KERNEL32(00000000,?,?,?,00BC6328,?,?,00BE8D10,?,?,?,?,0000FFFF), ref: 00BD251D
      • Part of subcall function 00BD24F3: HeapReAlloc.KERNEL32(00000000,?,?,?,?,00BC6328,?,?,00BE8D10,?,?,?,?,0000FFFF), ref: 00BD2530
    • LeaveCriticalSection.KERNEL32(?,?,?,?,00BD2B51,00000005,00007530,?,00000000,00000000), ref: 00BC8D2B
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,?,00BC7F4D,00000001,?,00000001,?), ref: 00BCA655
    • memcpy.MSVCRT ref: 00BCA6D1
    • memcpy.MSVCRT ref: 00BCA6E5
    • memcpy.MSVCRT ref: 00BCA70F
    • LeaveCriticalSection.KERNEL32(?,?,?,00000001,?,?,?,?,00BC7F4D,00000001,?,00000001,?), ref: 00BCA735
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00BF5AA4), ref: 00BD27D6
    • LeaveCriticalSection.KERNEL32(00BF5AA4), ref: 00BD27FC
      • Part of subcall function 00BD275F: InitializeCriticalSection.KERNEL32(00BF50C8), ref: 00BD2764
      • Part of subcall function 00BD275F: memset.MSVCRT ref: 00BD2773
    • EnterCriticalSection.KERNEL32(00BF50C8), ref: 00BD2807
    • LeaveCriticalSection.KERNEL32(00BF50C8), ref: 00BD287F
      • Part of subcall function 00BDB1FD: PathRenameExtensionW.SHLWAPI ref: 00BDB26F
      • Part of subcall function 00BDB286: memset.MSVCRT ref: 00BDB42B
      • Part of subcall function 00BDB286: memcpy.MSVCRT ref: 00BDB457
      • Part of subcall function 00BDB286: CreateFileW.KERNEL32(00BBAF54,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 00BDB55C
      • Part of subcall function 00BDB286: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00BDB578
    • Sleep.KERNEL32(000007D0), ref: 00BD2872
      • Part of subcall function 00BDB61E: memset.MSVCRT ref: 00BDB640
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • LoadLibraryW.KERNEL32 ref: 00BE4736
    • GetProcAddress.KERNEL32 ref: 00BE475E
    • StrChrA.SHLWAPI(?,00000040), ref: 00BE4885
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
    • StrChrW.SHLWAPI(?,00000040,?,?,?,?,?,?,?,?,00000000,00000000,?,?,?,00000000), ref: 00BE4866
      • Part of subcall function 00BDD12D: lstrlenW.KERNEL32(00BBC448), ref: 00BDD149
      • Part of subcall function 00BDD12D: lstrlenW.KERNEL32 ref: 00BDD14F
      • Part of subcall function 00BDD12D: memcpy.MSVCRT ref: 00BDD173
    • FreeLibrary.KERNEL32 ref: 00BE496B
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • memcpy.MSVCRT ref: 00BDDA9F
      • Part of subcall function 00BDD8E8: memcpy.MSVCRT ref: 00BDD8FF
      • Part of subcall function 00BDD8E8: CharLowerA.USER32 ref: 00BDD9CA
      • Part of subcall function 00BDD8E8: CharLowerA.USER32(?), ref: 00BDD9DA
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BCBDD5: WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,00BC7A9F,?,00000005), ref: 00BCBE0B
      • Part of subcall function 00BCBDD5: WSASetLastError.WS2_32(00002775,?,?,?,?,?,?,?,?,00BC7A9F,?,00000005), ref: 00BCBE6F
    • memcmp.MSVCRT ref: 00BC7AB8
    • memcmp.MSVCRT ref: 00BC7AD0
    • memcpy.MSVCRT ref: 00BC7B05
      • Part of subcall function 00BDDE94: memcpy.MSVCRT ref: 00BDDEA1
      • Part of subcall function 00BDE043: memcpy.MSVCRT ref: 00BDE070
      • Part of subcall function 00BDADFE: EnterCriticalSection.KERNEL32(?,?,00000002,?,?,00BC7BF5,?,?,00000000,?,00000001,?,0000002C,?,0000002C), ref: 00BDAE37
      • Part of subcall function 00BDADFE: LeaveCriticalSection.KERNEL32(0000002C,?,?,00000002,?,?,00BC7BF5,?,?,00000000,?,00000001,?,0000002C,?,0000002C), ref: 00BDAE5B
      • Part of subcall function 00BC7A05: GetTickCount.KERNEL32 ref: 00BC7A12
      • Part of subcall function 00BCBAC9: memset.MSVCRT ref: 00BCBADE
      • Part of subcall function 00BCBAC9: getsockname.WS2_32(?,00BC7C25), ref: 00BCBAF1
      • Part of subcall function 00BCC091: memcmp.MSVCRT ref: 00BCC0B3
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BD1B16: EnterCriticalSection.KERNEL32(00BF5AA4,?,00BD8DDC,?,?,?,?,00BEB233,?,00000001), ref: 00BD1B26
      • Part of subcall function 00BD1B16: LeaveCriticalSection.KERNEL32(00BF5AA4,?,00BD8DDC,?,?,?,?,00BEB233,?,00000001), ref: 00BD1B50
    • memset.MSVCRT ref: 00BD8E0A
    • memset.MSVCRT ref: 00BD8E16
    • memset.MSVCRT ref: 00BD8E22
    • InitializeCriticalSection.KERNEL32 ref: 00BD8E3A
    • InitializeCriticalSection.KERNEL32 ref: 00BD8E55
    • InitializeCriticalSection.KERNEL32 ref: 00BD8E92
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00E8282C,3D920700), ref: 00BE6D43
      • Part of subcall function 00BE6A55: GetTickCount.KERNEL32 ref: 00BE6A5D
    • LeaveCriticalSection.KERNEL32(00E8282C), ref: 00BE6F22
      • Part of subcall function 00BE6BBC: IsBadReadPtr.KERNEL32 ref: 00BE6C88
      • Part of subcall function 00BE6BBC: IsBadReadPtr.KERNEL32 ref: 00BE6CA7
    • getservbyname.WS2_32(?,00000000), ref: 00BE6DBD
      • Part of subcall function 00BE72A6: memcpy.MSVCRT ref: 00BE747A
      • Part of subcall function 00BE72A6: memcpy.MSVCRT ref: 00BE757A
      • Part of subcall function 00BE6F86: memcpy.MSVCRT ref: 00BE715A
      • Part of subcall function 00BE6F86: memcpy.MSVCRT ref: 00BE725A
    • memcpy.MSVCRT ref: 00BE6E9C
      • Part of subcall function 00BE570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00BEABEA,00BEABEA), ref: 00BE573C
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
      • Part of subcall function 00BE69E1: TlsAlloc.KERNEL32(00E8282C,00BE6EB9,?,?,?,?,00E82820), ref: 00BE69EA
      • Part of subcall function 00BE69E1: TlsGetValue.KERNEL32(?,00000001,00E8282C), ref: 00BE69FC
      • Part of subcall function 00BE69E1: TlsSetValue.KERNEL32(?,?), ref: 00BE6A41
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • lstrcmpA.KERNEL32(?,?\C), ref: 00BE19C6
    • lstrcpyW.KERNEL32(00BE17B0), ref: 00BE19DC
    • lstrcmpA.KERNEL32(?,00BBC28C), ref: 00BE19EC
    • StrCmpNA.SHLWAPI(?,00BBC284,00000002), ref: 00BE1A06
      • Part of subcall function 00BE570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00BEABEA,00BEABEA), ref: 00BE573C
      • Part of subcall function 00BC8F6F: memcpy.MSVCRT ref: 00BC8FE0
      • Part of subcall function 00BC8F6F: PathRemoveBackslashW.SHLWAPI ref: 00BC8FEA
      • Part of subcall function 00BC8F6F: memcpy.MSVCRT ref: 00BC9033
      • Part of subcall function 00BC8F6F: memcpy.MSVCRT ref: 00BC9060
      • Part of subcall function 00BC8F6F: PathRemoveBackslashW.SHLWAPI ref: 00BC906A
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • CertOpenSystemStoreW.CRYPT32(00000000), ref: 00BD7AC3
    • CertDuplicateCertificateContext.CRYPT32(?,?,00000000), ref: 00BD7AD4
    • CertDeleteCertificateFromStore.CRYPT32(?,?,?,00000000), ref: 00BD7ADF
    • CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00BD7AE7
    • CertCloseStore.CRYPT32(?,00000000,?,00000000), ref: 00BD7AF5
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BE0775: RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BE079C
    • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00BE0B87
    • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00BE0BF1
    • RegFlushKey.ADVAPI32(?), ref: 00BE0C1F
    • RegCloseKey.ADVAPI32(?), ref: 00BE0C26
      • Part of subcall function 00BE0A9D: EnterCriticalSection.KERNEL32(00BF5AA4,?,?,?,00BE0C47,?,?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00BE0AB3
      • Part of subcall function 00BE0A9D: LeaveCriticalSection.KERNEL32(00BF5AA4,?,?,?,00BE0C47,?,?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00BE0ADB
      • Part of subcall function 00BE0A9D: GetModuleHandleW.KERNEL32(advapi32.dll), ref: 00BE0AF7
      • Part of subcall function 00BE0A9D: GetProcAddress.KERNEL32 ref: 00BE0AFE
      • Part of subcall function 00BE0A9D: RegDeleteKeyW.ADVAPI32(?), ref: 00BE0B20
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
      • Part of subcall function 00BD24DA: HeapAlloc.KERNEL32(00000008,?,?,00BCB076,?,?,?,00000000,?,?,00000000,00BEAA69,?,00BEADD5), ref: 00BD24EB
      • Part of subcall function 00BE0755: RegFlushKey.ADVAPI32 ref: 00BE0765
      • Part of subcall function 00BE0755: RegCloseKey.ADVAPI32 ref: 00BE076D
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,?,00BD5B49), ref: 00BC6470
      • Part of subcall function 00BD4269: CoCreateInstance.OLE32(?,00000000,00004401,?,?), ref: 00BD427E
    • #2.OLEAUT32(?,00000000,?,?,?,00BD5B49), ref: 00BC64A4
    • #6.OLEAUT32(?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00BD5B49), ref: 00BC64D9
    • CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00BC64F9
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • memcpy.MSVCRT ref: 00BD3CFD
    • memcpy.MSVCRT ref: 00BD3D1A
    • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00BD3D30
    • WSASetLastError.WS2_32(0000274C,?,00000000,00000000,00000000), ref: 00BD3D3F
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BD1B5D: memcmp.MSVCRT ref: 00BD1B69
      • Part of subcall function 00BD1B79: memset.MSVCRT ref: 00BD1B87
      • Part of subcall function 00BD1B79: memcpy.MSVCRT ref: 00BD1BA8
      • Part of subcall function 00BD1B79: memcpy.MSVCRT ref: 00BD1BCE
      • Part of subcall function 00BD1B79: memcpy.MSVCRT ref: 00BD1BF2
    • TryEnterCriticalSection.KERNEL32 ref: 00BD9289
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
    • LeaveCriticalSection.KERNEL32 ref: 00BD9303
    • EnterCriticalSection.KERNEL32 ref: 00BD9322
      • Part of subcall function 00BD1A4F: memcmp.MSVCRT ref: 00BD1A6B
    • LeaveCriticalSection.KERNEL32(?,?,00000001), ref: 00BD936E
      • Part of subcall function 00BD1858: memcpy.MSVCRT ref: 00BD1935
      • Part of subcall function 00BD1858: memcpy.MSVCRT ref: 00BD1956
      • Part of subcall function 00BE6875: GetSystemTime.KERNEL32 ref: 00BE687F
      • Part of subcall function 00BD1728: memcpy.MSVCRT ref: 00BD1771
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • GetUserNameExW.SECUR32(00000002), ref: 00BD3303
    • GetSystemTime.KERNEL32 ref: 00BD3356
    • CharLowerW.USER32(?), ref: 00BD33A6
    • PathRenameExtensionW.SHLWAPI(?), ref: 00BD33D6
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BE8867: EnterCriticalSection.KERNEL32(00BF5AA4,00E81E90,00BE8AE4,?,00E81E90), ref: 00BE8877
      • Part of subcall function 00BE8867: LeaveCriticalSection.KERNEL32(00BF5AA4,?,00E81E90), ref: 00BE88A6
      • Part of subcall function 00BD4FD0: VerQueryValueW.VERSION(?,\VarFileInfo\Translation), ref: 00BD4FEE
      • Part of subcall function 00BD4FD0: VerQueryValueW.VERSION(?,?,?,?,\VarFileInfo\Translation), ref: 00BD505B
    • GetCommandLineW.KERNEL32 ref: 00BE8B5E
    • CommandLineToArgvW.SHELL32 ref: 00BE8B65
    • LocalFree.KERNEL32 ref: 00BE8BA5
      • Part of subcall function 00BD24C1: HeapAlloc.KERNEL32(00000000,00000028,?,00BED211,?,?,00000000,?,?,00000001), ref: 00BD24D2
    • GetModuleHandleW.KERNEL32(?), ref: 00BE8BE7
      • Part of subcall function 00BE8DFE: PathFindFileNameW.SHLWAPI(00000000), ref: 00BE8E3F
      • Part of subcall function 00BE83AF: InitializeCriticalSection.KERNEL32 ref: 00BE83CF
      • Part of subcall function 00BC9E88: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00BC9E9D
      • Part of subcall function 00BC9E88: StrCmpIW.SHLWAPI ref: 00BC9EA7
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,?,?,00BD984D,?,?,00000000,?,?,00000590), ref: 00BD8C7F
      • Part of subcall function 00BE7CEC: WaitForSingleObject.KERNEL32(?,00000000), ref: 00BE7CF8
    • memcmp.MSVCRT ref: 00BD8CCD
      • Part of subcall function 00BC5A03: memcpy.MSVCRT ref: 00BC5A39
      • Part of subcall function 00BC5A03: memcpy.MSVCRT ref: 00BC5A4D
      • Part of subcall function 00BC5A03: memset.MSVCRT ref: 00BC5A5B
    • SetEvent.KERNEL32 ref: 00BD8D0E
    • LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,?,?,00BD984D,?,?,00000000,?,?,00000590), ref: 00BD8D3B
      • Part of subcall function 00BE9175: EnterCriticalSection.KERNEL32(?,?,?,?,00BD9116,?), ref: 00BE917B
      • Part of subcall function 00BE9175: memcmp.MSVCRT ref: 00BE91A7
      • Part of subcall function 00BE9175: memcpy.MSVCRT ref: 00BE91F2
      • Part of subcall function 00BE9175: LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,00000000), ref: 00BE91FE
      • Part of subcall function 00BD920C: TryEnterCriticalSection.KERNEL32 ref: 00BD9289
      • Part of subcall function 00BD920C: LeaveCriticalSection.KERNEL32 ref: 00BD9303
      • Part of subcall function 00BD920C: EnterCriticalSection.KERNEL32 ref: 00BD9322
      • Part of subcall function 00BD920C: LeaveCriticalSection.KERNEL32(?,?,00000001), ref: 00BD936E
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002,00BF3210), ref: 00BF297C
    • DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002), ref: 00BF299C
      • Part of subcall function 00BD24DA: HeapAlloc.KERNEL32(00000008,?,?,00BCB076,?,?,?,00000000,?,?,00000000,00BEAA69,?,00BEADD5), ref: 00BD24EB
      • Part of subcall function 00BED990: memset.MSVCRT ref: 00BED9D3
      • Part of subcall function 00BD204E: memcpy.MSVCRT ref: 00BD205C
      • Part of subcall function 00BD222C: memcpy.MSVCRT ref: 00BD2268
      • Part of subcall function 00BD222C: memcpy.MSVCRT ref: 00BD227D
      • Part of subcall function 00BD222C: memcpy.MSVCRT ref: 00BD22BA
      • Part of subcall function 00BD222C: memcpy.MSVCRT ref: 00BD22F2
    • memset.MSVCRT ref: 00BF2A39
    • memcpy.MSVCRT ref: 00BF2A4B
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • HttpQueryInfoA.WININET(?,0000FFFF,?,?,?), ref: 00BED0BF
    • GetLastError.KERNEL32(?,?,?,00000000,3D94878D,00000000,3D94878D,00BE79EF,?,?,?,?,00000000,?,?,0000203A), ref: 00BED0C5
      • Part of subcall function 00BD24DA: HeapAlloc.KERNEL32(00000008,?,?,00BCB076,?,?,?,00000000,?,?,00000000,00BEAA69,?,00BEADD5), ref: 00BD24EB
    • memcpy.MSVCRT ref: 00BED0F0
    • HttpQueryInfoA.WININET(?,0000FFFF,?,?,?), ref: 00BED109
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BDB7FF: EnterCriticalSection.KERNEL32(00BF47FC,?,?,00BE59A9,00000000), ref: 00BDB80C
      • Part of subcall function 00BDB7FF: LeaveCriticalSection.KERNEL32(00BF47FC,?,?,00BE59A9,00000000), ref: 00BDB81A
    • QueryPerformanceCounter.KERNEL32 ref: 00BE7D3C
    • GetTickCount.KERNEL32 ref: 00BE7D49
      • Part of subcall function 00BD1B16: EnterCriticalSection.KERNEL32(00BF5AA4,?,00BD8DDC,?,?,?,?,00BEB233,?,00000001), ref: 00BD1B26
      • Part of subcall function 00BD1B16: LeaveCriticalSection.KERNEL32(00BF5AA4,?,00BD8DDC,?,?,?,?,00BEB233,?,00000001), ref: 00BD1B50
      • Part of subcall function 00BE93C4: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00BE9433
      • Part of subcall function 00BE93C4: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00BE9458
    • memset.MSVCRT ref: 00BE7D9D
    • memcpy.MSVCRT ref: 00BE7DAD
      • Part of subcall function 00BE9393: CryptDestroyHash.ADVAPI32 ref: 00BE93AB
      • Part of subcall function 00BE9393: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00BE93BC
      • Part of subcall function 00BE946B: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 00BE94AA
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • memcpy.MSVCRT ref: 00BC9894
      • Part of subcall function 00BD204E: memcpy.MSVCRT ref: 00BD205C
    • memcmp.MSVCRT ref: 00BC98B6
      • Part of subcall function 00BE570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00BEABEA,00BEABEA), ref: 00BE573C
    • lstrcmpiW.KERNEL32(00000000,000000FF), ref: 00BC990F
      • Part of subcall function 00BC8F6F: memcpy.MSVCRT ref: 00BC8FE0
      • Part of subcall function 00BC8F6F: PathRemoveBackslashW.SHLWAPI ref: 00BC8FEA
      • Part of subcall function 00BC8F6F: memcpy.MSVCRT ref: 00BC9033
      • Part of subcall function 00BC8F6F: memcpy.MSVCRT ref: 00BC9060
      • Part of subcall function 00BC8F6F: PathRemoveBackslashW.SHLWAPI ref: 00BC906A
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 00BC98DF
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • PathSkipRootW.SHLWAPI ref: 00BC90CD
    • GetFileAttributesW.KERNEL32(00000000), ref: 00BC90FA
    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00BC910E
    • SetLastError.KERNEL32(00000050,?,?,00000000), ref: 00BC9131
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00BC54F7
    • UnhandledExceptionFilter.KERNEL32(00B96DB4), ref: 00BC5502
    • GetCurrentProcess.KERNEL32 ref: 00BC550D
    • TerminateProcess.KERNEL32 ref: 00BC5514
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BC9219: CharLowerW.USER32(?), ref: 00BC92D4
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
    • ExitWindowsEx.USER32(00000014,80000000), ref: 00BDA47D
    • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,?,80000000), ref: 00BDA4BD
      • Part of subcall function 00BC9BC4: PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00BC9C2E
      • Part of subcall function 00BC9BC4: PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00BC9C75
      • Part of subcall function 00BC9BC4: SetEvent.KERNEL32 ref: 00BC9C84
      • Part of subcall function 00BC9BC4: WaitForSingleObject.KERNEL32 ref: 00BC9C95
      • Part of subcall function 00BC9BC4: CharToOemW.USER32 ref: 00BC9D26
      • Part of subcall function 00BC9BC4: CharToOemW.USER32 ref: 00BC9D36
      • Part of subcall function 00BC9BC4: ExitProcess.KERNEL32(00000000,?,?,00000014,?,?,00000014), ref: 00BC9D9A
      • Part of subcall function 00BED5A0: EnterCriticalSection.KERNEL32(00BF5AA4,00000000,?,?,00BC93C9), ref: 00BED5B6
      • Part of subcall function 00BED5A0: LeaveCriticalSection.KERNEL32(00BF5AA4,?,?,00BC93C9), ref: 00BED5DC
      • Part of subcall function 00BED5A0: CreateMutexW.KERNEL32(00BF49B4,00000000,Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}), ref: 00BED5EE
      • Part of subcall function 00BC766D: ReleaseMutex.KERNEL32 ref: 00BC7671
      • Part of subcall function 00BC766D: CloseHandle.KERNEL32 ref: 00BC7678
    • ExitWindowsEx.USER32(00000014,80000000), ref: 00BDA4D0
      • Part of subcall function 00BCAF99: GetCurrentThread.KERNEL32 ref: 00BCAFAD
      • Part of subcall function 00BCAF99: OpenThreadToken.ADVAPI32 ref: 00BCAFB4
      • Part of subcall function 00BCAF99: GetCurrentProcess.KERNEL32 ref: 00BCAFC4
      • Part of subcall function 00BCAF99: OpenProcessToken.ADVAPI32 ref: 00BCAFCB
      • Part of subcall function 00BCAF99: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege), ref: 00BCAFEC
      • Part of subcall function 00BCAF99: AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 00BCB001
      • Part of subcall function 00BCAF99: GetLastError.KERNEL32 ref: 00BCB00B
      • Part of subcall function 00BCAF99: CloseHandle.KERNEL32(00000001), ref: 00BCB01C
      • Part of subcall function 00BC9395: memcpy.MSVCRT ref: 00BC93B5
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • GetLastError.KERNEL32(3D920680,?,00BC652A), ref: 00BC6E21
      • Part of subcall function 00BEAFD3: WaitForSingleObject.KERNEL32(00000000,00BDA849), ref: 00BEAFDB
    • TlsGetValue.KERNEL32(?,?,00BC652A), ref: 00BC6E3E
    • TlsSetValue.KERNEL32(00000001), ref: 00BC6E50
    • SetLastError.KERNEL32(?,?,00BC652A), ref: 00BC6E60
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BD204E: memcpy.MSVCRT ref: 00BD205C
      • Part of subcall function 00BE570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00BEABEA,00BEABEA), ref: 00BE573C
    • lstrcatW.KERNEL32(?,.dat), ref: 00BD7BA0
    • lstrlenW.KERNEL32 ref: 00BD7BB5
      • Part of subcall function 00BD83CA: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00BD83E6
      • Part of subcall function 00BD83CA: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00BD8409
      • Part of subcall function 00BD83CA: CloseHandle.KERNEL32 ref: 00BD8416
      • Part of subcall function 00BE5E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00BE5E26
      • Part of subcall function 00BE5E1D: DeleteFileW.KERNEL32 ref: 00BE5E2D
      • Part of subcall function 00BC8F6F: memcpy.MSVCRT ref: 00BC8FE0
      • Part of subcall function 00BC8F6F: PathRemoveBackslashW.SHLWAPI ref: 00BC8FEA
      • Part of subcall function 00BC8F6F: memcpy.MSVCRT ref: 00BC9033
      • Part of subcall function 00BC8F6F: memcpy.MSVCRT ref: 00BC9060
      • Part of subcall function 00BC8F6F: PathRemoveBackslashW.SHLWAPI ref: 00BC906A
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00BD7B5E
    • .dat, xrefs: 00BD7B94
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
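The per-function listings above are raw sandbox output. The following Python is an added example, not part of this report and not the sandbox's own signature engine: it parses entries in the `API.MODULE(args), ref: ADDR` form used throughout the listings (with or without the `Part of subcall function ADDR:` prefix), decodes a few of the constants the sandbox recovered at the call sites (SOCK_STREAM/IPPROTO_TCP in `socket`, CALG_MD5 in `CryptCreateHash`, the EWX_* flags in `ExitWindowsEx`, access mask and creation disposition in `CreateFileW`) and tags a block with the behaviour its reachable call set implies. The sample blocks are copied, as subsets, from listings on this page: the `socket`/`bind`/`listen`/`accept` subcalls, the CRYPT32 certificate-store deletion function, the `ExitWindowsEx`/`InitiateSystemShutdownExW` function with its `SeTcbPrivilege` subcall, the `.dat` file writer directly above, and the `CryptCreateHash` subcall. The `?` placeholders are taken to mean an argument the sandbox did not recover; the tag names, rule set and constant tables are this example's own choices.

```python
import re
from collections import namedtuple
from typing import List, Optional, Set

# api/module/args come from the entry; ref is the call-site address, subcall the callee of a
# "Part of subcall function ADDR:" entry (None for direct calls).
ApiRef = namedtuple("ApiRef", "api module args ref subcall")

# Entry shapes: "API.MODULE(args), ref: ADDR" and "API.MODULE ref: ADDR", optional subcall prefix.
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[#\w]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

EWX_FLAGS = {0x1: "EWX_SHUTDOWN", 0x2: "EWX_REBOOT", 0x4: "EWX_FORCE",
             0x8: "EWX_POWEROFF", 0x10: "EWX_FORCEIFHUNG"}
ACCESS_FLAGS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
DISPOSITIONS = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
CALG_NAMES = {0x8003: "CALG_MD5", 0x8004: "CALG_SHA1"}


def parse_block(text: str) -> List[ApiRef]:
    """Parse one 'APIs' block; non-entry lines ('APIs', 'Strings', blanks) are skipped."""
    refs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw, sub = m.group("args"), m.group("sub")
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        refs.append(ApiRef(m.group("api"), m.group("mod"), args,
                           int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return refs


def arg_int(arg: str) -> Optional[int]:
    """Hex word -> int; '?' (not recovered) and literals such as SeTcbPrivilege -> None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def decode_flags(value: int, table) -> str:
    names = [name for bit, name in table.items() if value & bit]
    return "|".join(names) if names else "0"


def describe_exitwindows(flags: int) -> str:
    """EWX_LOGOFF is 0, so it is implied when no SHUTDOWN/REBOOT/POWEROFF bit is set."""
    parts = [] if flags & (0x1 | 0x2 | 0x8) else ["EWX_LOGOFF"]
    return "|".join(parts + [n for bit, n in EWX_FLAGS.items() if flags & bit])


def tag_block(text: str) -> Set[str]:
    refs = parse_block(text)
    apis = {r.api for r in refs}
    tags: Set[str] = set()
    # Call-set rules: every API named is reachable from the block, subcall entries included.
    if {"socket", "bind", "listen", "accept"} <= apis:
        tags.add("tcp-listener")
    if {"CertEnumCertificatesInStore", "CertDeleteCertificateFromStore"} <= apis:
        tags.add("cert-store-deletion")
    if {"SetFileAttributesW", "DeleteFileW"} <= apis:
        tags.add("unprotect-and-delete")
    # Argument rules: decode the constants the sandbox recovered at each call site.
    for r in refs:
        a = [arg_int(x) for x in r.args]
        if r.api == "socket" and len(a) >= 3 and a[1] == 1 and a[2] == 6:
            tags.add("socket:SOCK_STREAM/IPPROTO_TCP")
        elif r.api == "CryptCreateHash" and len(a) >= 2 and a[1] in CALG_NAMES:
            tags.add("hash:" + CALG_NAMES[a[1]])
        elif r.api == "ExitWindowsEx" and a and a[0] is not None:
            tags.add("exitwindows:" + describe_exitwindows(a[0]))
        elif r.api == "InitiateSystemShutdownExW" and len(a) >= 5:
            tags.add("shutdown" + (":force-close-apps" if a[3] else "") + (":reboot" if a[4] else ""))
        elif r.api == "CreateFileW" and len(a) >= 5 and a[1] is not None:
            tags.add("createfile:%s/%s" % (decode_flags(a[1], ACCESS_FLAGS), DISPOSITIONS.get(a[4], "?")))
        elif r.api == "LookupPrivilegeValueW":
            tags.update("privilege:" + s for s in r.args if s.endswith("Privilege"))
    return tags


# Sample blocks copied (as subsets) from the listings in this report.
SAMPLE_LISTENER = """APIs
  • Part of subcall function 00BD3BBE: socket.WS2_32(?,00000001,00000006), ref: 00BD3BCA
  • Part of subcall function 00BD3BBE: bind.WS2_32 ref: 00BD3BE7
  • Part of subcall function 00BD3BBE: listen.WS2_32(?,00000001), ref: 00BD3BF4
  • Part of subcall function 00BD3D73: accept.WS2_32(?,00000000), ref: 00BD3D94"""
SAMPLE_CERTS = """
  • CertDeleteCertificateFromStore.CRYPT32(?,?,?,00000000), ref: 00BD7ADF
  • CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00BD7AE7"""
SAMPLE_SHUTDOWN = """
  • ExitWindowsEx.USER32(00000014,80000000), ref: 00BDA47D
  • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,?,80000000), ref: 00BDA4BD
  • Part of subcall function 00BCAF99: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege), ref: 00BCAFEC"""
SAMPLE_FILE = """
  • Part of subcall function 00BD83CA: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00BD83E6
  • Part of subcall function 00BE5E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00BE5E26
  • Part of subcall function 00BE5E1D: DeleteFileW.KERNEL32 ref: 00BE5E2D"""
SAMPLE_HASH = """
  • Part of subcall function 00BE93C4: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00BE9433"""
```

`tag_block(SAMPLE_SHUTDOWN)` returns `exitwindows:EWX_LOGOFF|EWX_FORCE|EWX_FORCEIFHUNG`, `shutdown:force-close-apps` and `privilege:SeTcbPrivilege`: 0x14 sets only EWX_FORCE and EWX_FORCEIFHUNG, so that call is a forced logoff of the interactive session, and the same function also requests a forced machine shutdown. Call-set rules deliberately count subcall entries, since the report lists them because they are reachable from the function; a rule that depends on call order (for instance the two `HttpQueryInfoA` calls in one function, the first to learn the buffer size) would need the `ref` addresses, which the parser keeps for that purpose.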
    APIs
    • shutdown.WS2_32(?,00000001), ref: 00BCB9BD
    • WSAGetLastError.WS2_32(?,00000020,?,00000001,?,?,?,?,?,?,?,00BD6970,?,?,?,00002710), ref: 00BCB9DE
    • WSASetLastError.WS2_32(00000000,?,00002710,?,?,00000020,?,00000001), ref: 00BCBA23
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BCB764: EnterCriticalSection.KERNEL32(00BF5AA4,?,00BCB826,?,00BEC86A,00BDC4AB,00BDC4AB,?,00BDC4AB,?,00000001), ref: 00BCB774
      • Part of subcall function 00BCB764: LeaveCriticalSection.KERNEL32(00BF5AA4,?,00BCB826,?,00BEC86A,00BDC4AB,00BDC4AB,?,00BDC4AB,?,00000001), ref: 00BCB79E
    • WSAAddressToStringA.WS2_32(?,?,00000000,?,?), ref: 00BCC22E
    • lstrcpyA.KERNEL32(?,0:0,?,?,00000000,?,?,?,?,?,?,00BD6A4A), ref: 00BCC23E
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,00BC7A9F,?,00000005), ref: 00BCBE0B
    • WSASetLastError.WS2_32(00002775,?,?,?,?,?,?,?,?,00BC7A9F,?,00000005), ref: 00BCBE6F
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • memcmp.MSVCRT ref: 00BDC385
    • memcpy.MSVCRT ref: 00BDC486
      • Part of subcall function 00BCBB55: connect.WS2_32(?,?), ref: 00BCBB93
      • Part of subcall function 00BCBB55: WSAGetLastError.WS2_32(?,00000000,?,?,?,00BDC4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 00BCBBA2
      • Part of subcall function 00BCBB55: WSASetLastError.WS2_32(?,?,?,?,00BDC4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 00BCBBC0
      • Part of subcall function 00BCBB55: WSAGetLastError.WS2_32(?,?,?,00BDC4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 00BCBBC2
      • Part of subcall function 00BCBB55: WSASetLastError.WS2_32(00000000), ref: 00BCBC00
    • memcmp.MSVCRT ref: 00BDC583
      • Part of subcall function 00BCBEC0: WSAGetLastError.WS2_32 ref: 00BCBEF6
      • Part of subcall function 00BCBEC0: WSASetLastError.WS2_32(?,?,?,?), ref: 00BCBF3E
      • Part of subcall function 00BDC0DA: memcmp.MSVCRT ref: 00BDC11A
      • Part of subcall function 00BEDABF: memset.MSVCRT ref: 00BEDACF
      • Part of subcall function 00BEDABF: memcpy.MSVCRT ref: 00BEDAF8
    • memset.MSVCRT ref: 00BDC5E0
    • memcpy.MSVCRT ref: 00BDC5F1
      • Part of subcall function 00BEDB11: memcpy.MSVCRT ref: 00BEDB22
      • Part of subcall function 00BDC02F: memcmp.MSVCRT ref: 00BDC06B
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
      • Part of subcall function 00BD24DA: HeapAlloc.KERNEL32(00000008,?,?,00BCB076,?,?,?,00000000,?,?,00000000,00BEAA69,?,00BEADD5), ref: 00BD24EB
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • memset.MSVCRT ref: 00BC785D
      • Part of subcall function 00BD1B5D: memcmp.MSVCRT ref: 00BD1B69
      • Part of subcall function 00BD19AE: memcmp.MSVCRT ref: 00BD1A24
      • Part of subcall function 00BD1821: memcpy.MSVCRT ref: 00BD1848
      • Part of subcall function 00BD1728: memcpy.MSVCRT ref: 00BD1771
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
    • memset.MSVCRT ref: 00BC78F1
    • memcpy.MSVCRT ref: 00BC7904
    • memcpy.MSVCRT ref: 00BC7926
    • memcpy.MSVCRT ref: 00BC7946
      • Part of subcall function 00BDB7FF: EnterCriticalSection.KERNEL32(00BF47FC,?,?,00BE59A9,00000000), ref: 00BDB80C
      • Part of subcall function 00BDB7FF: LeaveCriticalSection.KERNEL32(00BF47FC,?,?,00BE59A9,00000000), ref: 00BDB81A
      • Part of subcall function 00BD8F55: EnterCriticalSection.KERNEL32(?,?,00000002,00000001,?,?,00BD914A,?,?,?,?,?,?,00000000,?), ref: 00BD8FAF
      • Part of subcall function 00BD8F55: SetEvent.KERNEL32 ref: 00BD900A
      • Part of subcall function 00BD8F55: LeaveCriticalSection.KERNEL32 ref: 00BD9017
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • memset.MSVCRT ref: 00BED03A
    • InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 00BED05C
      • Part of subcall function 00BED133: SetLastError.KERNEL32(00000008,?,?,00000000,00BED06E,?,?,00000000), ref: 00BED15C
      • Part of subcall function 00BED133: memcpy.MSVCRT ref: 00BED17C
      • Part of subcall function 00BED133: memcpy.MSVCRT ref: 00BED1B4
      • Part of subcall function 00BED133: memcpy.MSVCRT ref: 00BED1CC
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BD1FEC: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000), ref: 00BD1FFF
      • Part of subcall function 00BD1FEC: GetLastError.KERNEL32(?,00BF49A8,00000000,?,?,00BCAF07,?,00000008,?,?,?,?,?,00000000,00BEAE13), ref: 00BD2009
      • Part of subcall function 00BD1FEC: GetTokenInformation.ADVAPI32(?,00000001,?,?), ref: 00BD2031
    • EqualSid.ADVAPI32(?,5B867A00), ref: 00BC952F
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
      • Part of subcall function 00BCB1DE: LoadLibraryA.KERNEL32(userenv.dll), ref: 00BCB1EE
      • Part of subcall function 00BCB1DE: GetProcAddress.KERNEL32(?,CreateEnvironmentBlock), ref: 00BCB20C
      • Part of subcall function 00BCB1DE: GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 00BCB218
      • Part of subcall function 00BCB1DE: memset.MSVCRT ref: 00BCB258
      • Part of subcall function 00BCB1DE: CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,00000000), ref: 00BCB2A5
      • Part of subcall function 00BCB1DE: CloseHandle.KERNEL32(?), ref: 00BCB2B9
      • Part of subcall function 00BCB1DE: CloseHandle.KERNEL32(?), ref: 00BCB2BF
      • Part of subcall function 00BCB1DE: FreeLibrary.KERNEL32 ref: 00BCB2D3
    • CloseHandle.KERNEL32(00000001), ref: 00BC9576
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BD1B16: EnterCriticalSection.KERNEL32(00BF5AA4,?,00BD8DDC,?,?,?,?,00BEB233,?,00000001), ref: 00BD1B26
      • Part of subcall function 00BD1B16: LeaveCriticalSection.KERNEL32(00BF5AA4,?,00BD8DDC,?,?,?,?,00BEB233,?,00000001), ref: 00BD1B50
    • memcmp.MSVCRT ref: 00BDBE99
      • Part of subcall function 00BE6875: GetSystemTime.KERNEL32 ref: 00BE687F
    • memcmp.MSVCRT ref: 00BDBEF8
      • Part of subcall function 00BD2543: HeapAlloc.KERNEL32(00000008,?,?,00000000,00BDD89F,?,?,?,00000000,00000000,00000000,00BDD869,?,00BCB3C7,?,@echo off%sdel /F "%s"), ref: 00BD256D
      • Part of subcall function 00BD2543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00BDD89F,?,?,?,00000000,00000000,00000000,00BDD869,?,00BCB3C7), ref: 00BD2580
    • memset.MSVCRT ref: 00BDBF8A
    • memcpy.MSVCRT ref: 00BDBFB7
    • memcmp.MSVCRT ref: 00BDBFEE
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BD24C1: HeapAlloc.KERNEL32(00000000,00000028,?,00BED211,?,?,00000000,?,?,00000001), ref: 00BD24D2
      • Part of subcall function 00BE7C35: memset.MSVCRT ref: 00BE7C5D
    • memcpy.MSVCRT ref: 00BE1167
      • Part of subcall function 00BE7CAE: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00BE7CBE
    • memcpy.MSVCRT ref: 00BE10E2
    • memcpy.MSVCRT ref: 00BE10FA
      • Part of subcall function 00BE7DC3: memcpy.MSVCRT ref: 00BE7DE3
      • Part of subcall function 00BE7DC3: memcpy.MSVCRT ref: 00BE7E0F
    • memcpy.MSVCRT ref: 00BE1156
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BC9F04: StrCmpNA.SHLWAPI(Basic ,?,00000000), ref: 00BC9F19
      • Part of subcall function 00BC9F04: lstrcmpA.KERNEL32(Basic ,?,00BE54A4,00000006,Authorization,?,?,?), ref: 00BC9F23
    • StrChrA.SHLWAPI(?,0000003A), ref: 00BE54F6
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • memset.MSVCRT ref: 00BF2F5F
    • memcpy.MSVCRT ref: 00BF2FBF
    • memcpy.MSVCRT ref: 00BF2FD7
      • Part of subcall function 00BD2070: memset.MSVCRT ref: 00BD2084
      • Part of subcall function 00BEA7D7: memset.MSVCRT ref: 00BEA862
      • Part of subcall function 00BE570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00BEABEA,00BEABEA), ref: 00BE573C
    • memcpy.MSVCRT ref: 00BF304D
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • GetFileAttributesW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data), ref: 00BE5CB1
    • CreateFileW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data,80000000,00000007,00000000,00000003,?,00000000), ref: 00BE5CD1
      • Part of subcall function 00BE5934: CloseHandle.KERNEL32 ref: 00BE5940
      • Part of subcall function 00BE5BE4: memcpy.MSVCRT ref: 00BE5C25
      • Part of subcall function 00BE5BE4: memcpy.MSVCRT ref: 00BE5C38
      • Part of subcall function 00BE5BE4: memcpy.MSVCRT ref: 00BE5C4B
      • Part of subcall function 00BE5BE4: memcpy.MSVCRT ref: 00BE5C56
      • Part of subcall function 00BE5BE4: GetFileTime.KERNEL32(?,?,?), ref: 00BE5C7A
      • Part of subcall function 00BE5BE4: memcpy.MSVCRT ref: 00BE5C90
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BCC942: EnterCriticalSection.KERNEL32(00BF5AA4,?,00BCCE31,00E81E90,00BED393), ref: 00BCC952
      • Part of subcall function 00BCC942: LeaveCriticalSection.KERNEL32(00BF5AA4,?,00BCCE31,00E81E90,00BED393), ref: 00BCC987
    • VerQueryValueW.VERSION(?,00BBAE74,?,?,00E81E90,00BED393), ref: 00BCCE44
    • GetModuleHandleW.KERNEL32(?), ref: 00BCCE85
      • Part of subcall function 00BCCE9F: PathFindFileNameW.SHLWAPI(00000000), ref: 00BCCEE3
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00BEC38D
    • CreateThread.KERNEL32(00000000,00000000,00BEC3C1,00E827E8), ref: 00BEC3AA
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • memcpy.MSVCRT ref: 00BD2268
    • memcpy.MSVCRT ref: 00BD227D
      • Part of subcall function 00BE570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00BEABEA,00BEABEA), ref: 00BE573C
    • memcpy.MSVCRT ref: 00BD22BA
    • memcpy.MSVCRT ref: 00BD22F2
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BD24DA: HeapAlloc.KERNEL32(00000008,?,?,00BCB076,?,?,?,00000000,?,?,00000000,00BEAA69,?,00BEADD5), ref: 00BD24EB
    • SetLastError.KERNEL32(00000008,?,?,00000000,00BED06E,?,?,00000000), ref: 00BED15C
    • memcpy.MSVCRT ref: 00BED17C
    • memcpy.MSVCRT ref: 00BED1B4
    • memcpy.MSVCRT ref: 00BED1CC
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,?,00BD9116,?), ref: 00BE917B
    • memcmp.MSVCRT ref: 00BE91A7
    • memcpy.MSVCRT ref: 00BE91F2
    • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,00000000), ref: 00BE91FE
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • memset.MSVCRT ref: 00BEFEF5
    • InitializeCriticalSection.KERNEL32(00BF5050), ref: 00BEFF05
      • Part of subcall function 00BD204E: memcpy.MSVCRT ref: 00BD205C
    • memset.MSVCRT ref: 00BEFF34
    • InitializeCriticalSection.KERNEL32(00BF5030), ref: 00BEFF3E
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • memcpy.MSVCRT ref: 00BEE6C6
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00BEE6E5
      • Part of subcall function 00BC6E6B: GetLastError.KERNEL32(?,00000000,00BEEC5C,?,00000000), ref: 00BC6E6D
      • Part of subcall function 00BC6E6B: TlsGetValue.KERNEL32(?,?,00000000), ref: 00BC6E8A
      • Part of subcall function 00BC6E6B: SetLastError.KERNEL32(?,?,00000000,00BEEC5C,?,00000000), ref: 00BC6E9A
      • Part of subcall function 00BC6E1F: GetLastError.KERNEL32(3D920680,?,00BC652A), ref: 00BC6E21
      • Part of subcall function 00BC6E1F: TlsGetValue.KERNEL32(?,?,00BC652A), ref: 00BC6E3E
      • Part of subcall function 00BC6E1F: TlsSetValue.KERNEL32(00000001), ref: 00BC6E50
      • Part of subcall function 00BC6E1F: SetLastError.KERNEL32(?,?,00BC652A), ref: 00BC6E60
      • Part of subcall function 00BC6EA5: GetLastError.KERNEL32(?,00BC6577), ref: 00BC6EA6
      • Part of subcall function 00BC6EA5: TlsSetValue.KERNEL32(00000000), ref: 00BC6EB6
      • Part of subcall function 00BC6EA5: SetLastError.KERNEL32(?,?,00BC6577), ref: 00BC6EBD
      • Part of subcall function 00BE8439: EnterCriticalSection.KERNEL32(00000014,?,?,?,?,00BCCC4B,00000003,?,00000000,00000000), ref: 00BE8450
      • Part of subcall function 00BE8439: LeaveCriticalSection.KERNEL32(00000014,?,?,00000000,?,?,?,?,00BCCC4B,00000003,?,00000000,00000000), ref: 00BE84AB
      • Part of subcall function 00BEF270: SetLastError.KERNEL32(00000008), ref: 00BEF383
      • Part of subcall function 00BE84BE: EnterCriticalSection.KERNEL32(00000014,?,?,?,00000000,00BE8A35,00000003,?), ref: 00BE84D8
      • Part of subcall function 00BE84BE: LeaveCriticalSection.KERNEL32(00000014,?,?,?,?,?,?,00000000,00BE8A35,00000003,?), ref: 00BE8507
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • VirtualAlloc.KERNEL32(00000000,00006000,00003000,00000040), ref: 00BBCAC5
    • LoadLibraryA.KERNEL32 ref: 00BBCBAE
    • GetProcAddress.KERNEL32(00000000), ref: 00BBCBD8
    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00BBCC0A
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BD26C5: memset.MSVCRT ref: 00BD26D5
    • lstrlenA.KERNEL32(?), ref: 00BD304D
    • lstrlenA.KERNEL32 ref: 00BD305C
      • Part of subcall function 00BDD8E8: memcpy.MSVCRT ref: 00BDD8FF
      • Part of subcall function 00BDD8E8: CharLowerA.USER32 ref: 00BDD9CA
      • Part of subcall function 00BDD8E8: CharLowerA.USER32(?), ref: 00BDD9DA
      • Part of subcall function 00BDD8E8: memcpy.MSVCRT ref: 00BDDA9F
      • Part of subcall function 00BD260E: memcpy.MSVCRT ref: 00BD2621
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BE601D: FreeAddrInfoW.WS2_32 ref: 00BE602C
      • Part of subcall function 00BE601D: memset.MSVCRT ref: 00BE6042
    • getaddrinfo.WS2_32(?,00000000), ref: 00BDC675
    • memset.MSVCRT ref: 00BDC6BB
    • memcpy.MSVCRT ref: 00BDC6CE
      • Part of subcall function 00BCBB55: connect.WS2_32(?,?), ref: 00BCBB93
      • Part of subcall function 00BCBB55: WSAGetLastError.WS2_32(?,00000000,?,?,?,00BDC4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 00BCBBA2
      • Part of subcall function 00BCBB55: WSASetLastError.WS2_32(?,?,?,?,00BDC4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 00BCBBC0
      • Part of subcall function 00BCBB55: WSAGetLastError.WS2_32(?,?,?,00BDC4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 00BCBBC2
      • Part of subcall function 00BCBB55: WSASetLastError.WS2_32(00000000), ref: 00BCBC00
      • Part of subcall function 00BCB979: shutdown.WS2_32(?,00000002), ref: 00BCB987
      • Part of subcall function 00BCB979: closesocket.WS2_32 ref: 00BCB990
      • Part of subcall function 00BCB979: WSACloseEvent.WS2_32 ref: 00BCB9A3
    • FreeAddrInfoW.WS2_32(00000000), ref: 00BDC778
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • memset.MSVCRT ref: 00BECDD2
      • Part of subcall function 00BD24C1: HeapAlloc.KERNEL32(00000000,00000028,?,00BED211,?,?,00000000,?,?,00000001), ref: 00BD24D2
    • InternetReadFile.WININET(00BD99F7,?,00001000,?), ref: 00BECE24
    • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00BECE01
      • Part of subcall function 00BD25D5: memcpy.MSVCRT ref: 00BD25FB
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
    • SetLastError.KERNEL32(00000000,?,00001000,?,?,00000000,?,00000001,?,00BD99F7,?,00000CCA,?,?,00000001), ref: 00BECE78
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BC71D5: memcpy.MSVCRT ref: 00BC72E6
      • Part of subcall function 00BE5B15: SetFilePointerEx.KERNEL32(?,00000001,00000001,00000000,?), ref: 00BE5B25
    • WriteFile.KERNEL32(?,?,00000005,?,00000000), ref: 00BD6EB2
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00BD6ECA
    • FlushFileBuffers.KERNEL32(?), ref: 00BD6EE4
    • SetEndOfFile.KERNEL32 ref: 00BD6EFE
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
      • Part of subcall function 00BE5ADF: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001), ref: 00BE5AF1
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • GetTickCount.KERNEL32 ref: 00BD66A8
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,00000002), ref: 00BD66BA
    • memcmp.MSVCRT ref: 00BD66F4
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000002), ref: 00BD6760
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • WSAEventSelect.WS2_32(?,?,?), ref: 00BCBF85
    • WaitForMultipleObjects.KERNEL32(?,00000001,00000000,?), ref: 00BCBFBA
    • WSAEventSelect.WS2_32 ref: 00BCC008
    • WSASetLastError.WS2_32(?,?,?,?,?,00000001,00000000,?,?,?,?), ref: 00BCC01B
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000104,00000000,?,00000000), ref: 00BDBA66
    • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000103,00000000), ref: 00BDBA9B
    • RegCloseKey.ADVAPI32(?), ref: 00BDBAAA
    • RegCloseKey.ADVAPI32(?), ref: 00BDBAC5
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,?,00000000,?,00BD68D1,?,?,?,?,00000002), ref: 00BD6619
    • GetTickCount.KERNEL32 ref: 00BD664A
    • memcpy.MSVCRT ref: 00BD6681
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000,?,00BD68D1,?,?,?,?,00000002), ref: 00BD668D
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • GetTickCount.KERNEL32 ref: 00BD5138
    • GetLastInputInfo.USER32(?), ref: 00BD514B
    • GetLocalTime.KERNEL32 ref: 00BD516F
      • Part of subcall function 00BE6891: SystemTimeToFileTime.KERNEL32 ref: 00BE689B
    • GetTimeZoneInformation.KERNEL32 ref: 00BD5187
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,00001CFF), ref: 00BC7622
    • TranslateMessage.USER32 ref: 00BC7646
    • DispatchMessageW.USER32 ref: 00BC7651
    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BC7661
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BC6A4D: TlsSetValue.KERNEL32(00000001,00BDA796), ref: 00BC6A5A
      • Part of subcall function 00BEC09D: CreateMutexW.KERNEL32(00BF49B4,00000000), ref: 00BEC0BF
      • Part of subcall function 00BEAFD3: WaitForSingleObject.KERNEL32(00000000,00BDA849), ref: 00BEAFDB
    • GetCurrentThread.KERNEL32 ref: 00BDA70A
    • SetThreadPriority.KERNEL32 ref: 00BDA711
    • WaitForSingleObject.KERNEL32(00001388), ref: 00BDA723
      • Part of subcall function 00BC5B9B: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00BC5BC1
      • Part of subcall function 00BC5B9B: Process32FirstW.KERNEL32 ref: 00BC5BE6
      • Part of subcall function 00BC5B9B: OpenProcess.KERNEL32(00000400,00000000,?), ref: 00BC5C3D
      • Part of subcall function 00BC5B9B: CloseHandle.KERNEL32 ref: 00BC5C5B
      • Part of subcall function 00BC5B9B: GetLengthSid.ADVAPI32 ref: 00BC5C77
      • Part of subcall function 00BC5B9B: memcmp.MSVCRT ref: 00BC5C8F
      • Part of subcall function 00BC5B9B: CloseHandle.KERNEL32(?), ref: 00BC5D07
      • Part of subcall function 00BC5B9B: Process32NextW.KERNEL32(?,?), ref: 00BC5D13
      • Part of subcall function 00BC5B9B: CloseHandle.KERNEL32 ref: 00BC5D26
    • WaitForSingleObject.KERNEL32(00001388), ref: 00BDA73C
      • Part of subcall function 00BC766D: ReleaseMutex.KERNEL32 ref: 00BC7671
      • Part of subcall function 00BC766D: CloseHandle.KERNEL32 ref: 00BC7678
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • WaitForSingleObject.KERNEL32(?,00007530), ref: 00BEC3D1
    • EnterCriticalSection.KERNEL32(?,?,00007530), ref: 00BEC3DF
    • LeaveCriticalSection.KERNEL32(?,?,00007530), ref: 00BEC3F4
    • WaitForSingleObject.KERNEL32(?,00007530), ref: 00BEC3FE
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,00000002,00000001,?,?,00BD914A,?,?,?,?,?,?,00000000,?), ref: 00BD8FAF
    • LeaveCriticalSection.KERNEL32 ref: 00BD9017
      • Part of subcall function 00BD8A41: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00BD8A52
      • Part of subcall function 00BD2543: HeapAlloc.KERNEL32(00000008,?,?,00000000,00BDD89F,?,?,?,00000000,00000000,00000000,00BDD869,?,00BCB3C7,?,@echo off%sdel /F "%s"), ref: 00BD256D
      • Part of subcall function 00BD2543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00BDD89F,?,?,?,00000000,00000000,00000000,00BDD869,?,00BCB3C7), ref: 00BD2580
    • SetEvent.KERNEL32 ref: 00BD900A
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • getpeername.WS2_32(?,?,?), ref: 00BDEC79
    • getsockname.WS2_32(?,?,?), ref: 00BDEC91
    • send.WS2_32(00000000,00000000,00000008,00000000), ref: 00BDECC2
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • WSACreateEvent.WS2_32(00000000,?,00BCBB6E,00000033,00000000,?,?,?,00BDC4F0,?,00003A98,?,00000000,?,00000003), ref: 00BCB93E
    • WSAEventSelect.WS2_32(?,?,00000033), ref: 00BCB954
    • WSACloseEvent.WS2_32 ref: 00BCB968
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00BF5AA4,00E81E90,00BED364,00000001,00000001), ref: 00BE68D4
    • LeaveCriticalSection.KERNEL32(00BF5AA4), ref: 00BE68FC
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BE4BC8: StrCmpNIA.SHLWAPI ref: 00BE4BDF
    • StrCmpNIA.SHLWAPI(?,nbsp;,00000005), ref: 00BE4D7B
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BE7ED8: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00BE7EEF
      • Part of subcall function 00BE7ED8: CloseHandle.KERNEL32 ref: 00BE7F0E
    • GetFileSizeEx.KERNEL32(00000000), ref: 00BF25C4
      • Part of subcall function 00BE7F3D: UnmapViewOfFile.KERNEL32 ref: 00BE7F49
      • Part of subcall function 00BE7F3D: MapViewOfFile.KERNEL32(?,00000001,00000000,00000000,00000001), ref: 00BE7F60
      • Part of subcall function 00BE5B15: SetFilePointerEx.KERNEL32(?,00000001,00000001,00000000,?), ref: 00BE5B25
    • SetEndOfFile.KERNEL32 ref: 00BF263A
    • FlushFileBuffers.KERNEL32(?), ref: 00BF2645
      • Part of subcall function 00BE5934: CloseHandle.KERNEL32 ref: 00BE5940
      • Part of subcall function 00BE5B5F: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00BE5B87
      • Part of subcall function 00BF2474: GetFileAttributesW.KERNEL32 ref: 00BF2485
      • Part of subcall function 00BF2474: PathRemoveFileSpecW.SHLWAPI(?), ref: 00BF24BA
      • Part of subcall function 00BF2474: MoveFileExW.KERNEL32(?,?,00000001), ref: 00BF2501
      • Part of subcall function 00BF2474: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 00BF251A
      • Part of subcall function 00BF2474: Sleep.KERNEL32(00001388), ref: 00BF255D
      • Part of subcall function 00BF2474: FlushFileBuffers.KERNEL32 ref: 00BF256B
      • Part of subcall function 00BE7E98: UnmapViewOfFile.KERNEL32 ref: 00BE7EA4
      • Part of subcall function 00BE7E98: CloseHandle.KERNEL32 ref: 00BE7EB7
      • Part of subcall function 00BE7E98: CloseHandle.KERNEL32 ref: 00BE7ECD
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • select.WS2_32(00000000,?,00000000,00000000), ref: 00BD3A81
    • recv.WS2_32(?,?,?,00000000), ref: 00BD3A91
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00BE9B46
    • VirtualProtect.KERNEL32(?,0000007C,?,?), ref: 00BE9B7D
      • Part of subcall function 00BE9A67: memset.MSVCRT ref: 00BE9A78
      • Part of subcall function 00BE9821: GetCurrentProcess.KERNEL32 ref: 00BE9824
      • Part of subcall function 00BE9821: VirtualProtect.KERNEL32(3D920000,=::=::\,00000020), ref: 00BE9845
      • Part of subcall function 00BE9821: FlushInstructionCache.KERNEL32(?,3D920000,=::=::\), ref: 00BE984E
    • ResumeThread.KERNEL32(?), ref: 00BE9BBE
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • memset.MSVCRT ref: 00BED506
      • Part of subcall function 00BEBC89: memcpy.MSVCRT ref: 00BEBCA4
      • Part of subcall function 00BEBC89: StringFromGUID2.OLE32 ref: 00BEBD4A
      • Part of subcall function 00BD204E: memcpy.MSVCRT ref: 00BD205C
      • Part of subcall function 00BE570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00BEABEA,00BEABEA), ref: 00BE573C
      • Part of subcall function 00BC8F6F: memcpy.MSVCRT ref: 00BC8FE0
      • Part of subcall function 00BC8F6F: PathRemoveBackslashW.SHLWAPI ref: 00BC8FEA
      • Part of subcall function 00BC8F6F: memcpy.MSVCRT ref: 00BC9033
      • Part of subcall function 00BC8F6F: memcpy.MSVCRT ref: 00BC9060
      • Part of subcall function 00BC8F6F: PathRemoveBackslashW.SHLWAPI ref: 00BC906A
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00BF5AA4,?,00000001,?,?,00BED824,?,?,?,00000001), ref: 00BED62C
    • LeaveCriticalSection.KERNEL32(00BF5AA4,?,00000001,?,?,00BED824,?,?,?,00000001), ref: 00BED653
      • Part of subcall function 00BED4EF: memset.MSVCRT ref: 00BED506
      • Part of subcall function 00BE93C4: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00BE9433
      • Part of subcall function 00BE93C4: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00BE9458
      • Part of subcall function 00BE946B: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 00BE94AA
    • _ultow.MSVCRT ref: 00BED69A
      • Part of subcall function 00BE9393: CryptDestroyHash.ADVAPI32 ref: 00BE93AB
      • Part of subcall function 00BE9393: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00BE93BC
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • CloseHandle.KERNEL32(?), ref: 00BE7B37
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
    • InternetQueryOptionA.WININET(?,00000015,?,?), ref: 00BE7B77
    • InternetCloseHandle.WININET(?), ref: 00BE7B82
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00BEA999
    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00BEA9B1
    • DuplicateHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000001), ref: 00BEA9CC
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000), ref: 00BD1FFF
    • GetLastError.KERNEL32(?,00BF49A8,00000000,?,?,00BCAF07,?,00000008,?,?,?,?,?,00000000,00BEAE13), ref: 00BD2009
      • Part of subcall function 00BD24DA: HeapAlloc.KERNEL32(00000008,?,?,00BCB076,?,?,?,00000000,?,?,00000000,00BEAA69,?,00BEADD5), ref: 00BD24EB
    • GetTokenInformation.ADVAPI32(?,00000001,?,?), ref: 00BD2031
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • OpenProcessToken.ADVAPI32(?,00000008), ref: 00BCAEF5
      • Part of subcall function 00BD1FEC: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000), ref: 00BD1FFF
      • Part of subcall function 00BD1FEC: GetLastError.KERNEL32(?,00BF49A8,00000000,?,?,00BCAF07,?,00000008,?,?,?,?,?,00000000,00BEAE13), ref: 00BD2009
      • Part of subcall function 00BD1FEC: GetTokenInformation.ADVAPI32(?,00000001,?,?), ref: 00BD2031
    • GetTokenInformation.ADVAPI32(?,0000000C,00BF49A8,00000004), ref: 00BCAF1D
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
    • CloseHandle.KERNEL32(?), ref: 00BCAF33
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BD204E: memcpy.MSVCRT ref: 00BD205C
      • Part of subcall function 00BEBC89: memcpy.MSVCRT ref: 00BEBCA4
      • Part of subcall function 00BEBC89: StringFromGUID2.OLE32 ref: 00BEBD4A
    • CreateMutexW.KERNEL32(00BF49B4,00000001), ref: 00BEC058
    • GetLastError.KERNEL32(?,?,?,?,00000002,00000000), ref: 00BEC064
    • CloseHandle.KERNEL32 ref: 00BEC072
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • PathFindFileNameW.SHLWAPI(000001ED), ref: 00BDA759
    • PathRemoveExtensionW.SHLWAPI ref: 00BDA76D
    • CharUpperW.USER32 ref: 00BDA777
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • lstrlenW.KERNEL32(00BBC448), ref: 00BDD149
    • lstrlenW.KERNEL32 ref: 00BDD14F
      • Part of subcall function 00BD2543: HeapAlloc.KERNEL32(00000008,?,?,00000000,00BDD89F,?,?,?,00000000,00000000,00000000,00BDD869,?,00BCB3C7,?,@echo off%sdel /F "%s"), ref: 00BD256D
      • Part of subcall function 00BD2543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00BDD89F,?,?,?,00000000,00000000,00000000,00BDD869,?,00BCB3C7), ref: 00BD2580
    • memcpy.MSVCRT ref: 00BDD173
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00BDD89F,?,?,?,00000000,00000000,00000000,00BDD869,?,00BCB3C7), ref: 00BD2580
      • Part of subcall function 00BD2456: EnterCriticalSection.KERNEL32(00BF5AA4,00000028,00BD24C9,?,00BED211,?,?,00000000,?,?,00000001), ref: 00BD2466
      • Part of subcall function 00BD2456: LeaveCriticalSection.KERNEL32(00BF5AA4,?,00BED211,?,?,00000000,?,?,00000001), ref: 00BD2490
    • HeapAlloc.KERNEL32(00000008,?,?,00000000,00BDD89F,?,?,?,00000000,00000000,00000000,00BDD869,?,00BCB3C7,?,@echo off%sdel /F "%s"), ref: 00BD256D
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • GetLastError.KERNEL32(?,00BC6577), ref: 00BC6EA6
    • TlsSetValue.KERNEL32(00000000), ref: 00BC6EB6
    • SetLastError.KERNEL32(?,?,00BC6577), ref: 00BC6EBD
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • GetVersionExW.KERNEL32(00BF4858), ref: 00BE86E6
    • GetNativeSystemInfo.KERNEL32(000000FF), ref: 00BE8822
    • memset.MSVCRT ref: 00BE8857
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BE3704: strtoul.MSVCRT ref: 00BE37FC
      • Part of subcall function 00BEC0DB: EnterCriticalSection.KERNEL32(00BF5AA4,00E81E90,00BEC7BB,00E81E90,00BED34F), ref: 00BEC0EB
      • Part of subcall function 00BEC0DB: LeaveCriticalSection.KERNEL32(00BF5AA4), ref: 00BEC113
    • EnterCriticalSection.KERNEL32(00E827E8,?,?,?,?,00BF5050), ref: 00BF06F5
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
    • LeaveCriticalSection.KERNEL32(00E827E8,000000FF,00000000,?,?,?,?,00BF5050), ref: 00BF071D
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BD49CD: EnterCriticalSection.KERNEL32(00BF5AA4,00E81E90,00BD4ECC,00E81E90), ref: 00BD49DD
      • Part of subcall function 00BD49CD: LeaveCriticalSection.KERNEL32(00BF5AA4,?,?,?,?,?,?,?,?,?,?,?,?,00E81EF0,00BED345), ref: 00BD4A05
    • PathFindFileNameW.SHLWAPI(00E81E90), ref: 00BD4ED2
      • Part of subcall function 00BC9E88: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00BC9E9D
      • Part of subcall function 00BC9E88: StrCmpIW.SHLWAPI ref: 00BC9EA7
      • Part of subcall function 00BD24C1: HeapAlloc.KERNEL32(00000000,00000028,?,00BED211,?,?,00000000,?,?,00000001), ref: 00BD24D2
    • InitializeCriticalSection.KERNEL32 ref: 00BD4F44
      • Part of subcall function 00BC6D72: EnterCriticalSection.KERNEL32(00BF468C,00000000,00BD4F6E,?,000000FF), ref: 00BC6D7E
      • Part of subcall function 00BC6D72: LeaveCriticalSection.KERNEL32(00BF468C,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00E81EF0), ref: 00BC6D8E
      • Part of subcall function 00BC6D9C: LeaveCriticalSection.KERNEL32(00BF468C,00BC6E01,00000001,00000000,00000000,?,00BD4F82,00000001,00000000,?,000000FF), ref: 00BC6DA6
      • Part of subcall function 00BE9DDC: GetCurrentThreadId.KERNEL32 ref: 00BE9DED
      • Part of subcall function 00BE9DDC: memcpy.MSVCRT ref: 00BE9F56
      • Part of subcall function 00BE9DDC: VirtualProtect.KERNEL32(?,?,00000040,00000000), ref: 00BE9FE2
      • Part of subcall function 00BE9DDC: GetLastError.KERNEL32(?,00000040,00000000,?,?,00000000), ref: 00BE9FEC
      • Part of subcall function 00BC6DAD: LeaveCriticalSection.KERNEL32(00BF468C,?,00BC6E13,00000001,00000000,00000000,?,00BD4F82,00000001,00000000,?,000000FF), ref: 00BC6DBA
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
    • DeleteCriticalSection.KERNEL32(00000000,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00E81EF0), ref: 00BD4FBB
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BE931E: CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000040), ref: 00BE9336
    • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00BE9433
    • CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00BE9458
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BC8CBF: EnterCriticalSection.KERNEL32(?,?,?,00BD2B51,00000005,00007530,?,00000000,00000000), ref: 00BC8CC7
      • Part of subcall function 00BC8CBF: WaitForSingleObject.KERNEL32(?,00000000), ref: 00BC8CEB
      • Part of subcall function 00BC8CBF: CloseHandle.KERNEL32 ref: 00BC8CFB
      • Part of subcall function 00BC8CBF: LeaveCriticalSection.KERNEL32(?,?,?,?,00BD2B51,00000005,00007530,?,00000000,00000000), ref: 00BC8D2B
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,00BD979E,?,?,?,00000001), ref: 00BC7D24
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,00BD979E,?,?,?,00000001), ref: 00BC7D40
      • Part of subcall function 00BD24C1: HeapAlloc.KERNEL32(00000000,00000028,?,00BED211,?,?,00000000,?,?,00000001), ref: 00BD24D2
      • Part of subcall function 00BC8D34: EnterCriticalSection.KERNEL32(00E81F44,00E81F38,?,?,00BDA99B,00000000,00BDA6E2,00000000,?,00000000,?,?,?,00BEB2E2,?,00000001), ref: 00BC8D3D
      • Part of subcall function 00BC8D34: CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00BC8D76
      • Part of subcall function 00BC8D34: DuplicateHandle.KERNEL32(000000FF,?,000000FF,00BDA99B,00000000,00000000,00000002), ref: 00BC8D95
      • Part of subcall function 00BC8D34: GetLastError.KERNEL32(?,000000FF,00BDA99B,00000000,00000000,00000002,?,?,00BDA99B,00000000,00BDA6E2,00000000,?,00000000), ref: 00BC8D9F
      • Part of subcall function 00BC8D34: TerminateThread.KERNEL32 ref: 00BC8DA7
      • Part of subcall function 00BC8D34: CloseHandle.KERNEL32 ref: 00BC8DAE
      • Part of subcall function 00BC8D34: LeaveCriticalSection.KERNEL32(00E81F44,?,00BDA99B,00000000,00BDA6E2,00000000,?,00000000,?,?,?,00BEB2E2,?,00000001), ref: 00BC8DC3
      • Part of subcall function 00BC8D34: ResumeThread.KERNEL32 ref: 00BC8DDC
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 00BDC93C
      • Part of subcall function 00BD25A7: memcpy.MSVCRT ref: 00BD25C6
    • WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00BDC97B
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
    • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00BDC9A2
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • TlsAlloc.KERNEL32(00E8282C,00BE6EB9,?,?,?,?,00E82820), ref: 00BE69EA
    • TlsGetValue.KERNEL32(?,00000001,00E8282C), ref: 00BE69FC
    • TlsSetValue.KERNEL32(?,?), ref: 00BE6A41
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00BD83E6
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00BD8409
    • CloseHandle.KERNEL32 ref: 00BD8416
      • Part of subcall function 00BE5E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00BE5E26
      • Part of subcall function 00BE5E1D: DeleteFileW.KERNEL32 ref: 00BE5E2D
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • StrCmpNA.SHLWAPI(Basic ,?,00000000), ref: 00BC9F19
    • lstrcmpA.KERNEL32(Basic ,?,00BE54A4,00000006,Authorization,?,?,?), ref: 00BC9F23
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • memset.MSVCRT ref: 00BC69F9
    • TlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E81EF0), ref: 00BC6A02
    • InitializeCriticalSection.KERNEL32(00BF468C), ref: 00BC6A12
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • InitializeCriticalSection.KERNEL32(00BF47FC), ref: 00BDB7C7
    • QueryPerformanceCounter.KERNEL32 ref: 00BDB7D1
    • GetTickCount.KERNEL32 ref: 00BDB7DB
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00BF5AA4,00E81E90,00BEFEA5), ref: 00BEE419
    • LeaveCriticalSection.KERNEL32(00BF5AA4), ref: 00BEE448
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BD24C1: HeapAlloc.KERNEL32(00000000,00000028,?,00BED211,?,?,00000000,?,?,00000001), ref: 00BD24D2
    • memcpy.MSVCRT ref: 00BF1657
    • memcpy.MSVCRT ref: 00BF166A
    • memcpy.MSVCRT ref: 00BF168B
      • Part of subcall function 00BE4C13: StrCmpNIA.SHLWAPI(?,nbsp;,00000005), ref: 00BE4D7B
      • Part of subcall function 00BD2543: HeapAlloc.KERNEL32(00000008,?,?,00000000,00BDD89F,?,?,?,00000000,00000000,00000000,00BDD869,?,00BCB3C7,?,@echo off%sdel /F "%s"), ref: 00BD256D
      • Part of subcall function 00BD2543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00BDD89F,?,?,?,00000000,00000000,00000000,00BDD869,?,00BCB3C7), ref: 00BD2580
    • memcpy.MSVCRT ref: 00BF16FD
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
      • Part of subcall function 00BD25A7: memcpy.MSVCRT ref: 00BD25C6
      • Part of subcall function 00BF1070: memmove.MSVCRT ref: 00BF12E1
      • Part of subcall function 00BF1070: memcpy.MSVCRT ref: 00BF12F0
      • Part of subcall function 00BF1364: memcpy.MSVCRT ref: 00BF13D9
      • Part of subcall function 00BF1364: memmove.MSVCRT ref: 00BF149F
      • Part of subcall function 00BF1364: memcpy.MSVCRT ref: 00BF14AE
      • Part of subcall function 00BDBAD5: strcmp.MSVCRT(?,?,00000009,?,00000007,?,00000008,?,?,?,?,00000000,?), ref: 00BDBB42
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BDB64D: EnterCriticalSection.KERNEL32(00BF5AA4,?,00BDB806,?,?,00BE59A9,00000000), ref: 00BDB65D
      • Part of subcall function 00BDB64D: LeaveCriticalSection.KERNEL32(00BF5AA4,?,?,00BE59A9,00000000), ref: 00BDB687
    • EnterCriticalSection.KERNEL32(00BF47FC,?,?,00BE59A9,00000000), ref: 00BDB80C
    • LeaveCriticalSection.KERNEL32(00BF47FC,?,?,00BE59A9,00000000), ref: 00BDB81A
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
      • Part of subcall function 00BD2456: EnterCriticalSection.KERNEL32(00BF5AA4,00000028,00BD24C9,?,00BED211,?,?,00000000,?,?,00000001), ref: 00BD2466
      • Part of subcall function 00BD2456: LeaveCriticalSection.KERNEL32(00BF5AA4,?,00BED211,?,?,00000000,?,?,00000001), ref: 00BD2490
    • HeapAlloc.KERNEL32(00000008,?,?,00BCB076,?,?,?,00000000,?,?,00000000,00BEAA69,?,00BEADD5), ref: 00BD24EB
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • SetFileAttributesW.KERNEL32(?,00000080), ref: 00BE5E26
    • DeleteFileW.KERNEL32 ref: 00BE5E2D
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00000000,00BF30F0,00000038,00BD4BB2,00000000,?), ref: 00BD4ACC
    • memcmp.MSVCRT ref: 00BD4AE3
      • Part of subcall function 00BD24C1: HeapAlloc.KERNEL32(00000000,00000028,?,00BED211,?,?,00000000,?,?,00000001), ref: 00BD24D2
    • memcpy.MSVCRT ref: 00BD4B11
    • LeaveCriticalSection.KERNEL32(00000000), ref: 00BD4B68
      • Part of subcall function 00BD2593: HeapFree.KERNEL32(00000000,00E81E90,00BED2D1,?,?,00000000,?,?,00000001), ref: 00BD25A0
    Memory Dump Source
    • Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
    Executed Functions
    APIs
    • GetModuleHandleW.KERNEL32(00000000), ref: 00B3ACF4
      • Part of subcall function 00B301EA: LoadLibraryA.KERNEL32 ref: 00B3023A
      • Part of subcall function 00B3D1E0: InitializeCriticalSection.KERNEL32(00B45AA4), ref: 00B3D207
      • Part of subcall function 00B3D1E0: InitializeCriticalSection.KERNEL32 ref: 00B3D218
      • Part of subcall function 00B3D1E0: memset.MSVCRT ref: 00B3D229
      • Part of subcall function 00B3D1E0: TlsAlloc.KERNEL32(?,?,00000000,?,?,00000001), ref: 00B3D240
      • Part of subcall function 00B3D1E0: GetModuleHandleW.KERNEL32(00000000), ref: 00B3D25C
      • Part of subcall function 00B3D1E0: GetModuleHandleW.KERNEL32 ref: 00B3D272
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00B3AD59
    • Process32FirstW.KERNEL32 ref: 00B3AD74
    • PathFindFileNameW.SHLWAPI ref: 00B3AD87
    • StrCmpNIW.SHLWAPI(rapport,?,00000007), ref: 00B3AD99
    • Process32NextW.KERNEL32(?,?), ref: 00B3ADA9
    • CloseHandle.KERNEL32 ref: 00B3ADB4
    • WSAStartup.WS2_32(00000202), ref: 00B3ADC4
    • CreateEventW.KERNEL32(00B449B4,00000001,00000000,00000000), ref: 00B3ADEC
      • Part of subcall function 00B1AEE3: OpenProcessToken.ADVAPI32(?,00000008), ref: 00B1AEF5
      • Part of subcall function 00B1AEE3: GetTokenInformation.ADVAPI32(?,0000000C,00B449A8,00000004), ref: 00B1AF1D
      • Part of subcall function 00B1AEE3: CloseHandle.KERNEL32(?), ref: 00B1AF33
    • GetLengthSid.ADVAPI32(?,?,?,?,00000001), ref: 00B3AE22
      • Part of subcall function 00B3AA9A: GetTempPathW.KERNEL32(00000104), ref: 00B3AAB7
      • Part of subcall function 00B3AA9A: GetLongPathNameW.KERNEL32(?,C:\Documents and Settings\Administrator\Local Settings\Temp,00000104,?,?), ref: 00B3AACF
      • Part of subcall function 00B3AA9A: PathRemoveBackslashW.SHLWAPI(C:\Documents and Settings\Administrator\Local Settings\Temp), ref: 00B3AADA
      • Part of subcall function 00B3AA9A: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?), ref: 00B3AB00
    • GetCurrentProcessId.KERNEL32 ref: 00B3AE4D
      • Part of subcall function 00B3AB23: SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000), ref: 00B3AB64
      • Part of subcall function 00B3AB23: lstrcmpiW.KERNEL32 ref: 00B3AB93
      • Part of subcall function 00B3ABBF: lstrcatW.KERNEL32(?,.dat), ref: 00B3AC32
      • Part of subcall function 00B3ABBF: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B3AC57
      • Part of subcall function 00B3ABBF: ReadFile.KERNEL32(?,?,000001FE,?,00000000), ref: 00B3AC75
      • Part of subcall function 00B3ABBF: CloseHandle.KERNEL32 ref: 00B3AC82
      • Part of subcall function 00B2C8A1: IsBadReadPtr.KERNEL32 ref: 00B2C8E0
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00DD28B4,00DD28A8,?,?,00B2A99B,00000000,00B2A6E2,00000000,?,00000000,?,?,?,00B3B2E2,?,00000001), ref: 00B18D3D
    • CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B18D76
    • DuplicateHandle.KERNEL32(000000FF,?,000000FF,00B2A99B,00000000,00000000,00000002), ref: 00B18D95
    • GetLastError.KERNEL32(?,000000FF,00B2A99B,00000000,00000000,00000002,?,?,00B2A99B,00000000,00B2A6E2,00000000,?,00000000), ref: 00B18D9F
    • TerminateThread.KERNEL32 ref: 00B18DA7
    • CloseHandle.KERNEL32 ref: 00B18DAE
      • Part of subcall function 00B224F3: HeapAlloc.KERNEL32(00000000,?,?,?,00B16328,?,?,00B38D10,?,?,?,?,0000FFFF), ref: 00B2251D
      • Part of subcall function 00B224F3: HeapReAlloc.KERNEL32(00000000,?,?,?,?,00B16328,?,?,00B38D10,?,?,?,?,0000FFFF), ref: 00B22530
    • LeaveCriticalSection.KERNEL32(00DD28B4,?,00B2A99B,00000000,00B2A6E2,00000000,?,00000000,?,?,?,00B3B2E2,?,00000001), ref: 00B18DC3
    • ResumeThread.KERNEL32 ref: 00B18DDC
      • Part of subcall function 00B22543: HeapAlloc.KERNEL32(00000008,?,?,00000000,00B2D89F,?,?,?,00000000,00000000,00000000,00B2D869,?,00B1B3C7,?,@echo off%sdel /F "%s"), ref: 00B2256D
      • Part of subcall function 00B22543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00B2D89F,?,?,?,00000000,00000000,00000000,00B2D869,?,00B1B3C7), ref: 00B22580
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00B39BEC
    • memcpy.MSVCRT ref: 00B39C39
    • GetThreadContext.KERNEL32(?,00000010), ref: 00B39CAF
    • SetThreadContext.KERNEL32(?,?), ref: 00B39D1A
    • GetCurrentProcess.KERNEL32 ref: 00B39D33
    • VirtualProtect.KERNEL32(?,0000007C,?), ref: 00B39D58
    • FlushInstructionCache.KERNEL32(?,?,0000007C), ref: 00B39D6A
      • Part of subcall function 00B39A67: memset.MSVCRT ref: 00B39A78
      • Part of subcall function 00B39821: GetCurrentProcess.KERNEL32 ref: 00B39824
      • Part of subcall function 00B39821: VirtualProtect.KERNEL32(3D920000,00010000,00000020), ref: 00B39845
      • Part of subcall function 00B39821: FlushInstructionCache.KERNEL32(?,3D920000,00010000), ref: 00B3984E
    • ResumeThread.KERNEL32(?), ref: 00B39DAB
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
      • Part of subcall function 00B39B45: GetCurrentThreadId.KERNEL32 ref: 00B39B46
      • Part of subcall function 00B39B45: VirtualProtect.KERNEL32(?,0000007C,?,?), ref: 00B39B7D
      • Part of subcall function 00B39B45: ResumeThread.KERNEL32(?), ref: 00B39BBE
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
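Added example, not part of the sandbox report: the per-function API listings above record three behaviours worth pulling out automatically. The process-enumeration loop that compares each image name against "rapport" (CreateToolhelp32Snapshot, Process32FirstW/NextW, StrCmpNIW at 00B3AD59 to 00B3ADA9), the remote-memory write (VirtualAllocEx with flProtect 0x40, WriteProcessMemory, VirtualFreeEx at 00BDC93C to 00BDC9A2), and the thread-context rewrite (GetThreadContext, SetThreadContext, VirtualProtect, FlushInstructionCache, ResumeThread at 00B39CAF to 00B39DAB). The script below parses lines in this report's format into function records and matches them against those three call sets. The sample text is a constructed excerpt of entries on this page, and the signature names and the interpretation of each set are mine, not the report's; the page does not name which product "rapport" refers to.

```python
"""Group Joe Sandbox-style API listings into per-function records and match
them against behavioural call-set signatures.  Added example; not report code."""
import re
from typing import Dict, List, Set

# Constructed excerpt in the report's own format: one bullet per API call,
# an indented "Part of subcall function" bullet for calls made by callees,
# and a "Source File" line closing each function record.
SAMPLE_REPORT = """\
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00B3AD59
• Process32FirstW.KERNEL32 ref: 00B3AD74
• PathFindFileNameW.SHLWAPI ref: 00B3AD87
• StrCmpNIW.SHLWAPI(rapport,?,00000007), ref: 00B3AD99
• Process32NextW.KERNEL32(?,?), ref: 00B3ADA9
Memory Dump Source
• Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
APIs
• VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 00BDC93C
  • Part of subcall function 00BD25A7: memcpy.MSVCRT ref: 00BD25C6
• WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00BDC97B
• VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00BDC9A2
Memory Dump Source
• Source File: 00000007.00000002.681121237.00B90000.00000040.sdmp, Offset: 00B90000, based on PE: true
APIs
• GetThreadContext.KERNEL32(?,00000010), ref: 00B39CAF
• SetThreadContext.KERNEL32(?,?), ref: 00B39D1A
• VirtualProtect.KERNEL32(?,0000007C,?), ref: 00B39D58
• FlushInstructionCache.KERNEL32(?,?,0000007C), ref: 00B39D6A
• ResumeThread.KERNEL32(?), ref: 00B39DAB
Memory Dump Source
• Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
"""

# "• Api.MODULE(args), ref: ..." with an optional subcall prefix.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?")

# Signature names are my own; every API in a set must occur in one record.
SIGNATURES: Dict[str, Set[str]] = {
    "process-enum-with-name-compare": {
        "CreateToolhelp32Snapshot", "Process32FirstW", "StrCmpNIW"},
    "remote-memory-write": {"VirtualAllocEx", "WriteProcessMemory"},
    "thread-context-hijack": {
        "GetThreadContext", "SetThreadContext", "ResumeThread"},
}


def parse_records(text: str) -> List[dict]:
    """Split report text into records of {apis, args, source}."""
    records: List[dict] = []
    current: dict = {"apis": [], "args": {}, "source": None}
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            current["apis"].append(m.group("api"))
            if m.group("args") is not None:
                # keep the first argument list seen for each API in the record
                current["args"].setdefault(m.group("api"),
                                           m.group("args").split(","))
        elif "Source File:" in line:
            current["source"] = (line.split("Source File:")[1]
                                 .split(",")[0].strip())
            records.append(current)
            current = {"apis": [], "args": {}, "source": None}
    return records


def match_signatures(record: dict) -> List[str]:
    present = set(record["apis"])
    return sorted(n for n, needed in SIGNATURES.items() if needed <= present)


def scan(text: str) -> Dict[str, List[str]]:
    """Map each matched signature to the dump files whose records hit it."""
    hits: Dict[str, List[str]] = {}
    for rec in parse_records(text):
        for name in match_signatures(rec):
            hits.setdefault(name, []).append(rec["source"])
    return hits


def virtual_alloc_ex_is_rwx(record: dict) -> bool:
    """True when VirtualAllocEx was called with flProtect 0x40
    (PAGE_EXECUTE_READWRITE), the usual protection for injected code."""
    args = record["args"].get("VirtualAllocEx")
    if not args or len(args) < 5 or args[4].strip() == "?":
        return False
    return int(args[4], 16) == 0x40


if __name__ == "__main__":
    for name, sources in scan(SAMPLE_REPORT).items():
        print(f"{name}: {sources}")
```

Subcall bullets are folded into the enclosing record, which is what you want for call-set matching (the memcpy inside the VirtualAllocEx record is the copy into the buffer that is then written remotely), but it also means a helper shared by many functions can make a signature fire in every record that calls it; restrict a set to direct calls if that becomes noisy.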
    APIs
    • InitializeSecurityDescriptor.ADVAPI32(00B449C0,00000001), ref: 00B21F5F
    • SetSecurityDescriptorDacl.ADVAPI32(00B449C0,00000001,00000000,00000000), ref: 00B21F70
    • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NRNWNX;;;LW),00000001,?,00000000), ref: 00B21F86
    • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00B21FA2
    • SetSecurityDescriptorSacl.ADVAPI32(00B449C0,?,?,00000001), ref: 00B21FB6
    • LocalFree.KERNEL32(?), ref: 00B21FC8
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
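Added example, not part of the report: the record above builds a security descriptor with a NULL DACL (SetSecurityDescriptorDacl with bDaclPresent=1, pDacl=0 at 00B21F70) and then installs the SACL from the string "S:(ML;;NRNWNX;;;LW)" (00B21F86). Decoded with the documented SDDL tokens, that is a mandatory-label ACE at the Low integrity level with the no-read-up, no-write-up and no-execute-up policy bits. The function below decodes such strings and answers the question a practitioner asks about this pattern: can a low-integrity caller, such as a Protected Mode browser process, write to the object? The SDDL token values are documented Windows constants; the verdict logic and the NULL-DACL shortcut are my own simplification, since a real DACL would need to be evaluated rather than assumed absent.

```python
"""Decode mandatory-label ACEs from an SDDL SACL string and decide whether a
low-integrity process can write the object.  Added example; not report code."""
import re
from typing import Dict, List

# SYSTEM_MANDATORY_LABEL_* policy bits (winnt.h) as SDDL rights tokens
ML_POLICY = {"NW": 0x1, "NR": 0x2, "NX": 0x4}
# Integrity-level SID aliases: alias -> (SID, RID, name)
ML_LEVELS = {
    "LW": ("S-1-16-4096", 4096, "Low"),
    "ME": ("S-1-16-8192", 8192, "Medium"),
    "HI": ("S-1-16-12288", 12288, "High"),
    "SI": ("S-1-16-16384", 16384, "System"),
}
LOW_RID = 4096

ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_label_aces(sddl: str) -> List[Dict]:
    """Return the ML (mandatory label) ACEs found in the S: part of an SDDL string.
    ACE fields are type;flags;rights;object_guid;inherit_guid;sid."""
    sacl = sddl.split("S:", 1)[1] if "S:" in sddl else ""
    aces = []
    for body in ACE_RE.findall(sacl):
        fields = body.split(";")
        if len(fields) < 6 or fields[0] != "ML":
            continue
        rights = fields[2]
        policy = sorted(name for name in ML_POLICY if name in rights)
        sid, rid, level = ML_LEVELS.get(fields[5], (fields[5], None, "unknown"))
        aces.append({"policy": policy,
                     "mask": sum(ML_POLICY[p] for p in policy),
                     "sid": sid, "rid": rid, "level": level})
    return aces


def low_integrity_can_write(sddl: str, null_dacl: bool) -> bool:
    """A NULL DACL grants everyone full access, so the only remaining barrier
    is the mandatory label: a label above Low with NW set blocks writes from
    a low-integrity caller.  Without a NULL DACL this helper would have to
    evaluate the real DACL, which it does not do (assumption: returns False)."""
    if not null_dacl:
        return False
    for ace in parse_label_aces(sddl):
        if ace["rid"] is not None and ace["rid"] > LOW_RID and "NW" in ace["policy"]:
            return False
    return True


if __name__ == "__main__":
    sample = "S:(ML;;NRNWNX;;;LW)"   # string seen in the call at 00B21F86
    print(parse_label_aces(sample))
    print("low-integrity writable:", low_integrity_can_write(sample, True))
```

Labelling an object Low while leaving the DACL NULL is the combination to look for when a sample is expected to talk to code it injected into a sandboxed browser: the default label for objects created by a medium-integrity process would stop a low-integrity peer from writing to them, and this descriptor removes that barrier.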
    APIs
    • memset.MSVCRT ref: 00B3990F
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00B39920
    • VirtualAlloc.KERNEL32(?,00010000,00003000,00000040), ref: 00B39954
    • memset.MSVCRT ref: 00B39994
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00B399A5
    • VirtualAlloc.KERNEL32(?,00010000,00003000,00000040), ref: 00B399E5
    • memset.MSVCRT ref: 00B39A50
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B2204E: memcpy.MSVCRT ref: 00B2205C
      • Part of subcall function 00B3570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00B3ABEA,00B3ABEA), ref: 00B3573C
    • lstrcatW.KERNEL32(?,.dat), ref: 00B3AC32
    • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B3AC57
    • ReadFile.KERNEL32(?,?,000001FE,?,00000000), ref: 00B3AC75
    • CloseHandle.KERNEL32 ref: 00B3AC82
      • Part of subcall function 00B3D2D7: EnterCriticalSection.KERNEL32(00DD1E90,?), ref: 00B3D2EB
      • Part of subcall function 00B3D2D7: GetFileVersionInfoSizeW.VERSION(00DD1EF0), ref: 00B3D30C
      • Part of subcall function 00B3D2D7: GetFileVersionInfoW.VERSION(00DD1EF0,00000000), ref: 00B3D32A
      • Part of subcall function 00B3D2D7: LeaveCriticalSection.KERNEL32(00DD1E90,00000001,00000001,00000001,00000001), ref: 00B3D413
      • Part of subcall function 00B18F6F: memcpy.MSVCRT ref: 00B18FE0
      • Part of subcall function 00B18F6F: PathRemoveBackslashW.SHLWAPI ref: 00B18FEA
      • Part of subcall function 00B18F6F: memcpy.MSVCRT ref: 00B19033
      • Part of subcall function 00B18F6F: memcpy.MSVCRT ref: 00B19060
      • Part of subcall function 00B18F6F: PathRemoveBackslashW.SHLWAPI ref: 00B1906A
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00B3ABF1
    • .dat, xrefs: 00B3AC26
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00B39DED
      • Part of subcall function 00B224C1: HeapAlloc.KERNEL32(00000000,00000028,?,00B3D211,?,?,00000000,?,?,00000001), ref: 00B224D2
      • Part of subcall function 00B3985F: memset.MSVCRT ref: 00B3990F
      • Part of subcall function 00B3985F: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00B39920
      • Part of subcall function 00B3985F: VirtualAlloc.KERNEL32(?,00010000,00003000,00000040), ref: 00B39954
      • Part of subcall function 00B3985F: memset.MSVCRT ref: 00B39994
      • Part of subcall function 00B3985F: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00B399A5
      • Part of subcall function 00B3985F: VirtualAlloc.KERNEL32(?,00010000,00003000,00000040), ref: 00B399E5
      • Part of subcall function 00B3985F: memset.MSVCRT ref: 00B39A50
      • Part of subcall function 00B364A4: SetLastError.KERNEL32(0000000D), ref: 00B364DF
    • memcpy.MSVCRT ref: 00B39F56
    • VirtualProtect.KERNEL32(?,?,00000040,00000000), ref: 00B39FE2
    • GetLastError.KERNEL32(?,00000040,00000000,?,?,00000000), ref: 00B39FEC
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
      • Part of subcall function 00B39A67: memset.MSVCRT ref: 00B39A78
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00B45AA4,00000000,?,?,00B193C9), ref: 00B3D5B6
    • LeaveCriticalSection.KERNEL32(00B45AA4,?,?,00B193C9), ref: 00B3D5DC
      • Part of subcall function 00B3D4EF: memset.MSVCRT ref: 00B3D506
    • CreateMutexW.KERNEL32(00B449B4,00000000,Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}), ref: 00B3D5EE
      • Part of subcall function 00B175E7: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B175ED
      • Part of subcall function 00B175E7: CloseHandle.KERNEL32 ref: 00B175FF
    Strings
    • Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}, xrefs: 00B3D5E3
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • LoadLibraryW.KERNEL32 ref: 00B34736
    • GetProcAddress.KERNEL32 ref: 00B3475E
    • StrChrA.SHLWAPI(?,00000040), ref: 00B34885
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
    • StrChrW.SHLWAPI(?,00000040,?,?,?,?,?,?,?,?,00000000,00000000,?,?,?,00000000), ref: 00B34866
      • Part of subcall function 00B2D12D: lstrlenW.KERNEL32(00B0C448), ref: 00B2D149
      • Part of subcall function 00B2D12D: lstrlenW.KERNEL32 ref: 00B2D14F
      • Part of subcall function 00B2D12D: memcpy.MSVCRT ref: 00B2D173
    • FreeLibrary.KERNEL32 ref: 00B3496B
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00DD1E90,?), ref: 00B3D2EB
      • Part of subcall function 00B2BDA7: GetModuleHandleW.KERNEL32 ref: 00B2BDC3
      • Part of subcall function 00B2BDA7: GetModuleHandleW.KERNEL32 ref: 00B2BDFE
    • GetFileVersionInfoSizeW.VERSION(00DD1EF0), ref: 00B3D30C
    • GetFileVersionInfoW.VERSION(00DD1EF0,00000000), ref: 00B3D32A
      • Part of subcall function 00B24EC0: PathFindFileNameW.SHLWAPI(00DD1E90), ref: 00B24ED2
      • Part of subcall function 00B24EC0: InitializeCriticalSection.KERNEL32 ref: 00B24F44
      • Part of subcall function 00B24EC0: DeleteCriticalSection.KERNEL32(00000000,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00DD1EF0), ref: 00B24FBB
      • Part of subcall function 00B1A90A: InitializeCriticalSection.KERNEL32 ref: 00B1A938
      • Part of subcall function 00B1A90A: GetModuleHandleW.KERNEL32 ref: 00B1A976
      • Part of subcall function 00B3C7B5: InitializeCriticalSection.KERNEL32 ref: 00B3C7CA
      • Part of subcall function 00B368C4: EnterCriticalSection.KERNEL32(00B45AA4,00DD1E90,00B3D364,00000001,00000001), ref: 00B368D4
      • Part of subcall function 00B368C4: LeaveCriticalSection.KERNEL32(00B45AA4), ref: 00B368FC
      • Part of subcall function 00B224C1: HeapAlloc.KERNEL32(00000000,00000028,?,00B3D211,?,?,00000000,?,?,00000001), ref: 00B224D2
      • Part of subcall function 00B38AD4: GetCommandLineW.KERNEL32 ref: 00B38B5E
      • Part of subcall function 00B38AD4: CommandLineToArgvW.SHELL32 ref: 00B38B65
      • Part of subcall function 00B38AD4: LocalFree.KERNEL32 ref: 00B38BA5
      • Part of subcall function 00B38AD4: GetModuleHandleW.KERNEL32(?), ref: 00B38BE7
      • Part of subcall function 00B1CE23: VerQueryValueW.VERSION(?,00B0AE74,?,?,00DD1E90,00B3D393), ref: 00B1CE44
      • Part of subcall function 00B1CE23: GetModuleHandleW.KERNEL32(?), ref: 00B1CE85
      • Part of subcall function 00B3FE99: GetModuleHandleW.KERNEL32 ref: 00B3FEB6
      • Part of subcall function 00B2B000: EnterCriticalSection.KERNEL32(00B45AA4,00DD1E90,00B3D39D), ref: 00B2B010
      • Part of subcall function 00B2B000: LeaveCriticalSection.KERNEL32(00B45AA4), ref: 00B2B038
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
    • LeaveCriticalSection.KERNEL32(00DD1E90,00000001,00000001,00000001,00000001), ref: 00B3D413
      • Part of subcall function 00B16D72: EnterCriticalSection.KERNEL32(00B4468C,00000000,00B24F6E,?,000000FF), ref: 00B16D7E
      • Part of subcall function 00B16D72: LeaveCriticalSection.KERNEL32(00B4468C,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00DD1EF0), ref: 00B16D8E
      • Part of subcall function 00B16D9C: LeaveCriticalSection.KERNEL32(00B4468C,00B16E01,00000001,00000000,00000000,?,00B24F82,00000001,00000000,?,000000FF), ref: 00B16DA6
      • Part of subcall function 00B16DAD: LeaveCriticalSection.KERNEL32(00B4468C,?,00B16E13,00000001,00000000,00000000,?,00B24F82,00000001,00000000,?,000000FF), ref: 00B16DBA
      • Part of subcall function 00B3699E: memset.MSVCRT ref: 00B369C6
      • Part of subcall function 00B3699E: InitializeCriticalSection.KERNEL32 ref: 00B369D3
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00B1AF51
    • Thread32First.KERNEL32 ref: 00B1AF6C
    • Thread32Next.KERNEL32(?,?), ref: 00B1AF7F
    • CloseHandle.KERNEL32 ref: 00B1AF8A
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • CreateThread.KERNEL32(00000000,00000000,Function_00053883,00000000), ref: 00B33964
    • WaitForSingleObject.KERNEL32(?,00003A98), ref: 00B33976
    • TerminateThread.KERNEL32(?,00000000), ref: 00B33982
    • CloseHandle.KERNEL32 ref: 00B33989
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • GetCurrentProcess.KERNEL32 ref: 00B39824
    • VirtualProtect.KERNEL32(3D920000,00010000,00000020), ref: 00B39845
    • FlushInstructionCache.KERNEL32(?,3D920000,00010000), ref: 00B3984E
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B307B0: RegCreateKeyExW.ADVAPI32(80000001,00000102,00000000,00000000,00000000,?,00000000,?,?), ref: 00B307D8
    • RegSetValueExW.ADVAPI32(00000000,000000FE,?,00000000,?,?), ref: 00B30823
      • Part of subcall function 00B30755: RegFlushKey.ADVAPI32 ref: 00B30765
      • Part of subcall function 00B30755: RegCloseKey.ADVAPI32 ref: 00B3076D
    Strings
    • Software\Microsoft\Tivyikdiy, xrefs: 00B30803
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00B39AEE
    • VirtualProtect.KERNEL32(3D920000,00010000,00000040,?), ref: 00B39B34
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B16E1F: GetLastError.KERNEL32(3D920680,?,00B1652A), ref: 00B16E21
      • Part of subcall function 00B16E1F: TlsGetValue.KERNEL32(?,?,00B1652A), ref: 00B16E3E
      • Part of subcall function 00B16E1F: TlsSetValue.KERNEL32(00000001), ref: 00B16E50
      • Part of subcall function 00B16E1F: SetLastError.KERNEL32(?,?,00B1652A), ref: 00B16E60
    • NtQueryInformationProcess.NTDLL(?,00000000,?,00000018), ref: 00B23465
      • Part of subcall function 00B3C012: CreateMutexW.KERNEL32(00B449B4,00000001), ref: 00B3C058
      • Part of subcall function 00B3C012: GetLastError.KERNEL32(?,?,?,?,00000002,00000000), ref: 00B3C064
      • Part of subcall function 00B3C012: CloseHandle.KERNEL32 ref: 00B3C072
      • Part of subcall function 00B1C5A8: TlsGetValue.KERNEL32(?,?,00B2349E), ref: 00B1C5B1
      • Part of subcall function 00B3AEB1: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00B3AECF
      • Part of subcall function 00B3AEB1: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00B3AF0A
      • Part of subcall function 00B3AEB1: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00B3AF4A
      • Part of subcall function 00B3AEB1: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00B3AF6D
      • Part of subcall function 00B3AEB1: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00B3AFBD
    • CloseHandle.KERNEL32 ref: 00B234DA
      • Part of subcall function 00B1AF41: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00B1AF51
      • Part of subcall function 00B1AF41: Thread32First.KERNEL32 ref: 00B1AF6C
      • Part of subcall function 00B1AF41: Thread32Next.KERNEL32(?,?), ref: 00B1AF7F
      • Part of subcall function 00B1AF41: CloseHandle.KERNEL32 ref: 00B1AF8A
      • Part of subcall function 00B16EA5: GetLastError.KERNEL32(?,00B16577), ref: 00B16EA6
      • Part of subcall function 00B16EA5: TlsSetValue.KERNEL32(00000000), ref: 00B16EB6
      • Part of subcall function 00B16EA5: SetLastError.KERNEL32(?,?,00B16577), ref: 00B16EBD
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • CreateMutexW.KERNEL32(00B449B4,00000000), ref: 00B3C0BF
      • Part of subcall function 00B175E7: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B175ED
      • Part of subcall function 00B175E7: CloseHandle.KERNEL32 ref: 00B175FF
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • CoCreateInstance.OLE32(?,00000000,00004401,?,?), ref: 00B2427E
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • CoInitializeEx.OLE32(00000000,00000000), ref: 00B24206
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B224C1: HeapAlloc.KERNEL32(00000000,00000028,?,00B3D211,?,?,00000000,?,?,00000001), ref: 00B224D2
      • Part of subcall function 00B3083C: RegQueryValueExW.ADVAPI32(?,00000010,00000000,?,?,?), ref: 00B30850
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00B30903
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • RegCreateKeyExW.ADVAPI32(80000001,00000102,00000000,00000000,00000000,?,00000000,?,?), ref: 00B307D8
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 00B30971
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • HeapCreate.KERNEL32(00000000,00080000,00000000), ref: 00B224A1
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • RegQueryValueExW.ADVAPI32(?,00000010,00000000,?,?,?), ref: 00B30850
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B24269: CoCreateInstance.OLE32(?,00000000,00004401,?,?), ref: 00B2427E
    • lstrlenW.KERNEL32(00000000), ref: 00B33F89
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
      • Part of subcall function 00B33CD3: lstrlenW.KERNEL32(?), ref: 00B33E1B
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    Non-executed Functions
    APIs
    • socket.WS2_32(?,00000001,00000006), ref: 00B23BCA
    • bind.WS2_32 ref: 00B23BE7
    • listen.WS2_32(?,00000001), ref: 00B23BF4
    • WSAGetLastError.WS2_32(?,?,?,?,00000001,00000006,?,?,00B2EE5F,?,?,?), ref: 00B23BFE
    • closesocket.WS2_32 ref: 00B23C07
    • WSASetLastError.WS2_32(?,?,?,?,?,?,00000001,00000006,?,?,00B2EE5F,?,?,?), ref: 00B23C0E
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B1B7D0: socket.WS2_32(?,?,00000006), ref: 00B1B804
    • bind.WS2_32(?,00B1BCEA), ref: 00B1BC53
    • listen.WS2_32(?,00000014), ref: 00B1BC68
    • WSAGetLastError.WS2_32(00000000,?,00B1BCEA,?,?,?,?,00000000), ref: 00B1BC76
      • Part of subcall function 00B1B979: shutdown.WS2_32(?,00000002), ref: 00B1B987
      • Part of subcall function 00B1B979: closesocket.WS2_32 ref: 00B1B990
      • Part of subcall function 00B1B979: WSACloseEvent.WS2_32 ref: 00B1B9A3
    • WSASetLastError.WS2_32(?,?,00B1BCEA,?,?,?,?,00000000), ref: 00B1BC86
      • Part of subcall function 00B1B928: WSACreateEvent.WS2_32(00000000,?,00B1BB6E,00000033,00000000,?,?,?,00B2C4F0,?,00003A98,?,00000000,?,00000003), ref: 00B1B93E
      • Part of subcall function 00B1B928: WSAEventSelect.WS2_32(?,?,00000033), ref: 00B1B954
      • Part of subcall function 00B1B928: WSACloseEvent.WS2_32 ref: 00B1B968
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • StrStrIW.SHLWAPI(tellerplus,00DD1E90), ref: 00B3C1A4
    • StrStrIW.SHLWAPI(bancline), ref: 00B3C1B9
    • StrStrIW.SHLWAPI(fidelity), ref: 00B3C1CE
    • StrStrIW.SHLWAPI(micrsolv), ref: 00B3C1E3
    • StrStrIW.SHLWAPI(bankman), ref: 00B3C1F8
    • StrStrIW.SHLWAPI(vantiv), ref: 00B3C20D
    • StrStrIW.SHLWAPI(episys), ref: 00B3C222
    • StrStrIW.SHLWAPI(jack henry), ref: 00B3C237
    • StrStrIW.SHLWAPI(cruisenet), ref: 00B3C24C
    • StrStrIW.SHLWAPI(gplusmain), ref: 00B3C261
    • StrStrIW.SHLWAPI(launchpadshell.exe), ref: 00B3C276
    • StrStrIW.SHLWAPI(dirclt32.exe), ref: 00B3C28B
    • StrStrIW.SHLWAPI(wtng.exe), ref: 00B3C29C
    • StrStrIW.SHLWAPI(prologue.exe), ref: 00B3C2AD
    • StrStrIW.SHLWAPI(silverlake), ref: 00B3C2BE
    • StrStrIW.SHLWAPI(pcsws.exe), ref: 00B3C2CF
    • StrStrIW.SHLWAPI(v48d0250s1), ref: 00B3C2E0
    • StrStrIW.SHLWAPI(fdmaster.exe), ref: 00B3C2F1
    • StrStrIW.SHLWAPI(fastdoc), ref: 00B3C302
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • LoadLibraryA.KERNEL32(gdiplus.dll), ref: 00B17FBA
    • GetProcAddress.KERNEL32(?,GdiplusStartup), ref: 00B17FD2
    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00B18011
    • CreateCompatibleDC.GDI32 ref: 00B18022
    • LoadCursorW.USER32(00000000,00007F00), ref: 00B18038
    • GetIconInfo.USER32 ref: 00B1804C
    • GetCursorPos.USER32(?), ref: 00B1805B
    • GetDeviceCaps.GDI32(?,00000008), ref: 00B18072
    • GetDeviceCaps.GDI32(?,0000000A), ref: 00B1807B
    • CreateCompatibleBitmap.GDI32(?,?), ref: 00B18087
    • SelectObject.GDI32 ref: 00B18095
    • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,40CC0020), ref: 00B180B6
    • DrawIcon.USER32(?,?,?,?), ref: 00B180E8
      • Part of subcall function 00B31285: GetProcAddress.KERNEL32(?,GdipCreateBitmapFromHBITMAP), ref: 00B3129A
      • Part of subcall function 00B31285: GetProcAddress.KERNEL32(?,GdipDisposeImage), ref: 00B312A5
    • SelectObject.GDI32(?,?), ref: 00B18104
    • DeleteObject.GDI32 ref: 00B1810B
    • DeleteDC.GDI32 ref: 00B18112
    • DeleteDC.GDI32 ref: 00B18119
    • FreeLibrary.KERNEL32(?), ref: 00B18129
    • GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 00B1813F
    • FreeLibrary.KERNEL32(?), ref: 00B18153
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B28432: CreateFileW.KERNEL32(00DD1EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B2844B
      • Part of subcall function 00B28432: GetFileSizeEx.KERNEL32 ref: 00B2845E
      • Part of subcall function 00B28432: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00B28484
      • Part of subcall function 00B28432: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00B2849C
      • Part of subcall function 00B28432: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00B284BA
      • Part of subcall function 00B28432: CloseHandle.KERNEL32 ref: 00B284C3
    • CreateMutexW.KERNEL32(00B449B4,00000001), ref: 00B3B550
    • GetLastError.KERNEL32(?,38901130,?,00000001,?,?,00000001,?,?,?,00B3B8C7), ref: 00B3B560
    • CloseHandle.KERNEL32 ref: 00B3B56E
    • CloseHandle.KERNEL32 ref: 00B3B697
      • Part of subcall function 00B3AFE8: memcpy.MSVCRT ref: 00B3AFF8
    • lstrlenW.KERNEL32 ref: 00B3B5D0
      • Part of subcall function 00B15B9B: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00B15BC1
      • Part of subcall function 00B15B9B: Process32FirstW.KERNEL32 ref: 00B15BE6
      • Part of subcall function 00B15B9B: OpenProcess.KERNEL32(00000400,00000000,?), ref: 00B15C3D
      • Part of subcall function 00B15B9B: CloseHandle.KERNEL32 ref: 00B15C5B
      • Part of subcall function 00B15B9B: GetLengthSid.ADVAPI32 ref: 00B15C77
      • Part of subcall function 00B15B9B: memcmp.MSVCRT ref: 00B15C8F
      • Part of subcall function 00B15B9B: CloseHandle.KERNEL32(?), ref: 00B15D07
      • Part of subcall function 00B15B9B: Process32NextW.KERNEL32(?,?), ref: 00B15D13
      • Part of subcall function 00B15B9B: CloseHandle.KERNEL32 ref: 00B15D26
    • ExitWindowsEx.USER32(00000014,80000000), ref: 00B3B615
    • OpenEventW.KERNEL32(00000002,00000000), ref: 00B3B63B
    • SetEvent.KERNEL32 ref: 00B3B648
    • CloseHandle.KERNEL32 ref: 00B3B64F
    • Sleep.KERNEL32(00007530), ref: 00B3B674
      • Part of subcall function 00B1AF99: GetCurrentThread.KERNEL32 ref: 00B1AFAD
      • Part of subcall function 00B1AF99: OpenThreadToken.ADVAPI32 ref: 00B1AFB4
      • Part of subcall function 00B1AF99: GetCurrentProcess.KERNEL32 ref: 00B1AFC4
      • Part of subcall function 00B1AF99: OpenProcessToken.ADVAPI32 ref: 00B1AFCB
      • Part of subcall function 00B1AF99: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege), ref: 00B1AFEC
      • Part of subcall function 00B1AF99: AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 00B1B001
      • Part of subcall function 00B1AF99: GetLastError.KERNEL32 ref: 00B1B00B
      • Part of subcall function 00B1AF99: CloseHandle.KERNEL32(00000001), ref: 00B1B01C
    • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000001,80000000), ref: 00B3B68C
    • Sleep.KERNEL32(000000FF), ref: 00B3B694
    • IsWellKnownSid.ADVAPI32(00DD1EC0,00000016), ref: 00B3B6E5
    • CreateEventW.KERNEL32(00B449B4,00000001,00000000), ref: 00B3B7B4
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B3B7CD
    • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,000000FF), ref: 00B3B7DF
    • CloseHandle.KERNEL32(00000000), ref: 00B3B7F6
    • CloseHandle.KERNEL32(?), ref: 00B3B7FC
    • CloseHandle.KERNEL32(?), ref: 00B3B802
      • Part of subcall function 00B1766D: ReleaseMutex.KERNEL32 ref: 00B17671
      • Part of subcall function 00B1766D: CloseHandle.KERNEL32 ref: 00B17678
      • Part of subcall function 00B21DFA: VirtualProtect.KERNEL32(00B196C7,?,00000040), ref: 00B21E12
      • Part of subcall function 00B21DFA: VirtualProtect.KERNEL32(00B196C7,?,?), ref: 00B21E85
      • Part of subcall function 00B196C7: FreeLibrary.KERNEL32(00000003), ref: 00B196B9
      • Part of subcall function 00B3BC89: memcpy.MSVCRT ref: 00B3BCA4
      • Part of subcall function 00B3BC89: StringFromGUID2.OLE32 ref: 00B3BD4A
      • Part of subcall function 00B19931: LoadLibraryW.KERNEL32 ref: 00B19953
      • Part of subcall function 00B19931: GetProcAddress.KERNEL32 ref: 00B19977
      • Part of subcall function 00B19931: SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001), ref: 00B199AF
      • Part of subcall function 00B19931: lstrlenW.KERNEL32 ref: 00B199C7
      • Part of subcall function 00B19931: StrCmpNIW.SHLWAPI ref: 00B199DB
      • Part of subcall function 00B19931: lstrlenW.KERNEL32 ref: 00B199F1
      • Part of subcall function 00B19931: memcpy.MSVCRT ref: 00B199FD
      • Part of subcall function 00B19931: FreeLibrary.KERNEL32 ref: 00B19A13
      • Part of subcall function 00B19931: NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,?,?,?), ref: 00B19A52
      • Part of subcall function 00B19931: NetUserGetInfo.NETAPI32(00000000,00000000,00000017), ref: 00B19A8E
      • Part of subcall function 00B19931: NetApiBufferFree.NETAPI32(?), ref: 00B19B39
      • Part of subcall function 00B19931: NetApiBufferFree.NETAPI32(00000000), ref: 00B19B4B
      • Part of subcall function 00B19931: SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001), ref: 00B19B6A
      • Part of subcall function 00B1B314: CharToOemW.USER32(00DD1EF0), ref: 00B1B325
      • Part of subcall function 00B42AC0: GetCommandLineW.KERNEL32 ref: 00B42ADA
      • Part of subcall function 00B42AC0: CommandLineToArgvW.SHELL32 ref: 00B42AE1
      • Part of subcall function 00B42AC0: StrCmpNW.SHLWAPI(?,00B0CA4C,00000002), ref: 00B42B07
      • Part of subcall function 00B42AC0: LocalFree.KERNEL32 ref: 00B42B33
      • Part of subcall function 00B42AC0: MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,00001000), ref: 00B42B70
      • Part of subcall function 00B42AC0: memcpy.MSVCRT ref: 00B42B83
      • Part of subcall function 00B42AC0: UnmapViewOfFile.KERNEL32 ref: 00B42BBC
      • Part of subcall function 00B42AC0: memcpy.MSVCRT ref: 00B42BDF
      • Part of subcall function 00B42AC0: CloseHandle.KERNEL32 ref: 00B42BF8
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
      • Part of subcall function 00B3C09D: CreateMutexW.KERNEL32(00B449B4,00000000), ref: 00B3C0BF
      • Part of subcall function 00B1987E: memcpy.MSVCRT ref: 00B19894
      • Part of subcall function 00B1987E: memcmp.MSVCRT ref: 00B198B6
      • Part of subcall function 00B1987E: lstrcmpiW.KERNEL32(00000000,000000FF), ref: 00B1990F
      • Part of subcall function 00B284D3: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00B284E4
      • Part of subcall function 00B284D3: CloseHandle.KERNEL32 ref: 00B284F3
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 00B3B779
    • SeShutdownPrivilege, xrefs: 00B3B676
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • LoadLibraryW.KERNEL32 ref: 00B19953
    • GetProcAddress.KERNEL32 ref: 00B19977
    • SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001), ref: 00B199AF
    • lstrlenW.KERNEL32 ref: 00B199C7
    • StrCmpNIW.SHLWAPI ref: 00B199DB
    • lstrlenW.KERNEL32 ref: 00B199F1
    • memcpy.MSVCRT ref: 00B199FD
    • FreeLibrary.KERNEL32 ref: 00B19A13
    • NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,?,?,?), ref: 00B19A52
    • NetUserGetInfo.NETAPI32(00000000,00000000,00000017), ref: 00B19A8E
      • Part of subcall function 00B3B31B: ConvertSidToStringSidW.ADVAPI32(?,?), ref: 00B3B32F
      • Part of subcall function 00B3B31B: PathUnquoteSpacesW.SHLWAPI ref: 00B3B394
      • Part of subcall function 00B3B31B: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00B3B3A3
      • Part of subcall function 00B3B31B: LocalFree.KERNEL32(00000001), ref: 00B3B3B7
    • NetApiBufferFree.NETAPI32(?), ref: 00B19B39
      • Part of subcall function 00B18F6F: memcpy.MSVCRT ref: 00B18FE0
      • Part of subcall function 00B18F6F: PathRemoveBackslashW.SHLWAPI ref: 00B18FEA
      • Part of subcall function 00B18F6F: memcpy.MSVCRT ref: 00B19033
      • Part of subcall function 00B18F6F: memcpy.MSVCRT ref: 00B19060
      • Part of subcall function 00B18F6F: PathRemoveBackslashW.SHLWAPI ref: 00B1906A
      • Part of subcall function 00B190A3: PathSkipRootW.SHLWAPI ref: 00B190CD
      • Part of subcall function 00B190A3: GetFileAttributesW.KERNEL32(00000000), ref: 00B190FA
      • Part of subcall function 00B190A3: CreateDirectoryW.KERNEL32(?,00000000), ref: 00B1910E
      • Part of subcall function 00B190A3: SetLastError.KERNEL32(00000050,?,?,00000000), ref: 00B19131
      • Part of subcall function 00B19583: LoadLibraryW.KERNEL32 ref: 00B195A7
      • Part of subcall function 00B19583: GetProcAddress.KERNEL32 ref: 00B195D5
      • Part of subcall function 00B19583: GetProcAddress.KERNEL32 ref: 00B195EF
      • Part of subcall function 00B19583: GetProcAddress.KERNEL32 ref: 00B1960B
      • Part of subcall function 00B19583: WTSGetActiveConsoleSessionId.KERNEL32 ref: 00B19638
      • Part of subcall function 00B19583: FreeLibrary.KERNEL32(00000003), ref: 00B196B9
    • NetApiBufferFree.NETAPI32(00000000), ref: 00B19B4B
    • SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001), ref: 00B19B6A
      • Part of subcall function 00B3038C: CreateDirectoryW.KERNEL32(?,00000000), ref: 00B30405
      • Part of subcall function 00B3038C: SetFileAttributesW.KERNEL32(?), ref: 00B30424
      • Part of subcall function 00B3038C: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,?,00000000), ref: 00B3043B
      • Part of subcall function 00B3038C: GetLastError.KERNEL32 ref: 00B30448
      • Part of subcall function 00B3038C: CloseHandle.KERNEL32 ref: 00B30481
      • Part of subcall function 00B4258D: GetFileSizeEx.KERNEL32(00000000), ref: 00B425C4
      • Part of subcall function 00B4258D: SetEndOfFile.KERNEL32 ref: 00B4263A
      • Part of subcall function 00B4258D: FlushFileBuffers.KERNEL32(?), ref: 00B42645
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • GetProcAddress.KERNEL32(00B3FEC7), ref: 00B3F8AB
    • GetProcAddress.KERNEL32(00B3FEC7), ref: 00B3F8CB
    • GetProcAddress.KERNEL32(00B3FEC7), ref: 00B3F8E4
    • GetProcAddress.KERNEL32(00B3FEC7), ref: 00B3F8FD
    • GetProcAddress.KERNEL32(00B3FEC7), ref: 00B3F916
    • GetProcAddress.KERNEL32(00B3FEC7), ref: 00B3F92F
    • GetProcAddress.KERNEL32(00B3FEC7), ref: 00B3F94C
    • GetProcAddress.KERNEL32(00B3FEC7), ref: 00B3F969
    • GetProcAddress.KERNEL32(00B3FEC7), ref: 00B3F986
    • GetProcAddress.KERNEL32(00B3FEC7,?), ref: 00B3F9A3
    • GetProcAddress.KERNEL32(00B3FEC7), ref: 00B3F9C0
    • GetProcAddress.KERNEL32(00B3FEC7), ref: 00B3F9DD
    • GetProcAddress.KERNEL32(00B3FEC7), ref: 00B3F9FA
    • GetProcAddress.KERNEL32(00B3FEC7), ref: 00B3FA17
    • GetProcAddress.KERNEL32(00B3FEC7), ref: 00B3FA34
    • GetProcAddress.KERNEL32(00B3FEC7), ref: 00B3FA51
    • GetProcAddress.KERNEL32(00B3FEC7), ref: 00B3FA6E
    • GetProcAddress.KERNEL32(00B3FEC7), ref: 00B3FA8B
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • LoadLibraryA.KERNEL32(userenv.dll), ref: 00B1B1EE
    • GetProcAddress.KERNEL32(?,CreateEnvironmentBlock), ref: 00B1B20C
    • GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 00B1B218
    • memset.MSVCRT ref: 00B1B258
    • CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,00000000), ref: 00B1B2A5
    • CloseHandle.KERNEL32(?), ref: 00B1B2B9
    • CloseHandle.KERNEL32(?), ref: 00B1B2BF
    • FreeLibrary.KERNEL32 ref: 00B1B2D3
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B2D189: lstrlenW.KERNEL32 ref: 00B2D190
      • Part of subcall function 00B2D189: memcpy.MSVCRT ref: 00B2D21E
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
    • getpeername.WS2_32 ref: 00B1A254
      • Part of subcall function 00B1C091: memcmp.MSVCRT ref: 00B1C0B3
      • Part of subcall function 00B19E88: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00B19E9D
      • Part of subcall function 00B19E88: StrCmpIW.SHLWAPI ref: 00B19EA7
      • Part of subcall function 00B1B764: EnterCriticalSection.KERNEL32(00B45AA4,?,00B1B826,?,00B3C86A,00B2C4AB,00B2C4AB,?,00B2C4AB,?,00000001), ref: 00B1B774
      • Part of subcall function 00B1B764: LeaveCriticalSection.KERNEL32(00B45AA4,?,00B1B826,?,00B3C86A,00B2C4AB,00B2C4AB,?,00B2C4AB,?,00000001), ref: 00B1B79E
    • WSAAddressToStringW.WS2_32(?,?,00000000), ref: 00B1A2CC
    • lstrcpyW.KERNEL32(?,0:0), ref: 00B1A2E0
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B35947: GetTempPathW.KERNEL32(00000104,?), ref: 00B35962
      • Part of subcall function 00B35947: PathAddBackslashW.SHLWAPI(?), ref: 00B3598C
      • Part of subcall function 00B35947: CreateDirectoryW.KERNEL32(?), ref: 00B35A44
      • Part of subcall function 00B35947: SetFileAttributesW.KERNEL32(?), ref: 00B35A55
      • Part of subcall function 00B35947: CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 00B35A6E
      • Part of subcall function 00B35947: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000080,?,?,00000000), ref: 00B35A7F
    • CharToOemW.USER32 ref: 00B1B3AB
    • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 00B1B3E2
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
    • CloseHandle.KERNEL32(000000FF), ref: 00B1B40A
    • GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104), ref: 00B1B44C
    • memset.MSVCRT ref: 00B1B461
    • CloseHandle.KERNEL32(000000FF), ref: 00B1B49C
      • Part of subcall function 00B35E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00B35E26
      • Part of subcall function 00B35E1D: DeleteFileW.KERNEL32 ref: 00B35E2D
      • Part of subcall function 00B35934: CloseHandle.KERNEL32 ref: 00B35940
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • LoadLibraryW.KERNEL32(cabinet.dll), ref: 00B31A66
      • Part of subcall function 00B224DA: HeapAlloc.KERNEL32(00000008,?,?,00B1B076,?,?,?,00000000,?,?,00000000,00B3AA69,?,00B3ADD5), ref: 00B224EB
    • GetProcAddress.KERNEL32(?,FCICreate), ref: 00B31A95
    • GetProcAddress.KERNEL32(?,FCIAddFile), ref: 00B31AA4
    • GetProcAddress.KERNEL32(?,FCIFlushCabinet), ref: 00B31AB3
    • GetProcAddress.KERNEL32(?,FCIDestroy), ref: 00B31AC2
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
    • FreeLibrary.KERNEL32 ref: 00B31AF7
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B284FB: memchr.MSVCRT ref: 00B2853B
      • Part of subcall function 00B284FB: memcmp.MSVCRT ref: 00B2855A
    • VirtualProtect.KERNEL32(?,?,00000080,?), ref: 00B2BC21
    • VirtualProtect.KERNEL32(?,?,00000000,?), ref: 00B2BD99
      • Part of subcall function 00B22633: memcmp.MSVCRT ref: 00B22653
      • Part of subcall function 00B225A7: memcpy.MSVCRT ref: 00B225C6
    • GetCurrentThread.KERNEL32 ref: 00B2BCBE
    • GetThreadPriority.KERNEL32 ref: 00B2BCC7
    • SetThreadPriority.KERNEL32(?,0000000F), ref: 00B2BCD2
    • Sleep.KERNEL32(00000000), ref: 00B2BCDA
    • memcpy.MSVCRT ref: 00B2BCE9
    • FlushInstructionCache.KERNEL32(000000FF,?,?), ref: 00B2BCFA
    • SetThreadPriority.KERNEL32 ref: 00B2BD02
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
    • GetTickCount.KERNEL32 ref: 00B2BD3C
    • GetTickCount.KERNEL32 ref: 00B2BD4F
    • Sleep.KERNEL32(00000000), ref: 00B2BD61
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • Sleep.KERNEL32(00003A98), ref: 00B2952D
      • Part of subcall function 00B18C74: InitializeCriticalSection.KERNEL32 ref: 00B18C7B
    • InitializeCriticalSection.KERNEL32 ref: 00B29591
    • memset.MSVCRT ref: 00B295A8
    • InitializeCriticalSection.KERNEL32 ref: 00B295C2
      • Part of subcall function 00B2AAA2: memset.MSVCRT ref: 00B2AAB9
      • Part of subcall function 00B2AAA2: memset.MSVCRT ref: 00B2AB8D
    • InitializeCriticalSection.KERNEL32 ref: 00B2961C
    • memset.MSVCRT ref: 00B29627
    • memset.MSVCRT ref: 00B29635
      • Part of subcall function 00B26431: EnterCriticalSection.KERNEL32(?,?,00000000,?,?,0000002C), ref: 00B26531
      • Part of subcall function 00B26431: LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,?,?,0000002C), ref: 00B26572
      • Part of subcall function 00B26431: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B26581
      • Part of subcall function 00B26431: SetEvent.KERNEL32 ref: 00B26591
      • Part of subcall function 00B26431: GetExitCodeThread.KERNEL32 ref: 00B265A5
      • Part of subcall function 00B26431: CloseHandle.KERNEL32 ref: 00B265BB
      • Part of subcall function 00B28626: getsockopt.WS2_32(?,0000FFFF,00001008,00B09417,00B09417), ref: 00B286B2
      • Part of subcall function 00B28626: GetHandleInformation.KERNEL32 ref: 00B286C4
      • Part of subcall function 00B28626: socket.WS2_32(?,00000001,00000006), ref: 00B286F7
      • Part of subcall function 00B28626: socket.WS2_32(?,00000002,00000011), ref: 00B28708
      • Part of subcall function 00B28626: closesocket.WS2_32(?), ref: 00B28727
      • Part of subcall function 00B28626: closesocket.WS2_32 ref: 00B2872E
      • Part of subcall function 00B28626: memset.MSVCRT ref: 00B287F2
      • Part of subcall function 00B28626: memcpy.MSVCRT ref: 00B28902
      • Part of subcall function 00B224C1: HeapAlloc.KERNEL32(00000000,00000028,?,00B3D211,?,?,00000000,?,?,00000001), ref: 00B224D2
    • WaitForMultipleObjects.KERNEL32(?,?,00000000,0000EA60), ref: 00B296AB
      • Part of subcall function 00B18CBF: EnterCriticalSection.KERNEL32(?,?,?,00B22B51,00000005,00007530,?,00000000,00000000), ref: 00B18CC7
      • Part of subcall function 00B18CBF: WaitForSingleObject.KERNEL32(?,00000000), ref: 00B18CEB
      • Part of subcall function 00B18CBF: CloseHandle.KERNEL32 ref: 00B18CFB
      • Part of subcall function 00B18CBF: LeaveCriticalSection.KERNEL32(?,?,?,?,00B22B51,00000005,00007530,?,00000000,00000000), ref: 00B18D2B
      • Part of subcall function 00B28A6A: EnterCriticalSection.KERNEL32(?,?,?,77C475F0), ref: 00B28A9B
      • Part of subcall function 00B28A6A: WSAGetLastError.WS2_32(?,?,?,?,?,?,?,77C475F0), ref: 00B28B2D
      • Part of subcall function 00B28A6A: SetEvent.KERNEL32 ref: 00B28B80
      • Part of subcall function 00B28A6A: SetEvent.KERNEL32 ref: 00B28BB9
      • Part of subcall function 00B28A6A: LeaveCriticalSection.KERNEL32(?,?,?,?,77C475F0), ref: 00B28C3E
      • Part of subcall function 00B17D03: EnterCriticalSection.KERNEL32(?,?,?,?,?,00B2979E,?,?,?,00000001), ref: 00B17D24
      • Part of subcall function 00B17D03: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,00B2979E,?,?,?,00000001), ref: 00B17D40
      • Part of subcall function 00B158AE: memset.MSVCRT ref: 00B159CD
      • Part of subcall function 00B158AE: memcpy.MSVCRT ref: 00B159E0
      • Part of subcall function 00B158AE: memcpy.MSVCRT ref: 00B159F6
      • Part of subcall function 00B1BD24: accept.WS2_32(?,?), ref: 00B1BD45
      • Part of subcall function 00B1BD24: WSAEventSelect.WS2_32(?,00000000,00000000), ref: 00B1BD57
      • Part of subcall function 00B1BD24: WSAGetLastError.WS2_32(00000023,?,00000000,00000000,?,?), ref: 00B1BD88
      • Part of subcall function 00B1BD24: shutdown.WS2_32(?,00000002), ref: 00B1BDA0
      • Part of subcall function 00B1BD24: closesocket.WS2_32 ref: 00B1BDA7
      • Part of subcall function 00B1BD24: WSASetLastError.WS2_32(00000008,?,?,00000002,?,00000000,00000000,?,?), ref: 00B1BDAE
      • Part of subcall function 00B28C4C: EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,?,?,00B2984D,?,?,00000000,?,?,00000590), ref: 00B28C7F
      • Part of subcall function 00B28C4C: memcmp.MSVCRT ref: 00B28CCD
      • Part of subcall function 00B28C4C: SetEvent.KERNEL32 ref: 00B28D0E
      • Part of subcall function 00B28C4C: LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,?,?,00B2984D,?,?,00000000,?,?,00000590), ref: 00B28D3B
      • Part of subcall function 00B18DE6: EnterCriticalSection.KERNEL32(00DD28B4,?,?,?,00B3B2F2,?,?,00000001), ref: 00B18DEF
      • Part of subcall function 00B18DE6: LeaveCriticalSection.KERNEL32(00DD28B4,?,?,?,00B3B2F2,?,?,00000001), ref: 00B18DF9
      • Part of subcall function 00B18DE6: WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00B18E1F
      • Part of subcall function 00B18DE6: EnterCriticalSection.KERNEL32(00DD28B4,?,?,?,00B3B2F2,?,?,00000001), ref: 00B18E37
      • Part of subcall function 00B18DE6: LeaveCriticalSection.KERNEL32(00DD28B4,?,?,?,00B3B2F2,?,?,00000001), ref: 00B18E41
    • CloseHandle.KERNEL32(00000000), ref: 00B298AA
    • CloseHandle.KERNEL32(00000000), ref: 00B298B7
      • Part of subcall function 00B26865: EnterCriticalSection.KERNEL32(?,?,00000000,?,00B26B6E,00000064,00000000,000000C8,00000000,?,00000001,?,0000002C), ref: 00B2686E
      • Part of subcall function 00B26865: LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00B26B6E,00000064,00000000,000000C8,00000000,?,00000001,?,0000002C), ref: 00B268A5
    • DeleteCriticalSection.KERNEL32 ref: 00B298CD
      • Part of subcall function 00B2ABB8: memset.MSVCRT ref: 00B2ABC8
    • DeleteCriticalSection.KERNEL32 ref: 00B298EC
    • CloseHandle.KERNEL32(00000000), ref: 00B298F9
    • DeleteCriticalSection.KERNEL32 ref: 00B29903
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
      • Part of subcall function 00B18C8F: CloseHandle.KERNEL32 ref: 00B18C9F
      • Part of subcall function 00B18C8F: DeleteCriticalSection.KERNEL32(?,?,00DD28A8,00B3B303,?,?,00000001), ref: 00B18CB6
      • Part of subcall function 00B294FB: WaitForSingleObject.KERNEL32(?,00000000), ref: 00B29503
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • GetProcAddress.KERNEL32(?,GdipGetImageEncodersSize), ref: 00B31304
    • GetProcAddress.KERNEL32(?,GdipGetImageEncoders), ref: 00B3130F
    • GetProcAddress.KERNEL32(?,GdipSaveImageToStream), ref: 00B3131A
      • Part of subcall function 00B224DA: HeapAlloc.KERNEL32(00000008,?,?,00B1B076,?,?,?,00000000,?,?,00000000,00B3AA69,?,00B3ADD5), ref: 00B224EB
    • lstrcmpiW.KERNEL32(?), ref: 00B313A7
    • memcpy.MSVCRT ref: 00B313CA
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
    • CreateStreamOnHGlobal.OLE32(00000000,00000001), ref: 00B313F5
    • memcpy.MSVCRT ref: 00B31423
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • memcpy.MSVCRT ref: 00B42D3D
    • CreateFileMappingW.KERNEL32(000000FF,?,08000004,00000000,00001000,00000000), ref: 00B42D5E
    • MapViewOfFile.KERNEL32(?,00000006,00000000,00000000,00001000), ref: 00B42D76
      • Part of subcall function 00B42922: UnmapViewOfFile.KERNEL32 ref: 00B4292E
      • Part of subcall function 00B42922: CloseHandle.KERNEL32 ref: 00B4293F
    • memset.MSVCRT ref: 00B42DCB
    • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000001,00000004,00000000,00000000,00000000,00000000), ref: 00B42E04
      • Part of subcall function 00B4294A: DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002,00B43210), ref: 00B4297C
      • Part of subcall function 00B4294A: DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002), ref: 00B4299C
      • Part of subcall function 00B4294A: memset.MSVCRT ref: 00B42A39
      • Part of subcall function 00B4294A: memcpy.MSVCRT ref: 00B42A4B
    • ResumeThread.KERNEL32(?), ref: 00B42E27
    • CloseHandle.KERNEL32(?), ref: 00B42E3E
    • CloseHandle.KERNEL32(?), ref: 00B42E44
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • GetCurrentThread.KERNEL32 ref: 00B1AFAD
    • OpenThreadToken.ADVAPI32 ref: 00B1AFB4
    • GetCurrentProcess.KERNEL32 ref: 00B1AFC4
    • OpenProcessToken.ADVAPI32 ref: 00B1AFCB
    • LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege), ref: 00B1AFEC
    • AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 00B1B001
    • GetLastError.KERNEL32 ref: 00B1B00B
    • CloseHandle.KERNEL32(00000001), ref: 00B1B01C
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B2204E: memcpy.MSVCRT ref: 00B2205C
      • Part of subcall function 00B3570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00B3ABEA,00B3ABEA), ref: 00B3573C
    • PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00B19C2E
    • PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00B19C75
    • SetEvent.KERNEL32 ref: 00B19C84
    • WaitForSingleObject.KERNEL32 ref: 00B19C95
      • Part of subcall function 00B2A9C2: Sleep.KERNEL32(000001F4), ref: 00B2AA6D
      • Part of subcall function 00B1913F: FindFirstFileW.KERNEL32(?), ref: 00B19170
      • Part of subcall function 00B1913F: FindNextFileW.KERNEL32(?,?), ref: 00B191C2
      • Part of subcall function 00B1913F: FindClose.KERNEL32 ref: 00B191CD
      • Part of subcall function 00B1913F: SetFileAttributesW.KERNEL32(?,00000080), ref: 00B191D9
      • Part of subcall function 00B1913F: RemoveDirectoryW.KERNEL32 ref: 00B191E0
      • Part of subcall function 00B30B2C: RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B30B87
      • Part of subcall function 00B30B2C: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00B30BF1
      • Part of subcall function 00B30B2C: RegFlushKey.ADVAPI32(?), ref: 00B30C1F
      • Part of subcall function 00B30B2C: RegCloseKey.ADVAPI32(?), ref: 00B30C26
    • CharToOemW.USER32 ref: 00B19D26
    • CharToOemW.USER32 ref: 00B19D36
    • ExitProcess.KERNEL32(00000000,?,?,00000014,?,?,00000014), ref: 00B19D9A
      • Part of subcall function 00B1B365: CharToOemW.USER32 ref: 00B1B3AB
      • Part of subcall function 00B1B365: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 00B1B3E2
      • Part of subcall function 00B1B365: CloseHandle.KERNEL32(000000FF), ref: 00B1B40A
      • Part of subcall function 00B1B365: GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104), ref: 00B1B44C
      • Part of subcall function 00B1B365: memset.MSVCRT ref: 00B1B461
      • Part of subcall function 00B1B365: CloseHandle.KERNEL32(000000FF), ref: 00B1B49C
      • Part of subcall function 00B18F6F: memcpy.MSVCRT ref: 00B18FE0
      • Part of subcall function 00B18F6F: PathRemoveBackslashW.SHLWAPI ref: 00B18FEA
      • Part of subcall function 00B18F6F: memcpy.MSVCRT ref: 00B19033
      • Part of subcall function 00B18F6F: memcpy.MSVCRT ref: 00B19060
      • Part of subcall function 00B18F6F: PathRemoveBackslashW.SHLWAPI ref: 00B1906A
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00B19C4B
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 00B19BFE
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • GetLogicalDrives.KERNEL32 ref: 00B2553C
      • Part of subcall function 00B224DA: HeapAlloc.KERNEL32(00000008,?,?,00B1B076,?,?,?,00000000,?,?,00000000,00B3AA69,?,00B3ADD5), ref: 00B224EB
    • SHGetFolderPathW.SHELL32(00000000,00006024,00000000,00000000), ref: 00B25581
    • PathGetDriveNumberW.SHLWAPI ref: 00B25593
    • lstrcpyW.KERNEL32(?,00B0AACC), ref: 00B255A7
    • GetDriveTypeW.KERNEL32 ref: 00B25610
    • GetVolumeInformationW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000105), ref: 00B25671
    • CharUpperW.USER32(00000000), ref: 00B2568D
    • lstrcmpW.KERNEL32 ref: 00B256B0
    • GetDiskFreeSpaceExW.KERNEL32(?,00000000), ref: 00B256EE
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B2204E: memcpy.MSVCRT ref: 00B2205C
      • Part of subcall function 00B3570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00B3ABEA,00B3ABEA), ref: 00B3573C
    • PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00B36283
      • Part of subcall function 00B18F6F: memcpy.MSVCRT ref: 00B18FE0
      • Part of subcall function 00B18F6F: PathRemoveBackslashW.SHLWAPI ref: 00B18FEA
      • Part of subcall function 00B18F6F: memcpy.MSVCRT ref: 00B19033
      • Part of subcall function 00B18F6F: memcpy.MSVCRT ref: 00B19060
      • Part of subcall function 00B18F6F: PathRemoveBackslashW.SHLWAPI ref: 00B1906A
    • FindFirstFileW.KERNEL32 ref: 00B362F1
    • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00B3634A
    • FindClose.KERNEL32 ref: 00B36453
      • Part of subcall function 00B35AB0: GetFileSizeEx.KERNEL32 ref: 00B35ABB
      • Part of subcall function 00B224DA: HeapAlloc.KERNEL32(00000008,?,?,00B1B076,?,?,?,00000000,?,?,00000000,00B3AA69,?,00B3ADD5), ref: 00B224EB
    • SetLastError.KERNEL32(00000057,?,?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00B363BB
      • Part of subcall function 00B35B34: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00B35B46
    • CloseHandle.KERNEL32 ref: 00B363F5
      • Part of subcall function 00B35934: CloseHandle.KERNEL32 ref: 00B35940
    • FindNextFileW.KERNEL32 ref: 00B36429
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
      • Part of subcall function 00B35E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00B35E26
      • Part of subcall function 00B35E1D: DeleteFileW.KERNEL32 ref: 00B35E2D
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00B36256
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B3CB85: InternetCloseHandle.WININET ref: 00B3CB99
    • HttpOpenRequestA.WININET(?,?,?,HTTP/1.1,00000000,00B0C9E0,?,00000000), ref: 00B3CCE9
    • HttpAddRequestHeadersA.WININET(?,Connection: Close,00000013,A0000000), ref: 00B3CD0C
    • HttpSendRequestExA.WININET(?,?,00000000,00000000,00000000), ref: 00B3CD4E
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00B15BC1
    • Process32FirstW.KERNEL32 ref: 00B15BE6
      • Part of subcall function 00B3C012: CreateMutexW.KERNEL32(00B449B4,00000001), ref: 00B3C058
      • Part of subcall function 00B3C012: GetLastError.KERNEL32(?,?,?,?,00000002,00000000), ref: 00B3C064
      • Part of subcall function 00B3C012: CloseHandle.KERNEL32 ref: 00B3C072
    • OpenProcess.KERNEL32(00000400,00000000,?), ref: 00B15C3D
    • CloseHandle.KERNEL32(?), ref: 00B15D07
      • Part of subcall function 00B1AEE3: OpenProcessToken.ADVAPI32(?,00000008), ref: 00B1AEF5
      • Part of subcall function 00B1AEE3: GetTokenInformation.ADVAPI32(?,0000000C,00B449A8,00000004), ref: 00B1AF1D
      • Part of subcall function 00B1AEE3: CloseHandle.KERNEL32(?), ref: 00B1AF33
    • CloseHandle.KERNEL32 ref: 00B15C5B
    • GetLengthSid.ADVAPI32 ref: 00B15C77
    • memcmp.MSVCRT ref: 00B15C8F
      • Part of subcall function 00B22543: HeapAlloc.KERNEL32(00000008,?,?,00000000,00B2D89F,?,?,?,00000000,00000000,00000000,00B2D869,?,00B1B3C7,?,@echo off%sdel /F "%s"), ref: 00B2256D
      • Part of subcall function 00B22543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00B2D89F,?,?,?,00000000,00000000,00000000,00B2D869,?,00B1B3C7), ref: 00B22580
      • Part of subcall function 00B15B0B: OpenProcess.KERNEL32(0000047A,00000000,?), ref: 00B15B19
      • Part of subcall function 00B15B0B: CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000000,00000000), ref: 00B15B5A
      • Part of subcall function 00B15B0B: WaitForSingleObject.KERNEL32(?,00002710), ref: 00B15B6C
      • Part of subcall function 00B15B0B: CloseHandle.KERNEL32 ref: 00B15B73
      • Part of subcall function 00B15B0B: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00B15B85
      • Part of subcall function 00B15B0B: CloseHandle.KERNEL32 ref: 00B15B8C
    • Process32NextW.KERNEL32(?,?), ref: 00B15D13
    • CloseHandle.KERNEL32 ref: 00B15D26
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • GetProcAddress.KERNEL32(?), ref: 00B1C9E1
    • GetProcAddress.KERNEL32(?,?), ref: 00B1CA03
    • GetProcAddress.KERNEL32(?,?), ref: 00B1CA1E
    • GetProcAddress.KERNEL32(?,?), ref: 00B1CA39
    • GetProcAddress.KERNEL32(?,?), ref: 00B1CA54
    • GetProcAddress.KERNEL32(?), ref: 00B1CA6F
    • GetProcAddress.KERNEL32(?), ref: 00B1CA8E
    • GetProcAddress.KERNEL32(?), ref: 00B1CAAD
    • GetProcAddress.KERNEL32(?), ref: 00B1CACC
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • GetCommandLineW.KERNEL32 ref: 00B42ADA
    • CommandLineToArgvW.SHELL32 ref: 00B42AE1
    • StrCmpNW.SHLWAPI(?,00B0CA4C,00000002), ref: 00B42B07
    • LocalFree.KERNEL32 ref: 00B42B33
      • Part of subcall function 00B224C1: HeapAlloc.KERNEL32(00000000,00000028,?,00B3D211,?,?,00000000,?,?,00000001), ref: 00B224D2
    • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,00001000), ref: 00B42B70
    • memcpy.MSVCRT ref: 00B42B83
      • Part of subcall function 00B2E043: memcpy.MSVCRT ref: 00B2E070
    • UnmapViewOfFile.KERNEL32 ref: 00B42BBC
    • CloseHandle.KERNEL32 ref: 00B42BF8
      • Part of subcall function 00B42F3B: memset.MSVCRT ref: 00B42F5F
      • Part of subcall function 00B42F3B: memcpy.MSVCRT ref: 00B42FBF
      • Part of subcall function 00B42F3B: memcpy.MSVCRT ref: 00B42FD7
      • Part of subcall function 00B42F3B: memcpy.MSVCRT ref: 00B4304D
    • memcpy.MSVCRT ref: 00B42BDF
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00B3CEB9
      • Part of subcall function 00B224C1: HeapAlloc.KERNEL32(00000000,00000028,?,00B3D211,?,?,00000000,?,?,00000001), ref: 00B224D2
    • CloseHandle.KERNEL32 ref: 00B3CEDE
    • SetLastError.KERNEL32(00000008,?,?,?,?,00B279D8,?,?,?,?), ref: 00B3CEE6
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00B3CF03
    • InternetReadFile.WININET(?,?,00001000), ref: 00B3CF21
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00B3CF56
    • FlushFileBuffers.KERNEL32 ref: 00B3CF6F
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
    • CloseHandle.KERNEL32 ref: 00B3CF82
    • SetLastError.KERNEL32(00000000,?,?,00001000,?,?,?,?,00B279D8,?,?,?,?), ref: 00B3CF9D
      • Part of subcall function 00B35E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00B35E26
      • Part of subcall function 00B35E1D: DeleteFileW.KERNEL32 ref: 00B35E2D
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B241F9: CoInitializeEx.OLE32(00000000,00000000), ref: 00B24206
      • Part of subcall function 00B1645E: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,?,00B25B49), ref: 00B16470
      • Part of subcall function 00B1645E: #2.OLEAUT32(?,00000000,?,?,?,00B25B49), ref: 00B164A4
      • Part of subcall function 00B1645E: #6.OLEAUT32(?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00B25B49), ref: 00B164D9
      • Part of subcall function 00B1645E: CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00B164F9
    • #2.OLEAUT32(WQL), ref: 00B25BAF
    • #2.OLEAUT32 ref: 00B25BCB
    • #6.OLEAUT32(?,?,00000030,00000000), ref: 00B25BFB
    • #9.OLEAUT32(?,?,00000000,00000000), ref: 00B25C6C
      • Part of subcall function 00B16433: #6.OLEAUT32(?,00000000,00B25CA3), ref: 00B16450
      • Part of subcall function 00B16433: CoUninitialize.OLE32 ref: 00B24244
    • memcpy.MSVCRT ref: 00B25D45
    • memcpy.MSVCRT ref: 00B25D57
    • memcpy.MSVCRT ref: 00B25D69
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
      • Part of subcall function 00B224DA: HeapAlloc.KERNEL32(00000008,?,?,00B1B076,?,?,?,00000000,?,?,00000000,00B3AA69,?,00B3ADD5), ref: 00B224EB
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B3D9E1: memset.MSVCRT ref: 00B3D9F0
      • Part of subcall function 00B3D9E1: memcpy.MSVCRT ref: 00B3DA17
      • Part of subcall function 00B241F9: CoInitializeEx.OLE32(00000000,00000000), ref: 00B24206
    • getsockopt.WS2_32(?,0000FFFF,00001008,00B09417,00B09417), ref: 00B286B2
    • GetHandleInformation.KERNEL32 ref: 00B286C4
      • Part of subcall function 00B1B764: EnterCriticalSection.KERNEL32(00B45AA4,?,00B1B826,?,00B3C86A,00B2C4AB,00B2C4AB,?,00B2C4AB,?,00000001), ref: 00B1B774
      • Part of subcall function 00B1B764: LeaveCriticalSection.KERNEL32(00B45AA4,?,00B1B826,?,00B3C86A,00B2C4AB,00B2C4AB,?,00B2C4AB,?,00000001), ref: 00B1B79E
    • socket.WS2_32(?,00000001,00000006), ref: 00B286F7
    • socket.WS2_32(?,00000002,00000011), ref: 00B28708
    • closesocket.WS2_32(?), ref: 00B28727
    • closesocket.WS2_32 ref: 00B2872E
      • Part of subcall function 00B224C1: HeapAlloc.KERNEL32(00000000,00000028,?,00B3D211,?,?,00000000,?,?,00000001), ref: 00B224D2
    • memset.MSVCRT ref: 00B287F2
      • Part of subcall function 00B1BC0C: bind.WS2_32(?,00B1BCEA), ref: 00B1BC53
      • Part of subcall function 00B1BC0C: listen.WS2_32(?,00000014), ref: 00B1BC68
      • Part of subcall function 00B1BC0C: WSAGetLastError.WS2_32(00000000,?,00B1BCEA,?,?,?,?,00000000), ref: 00B1BC76
      • Part of subcall function 00B1BC0C: WSASetLastError.WS2_32(?,?,00B1BCEA,?,?,?,?,00000000), ref: 00B1BC86
      • Part of subcall function 00B1BC93: memset.MSVCRT ref: 00B1BCA9
      • Part of subcall function 00B1BC93: WSAGetLastError.WS2_32(?,?,?,?,00000000), ref: 00B1BCEE
      • Part of subcall function 00B28A41: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B28A52
    • memcpy.MSVCRT ref: 00B28902
      • Part of subcall function 00B1BAC9: memset.MSVCRT ref: 00B1BADE
      • Part of subcall function 00B1BAC9: getsockname.WS2_32(?,00B17C25), ref: 00B1BAF1
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00B45AA4,?,00B44DF4,00000000,00000006,00B3BD7A,00B44DF4,-00000258,?,00000000), ref: 00B18E6A
    • LeaveCriticalSection.KERNEL32(00B45AA4,?,00000000), ref: 00B18E9D
      • Part of subcall function 00B21E94: GetModuleHandleW.KERNEL32(shell32.dll), ref: 00B21EA2
      • Part of subcall function 00B21E94: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00B21EAE
      • Part of subcall function 00B21E94: SetLastError.KERNEL32(00000001,00B18F04,00B447C0,?,00B44DF4,00000000,00000006,00B3BD7A,00B44DF4,-00000258,?,00000000), ref: 00B21EC6
    • CoTaskMemFree.OLE32(?), ref: 00B18F36
    • PathRemoveBackslashW.SHLWAPI(00000006), ref: 00B18F44
    • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,00000006), ref: 00B18F5C
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B2204E: memcpy.MSVCRT ref: 00B2205C
      • Part of subcall function 00B225A7: memcpy.MSVCRT ref: 00B225C6
      • Part of subcall function 00B3570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00B3ABEA,00B3ABEA), ref: 00B3573C
    • PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00B36103
    • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000001,00000080,00000000), ref: 00B3617B
    • GetLastError.KERNEL32(?,C0000000,00000000,00000000,00000001,00000080,00000000,?,?,?,?,00000000,3D94878D), ref: 00B36188
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00B361B2
    • FlushFileBuffers.KERNEL32 ref: 00B361CC
    • CloseHandle.KERNEL32 ref: 00B361D3
      • Part of subcall function 00B35E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00B35E26
      • Part of subcall function 00B35E1D: DeleteFileW.KERNEL32 ref: 00B35E2D
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
      • Part of subcall function 00B18F6F: memcpy.MSVCRT ref: 00B18FE0
      • Part of subcall function 00B18F6F: PathRemoveBackslashW.SHLWAPI ref: 00B18FEA
      • Part of subcall function 00B18F6F: memcpy.MSVCRT ref: 00B19033
      • Part of subcall function 00B18F6F: memcpy.MSVCRT ref: 00B19060
      • Part of subcall function 00B18F6F: PathRemoveBackslashW.SHLWAPI ref: 00B1906A
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00B360D6
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • LoadLibraryW.KERNEL32 ref: 00B195A7
    • GetProcAddress.KERNEL32 ref: 00B195D5
    • GetProcAddress.KERNEL32 ref: 00B195EF
    • GetProcAddress.KERNEL32 ref: 00B1960B
    • FreeLibrary.KERNEL32(00000003), ref: 00B196B9
      • Part of subcall function 00B1AF99: GetCurrentThread.KERNEL32 ref: 00B1AFAD
      • Part of subcall function 00B1AF99: OpenThreadToken.ADVAPI32 ref: 00B1AFB4
      • Part of subcall function 00B1AF99: GetCurrentProcess.KERNEL32 ref: 00B1AFC4
      • Part of subcall function 00B1AF99: OpenProcessToken.ADVAPI32 ref: 00B1AFCB
      • Part of subcall function 00B1AF99: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege), ref: 00B1AFEC
      • Part of subcall function 00B1AF99: AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 00B1B001
      • Part of subcall function 00B1AF99: GetLastError.KERNEL32 ref: 00B1B00B
      • Part of subcall function 00B1AF99: CloseHandle.KERNEL32(00000001), ref: 00B1B01C
    • WTSGetActiveConsoleSessionId.KERNEL32 ref: 00B19638
      • Part of subcall function 00B1950C: EqualSid.ADVAPI32(?,5B867A00), ref: 00B1952F
      • Part of subcall function 00B1950C: CloseHandle.KERNEL32(00000001), ref: 00B19576
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • memcpy.MSVCRT ref: 00B35D6C
    • memcpy.MSVCRT ref: 00B35D81
    • memcpy.MSVCRT ref: 00B35D96
    • memcpy.MSVCRT ref: 00B35DA5
      • Part of subcall function 00B358ED: EnterCriticalSection.KERNEL32(00B45AA4,?,00B35BB2,?,00B35C0A,?,?,?,?,C:\Documents and Settings\Administrator\Local Settings\Application Data,00000000,00000000,00000000,?,00000000), ref: 00B358FD
      • Part of subcall function 00B358ED: LeaveCriticalSection.KERNEL32(00B45AA4,?,C:\Documents and Settings\Administrator\Local Settings\Application Data,00000000,00000000,00000000,?,00000000,?,00000002,?,C:\Documents and Settings\Administrator\Local Settings\Application Data,C:\Documents and Settings\Administrator\Local Settings\Application Data,?,00B3A856), ref: 00B3592C
      • Part of subcall function 00B21E94: GetModuleHandleW.KERNEL32(shell32.dll), ref: 00B21EA2
      • Part of subcall function 00B21E94: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00B21EAE
      • Part of subcall function 00B21E94: SetLastError.KERNEL32(00000001,00B18F04,00B447C0,?,00B44DF4,00000000,00000006,00B3BD7A,00B44DF4,-00000258,?,00000000), ref: 00B21EC6
    • SetFileTime.KERNEL32(?,?,?,?), ref: 00B35E0A
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • GetFileAttributesW.KERNEL32 ref: 00B42485
    • FlushFileBuffers.KERNEL32 ref: 00B4256B
      • Part of subcall function 00B1913F: FindFirstFileW.KERNEL32(?), ref: 00B19170
      • Part of subcall function 00B1913F: FindNextFileW.KERNEL32(?,?), ref: 00B191C2
      • Part of subcall function 00B1913F: FindClose.KERNEL32 ref: 00B191CD
      • Part of subcall function 00B1913F: SetFileAttributesW.KERNEL32(?,00000080), ref: 00B191D9
      • Part of subcall function 00B1913F: RemoveDirectoryW.KERNEL32 ref: 00B191E0
      • Part of subcall function 00B35E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00B35E26
      • Part of subcall function 00B35E1D: DeleteFileW.KERNEL32 ref: 00B35E2D
    • PathRemoveFileSpecW.SHLWAPI(?), ref: 00B424BA
      • Part of subcall function 00B35947: GetTempPathW.KERNEL32(00000104,?), ref: 00B35962
      • Part of subcall function 00B35947: PathAddBackslashW.SHLWAPI(?), ref: 00B3598C
      • Part of subcall function 00B35947: CreateDirectoryW.KERNEL32(?), ref: 00B35A44
      • Part of subcall function 00B35947: SetFileAttributesW.KERNEL32(?), ref: 00B35A55
      • Part of subcall function 00B35947: CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 00B35A6E
      • Part of subcall function 00B35947: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000080,?,?,00000000), ref: 00B35A7F
    • MoveFileExW.KERNEL32(?,?,00000001), ref: 00B42501
    • CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 00B4251A
      • Part of subcall function 00B35B5F: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00B35B87
      • Part of subcall function 00B35934: CloseHandle.KERNEL32 ref: 00B35940
    • Sleep.KERNEL32(00001388), ref: 00B4255D
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00B35BEB
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00B45AA4,?,?,?,00B30C47,?,?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00B30AB3
    • LeaveCriticalSection.KERNEL32(00B45AA4,?,?,?,00B30C47,?,?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00B30ADB
    • GetModuleHandleW.KERNEL32(advapi32.dll), ref: 00B30AF7
    • GetProcAddress.KERNEL32 ref: 00B30AFE
    • RegDeleteKeyW.ADVAPI32(?), ref: 00B30B20
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B16A4D: TlsSetValue.KERNEL32(00000001,00B2A796), ref: 00B16A5A
    • GetCurrentThread.KERNEL32 ref: 00B2A799
    • SetThreadPriority.KERNEL32 ref: 00B2A7A0
      • Part of subcall function 00B3C09D: CreateMutexW.KERNEL32(00B449B4,00000000), ref: 00B3C0BF
      • Part of subcall function 00B2204E: memcpy.MSVCRT ref: 00B2205C
      • Part of subcall function 00B3570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00B3ABEA,00B3ABEA), ref: 00B3573C
      • Part of subcall function 00B2A755: PathFindFileNameW.SHLWAPI(000001ED), ref: 00B2A759
      • Part of subcall function 00B2A755: PathRemoveExtensionW.SHLWAPI ref: 00B2A76D
      • Part of subcall function 00B2A755: CharUpperW.USER32 ref: 00B2A777
    • PathQuoteSpacesW.SHLWAPI ref: 00B2A83E
      • Part of subcall function 00B3AFD3: WaitForSingleObject.KERNEL32(00000000,00B2A849), ref: 00B3AFDB
    • WaitForSingleObject.KERNEL32 ref: 00B2A879
    • StrCmpW.SHLWAPI ref: 00B2A8D7
      • Part of subcall function 00B307B0: RegCreateKeyExW.ADVAPI32(80000001,00000102,00000000,00000000,00000000,?,00000000,?,?), ref: 00B307D8
    • RegSetValueExW.ADVAPI32(000000FF,?,00000000,00000001), ref: 00B2A938
      • Part of subcall function 00B30755: RegFlushKey.ADVAPI32 ref: 00B30765
      • Part of subcall function 00B30755: RegCloseKey.ADVAPI32 ref: 00B3076D
    • WaitForSingleObject.KERNEL32 ref: 00B2A959
      • Part of subcall function 00B1766D: ReleaseMutex.KERNEL32 ref: 00B17671
      • Part of subcall function 00B1766D: CloseHandle.KERNEL32 ref: 00B17678
      • Part of subcall function 00B2B7FF: EnterCriticalSection.KERNEL32(00B447FC,?,?,00B359A9,00000000), ref: 00B2B80C
      • Part of subcall function 00B2B7FF: LeaveCriticalSection.KERNEL32(00B447FC,?,?,00B359A9,00000000), ref: 00B2B81A
      • Part of subcall function 00B18F6F: memcpy.MSVCRT ref: 00B18FE0
      • Part of subcall function 00B18F6F: PathRemoveBackslashW.SHLWAPI ref: 00B18FEA
      • Part of subcall function 00B18F6F: memcpy.MSVCRT ref: 00B19033
      • Part of subcall function 00B18F6F: memcpy.MSVCRT ref: 00B19060
      • Part of subcall function 00B18F6F: PathRemoveBackslashW.SHLWAPI ref: 00B1906A
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 00B2A7EC
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • GetTickCount.KERNEL32 ref: 00B29ECE
    • EnterCriticalSection.KERNEL32 ref: 00B29EE3
    • WaitForSingleObject.KERNEL32(?,000927C0), ref: 00B29F28
    • GetTickCount.KERNEL32 ref: 00B29F3B
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
      • Part of subcall function 00B36875: GetSystemTime.KERNEL32 ref: 00B3687F
      • Part of subcall function 00B294FB: WaitForSingleObject.KERNEL32(?,00000000), ref: 00B29503
    • GetTickCount.KERNEL32 ref: 00B2A135
      • Part of subcall function 00B21B5D: memcmp.MSVCRT ref: 00B21B69
      • Part of subcall function 00B293A8: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00B2A111), ref: 00B293BE
      • Part of subcall function 00B293A8: memcpy.MSVCRT ref: 00B29419
      • Part of subcall function 00B293A8: LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00B2A111,?,00000002), ref: 00B29429
      • Part of subcall function 00B293A8: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 00B2945D
      • Part of subcall function 00B293A8: LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00B2A111), ref: 00B294E9
      • Part of subcall function 00B29A6F: memset.MSVCRT ref: 00B29B47
      • Part of subcall function 00B29A6F: memcpy.MSVCRT ref: 00B29BA2
      • Part of subcall function 00B29A6F: memcmp.MSVCRT ref: 00B29C1B
      • Part of subcall function 00B29A6F: memcpy.MSVCRT ref: 00B29C6F
      • Part of subcall function 00B29A6F: EnterCriticalSection.KERNEL32(?,?,00000FA0,?,-00001388), ref: 00B29D42
      • Part of subcall function 00B29A6F: LeaveCriticalSection.KERNEL32(?,?,?,00000FA0,?,-00001388), ref: 00B29D60
    • GetTickCount.KERNEL32 ref: 00B2A16E
    • LeaveCriticalSection.KERNEL32(?,?,00000002), ref: 00B2A191
      • Part of subcall function 00B2B7FF: EnterCriticalSection.KERNEL32(00B447FC,?,?,00B359A9,00000000), ref: 00B2B80C
      • Part of subcall function 00B2B7FF: LeaveCriticalSection.KERNEL32(00B447FC,?,?,00B359A9,00000000), ref: 00B2B81A
    • WaitForSingleObject.KERNEL32(?,-001B7740), ref: 00B2A1B6
    • LeaveCriticalSection.KERNEL32 ref: 00B2A1CC
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B2CAF1: WaitForSingleObject.KERNEL32(?,00000000), ref: 00B2CB1D
      • Part of subcall function 00B2CAF1: GetSystemTime.KERNEL32(?), ref: 00B2CB54
      • Part of subcall function 00B2CAF1: Sleep.KERNEL32(000005DC), ref: 00B2CB6D
      • Part of subcall function 00B2CAF1: WaitForSingleObject.KERNEL32(?,000005DC), ref: 00B2CB76
      • Part of subcall function 00B2CAF1: lstrcpyA.KERNEL32 ref: 00B2CBD4
      • Part of subcall function 00B2163A: memcmp.MSVCRT ref: 00B21698
      • Part of subcall function 00B2163A: memcpy.MSVCRT ref: 00B216D6
      • Part of subcall function 00B3AFE8: memcpy.MSVCRT ref: 00B3AFF8
      • Part of subcall function 00B21781: memset.MSVCRT ref: 00B21794
      • Part of subcall function 00B21781: memcpy.MSVCRT ref: 00B217AF
      • Part of subcall function 00B21781: memcpy.MSVCRT ref: 00B217D7
      • Part of subcall function 00B21781: memcpy.MSVCRT ref: 00B217FB
    • memset.MSVCRT ref: 00B29B47
      • Part of subcall function 00B293A8: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00B2A111), ref: 00B293BE
      • Part of subcall function 00B293A8: memcpy.MSVCRT ref: 00B29419
      • Part of subcall function 00B293A8: LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00B2A111,?,00000002), ref: 00B29429
      • Part of subcall function 00B293A8: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 00B2945D
      • Part of subcall function 00B293A8: LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00B2A111), ref: 00B294E9
      • Part of subcall function 00B21B16: EnterCriticalSection.KERNEL32(00B45AA4,?,00B28DDC,?,?,?,?,00B3B233,?,00000001), ref: 00B21B26
      • Part of subcall function 00B21B16: LeaveCriticalSection.KERNEL32(00B45AA4,?,00B28DDC,?,?,?,?,00B3B233,?,00000001), ref: 00B21B50
    • memcpy.MSVCRT ref: 00B29BA2
      • Part of subcall function 00B294FB: WaitForSingleObject.KERNEL32(?,00000000), ref: 00B29503
    • memcmp.MSVCRT ref: 00B29C1B
      • Part of subcall function 00B22543: HeapAlloc.KERNEL32(00000008,?,?,00000000,00B2D89F,?,?,?,00000000,00000000,00000000,00B2D869,?,00B1B3C7,?,@echo off%sdel /F "%s"), ref: 00B2256D
      • Part of subcall function 00B22543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00B2D89F,?,?,?,00000000,00000000,00000000,00B2D869,?,00B1B3C7), ref: 00B22580
    • memcpy.MSVCRT ref: 00B29C6F
      • Part of subcall function 00B21A4F: memcmp.MSVCRT ref: 00B21A6B
      • Part of subcall function 00B21B5D: memcmp.MSVCRT ref: 00B21B69
      • Part of subcall function 00B2B7FF: EnterCriticalSection.KERNEL32(00B447FC,?,?,00B359A9,00000000), ref: 00B2B80C
      • Part of subcall function 00B2B7FF: LeaveCriticalSection.KERNEL32(00B447FC,?,?,00B359A9,00000000), ref: 00B2B81A
      • Part of subcall function 00B17E58: memcpy.MSVCRT ref: 00B17E70
    • EnterCriticalSection.KERNEL32(?,?,00000FA0,?,-00001388), ref: 00B29D42
    • LeaveCriticalSection.KERNEL32(?,?,?,00000FA0,?,-00001388), ref: 00B29D60
      • Part of subcall function 00B21821: memcpy.MSVCRT ref: 00B21848
      • Part of subcall function 00B21728: memcpy.MSVCRT ref: 00B21771
      • Part of subcall function 00B219AE: memcmp.MSVCRT ref: 00B21A24
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
      • Part of subcall function 00B14C10: _errno.MSVCRT ref: 00B14C2B
      • Part of subcall function 00B14C10: _errno.MSVCRT ref: 00B14C5D
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00B45AA4,?,?,?,?,?,?,?,?,?,?), ref: 00B41CE8
    • LeaveCriticalSection.KERNEL32(00B45AA4,?,?,?,?,?,?,?,?,?), ref: 00B41D12
      • Part of subcall function 00B3FEDF: memset.MSVCRT ref: 00B3FEF5
      • Part of subcall function 00B3FEDF: InitializeCriticalSection.KERNEL32(00B45050), ref: 00B3FF05
      • Part of subcall function 00B3FEDF: memset.MSVCRT ref: 00B3FF34
      • Part of subcall function 00B3FEDF: InitializeCriticalSection.KERNEL32(00B45030), ref: 00B3FF3E
      • Part of subcall function 00B224C1: HeapAlloc.KERNEL32(00000000,00000028,?,00B3D211,?,?,00000000,?,?,00000001), ref: 00B224D2
      • Part of subcall function 00B19FB3: memcpy.MSVCRT ref: 00B19FE9
    • memcmp.MSVCRT ref: 00B41E03
    • memcmp.MSVCRT ref: 00B41E34
      • Part of subcall function 00B19F5F: memcpy.MSVCRT ref: 00B19F99
    • EnterCriticalSection.KERNEL32(00B45050), ref: 00B41EA7
      • Part of subcall function 00B3FFD8: GetTickCount.KERNEL32 ref: 00B3FFDF
      • Part of subcall function 00B403D0: EnterCriticalSection.KERNEL32(00B45030,00B4506C,?,?,00B45050), ref: 00B403E3
      • Part of subcall function 00B403D0: LeaveCriticalSection.KERNEL32(00B45030,?,?,00B45050), ref: 00B40559
      • Part of subcall function 00B4061B: EnterCriticalSection.KERNEL32(00DD2820,?,?,?,?,00B45050), ref: 00B406F5
      • Part of subcall function 00B4061B: LeaveCriticalSection.KERNEL32(00DD2820,000000FF,00000000,?,?,?,?,00B45050), ref: 00B4071D
    • LeaveCriticalSection.KERNEL32(00B45050,00B4506C,00B4506C,00B4506C), ref: 00B41EF7
      • Part of subcall function 00B3DD3E: lstrlenA.KERNEL32(?,?,?,?,?,?,00B4506C,?,?,00B45050), ref: 00B3DD52
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • OpenProcessToken.ADVAPI32(000000FF,00000008), ref: 00B1B03B
    • GetTokenInformation.ADVAPI32(?,00000019,00000000,00000000), ref: 00B1B054
    • GetLastError.KERNEL32(?,?,00000000,?,?,00000000,00B3AA69,?,00B3ADD5,?,?,?,00000001), ref: 00B1B05E
      • Part of subcall function 00B224DA: HeapAlloc.KERNEL32(00000008,?,?,00B1B076,?,?,?,00000000,?,?,00000000,00B3AA69,?,00B3ADD5), ref: 00B224EB
    • GetTokenInformation.ADVAPI32(?,00000019,?,?), ref: 00B1B089
    • GetSidSubAuthorityCount.ADVAPI32(?,?,?,?,?,?,?,00000000,?,?,00000000,00B3AA69,?,00B3ADD5), ref: 00B1B095
    • GetSidSubAuthority.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00B3AA69,?,00B3ADD5), ref: 00B1B0AC
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
    • CloseHandle.KERNEL32(?), ref: 00B1B0D8
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B224C1: HeapAlloc.KERNEL32(00000000,00000028,?,00B3D211,?,?,00000000,?,?,00000001), ref: 00B224D2
    • WSASetLastError.WS2_32(00000008,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00000001), ref: 00B1C3C0
    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,?), ref: 00B1C40C
      • Part of subcall function 00B1BEC0: WSAGetLastError.WS2_32 ref: 00B1BEF6
      • Part of subcall function 00B1BEC0: WSASetLastError.WS2_32(?,?,?,?), ref: 00B1BF3E
    • WSAGetLastError.WS2_32(?,00000800,?,00000000,?), ref: 00B1C4EC
    • shutdown.WS2_32(?,00000001), ref: 00B1C517
    • WaitForMultipleObjects.KERNEL32(?,?,00000000,?), ref: 00B1C540
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
    • WSASetLastError.WS2_32(0000274C,?,?,?,?,?,?,?,?,00000000,?,?,?,00000001,?,00002710), ref: 00B1C594
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00DD2820,?,3D920600,?), ref: 00B3C5BC
    • LeaveCriticalSection.KERNEL32(00DD2820,?,3D920600,?), ref: 00B3C66C
      • Part of subcall function 00B17FA8: LoadLibraryA.KERNEL32(gdiplus.dll), ref: 00B17FBA
      • Part of subcall function 00B17FA8: GetProcAddress.KERNEL32(?,GdiplusStartup), ref: 00B17FD2
      • Part of subcall function 00B17FA8: CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00B18011
      • Part of subcall function 00B17FA8: CreateCompatibleDC.GDI32 ref: 00B18022
      • Part of subcall function 00B17FA8: LoadCursorW.USER32(00000000,00007F00), ref: 00B18038
      • Part of subcall function 00B17FA8: GetIconInfo.USER32 ref: 00B1804C
      • Part of subcall function 00B17FA8: GetCursorPos.USER32(?), ref: 00B1805B
      • Part of subcall function 00B17FA8: GetDeviceCaps.GDI32(?,00000008), ref: 00B18072
      • Part of subcall function 00B17FA8: GetDeviceCaps.GDI32(?,0000000A), ref: 00B1807B
      • Part of subcall function 00B17FA8: CreateCompatibleBitmap.GDI32(?,?), ref: 00B18087
      • Part of subcall function 00B17FA8: SelectObject.GDI32 ref: 00B18095
      • Part of subcall function 00B17FA8: BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,40CC0020), ref: 00B180B6
      • Part of subcall function 00B17FA8: DrawIcon.USER32(?,?,?,?), ref: 00B180E8
      • Part of subcall function 00B17FA8: SelectObject.GDI32(?,?), ref: 00B18104
      • Part of subcall function 00B17FA8: DeleteObject.GDI32 ref: 00B1810B
      • Part of subcall function 00B17FA8: DeleteDC.GDI32 ref: 00B18112
      • Part of subcall function 00B17FA8: DeleteDC.GDI32 ref: 00B18119
      • Part of subcall function 00B17FA8: FreeLibrary.KERNEL32(?), ref: 00B18129
      • Part of subcall function 00B17FA8: GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 00B1813F
      • Part of subcall function 00B17FA8: FreeLibrary.KERNEL32(?), ref: 00B18153
    • GetTickCount.KERNEL32 ref: 00B3C616
    • GetCurrentProcessId.KERNEL32 ref: 00B3C61D
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
    • GetKeyboardState.USER32 ref: 00B3C688
    • ToUnicode.USER32(?,?,?,?,00000009,00000000), ref: 00B3C6AB
      • Part of subcall function 00B3C410: EnterCriticalSection.KERNEL32(00DD2820,00DD2820,?,?,?,00B3C6E4,?,?,?,?,?,00000009,00000000,?,?,3D920600), ref: 00B3C42A
      • Part of subcall function 00B3C410: memcpy.MSVCRT ref: 00B3C49B
      • Part of subcall function 00B3C410: memcpy.MSVCRT ref: 00B3C4BF
      • Part of subcall function 00B3C410: memcpy.MSVCRT ref: 00B3C4D6
      • Part of subcall function 00B3C410: memcpy.MSVCRT ref: 00B3C4F6
      • Part of subcall function 00B3C410: LeaveCriticalSection.KERNEL32(00DD2820,?,3D920600,?), ref: 00B3C511
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • memset.MSVCRT ref: 00B259C8
    • GlobalMemoryStatusEx.KERNEL32 ref: 00B259DF
    • GetNativeSystemInfo.KERNEL32 ref: 00B25A10
      • Part of subcall function 00B30775: RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B3079C
    • GetSystemMetrics.USER32(0000004F), ref: 00B25A9D
      • Part of subcall function 00B30A1D: RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 00B30A3A
      • Part of subcall function 00B30755: RegFlushKey.ADVAPI32 ref: 00B30765
      • Part of subcall function 00B30755: RegCloseKey.ADVAPI32 ref: 00B3076D
    • GetSystemMetrics.USER32(00000050), ref: 00B25A90
    • GetSystemMetrics.USER32(0000004E), ref: 00B25A97
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • ConvertSidToStringSidW.ADVAPI32(?,?), ref: 00B3B32F
    • PathUnquoteSpacesW.SHLWAPI ref: 00B3B394
    • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00B3B3A3
    • LocalFree.KERNEL32(00000001), ref: 00B3B3B7
    Strings
    • ProfileImagePath, xrefs: 00B3B378
    • SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s, xrefs: 00B3B34C
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • GetTempPathW.KERNEL32(00000104), ref: 00B3AAB7
    • GetLongPathNameW.KERNEL32(?,C:\Documents and Settings\Administrator\Local Settings\Temp,00000104,?,?), ref: 00B3AACF
    • PathRemoveBackslashW.SHLWAPI(C:\Documents and Settings\Administrator\Local Settings\Temp), ref: 00B3AADA
      • Part of subcall function 00B18E53: EnterCriticalSection.KERNEL32(00B45AA4,?,00B44DF4,00000000,00000006,00B3BD7A,00B44DF4,-00000258,?,00000000), ref: 00B18E6A
      • Part of subcall function 00B18E53: LeaveCriticalSection.KERNEL32(00B45AA4,?,00000000), ref: 00B18E9D
      • Part of subcall function 00B18E53: CoTaskMemFree.OLE32(?), ref: 00B18F36
      • Part of subcall function 00B18E53: PathRemoveBackslashW.SHLWAPI(00000006), ref: 00B18F44
      • Part of subcall function 00B18E53: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,00000006), ref: 00B18F5C
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?), ref: 00B3AB00
      • Part of subcall function 00B19F5F: memcpy.MSVCRT ref: 00B19F99
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00B3AAE0
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 00B3AAC2, 00B3AACD, 00B3AAD9
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,?,00000000), ref: 00B252E3
    • GetCommandLineW.KERNEL32 ref: 00B25304
      • Part of subcall function 00B311D5: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00B311FF
      • Part of subcall function 00B311D5: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,?,00000000,00000000), ref: 00B31234
    • GetUserNameExW.SECUR32(00000002,?,?,?,?,?,00000104), ref: 00B2533C
    • GetProcessTimes.KERNEL32(000000FF), ref: 00B25372
    • GetUserDefaultUILanguage.KERNEL32 ref: 00B253E4
    • memcpy.MSVCRT ref: 00B25418
    • memcpy.MSVCRT ref: 00B2542D
    • memcpy.MSVCRT ref: 00B25443
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
      • Part of subcall function 00B224DA: HeapAlloc.KERNEL32(00000008,?,?,00B1B076,?,?,?,00000000,?,?,00000000,00B3AA69,?,00B3ADD5), ref: 00B224EB
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,00B17E45,?,?,?,00000000), ref: 00B2AEAE
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00B2AEE7
    • CloseHandle.KERNEL32 ref: 00B2AEFA
      • Part of subcall function 00B224C1: HeapAlloc.KERNEL32(00000000,00000028,?,00B3D211,?,?,00000000,?,?,00000001), ref: 00B224D2
    • memcpy.MSVCRT ref: 00B2AF1D
    • memset.MSVCRT ref: 00B2AF37
    • memcpy.MSVCRT ref: 00B2AF7D
    • memset.MSVCRT ref: 00B2AF9B
      • Part of subcall function 00B18CBF: EnterCriticalSection.KERNEL32(?,?,?,00B22B51,00000005,00007530,?,00000000,00000000), ref: 00B18CC7
      • Part of subcall function 00B18CBF: WaitForSingleObject.KERNEL32(?,00000000), ref: 00B18CEB
      • Part of subcall function 00B18CBF: CloseHandle.KERNEL32 ref: 00B18CFB
      • Part of subcall function 00B18CBF: LeaveCriticalSection.KERNEL32(?,?,?,?,00B22B51,00000005,00007530,?,00000000,00000000), ref: 00B18D2B
      • Part of subcall function 00B18D34: EnterCriticalSection.KERNEL32(00DD28B4,00DD28A8,?,?,00B2A99B,00000000,00B2A6E2,00000000,?,00000000,?,?,?,00B3B2E2,?,00000001), ref: 00B18D3D
      • Part of subcall function 00B18D34: CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B18D76
      • Part of subcall function 00B18D34: DuplicateHandle.KERNEL32(000000FF,?,000000FF,00B2A99B,00000000,00000000,00000002), ref: 00B18D95
      • Part of subcall function 00B18D34: GetLastError.KERNEL32(?,000000FF,00B2A99B,00000000,00000000,00000002,?,?,00B2A99B,00000000,00B2A6E2,00000000,?,00000000), ref: 00B18D9F
      • Part of subcall function 00B18D34: TerminateThread.KERNEL32 ref: 00B18DA7
      • Part of subcall function 00B18D34: CloseHandle.KERNEL32 ref: 00B18DAE
      • Part of subcall function 00B18D34: LeaveCriticalSection.KERNEL32(00DD28B4,?,00B2A99B,00000000,00B2A6E2,00000000,?,00000000,?,?,?,00B3B2E2,?,00000001), ref: 00B18DC3
      • Part of subcall function 00B18D34: ResumeThread.KERNEL32 ref: 00B18DDC
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00B17E45,?,?,?,00000000), ref: 00B2AFEF
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • GetTempPathW.KERNEL32(00000104,?), ref: 00B35962
    • PathAddBackslashW.SHLWAPI(?), ref: 00B3598C
      • Part of subcall function 00B2B7FF: EnterCriticalSection.KERNEL32(00B447FC,?,?,00B359A9,00000000), ref: 00B2B80C
      • Part of subcall function 00B2B7FF: LeaveCriticalSection.KERNEL32(00B447FC,?,?,00B359A9,00000000), ref: 00B2B81A
    • CreateDirectoryW.KERNEL32(?), ref: 00B35A44
    • SetFileAttributesW.KERNEL32(?), ref: 00B35A55
    • CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 00B35A6E
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000080,?,?,00000000), ref: 00B35A7F
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • lstrlenA.KERNEL32(?,?), ref: 00B22C1E
    • CreateMutexW.KERNEL32(00B449B4,00000001), ref: 00B22C76
    • GetLastError.KERNEL32(?,?,?,?,?), ref: 00B22C86
    • CloseHandle.KERNEL32 ref: 00B22C94
      • Part of subcall function 00B224DA: HeapAlloc.KERNEL32(00000008,?,?,00B1B076,?,?,?,00000000,?,?,00000000,00B3AA69,?,00B3ADD5), ref: 00B224EB
    • memcpy.MSVCRT ref: 00B22CBE
    • memcpy.MSVCRT ref: 00B22CD2
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
      • Part of subcall function 00B1B2E5: CreateThread.KERNEL32(00000000,00000000,00B19DBA,?), ref: 00B1B2F6
      • Part of subcall function 00B1B2E5: CloseHandle.KERNEL32 ref: 00B1B301
      • Part of subcall function 00B1766D: ReleaseMutex.KERNEL32 ref: 00B17671
      • Part of subcall function 00B1766D: CloseHandle.KERNEL32 ref: 00B17678
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • CreateFileW.KERNEL32(00DD1EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B2844B
    • GetFileSizeEx.KERNEL32 ref: 00B2845E
    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00B28484
    • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00B2849C
    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00B284BA
    • CloseHandle.KERNEL32 ref: 00B284C3
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B18E53: EnterCriticalSection.KERNEL32(00B45AA4,?,00B44DF4,00000000,00000006,00B3BD7A,00B44DF4,-00000258,?,00000000), ref: 00B18E6A
      • Part of subcall function 00B18E53: LeaveCriticalSection.KERNEL32(00B45AA4,?,00000000), ref: 00B18E9D
      • Part of subcall function 00B18E53: CoTaskMemFree.OLE32(?), ref: 00B18F36
      • Part of subcall function 00B18E53: PathRemoveBackslashW.SHLWAPI(00000006), ref: 00B18F44
      • Part of subcall function 00B18E53: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,00000006), ref: 00B18F5C
    • PathRemoveBackslashW.SHLWAPI(-00000258), ref: 00B3BD85
    • PathRemoveFileSpecW.SHLWAPI(-00000258), ref: 00B3BD92
    • PathAddBackslashW.SHLWAPI(-00000258), ref: 00B3BDA3
    • GetVolumeNameForVolumeMountPointW.KERNEL32(-00000258,-00000050,00000064), ref: 00B3BDB6
    • CLSIDFromString.OLE32(-0000003C,00B44DF4,?,00000000), ref: 00B3BDD2
    • memset.MSVCRT ref: 00B3BDE4
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00B2FEC2
    • memcpy.MSVCRT ref: 00B2FEDC
    • VirtualProtect.KERNEL32(?,?,00000002,-00000048), ref: 00B2FEEF
    • memset.MSVCRT ref: 00B2FF46
    • memcpy.MSVCRT ref: 00B2FF5A
    • VirtualProtect.KERNEL32(?,?,?,-00000048), ref: 00B30049
      • Part of subcall function 00B301EA: LoadLibraryA.KERNEL32 ref: 00B3023A
      • Part of subcall function 00B30370: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00B3037F
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B224DA: HeapAlloc.KERNEL32(00000008,?,?,00B1B076,?,?,?,00000000,?,?,00000000,00B3AA69,?,00B3ADD5), ref: 00B224EB
    • EnterCriticalSection.KERNEL32(?,?,00000000,?,?,0000002C), ref: 00B26531
      • Part of subcall function 00B26865: EnterCriticalSection.KERNEL32(?,?,00000000,?,00B26B6E,00000064,00000000,000000C8,00000000,?,00000001,?,0000002C), ref: 00B2686E
      • Part of subcall function 00B26865: LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00B26B6E,00000064,00000000,000000C8,00000000,?,00000001,?,0000002C), ref: 00B268A5
      • Part of subcall function 00B2B7FF: EnterCriticalSection.KERNEL32(00B447FC,?,?,00B359A9,00000000), ref: 00B2B80C
      • Part of subcall function 00B2B7FF: LeaveCriticalSection.KERNEL32(00B447FC,?,?,00B359A9,00000000), ref: 00B2B81A
    • LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,?,?,0000002C), ref: 00B26572
    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B26581
    • SetEvent.KERNEL32 ref: 00B26591
    • GetExitCodeThread.KERNEL32 ref: 00B265A5
    • CloseHandle.KERNEL32 ref: 00B265BB
      • Part of subcall function 00B18D34: EnterCriticalSection.KERNEL32(00DD28B4,00DD28A8,?,?,00B2A99B,00000000,00B2A6E2,00000000,?,00000000,?,?,?,00B3B2E2,?,00000001), ref: 00B18D3D
      • Part of subcall function 00B18D34: CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B18D76
      • Part of subcall function 00B18D34: DuplicateHandle.KERNEL32(000000FF,?,000000FF,00B2A99B,00000000,00000000,00000002), ref: 00B18D95
      • Part of subcall function 00B18D34: GetLastError.KERNEL32(?,000000FF,00B2A99B,00000000,00000000,00000002,?,?,00B2A99B,00000000,00B2A6E2,00000000,?,00000000), ref: 00B18D9F
      • Part of subcall function 00B18D34: TerminateThread.KERNEL32 ref: 00B18DA7
      • Part of subcall function 00B18D34: CloseHandle.KERNEL32 ref: 00B18DAE
      • Part of subcall function 00B18D34: LeaveCriticalSection.KERNEL32(00DD28B4,?,00B2A99B,00000000,00B2A6E2,00000000,?,00000000,?,?,?,00B3B2E2,?,00000001), ref: 00B18DC3
      • Part of subcall function 00B18D34: ResumeThread.KERNEL32 ref: 00B18DDC
      • Part of subcall function 00B26BD0: memcmp.MSVCRT ref: 00B26BE9
      • Part of subcall function 00B26BD0: memcmp.MSVCRT ref: 00B26C45
      • Part of subcall function 00B26BD0: memcmp.MSVCRT ref: 00B26CAB
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
      • Part of subcall function 00B3B0EA: memcpy.MSVCRT ref: 00B3B110
      • Part of subcall function 00B3B0EA: memset.MSVCRT ref: 00B3B1B3
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • CertOpenSystemStoreW.CRYPT32(00000000), ref: 00B23205
    • CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00B23223
    • CertEnumCertificatesInStore.CRYPT32(?,?,?,00000000), ref: 00B23230
    • PFXExportCertStoreEx.CRYPT32(?,00000000,00000000,00000000,00000004,?,?,?,00000000), ref: 00B23264
      • Part of subcall function 00B224C1: HeapAlloc.KERNEL32(00000000,00000028,?,00B3D211,?,?,00000000,?,?,00000001), ref: 00B224D2
    • PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000000,00000000,00000004,?,?,?,00000000), ref: 00B23296
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
      • Part of subcall function 00B232D5: GetUserNameExW.SECUR32(00000002), ref: 00B23303
      • Part of subcall function 00B232D5: GetSystemTime.KERNEL32 ref: 00B23356
      • Part of subcall function 00B232D5: CharLowerW.USER32(?), ref: 00B233A6
      • Part of subcall function 00B232D5: PathRenameExtensionW.SHLWAPI(?), ref: 00B233D6
    • CertCloseStore.CRYPT32(?,00000000,?,00000000), ref: 00B232C5
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • InitializeCriticalSection.KERNEL32(00B45AA4), ref: 00B3D207
      • Part of subcall function 00B224C1: HeapAlloc.KERNEL32(00000000,00000028,?,00B3D211,?,?,00000000,?,?,00000001), ref: 00B224D2
    • InitializeCriticalSection.KERNEL32 ref: 00B3D218
    • memset.MSVCRT ref: 00B3D229
    • TlsAlloc.KERNEL32(?,?,00000000,?,?,00000001), ref: 00B3D240
    • GetModuleHandleW.KERNEL32(00000000), ref: 00B3D25C
    • GetModuleHandleW.KERNEL32 ref: 00B3D272
      • Part of subcall function 00B3CAF0: EnterCriticalSection.KERNEL32(00B45AA4,7C80E4DD,00B3D280,?,?,?,00000000,?,?,00000001), ref: 00B3CB00
      • Part of subcall function 00B3CAF0: LeaveCriticalSection.KERNEL32(00B45AA4,?,?,?,00000000,?,?,00000001), ref: 00B3CB28
      • Part of subcall function 00B3D2B1: TlsFree.KERNEL32(?), ref: 00B3D2BD
      • Part of subcall function 00B3D2B1: DeleteCriticalSection.KERNEL32(00DD1E90,00000000,00B3D2A8,00DD1E90,?,?,00000000,?,?,00000001), ref: 00B3D2C4
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • accept.WS2_32(?,?), ref: 00B1BD45
    • WSAEventSelect.WS2_32(?,00000000,00000000), ref: 00B1BD57
      • Part of subcall function 00B224C1: HeapAlloc.KERNEL32(00000000,00000028,?,00B3D211,?,?,00000000,?,?,00000001), ref: 00B224D2
    • WSASetLastError.WS2_32(00000008,?,?,00000002,?,00000000,00000000,?,?), ref: 00B1BDAE
      • Part of subcall function 00B1B928: WSACreateEvent.WS2_32(00000000,?,00B1BB6E,00000033,00000000,?,?,?,00B2C4F0,?,00003A98,?,00000000,?,00000003), ref: 00B1B93E
      • Part of subcall function 00B1B928: WSAEventSelect.WS2_32(?,?,00000033), ref: 00B1B954
      • Part of subcall function 00B1B928: WSACloseEvent.WS2_32 ref: 00B1B968
      • Part of subcall function 00B1B864: getsockopt.WS2_32(?,0000FFFF,00002004), ref: 00B1B89E
      • Part of subcall function 00B1B864: memset.MSVCRT ref: 00B1B8B2
    • WSAGetLastError.WS2_32(00000023,?,00000000,00000000,?,?), ref: 00B1BD88
    • shutdown.WS2_32(?,00000002), ref: 00B1BDA0
    • closesocket.WS2_32 ref: 00B1BDA7
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • OpenProcess.KERNEL32(0000047A,00000000,?), ref: 00B15B19
      • Part of subcall function 00B3AEB1: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00B3AECF
      • Part of subcall function 00B3AEB1: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00B3AF0A
      • Part of subcall function 00B3AEB1: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00B3AF4A
      • Part of subcall function 00B3AEB1: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00B3AF6D
      • Part of subcall function 00B3AEB1: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00B3AFBD
    • CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000000,00000000), ref: 00B15B5A
    • WaitForSingleObject.KERNEL32(?,00002710), ref: 00B15B6C
    • CloseHandle.KERNEL32 ref: 00B15B73
    • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00B15B85
    • CloseHandle.KERNEL32 ref: 00B15B8C
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B16A4D: TlsSetValue.KERNEL32(00000001,00B2A796), ref: 00B16A5A
      • Part of subcall function 00B3C09D: CreateMutexW.KERNEL32(00B449B4,00000000), ref: 00B3C0BF
    • GetCurrentThread.KERNEL32 ref: 00B22D49
    • SetThreadPriority.KERNEL32 ref: 00B22D50
      • Part of subcall function 00B3AFD3: WaitForSingleObject.KERNEL32(00000000,00B2A849), ref: 00B3AFDB
    • memset.MSVCRT ref: 00B22D92
    • lstrlenA.KERNEL32(00000000), ref: 00B22DA9
      • Part of subcall function 00B226C5: memset.MSVCRT ref: 00B226D5
      • Part of subcall function 00B3621D: PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00B36283
      • Part of subcall function 00B3621D: FindFirstFileW.KERNEL32 ref: 00B362F1
      • Part of subcall function 00B3621D: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00B3634A
      • Part of subcall function 00B3621D: SetLastError.KERNEL32(00000057,?,?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00B363BB
      • Part of subcall function 00B3621D: CloseHandle.KERNEL32 ref: 00B363F5
      • Part of subcall function 00B3621D: FindNextFileW.KERNEL32 ref: 00B36429
      • Part of subcall function 00B3621D: FindClose.KERNEL32 ref: 00B36453
    • memset.MSVCRT ref: 00B22E6F
    • memcpy.MSVCRT ref: 00B22E7F
      • Part of subcall function 00B22BE5: lstrlenA.KERNEL32(?,?), ref: 00B22C1E
      • Part of subcall function 00B22BE5: CreateMutexW.KERNEL32(00B449B4,00000001), ref: 00B22C76
      • Part of subcall function 00B22BE5: GetLastError.KERNEL32(?,?,?,?,?), ref: 00B22C86
      • Part of subcall function 00B22BE5: CloseHandle.KERNEL32 ref: 00B22C94
      • Part of subcall function 00B22BE5: memcpy.MSVCRT ref: 00B22CBE
      • Part of subcall function 00B22BE5: memcpy.MSVCRT ref: 00B22CD2
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
    • WaitForSingleObject.KERNEL32(00007530), ref: 00B22EA9
      • Part of subcall function 00B1766D: ReleaseMutex.KERNEL32 ref: 00B17671
      • Part of subcall function 00B1766D: CloseHandle.KERNEL32 ref: 00B17678
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • GetModuleHandleW.KERNEL32(shell32.dll), ref: 00B21EA2
    • GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00B21EAE
    • SetLastError.KERNEL32(00000001,00B18F04,00B447C0,?,00B44DF4,00000000,00000006,00B3BD7A,00B44DF4,-00000258,?,00000000), ref: 00B21EC6
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00B38037
    • WSASetLastError.WS2_32(00000008), ref: 00B38046
    • memcpy.MSVCRT ref: 00B38063
    • memcpy.MSVCRT ref: 00B38075
    • WSASetLastError.WS2_32(00000008,?,?,?), ref: 00B380DF
    • WSAGetLastError.WS2_32(?,?,?), ref: 00B380FB
      • Part of subcall function 00B38325: RegisterWaitForSingleObject.KERNEL32(?,?,00B38164,?,000000FF,00000004), ref: 00B3838A
    • WSASetLastError.WS2_32(00000008,?,00000000,?,?,?,?,?), ref: 00B38124
      • Part of subcall function 00B2CC4F: memcpy.MSVCRT ref: 00B2CC64
      • Part of subcall function 00B2CC4F: SetEvent.KERNEL32 ref: 00B2CC74
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • memset.MSVCRT ref: 00B1B106
    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,?,?,00000000), ref: 00B1B13E
    • memcpy.MSVCRT ref: 00B1B159
    • CloseHandle.KERNEL32(?), ref: 00B1B16E
    • CloseHandle.KERNEL32(00000000), ref: 00B1B174
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B3C09D: CreateMutexW.KERNEL32(00B449B4,00000000), ref: 00B3C0BF
      • Part of subcall function 00B2204E: memcpy.MSVCRT ref: 00B2205C
      • Part of subcall function 00B28432: CreateFileW.KERNEL32(00DD1EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B2844B
      • Part of subcall function 00B28432: GetFileSizeEx.KERNEL32 ref: 00B2845E
      • Part of subcall function 00B28432: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00B28484
      • Part of subcall function 00B28432: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00B2849C
      • Part of subcall function 00B28432: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00B284BA
      • Part of subcall function 00B28432: CloseHandle.KERNEL32 ref: 00B284C3
    • memset.MSVCRT ref: 00B2B42B
    • memcpy.MSVCRT ref: 00B2B457
      • Part of subcall function 00B36875: GetSystemTime.KERNEL32 ref: 00B3687F
      • Part of subcall function 00B224F3: HeapAlloc.KERNEL32(00000000,?,?,?,00B16328,?,?,00B38D10,?,?,?,?,0000FFFF), ref: 00B2251D
      • Part of subcall function 00B224F3: HeapReAlloc.KERNEL32(00000000,?,?,?,?,00B16328,?,?,00B38D10,?,?,?,?,0000FFFF), ref: 00B22530
      • Part of subcall function 00B171D5: memcpy.MSVCRT ref: 00B172E6
    • CreateFileW.KERNEL32(00B0AF54,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 00B2B55C
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00B2B578
      • Part of subcall function 00B35934: CloseHandle.KERNEL32 ref: 00B35940
      • Part of subcall function 00B1766D: ReleaseMutex.KERNEL32 ref: 00B17671
      • Part of subcall function 00B1766D: CloseHandle.KERNEL32 ref: 00B17678
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
      • Part of subcall function 00B2B161: memset.MSVCRT ref: 00B2B170
      • Part of subcall function 00B2B161: memset.MSVCRT ref: 00B2B1B3
      • Part of subcall function 00B2B161: memset.MSVCRT ref: 00B2B1E9
      • Part of subcall function 00B30370: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00B3037F
      • Part of subcall function 00B2FE5C: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00B2FEC2
      • Part of subcall function 00B2FE5C: memcpy.MSVCRT ref: 00B2FEDC
      • Part of subcall function 00B2FE5C: VirtualProtect.KERNEL32(?,?,00000002,-00000048), ref: 00B2FEEF
      • Part of subcall function 00B2FE5C: memset.MSVCRT ref: 00B2FF46
      • Part of subcall function 00B2FE5C: memcpy.MSVCRT ref: 00B2FF5A
      • Part of subcall function 00B2FE5C: VirtualProtect.KERNEL32(?,?,?,-00000048), ref: 00B30049
      • Part of subcall function 00B173E0: memcmp.MSVCRT ref: 00B17489
      • Part of subcall function 00B284D3: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00B284E4
      • Part of subcall function 00B284D3: CloseHandle.KERNEL32 ref: 00B284F3
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • LoadLibraryW.KERNEL32(urlmon.dll), ref: 00B1C8D4
    • GetProcAddress.KERNEL32(?,ObtainUserAgentString), ref: 00B1C8EA
    • FreeLibrary.KERNEL32 ref: 00B1C935
      • Part of subcall function 00B224DA: HeapAlloc.KERNEL32(00000008,?,?,00B1B076,?,?,?,00000000,?,?,00000000,00B3AA69,?,00B3ADD5), ref: 00B224EB
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00B45AA4,?,?,00B3AA21,?,00B3ADD5,?,?,?,00000001), ref: 00B21EE6
    • LeaveCriticalSection.KERNEL32(00B45AA4,?,?,00B3AA21,?,00B3ADD5,?,?,?,00000001), ref: 00B21F0E
      • Part of subcall function 00B21E94: GetModuleHandleW.KERNEL32(shell32.dll), ref: 00B21EA2
      • Part of subcall function 00B21E94: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00B21EAE
      • Part of subcall function 00B21E94: SetLastError.KERNEL32(00000001,00B18F04,00B447C0,?,00B44DF4,00000000,00000006,00B3BD7A,00B44DF4,-00000258,?,00000000), ref: 00B21EC6
    • IsWow64Process.KERNEL32(000000FF), ref: 00B21F37
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B22456: EnterCriticalSection.KERNEL32(00B45AA4,00000028,00B224C9,?,00B3D211,?,?,00000000,?,?,00000001), ref: 00B22466
      • Part of subcall function 00B22456: LeaveCriticalSection.KERNEL32(00B45AA4,?,00B3D211,?,?,00000000,?,?,00000001), ref: 00B22490
    • HeapAlloc.KERNEL32(00000000,00000028,?,00B3D211,?,?,00000000,?,?,00000001), ref: 00B224D2
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B18F6F: memcpy.MSVCRT ref: 00B18FE0
      • Part of subcall function 00B18F6F: PathRemoveBackslashW.SHLWAPI ref: 00B18FEA
      • Part of subcall function 00B18F6F: memcpy.MSVCRT ref: 00B19033
      • Part of subcall function 00B18F6F: memcpy.MSVCRT ref: 00B19060
      • Part of subcall function 00B18F6F: PathRemoveBackslashW.SHLWAPI ref: 00B1906A
    • FindFirstFileW.KERNEL32 ref: 00B39555
    • SetLastError.KERNEL32(?,?,?,?,?,?,00B0AB64), ref: 00B39680
      • Part of subcall function 00B396F5: PathMatchSpecW.SHLWAPI(00000010), ref: 00B39722
      • Part of subcall function 00B396F5: PathMatchSpecW.SHLWAPI(00000010), ref: 00B39741
    • FindNextFileW.KERNEL32(?,?), ref: 00B3964A
    • GetLastError.KERNEL32(?,?,?,?,00B0AB64), ref: 00B39663
    • FindClose.KERNEL32 ref: 00B39679
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B1B764: EnterCriticalSection.KERNEL32(00B45AA4,?,00B1B826,?,00B3C86A,00B2C4AB,00B2C4AB,?,00B2C4AB,?,00000001), ref: 00B1B774
      • Part of subcall function 00B1B764: LeaveCriticalSection.KERNEL32(00B45AA4,?,00B1B826,?,00B3C86A,00B2C4AB,00B2C4AB,?,00B2C4AB,?,00000001), ref: 00B1B79E
    • socket.WS2_32(?,00000002,00000000), ref: 00B1C0DF
    • WSAIoctl.WS2_32(?,48000016,00000000,00000000,?,00000000,?,00000000,00000000), ref: 00B1C112
    • WSAGetLastError.WS2_32(?,48000016,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00000002,00000000,00000000,?,?), ref: 00B1C119
      • Part of subcall function 00B224DA: HeapAlloc.KERNEL32(00000008,?,?,00B1B076,?,?,?,00000000,?,?,00000000,00B3AA69,?,00B3ADD5), ref: 00B224EB
    • WSAIoctl.WS2_32(?,48000016,00000000,00000000,?,?,?,00000000,00000000), ref: 00B1C14D
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
    • closesocket.WS2_32 ref: 00B1C15D
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B18F6F: memcpy.MSVCRT ref: 00B18FE0
      • Part of subcall function 00B18F6F: PathRemoveBackslashW.SHLWAPI ref: 00B18FEA
      • Part of subcall function 00B18F6F: memcpy.MSVCRT ref: 00B19033
      • Part of subcall function 00B18F6F: memcpy.MSVCRT ref: 00B19060
      • Part of subcall function 00B18F6F: PathRemoveBackslashW.SHLWAPI ref: 00B1906A
    • FindFirstFileW.KERNEL32(?), ref: 00B19170
      • Part of subcall function 00B35E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00B35E26
      • Part of subcall function 00B35E1D: DeleteFileW.KERNEL32 ref: 00B35E2D
    • FindNextFileW.KERNEL32(?,?), ref: 00B191C2
    • FindClose.KERNEL32 ref: 00B191CD
    • SetFileAttributesW.KERNEL32(?,00000080), ref: 00B191D9
    • RemoveDirectoryW.KERNEL32 ref: 00B191E0
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B18F6F: memcpy.MSVCRT ref: 00B18FE0
      • Part of subcall function 00B18F6F: PathRemoveBackslashW.SHLWAPI ref: 00B18FEA
      • Part of subcall function 00B18F6F: memcpy.MSVCRT ref: 00B19033
      • Part of subcall function 00B18F6F: memcpy.MSVCRT ref: 00B19060
      • Part of subcall function 00B18F6F: PathRemoveBackslashW.SHLWAPI ref: 00B1906A
    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00B30405
    • SetFileAttributesW.KERNEL32(?), ref: 00B30424
    • CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,?,00000000), ref: 00B3043B
    • GetLastError.KERNEL32 ref: 00B30448
    • CloseHandle.KERNEL32 ref: 00B30481
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00DD2820,00DD2820,?,?,?,00B3C6E4,?,?,?,?,?,00000009,00000000,?,?,3D920600), ref: 00B3C42A
    • LeaveCriticalSection.KERNEL32(00DD2820,?,3D920600,?), ref: 00B3C511
      • Part of subcall function 00B224C1: HeapAlloc.KERNEL32(00000000,00000028,?,00B3D211,?,?,00000000,?,?,00000001), ref: 00B224D2
    • memcpy.MSVCRT ref: 00B3C49B
    • memcpy.MSVCRT ref: 00B3C4BF
    • memcpy.MSVCRT ref: 00B3C4D6
    • memcpy.MSVCRT ref: 00B3C4F6
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • PathFindFileNameW.SHLWAPI(?), ref: 00B24C02
      • Part of subcall function 00B19E88: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00B19E9D
      • Part of subcall function 00B19E88: StrCmpIW.SHLWAPI ref: 00B19EA7
    • CreateFileW.KERNEL32(?,80000000,00000007,?,00000003,00000080), ref: 00B24C31
      • Part of subcall function 00B224C1: HeapAlloc.KERNEL32(00000000,00000028,?,00B3D211,?,?,00000000,?,?,00000001), ref: 00B224D2
    • SetLastError.KERNEL32(00000057,?,?,00000003,00000080), ref: 00B24C96
      • Part of subcall function 00B35B34: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00B35B46
      • Part of subcall function 00B35934: CloseHandle.KERNEL32 ref: 00B35940
    • CharLowerW.USER32 ref: 00B24CF6
      • Part of subcall function 00B2204E: memcpy.MSVCRT ref: 00B2205C
      • Part of subcall function 00B3868E: EnterCriticalSection.KERNEL32(00B45AA4,?,00B3AA5B,?,00B3ADD5,?,?,?,00000001), ref: 00B3869E
      • Part of subcall function 00B3868E: LeaveCriticalSection.KERNEL32(00B45AA4,?,00B3AA5B,?,00B3ADD5,?,?,?,00000001), ref: 00B386C4
      • Part of subcall function 00B3570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00B3ABEA,00B3ABEA), ref: 00B3573C
      • Part of subcall function 00B18F6F: memcpy.MSVCRT ref: 00B18FE0
      • Part of subcall function 00B18F6F: PathRemoveBackslashW.SHLWAPI ref: 00B18FEA
      • Part of subcall function 00B18F6F: memcpy.MSVCRT ref: 00B19033
      • Part of subcall function 00B18F6F: memcpy.MSVCRT ref: 00B19060
      • Part of subcall function 00B18F6F: PathRemoveBackslashW.SHLWAPI ref: 00B1906A
    • memcmp.MSVCRT ref: 00B24E48
    • GetTickCount.KERNEL32 ref: 00B24E55
      • Part of subcall function 00B307EE: RegSetValueExW.ADVAPI32(00000000,000000FE,?,00000000,?,?), ref: 00B30823
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
      • Part of subcall function 00B35AB0: GetFileSizeEx.KERNEL32 ref: 00B35ABB
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00B3AECF
      • Part of subcall function 00B2C90D: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 00B2C93C
      • Part of subcall function 00B2C90D: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00B2C97B
      • Part of subcall function 00B2C90D: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00B2C9A2
    • DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00B3AF0A
    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00B3AF4A
    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00B3AF6D
      • Part of subcall function 00B3A976: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00B3A999
      • Part of subcall function 00B3A976: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00B3A9B1
      • Part of subcall function 00B3A976: DuplicateHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000001), ref: 00B3A9CC
    • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00B3AFBD
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00B2CB1D
      • Part of subcall function 00B1C830: HttpQueryInfoA.WININET(00B2CB41,40000009,?,?,00000000), ref: 00B1C897
      • Part of subcall function 00B1C830: memset.MSVCRT ref: 00B1C8AD
    • GetSystemTime.KERNEL32(?), ref: 00B2CB54
      • Part of subcall function 00B2B7FF: EnterCriticalSection.KERNEL32(00B447FC,?,?,00B359A9,00000000), ref: 00B2B80C
      • Part of subcall function 00B2B7FF: LeaveCriticalSection.KERNEL32(00B447FC,?,?,00B359A9,00000000), ref: 00B2B81A
    • Sleep.KERNEL32(000005DC), ref: 00B2CB6D
    • WaitForSingleObject.KERNEL32(?,000005DC), ref: 00B2CB76
    • lstrcpyA.KERNEL32 ref: 00B2CBD4
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B1B7D0: socket.WS2_32(?,?,00000006), ref: 00B1B804
    • connect.WS2_32(?,?), ref: 00B1BB93
    • WSAGetLastError.WS2_32(?,00000000,?,?,?,00B2C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 00B1BBA2
    • WSASetLastError.WS2_32(00000000), ref: 00B1BC00
      • Part of subcall function 00B1B979: shutdown.WS2_32(?,00000002), ref: 00B1B987
      • Part of subcall function 00B1B979: closesocket.WS2_32 ref: 00B1B990
      • Part of subcall function 00B1B979: WSACloseEvent.WS2_32 ref: 00B1B9A3
      • Part of subcall function 00B1B928: WSACreateEvent.WS2_32(00000000,?,00B1BB6E,00000033,00000000,?,?,?,00B2C4F0,?,00003A98,?,00000000,?,00000003), ref: 00B1B93E
      • Part of subcall function 00B1B928: WSAEventSelect.WS2_32(?,?,00000033), ref: 00B1B954
      • Part of subcall function 00B1B928: WSACloseEvent.WS2_32 ref: 00B1B968
    • WSASetLastError.WS2_32(?,?,?,?,00B2C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 00B1BBC0
    • WSAGetLastError.WS2_32(?,?,?,00B2C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 00B1BBC2
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00DD28B4,?,?,?,00B3B2F2,?,?,00000001), ref: 00B18DEF
    • LeaveCriticalSection.KERNEL32(00DD28B4,?,?,?,00B3B2F2,?,?,00000001), ref: 00B18DF9
    • WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00B18E1F
    • EnterCriticalSection.KERNEL32(00DD28B4,?,?,?,00B3B2F2,?,?,00000001), ref: 00B18E37
    • LeaveCriticalSection.KERNEL32(00DD28B4,?,?,?,00B3B2F2,?,?,00000001), ref: 00B18E41
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • memset.MSVCRT ref: 00B1865F
      • Part of subcall function 00B19F5F: memcpy.MSVCRT ref: 00B19F99
    • CharLowerW.USER32 ref: 00B186A3
    • CharUpperW.USER32(?,?,00000001), ref: 00B186B4
    • CharLowerW.USER32 ref: 00B186C8
    • CharUpperW.USER32(?,00000001), ref: 00B186D2
    • memcmp.MSVCRT ref: 00B186E7
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B16A4D: TlsSetValue.KERNEL32(00000001,00B2A796), ref: 00B16A5A
      • Part of subcall function 00B2CC26: ResetEvent.KERNEL32 ref: 00B2CC42
    • WSAGetOverlappedResult.WS2_32(?,?,?,00000000), ref: 00B381AA
    • WSAGetLastError.WS2_32(?,?,?,00000000), ref: 00B381B4
    • WSAGetLastError.WS2_32(?,?,?,00000000), ref: 00B382BD
    • WSAGetLastError.WS2_32(?,?,?,00000000), ref: 00B382C6
    • UnregisterWait.KERNEL32(?), ref: 00B382EB
    • TlsSetValue.KERNEL32(00000000), ref: 00B38316
      • Part of subcall function 00B2CC4F: memcpy.MSVCRT ref: 00B2CC64
      • Part of subcall function 00B2CC4F: SetEvent.KERNEL32 ref: 00B2CC74
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • memset.MSVCRT ref: 00B3BE2B
    • GetComputerNameW.KERNEL32 ref: 00B3BE5F
    • GetVersionExW.KERNEL32 ref: 00B3BE88
    • memset.MSVCRT ref: 00B3BEA7
      • Part of subcall function 00B30775: RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B3079C
      • Part of subcall function 00B30755: RegFlushKey.ADVAPI32 ref: 00B30765
      • Part of subcall function 00B30755: RegCloseKey.ADVAPI32 ref: 00B3076D
      • Part of subcall function 00B393C4: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00B39433
      • Part of subcall function 00B393C4: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00B39458
    • memset.MSVCRT ref: 00B3BFAC
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
      • Part of subcall function 00B39393: CryptDestroyHash.ADVAPI32 ref: 00B393AB
      • Part of subcall function 00B39393: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00B393BC
      • Part of subcall function 00B3946B: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 00B394AA
      • Part of subcall function 00B30A1D: RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 00B30A3A
      • Part of subcall function 00B308A8: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00B30903
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,?,00000004,00B3FD90,00000000,?,?,?,?,?,?,?,00B3EA72), ref: 00B3FC78
    • HeapCreate.KERNEL32(00040001,00000000,00000000), ref: 00B3FCB2
    • HeapAlloc.KERNEL32(?,00000000,0000000B,?,?,?,?,00000004,00B3FD90,00000000), ref: 00B3FCCF
    • HeapFree.KERNEL32(?,00000000,?,?,00000000,0000000B,?,?,?,?,00000004,00B3FD90,00000000), ref: 00B3FCF7
    • memcpy.MSVCRT ref: 00B3FD07
      • Part of subcall function 00B16D72: EnterCriticalSection.KERNEL32(00B4468C,00000000,00B24F6E,?,000000FF), ref: 00B16D7E
      • Part of subcall function 00B16D72: LeaveCriticalSection.KERNEL32(00B4468C,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00DD1EF0), ref: 00B16D8E
      • Part of subcall function 00B39DDC: GetCurrentThreadId.KERNEL32 ref: 00B39DED
      • Part of subcall function 00B39DDC: memcpy.MSVCRT ref: 00B39F56
      • Part of subcall function 00B39DDC: VirtualProtect.KERNEL32(?,?,00000040,00000000), ref: 00B39FE2
      • Part of subcall function 00B39DDC: GetLastError.KERNEL32(?,00000040,00000000,?,?,00000000), ref: 00B39FEC
      • Part of subcall function 00B16D9C: LeaveCriticalSection.KERNEL32(00B4468C,00B16E01,00000001,00000000,00000000,?,00B24F82,00000001,00000000,?,000000FF), ref: 00B16DA6
      • Part of subcall function 00B16DAD: LeaveCriticalSection.KERNEL32(00B4468C,?,00B16E13,00000001,00000000,00000000,?,00B24F82,00000001,00000000,?,000000FF), ref: 00B16DBA
    • LeaveCriticalSection.KERNEL32(?,?,00000000,0000000B,?,?,?,?,00000004,00B3FD90,00000000), ref: 00B3FD4B
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,77C475F0), ref: 00B28A9B
      • Part of subcall function 00B37CEC: WaitForSingleObject.KERNEL32(?,00000000), ref: 00B37CF8
    • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,77C475F0), ref: 00B28B2D
      • Part of subcall function 00B28626: getsockopt.WS2_32(?,0000FFFF,00001008,00B09417,00B09417), ref: 00B286B2
      • Part of subcall function 00B28626: GetHandleInformation.KERNEL32 ref: 00B286C4
      • Part of subcall function 00B28626: socket.WS2_32(?,00000001,00000006), ref: 00B286F7
      • Part of subcall function 00B28626: socket.WS2_32(?,00000002,00000011), ref: 00B28708
      • Part of subcall function 00B28626: closesocket.WS2_32(?), ref: 00B28727
      • Part of subcall function 00B28626: closesocket.WS2_32 ref: 00B2872E
      • Part of subcall function 00B28626: memset.MSVCRT ref: 00B287F2
      • Part of subcall function 00B28626: memcpy.MSVCRT ref: 00B28902
    • SetEvent.KERNEL32 ref: 00B28B80
    • SetEvent.KERNEL32 ref: 00B28BB9
      • Part of subcall function 00B37CD3: SetEvent.KERNEL32 ref: 00B37CE3
    • LeaveCriticalSection.KERNEL32(?,?,?,?,77C475F0), ref: 00B28C3E
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B3ACAD: GetModuleHandleW.KERNEL32(00000000), ref: 00B3ACF4
      • Part of subcall function 00B3ACAD: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00B3AD59
      • Part of subcall function 00B3ACAD: Process32FirstW.KERNEL32 ref: 00B3AD74
      • Part of subcall function 00B3ACAD: PathFindFileNameW.SHLWAPI ref: 00B3AD87
      • Part of subcall function 00B3ACAD: StrCmpNIW.SHLWAPI(rapport,?,00000007), ref: 00B3AD99
      • Part of subcall function 00B3ACAD: Process32NextW.KERNEL32(?,?), ref: 00B3ADA9
      • Part of subcall function 00B3ACAD: CloseHandle.KERNEL32 ref: 00B3ADB4
      • Part of subcall function 00B3ACAD: WSAStartup.WS2_32(00000202), ref: 00B3ADC4
      • Part of subcall function 00B3ACAD: CreateEventW.KERNEL32(00B449B4,00000001,00000000,00000000), ref: 00B3ADEC
      • Part of subcall function 00B3ACAD: GetLengthSid.ADVAPI32(?,?,?,?,00000001), ref: 00B3AE22
      • Part of subcall function 00B3ACAD: GetCurrentProcessId.KERNEL32 ref: 00B3AE4D
    • SetErrorMode.KERNEL32(00008007), ref: 00B3B851
    • GetCommandLineW.KERNEL32 ref: 00B3B85D
    • CommandLineToArgvW.SHELL32 ref: 00B3B864
    • LocalFree.KERNEL32 ref: 00B3B8A1
    • ExitProcess.KERNEL32(00000001), ref: 00B3B8B2
      • Part of subcall function 00B3B4AA: CreateMutexW.KERNEL32(00B449B4,00000001), ref: 00B3B550
      • Part of subcall function 00B3B4AA: GetLastError.KERNEL32(?,38901130,?,00000001,?,?,00000001,?,?,?,00B3B8C7), ref: 00B3B560
      • Part of subcall function 00B3B4AA: CloseHandle.KERNEL32 ref: 00B3B56E
      • Part of subcall function 00B3B4AA: lstrlenW.KERNEL32 ref: 00B3B5D0
      • Part of subcall function 00B3B4AA: ExitWindowsEx.USER32(00000014,80000000), ref: 00B3B615
      • Part of subcall function 00B3B4AA: OpenEventW.KERNEL32(00000002,00000000), ref: 00B3B63B
      • Part of subcall function 00B3B4AA: SetEvent.KERNEL32 ref: 00B3B648
      • Part of subcall function 00B3B4AA: CloseHandle.KERNEL32 ref: 00B3B64F
      • Part of subcall function 00B3B4AA: Sleep.KERNEL32(00007530), ref: 00B3B674
      • Part of subcall function 00B3B4AA: InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000001,80000000), ref: 00B3B68C
      • Part of subcall function 00B3B4AA: Sleep.KERNEL32(000000FF), ref: 00B3B694
      • Part of subcall function 00B3B4AA: CloseHandle.KERNEL32 ref: 00B3B697
      • Part of subcall function 00B3B4AA: IsWellKnownSid.ADVAPI32(00DD1EC0,00000016), ref: 00B3B6E5
      • Part of subcall function 00B3B4AA: CreateEventW.KERNEL32(00B449B4,00000001,00000000), ref: 00B3B7B4
      • Part of subcall function 00B3B4AA: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B3B7CD
      • Part of subcall function 00B3B4AA: WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,000000FF), ref: 00B3B7DF
      • Part of subcall function 00B3B4AA: CloseHandle.KERNEL32(00000000), ref: 00B3B7F6
      • Part of subcall function 00B3B4AA: CloseHandle.KERNEL32(?), ref: 00B3B7FC
      • Part of subcall function 00B3B4AA: CloseHandle.KERNEL32(?), ref: 00B3B802
    • Sleep.KERNEL32(000000FF), ref: 00B3B8D8
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B1BA34: getsockopt.WS2_32(?,0000FFFF,00002004), ref: 00B1BA5A
      • Part of subcall function 00B23A22: select.WS2_32(00000000,?,00000000,00000000), ref: 00B23A81
      • Part of subcall function 00B23A22: recv.WS2_32(?,?,?,00000000), ref: 00B23A91
    • getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 00B2EDB2
    • memcpy.MSVCRT ref: 00B2EDEA
    • FreeAddrInfoW.WS2_32(?), ref: 00B2EDF8
    • memset.MSVCRT ref: 00B2EE13
      • Part of subcall function 00B2EC55: getpeername.WS2_32(?,?,?), ref: 00B2EC79
      • Part of subcall function 00B2EC55: getsockname.WS2_32(?,?,?), ref: 00B2EC91
      • Part of subcall function 00B2EC55: send.WS2_32(00000000,00000000,00000008,00000000), ref: 00B2ECC2
      • Part of subcall function 00B23BBE: socket.WS2_32(?,00000001,00000006), ref: 00B23BCA
      • Part of subcall function 00B23BBE: bind.WS2_32 ref: 00B23BE7
      • Part of subcall function 00B23BBE: listen.WS2_32(?,00000001), ref: 00B23BF4
      • Part of subcall function 00B23BBE: WSAGetLastError.WS2_32(?,?,?,?,00000001,00000006,?,?,00B2EE5F,?,?,?), ref: 00B23BFE
      • Part of subcall function 00B23BBE: closesocket.WS2_32 ref: 00B23C07
      • Part of subcall function 00B23BBE: WSASetLastError.WS2_32(?,?,?,?,?,?,00000001,00000006,?,?,00B2EE5F,?,?,?), ref: 00B23C0E
      • Part of subcall function 00B23D73: accept.WS2_32(?,00000000), ref: 00B23D94
      • Part of subcall function 00B23AD3: socket.WS2_32(?,00000001,00000006), ref: 00B23ADF
      • Part of subcall function 00B23AD3: connect.WS2_32 ref: 00B23AFC
      • Part of subcall function 00B23AD3: closesocket.WS2_32 ref: 00B23B07
      • Part of subcall function 00B1C06E: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 00B1C082
      • Part of subcall function 00B23C1C: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00B23C44
      • Part of subcall function 00B23C1C: recv.WS2_32(?,?,00000400,00000000), ref: 00B23C70
      • Part of subcall function 00B23C1C: send.WS2_32(?,?,?,00000000), ref: 00B23C92
      • Part of subcall function 00B23C1C: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00B23CBF
      • Part of subcall function 00B23D9E: shutdown.WS2_32(?,00000002), ref: 00B23DA9
      • Part of subcall function 00B23D9E: closesocket.WS2_32 ref: 00B23DB0
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B3868E: EnterCriticalSection.KERNEL32(00B45AA4,?,00B3AA5B,?,00B3ADD5,?,?,?,00000001), ref: 00B3869E
      • Part of subcall function 00B3868E: LeaveCriticalSection.KERNEL32(00B45AA4,?,00B3AA5B,?,00B3ADD5,?,?,?,00000001), ref: 00B386C4
    • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00B254CE
    • GetProcAddress.KERNEL32(?,GetProductInfo), ref: 00B254DE
    • GetSystemDefaultUILanguage.KERNEL32(?,?,?,00B251C2), ref: 00B25519
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • GetTempPathW.KERNEL32(00000104), ref: 00B31B17
    • lstrcpyA.KERNEL32(?,00B0C28A,00000000,00B31DA8,?,?,?,00B31DA8,?,?,?,?,?,?,?,00B3A7AA), ref: 00B31BAE
    • lstrcpynA.KERNEL32(?,?\C,00000003,?,00B0C28A,00000000,00B31DA8,?,?,?,00B31DA8), ref: 00B31BC4
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • VerQueryValueW.VERSION(?,\VarFileInfo\Translation), ref: 00B24FEE
    • VerQueryValueW.VERSION(?,?,?,?,\VarFileInfo\Translation), ref: 00B2505B
      • Part of subcall function 00B19E88: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00B19E9D
      • Part of subcall function 00B19E88: StrCmpIW.SHLWAPI ref: 00B19EA7
    Strings
    • \VarFileInfo\Translation, xrefs: 00B24FE7
    • \StringFileInfo\%04x%04x\%s, xrefs: 00B25030
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • GetProcAddress.KERNEL32(?,GdipCreateBitmapFromHBITMAP), ref: 00B3129A
    • GetProcAddress.KERNEL32(?,GdipDisposeImage), ref: 00B312A5
      • Part of subcall function 00B312E6: GetProcAddress.KERNEL32(?,GdipGetImageEncodersSize), ref: 00B31304
      • Part of subcall function 00B312E6: GetProcAddress.KERNEL32(?,GdipGetImageEncoders), ref: 00B3130F
      • Part of subcall function 00B312E6: GetProcAddress.KERNEL32(?,GdipSaveImageToStream), ref: 00B3131A
      • Part of subcall function 00B312E6: lstrcmpiW.KERNEL32(?), ref: 00B313A7
      • Part of subcall function 00B312E6: memcpy.MSVCRT ref: 00B313CA
      • Part of subcall function 00B312E6: CreateStreamOnHGlobal.OLE32(00000000,00000001), ref: 00B313F5
      • Part of subcall function 00B312E6: memcpy.MSVCRT ref: 00B31423
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00B2A111), ref: 00B293BE
    • LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00B2A111), ref: 00B294E9
      • Part of subcall function 00B21A4F: memcmp.MSVCRT ref: 00B21A6B
    • memcpy.MSVCRT ref: 00B29419
    • LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00B2A111,?,00000002), ref: 00B29429
      • Part of subcall function 00B2B7FF: EnterCriticalSection.KERNEL32(00B447FC,?,?,00B359A9,00000000), ref: 00B2B80C
      • Part of subcall function 00B2B7FF: LeaveCriticalSection.KERNEL32(00B447FC,?,?,00B359A9,00000000), ref: 00B2B81A
    • EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 00B2945D
      • Part of subcall function 00B36875: GetSystemTime.KERNEL32 ref: 00B3687F
      • Part of subcall function 00B21728: memcpy.MSVCRT ref: 00B21771
      • Part of subcall function 00B21858: memcpy.MSVCRT ref: 00B21935
      • Part of subcall function 00B21858: memcpy.MSVCRT ref: 00B21956
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00B23C44
    • recv.WS2_32(?,?,00000400,00000000), ref: 00B23C70
    • send.WS2_32(?,?,?,00000000), ref: 00B23C92
    • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00B23CBF
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,00B22B51,00000005,00007530,?,00000000,00000000), ref: 00B18CC7
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00B18CEB
    • CloseHandle.KERNEL32 ref: 00B18CFB
      • Part of subcall function 00B224F3: HeapAlloc.KERNEL32(00000000,?,?,?,00B16328,?,?,00B38D10,?,?,?,?,0000FFFF), ref: 00B2251D
      • Part of subcall function 00B224F3: HeapReAlloc.KERNEL32(00000000,?,?,?,?,00B16328,?,?,00B38D10,?,?,?,?,0000FFFF), ref: 00B22530
    • LeaveCriticalSection.KERNEL32(?,?,?,?,00B22B51,00000005,00007530,?,00000000,00000000), ref: 00B18D2B
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,?,00B17F4D,00000001,?,00000001,?), ref: 00B1A655
    • memcpy.MSVCRT ref: 00B1A6D1
    • memcpy.MSVCRT ref: 00B1A6E5
    • memcpy.MSVCRT ref: 00B1A70F
    • LeaveCriticalSection.KERNEL32(?,?,?,00000001,?,?,?,?,00B17F4D,00000001,?,00000001,?), ref: 00B1A735
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00B45AA4), ref: 00B227D6
    • LeaveCriticalSection.KERNEL32(00B45AA4), ref: 00B227FC
      • Part of subcall function 00B2275F: InitializeCriticalSection.KERNEL32(00B450C8), ref: 00B22764
      • Part of subcall function 00B2275F: memset.MSVCRT ref: 00B22773
    • EnterCriticalSection.KERNEL32(00B450C8), ref: 00B22807
    • LeaveCriticalSection.KERNEL32(00B450C8), ref: 00B2287F
      • Part of subcall function 00B2B1FD: PathRenameExtensionW.SHLWAPI ref: 00B2B26F
      • Part of subcall function 00B2B286: memset.MSVCRT ref: 00B2B42B
      • Part of subcall function 00B2B286: memcpy.MSVCRT ref: 00B2B457
      • Part of subcall function 00B2B286: CreateFileW.KERNEL32(00B0AF54,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 00B2B55C
      • Part of subcall function 00B2B286: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00B2B578
    • Sleep.KERNEL32(000007D0), ref: 00B22872
      • Part of subcall function 00B2B61E: memset.MSVCRT ref: 00B2B640
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • memcpy.MSVCRT ref: 00B2DA9F
      • Part of subcall function 00B2D8E8: memcpy.MSVCRT ref: 00B2D8FF
      • Part of subcall function 00B2D8E8: CharLowerA.USER32 ref: 00B2D9CA
      • Part of subcall function 00B2D8E8: CharLowerA.USER32(?), ref: 00B2D9DA
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B1BDD5: WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,00B17A9F,?,00000005), ref: 00B1BE0B
      • Part of subcall function 00B1BDD5: WSASetLastError.WS2_32(00002775,?,?,?,?,?,?,?,?,00B17A9F,?,00000005), ref: 00B1BE6F
    • memcmp.MSVCRT ref: 00B17AB8
    • memcmp.MSVCRT ref: 00B17AD0
    • memcpy.MSVCRT ref: 00B17B05
      • Part of subcall function 00B2DE94: memcpy.MSVCRT ref: 00B2DEA1
      • Part of subcall function 00B2E043: memcpy.MSVCRT ref: 00B2E070
      • Part of subcall function 00B2ADFE: EnterCriticalSection.KERNEL32(?,?,00000002,?,?,00B17BF5,?,?,00000000,?,00000001,?,0000002C,?,0000002C), ref: 00B2AE37
      • Part of subcall function 00B2ADFE: LeaveCriticalSection.KERNEL32(0000002C,?,?,00000002,?,?,00B17BF5,?,?,00000000,?,00000001,?,0000002C,?,0000002C), ref: 00B2AE5B
      • Part of subcall function 00B17A05: GetTickCount.KERNEL32 ref: 00B17A12
      • Part of subcall function 00B1BAC9: memset.MSVCRT ref: 00B1BADE
      • Part of subcall function 00B1BAC9: getsockname.WS2_32(?,00B17C25), ref: 00B1BAF1
      • Part of subcall function 00B1C091: memcmp.MSVCRT ref: 00B1C0B3
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B21B16: EnterCriticalSection.KERNEL32(00B45AA4,?,00B28DDC,?,?,?,?,00B3B233,?,00000001), ref: 00B21B26
      • Part of subcall function 00B21B16: LeaveCriticalSection.KERNEL32(00B45AA4,?,00B28DDC,?,?,?,?,00B3B233,?,00000001), ref: 00B21B50
    • memset.MSVCRT ref: 00B28E0A
    • memset.MSVCRT ref: 00B28E16
    • memset.MSVCRT ref: 00B28E22
    • InitializeCriticalSection.KERNEL32 ref: 00B28E3A
    • InitializeCriticalSection.KERNEL32 ref: 00B28E55
    • InitializeCriticalSection.KERNEL32 ref: 00B28E92
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00DD2864,3D920700), ref: 00B36D43
      • Part of subcall function 00B36A55: GetTickCount.KERNEL32 ref: 00B36A5D
    • LeaveCriticalSection.KERNEL32(00DD2864), ref: 00B36F22
      • Part of subcall function 00B36BBC: IsBadReadPtr.KERNEL32 ref: 00B36C88
      • Part of subcall function 00B36BBC: IsBadReadPtr.KERNEL32 ref: 00B36CA7
    • getservbyname.WS2_32(?,00000000), ref: 00B36DBD
      • Part of subcall function 00B372A6: memcpy.MSVCRT ref: 00B3747A
      • Part of subcall function 00B372A6: memcpy.MSVCRT ref: 00B3757A
      • Part of subcall function 00B36F86: memcpy.MSVCRT ref: 00B3715A
      • Part of subcall function 00B36F86: memcpy.MSVCRT ref: 00B3725A
    • memcpy.MSVCRT ref: 00B36E9C
      • Part of subcall function 00B3570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00B3ABEA,00B3ABEA), ref: 00B3573C
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
      • Part of subcall function 00B369E1: TlsAlloc.KERNEL32(00DD2864,00B36EB9,?,?,?,?,00DD2858), ref: 00B369EA
      • Part of subcall function 00B369E1: TlsGetValue.KERNEL32(?,00000001,00DD2864), ref: 00B369FC
      • Part of subcall function 00B369E1: TlsSetValue.KERNEL32(?,?), ref: 00B36A41
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • lstrcmpA.KERNEL32(?,?\C), ref: 00B319C6
    • lstrcpyW.KERNEL32(00B317B0), ref: 00B319DC
    • lstrcmpA.KERNEL32(?,00B0C28C), ref: 00B319EC
    • StrCmpNA.SHLWAPI(?,00B0C284,00000002), ref: 00B31A06
      • Part of subcall function 00B3570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00B3ABEA,00B3ABEA), ref: 00B3573C
      • Part of subcall function 00B18F6F: memcpy.MSVCRT ref: 00B18FE0
      • Part of subcall function 00B18F6F: PathRemoveBackslashW.SHLWAPI ref: 00B18FEA
      • Part of subcall function 00B18F6F: memcpy.MSVCRT ref: 00B19033
      • Part of subcall function 00B18F6F: memcpy.MSVCRT ref: 00B19060
      • Part of subcall function 00B18F6F: PathRemoveBackslashW.SHLWAPI ref: 00B1906A
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • CertOpenSystemStoreW.CRYPT32(00000000), ref: 00B27AC3
    • CertDuplicateCertificateContext.CRYPT32(?,?,00000000), ref: 00B27AD4
    • CertDeleteCertificateFromStore.CRYPT32(?,?,?,00000000), ref: 00B27ADF
    • CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00B27AE7
    • CertCloseStore.CRYPT32(?,00000000,?,00000000), ref: 00B27AF5
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B30775: RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B3079C
    • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B30B87
    • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00B30BF1
    • RegFlushKey.ADVAPI32(?), ref: 00B30C1F
    • RegCloseKey.ADVAPI32(?), ref: 00B30C26
      • Part of subcall function 00B30A9D: EnterCriticalSection.KERNEL32(00B45AA4,?,?,?,00B30C47,?,?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00B30AB3
      • Part of subcall function 00B30A9D: LeaveCriticalSection.KERNEL32(00B45AA4,?,?,?,00B30C47,?,?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00B30ADB
      • Part of subcall function 00B30A9D: GetModuleHandleW.KERNEL32(advapi32.dll), ref: 00B30AF7
      • Part of subcall function 00B30A9D: GetProcAddress.KERNEL32 ref: 00B30AFE
      • Part of subcall function 00B30A9D: RegDeleteKeyW.ADVAPI32(?), ref: 00B30B20
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
      • Part of subcall function 00B224DA: HeapAlloc.KERNEL32(00000008,?,?,00B1B076,?,?,?,00000000,?,?,00000000,00B3AA69,?,00B3ADD5), ref: 00B224EB
      • Part of subcall function 00B30755: RegFlushKey.ADVAPI32 ref: 00B30765
      • Part of subcall function 00B30755: RegCloseKey.ADVAPI32 ref: 00B3076D
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,?,00B25B49), ref: 00B16470
      • Part of subcall function 00B24269: CoCreateInstance.OLE32(?,00000000,00004401,?,?), ref: 00B2427E
    • #2.OLEAUT32(?,00000000,?,?,?,00B25B49), ref: 00B164A4
    • #6.OLEAUT32(?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00B25B49), ref: 00B164D9
    • CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00B164F9
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • memcpy.MSVCRT ref: 00B23CFD
    • memcpy.MSVCRT ref: 00B23D1A
    • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00B23D30
    • WSASetLastError.WS2_32(0000274C,?,00000000,00000000,00000000), ref: 00B23D3F
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B21B5D: memcmp.MSVCRT ref: 00B21B69
      • Part of subcall function 00B21B79: memset.MSVCRT ref: 00B21B87
      • Part of subcall function 00B21B79: memcpy.MSVCRT ref: 00B21BA8
      • Part of subcall function 00B21B79: memcpy.MSVCRT ref: 00B21BCE
      • Part of subcall function 00B21B79: memcpy.MSVCRT ref: 00B21BF2
    • TryEnterCriticalSection.KERNEL32 ref: 00B29289
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
    • LeaveCriticalSection.KERNEL32 ref: 00B29303
    • EnterCriticalSection.KERNEL32 ref: 00B29322
      • Part of subcall function 00B21A4F: memcmp.MSVCRT ref: 00B21A6B
    • LeaveCriticalSection.KERNEL32(?,?,00000001), ref: 00B2936E
      • Part of subcall function 00B21858: memcpy.MSVCRT ref: 00B21935
      • Part of subcall function 00B21858: memcpy.MSVCRT ref: 00B21956
      • Part of subcall function 00B36875: GetSystemTime.KERNEL32 ref: 00B3687F
      • Part of subcall function 00B21728: memcpy.MSVCRT ref: 00B21771
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • GetUserNameExW.SECUR32(00000002), ref: 00B23303
    • GetSystemTime.KERNEL32 ref: 00B23356
    • CharLowerW.USER32(?), ref: 00B233A6
    • PathRenameExtensionW.SHLWAPI(?), ref: 00B233D6
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B38867: EnterCriticalSection.KERNEL32(00B45AA4,00DD1E90,00B38AE4,?,00DD1E90), ref: 00B38877
      • Part of subcall function 00B38867: LeaveCriticalSection.KERNEL32(00B45AA4,?,00DD1E90), ref: 00B388A6
      • Part of subcall function 00B24FD0: VerQueryValueW.VERSION(?,\VarFileInfo\Translation), ref: 00B24FEE
      • Part of subcall function 00B24FD0: VerQueryValueW.VERSION(?,?,?,?,\VarFileInfo\Translation), ref: 00B2505B
    • GetCommandLineW.KERNEL32 ref: 00B38B5E
    • CommandLineToArgvW.SHELL32 ref: 00B38B65
    • LocalFree.KERNEL32 ref: 00B38BA5
      • Part of subcall function 00B224C1: HeapAlloc.KERNEL32(00000000,00000028,?,00B3D211,?,?,00000000,?,?,00000001), ref: 00B224D2
    • GetModuleHandleW.KERNEL32(?), ref: 00B38BE7
      • Part of subcall function 00B38DFE: PathFindFileNameW.SHLWAPI(00000000), ref: 00B38E3F
      • Part of subcall function 00B383AF: InitializeCriticalSection.KERNEL32 ref: 00B383CF
      • Part of subcall function 00B19E88: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00B19E9D
      • Part of subcall function 00B19E88: StrCmpIW.SHLWAPI ref: 00B19EA7
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,?,?,00B2984D,?,?,00000000,?,?,00000590), ref: 00B28C7F
      • Part of subcall function 00B37CEC: WaitForSingleObject.KERNEL32(?,00000000), ref: 00B37CF8
    • memcmp.MSVCRT ref: 00B28CCD
      • Part of subcall function 00B15A03: memcpy.MSVCRT ref: 00B15A39
      • Part of subcall function 00B15A03: memcpy.MSVCRT ref: 00B15A4D
      • Part of subcall function 00B15A03: memset.MSVCRT ref: 00B15A5B
    • SetEvent.KERNEL32 ref: 00B28D0E
    • LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,?,?,00B2984D,?,?,00000000,?,?,00000590), ref: 00B28D3B
      • Part of subcall function 00B39175: EnterCriticalSection.KERNEL32(?,?,?,?,00B29116,?), ref: 00B3917B
      • Part of subcall function 00B39175: memcmp.MSVCRT ref: 00B391A7
      • Part of subcall function 00B39175: memcpy.MSVCRT ref: 00B391F2
      • Part of subcall function 00B39175: LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,00000000), ref: 00B391FE
      • Part of subcall function 00B2920C: TryEnterCriticalSection.KERNEL32 ref: 00B29289
      • Part of subcall function 00B2920C: LeaveCriticalSection.KERNEL32 ref: 00B29303
      • Part of subcall function 00B2920C: EnterCriticalSection.KERNEL32 ref: 00B29322
      • Part of subcall function 00B2920C: LeaveCriticalSection.KERNEL32(?,?,00000001), ref: 00B2936E
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002,00B43210), ref: 00B4297C
    • DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002), ref: 00B4299C
      • Part of subcall function 00B224DA: HeapAlloc.KERNEL32(00000008,?,?,00B1B076,?,?,?,00000000,?,?,00000000,00B3AA69,?,00B3ADD5), ref: 00B224EB
      • Part of subcall function 00B3D990: memset.MSVCRT ref: 00B3D9D3
      • Part of subcall function 00B2204E: memcpy.MSVCRT ref: 00B2205C
      • Part of subcall function 00B2222C: memcpy.MSVCRT ref: 00B22268
      • Part of subcall function 00B2222C: memcpy.MSVCRT ref: 00B2227D
      • Part of subcall function 00B2222C: memcpy.MSVCRT ref: 00B222BA
      • Part of subcall function 00B2222C: memcpy.MSVCRT ref: 00B222F2
    • memset.MSVCRT ref: 00B42A39
    • memcpy.MSVCRT ref: 00B42A4B
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • HttpQueryInfoA.WININET(?,0000FFFF,?,?,?), ref: 00B3D0BF
    • GetLastError.KERNEL32(?,?,?,00000000,3D94878D,00000000,3D94878D,00B379EF,?,?,?,?,00000000,?,?,0000203A), ref: 00B3D0C5
      • Part of subcall function 00B224DA: HeapAlloc.KERNEL32(00000008,?,?,00B1B076,?,?,?,00000000,?,?,00000000,00B3AA69,?,00B3ADD5), ref: 00B224EB
    • memcpy.MSVCRT ref: 00B3D0F0
    • HttpQueryInfoA.WININET(?,0000FFFF,?,?,?), ref: 00B3D109
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B2B7FF: EnterCriticalSection.KERNEL32(00B447FC,?,?,00B359A9,00000000), ref: 00B2B80C
      • Part of subcall function 00B2B7FF: LeaveCriticalSection.KERNEL32(00B447FC,?,?,00B359A9,00000000), ref: 00B2B81A
    • QueryPerformanceCounter.KERNEL32 ref: 00B37D3C
    • GetTickCount.KERNEL32 ref: 00B37D49
      • Part of subcall function 00B21B16: EnterCriticalSection.KERNEL32(00B45AA4,?,00B28DDC,?,?,?,?,00B3B233,?,00000001), ref: 00B21B26
      • Part of subcall function 00B21B16: LeaveCriticalSection.KERNEL32(00B45AA4,?,00B28DDC,?,?,?,?,00B3B233,?,00000001), ref: 00B21B50
      • Part of subcall function 00B393C4: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00B39433
      • Part of subcall function 00B393C4: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00B39458
    • memset.MSVCRT ref: 00B37D9D
    • memcpy.MSVCRT ref: 00B37DAD
      • Part of subcall function 00B39393: CryptDestroyHash.ADVAPI32 ref: 00B393AB
      • Part of subcall function 00B39393: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00B393BC
      • Part of subcall function 00B3946B: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 00B394AA
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • memcpy.MSVCRT ref: 00B19894
      • Part of subcall function 00B2204E: memcpy.MSVCRT ref: 00B2205C
    • memcmp.MSVCRT ref: 00B198B6
      • Part of subcall function 00B3570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00B3ABEA,00B3ABEA), ref: 00B3573C
    • lstrcmpiW.KERNEL32(00000000,000000FF), ref: 00B1990F
      • Part of subcall function 00B18F6F: memcpy.MSVCRT ref: 00B18FE0
      • Part of subcall function 00B18F6F: PathRemoveBackslashW.SHLWAPI ref: 00B18FEA
      • Part of subcall function 00B18F6F: memcpy.MSVCRT ref: 00B19033
      • Part of subcall function 00B18F6F: memcpy.MSVCRT ref: 00B19060
      • Part of subcall function 00B18F6F: PathRemoveBackslashW.SHLWAPI ref: 00B1906A
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 00B198DF
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • PathSkipRootW.SHLWAPI ref: 00B190CD
    • GetFileAttributesW.KERNEL32(00000000), ref: 00B190FA
    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00B1910E
    • SetLastError.KERNEL32(00000050,?,?,00000000), ref: 00B19131
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00B154F7
    • UnhandledExceptionFilter.KERNEL32(00AE6DB4), ref: 00B15502
    • GetCurrentProcess.KERNEL32 ref: 00B1550D
    • TerminateProcess.KERNEL32 ref: 00B15514
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B19219: CharLowerW.USER32(?), ref: 00B192D4
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
    • ExitWindowsEx.USER32(00000014,80000000), ref: 00B2A47D
    • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,?,80000000), ref: 00B2A4BD
      • Part of subcall function 00B19BC4: PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00B19C2E
      • Part of subcall function 00B19BC4: PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00B19C75
      • Part of subcall function 00B19BC4: SetEvent.KERNEL32 ref: 00B19C84
      • Part of subcall function 00B19BC4: WaitForSingleObject.KERNEL32 ref: 00B19C95
      • Part of subcall function 00B19BC4: CharToOemW.USER32 ref: 00B19D26
      • Part of subcall function 00B19BC4: CharToOemW.USER32 ref: 00B19D36
      • Part of subcall function 00B19BC4: ExitProcess.KERNEL32(00000000,?,?,00000014,?,?,00000014), ref: 00B19D9A
      • Part of subcall function 00B3D5A0: EnterCriticalSection.KERNEL32(00B45AA4,00000000,?,?,00B193C9), ref: 00B3D5B6
      • Part of subcall function 00B3D5A0: LeaveCriticalSection.KERNEL32(00B45AA4,?,?,00B193C9), ref: 00B3D5DC
      • Part of subcall function 00B3D5A0: CreateMutexW.KERNEL32(00B449B4,00000000,Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}), ref: 00B3D5EE
      • Part of subcall function 00B1766D: ReleaseMutex.KERNEL32 ref: 00B17671
      • Part of subcall function 00B1766D: CloseHandle.KERNEL32 ref: 00B17678
    • ExitWindowsEx.USER32(00000014,80000000), ref: 00B2A4D0
      • Part of subcall function 00B1AF99: GetCurrentThread.KERNEL32 ref: 00B1AFAD
      • Part of subcall function 00B1AF99: OpenThreadToken.ADVAPI32 ref: 00B1AFB4
      • Part of subcall function 00B1AF99: GetCurrentProcess.KERNEL32 ref: 00B1AFC4
      • Part of subcall function 00B1AF99: OpenProcessToken.ADVAPI32 ref: 00B1AFCB
      • Part of subcall function 00B1AF99: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege), ref: 00B1AFEC
      • Part of subcall function 00B1AF99: AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 00B1B001
      • Part of subcall function 00B1AF99: GetLastError.KERNEL32 ref: 00B1B00B
      • Part of subcall function 00B1AF99: CloseHandle.KERNEL32(00000001), ref: 00B1B01C
      • Part of subcall function 00B19395: memcpy.MSVCRT ref: 00B193B5
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • GetLastError.KERNEL32(3D920680,?,00B1652A), ref: 00B16E21
      • Part of subcall function 00B3AFD3: WaitForSingleObject.KERNEL32(00000000,00B2A849), ref: 00B3AFDB
    • TlsGetValue.KERNEL32(?,?,00B1652A), ref: 00B16E3E
    • TlsSetValue.KERNEL32(00000001), ref: 00B16E50
    • SetLastError.KERNEL32(?,?,00B1652A), ref: 00B16E60
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B2204E: memcpy.MSVCRT ref: 00B2205C
      • Part of subcall function 00B3570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00B3ABEA,00B3ABEA), ref: 00B3573C
    • lstrcatW.KERNEL32(?,.dat), ref: 00B27BA0
    • lstrlenW.KERNEL32 ref: 00B27BB5
      • Part of subcall function 00B283CA: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00B283E6
      • Part of subcall function 00B283CA: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00B28409
      • Part of subcall function 00B283CA: CloseHandle.KERNEL32 ref: 00B28416
      • Part of subcall function 00B35E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00B35E26
      • Part of subcall function 00B35E1D: DeleteFileW.KERNEL32 ref: 00B35E2D
      • Part of subcall function 00B18F6F: memcpy.MSVCRT ref: 00B18FE0
      • Part of subcall function 00B18F6F: PathRemoveBackslashW.SHLWAPI ref: 00B18FEA
      • Part of subcall function 00B18F6F: memcpy.MSVCRT ref: 00B19033
      • Part of subcall function 00B18F6F: memcpy.MSVCRT ref: 00B19060
      • Part of subcall function 00B18F6F: PathRemoveBackslashW.SHLWAPI ref: 00B1906A
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00B27B5E
    • .dat, xrefs: 00B27B94
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • shutdown.WS2_32(?,00000001), ref: 00B1B9BD
    • WSAGetLastError.WS2_32(?,00000020,?,00000001,?,?,?,?,?,?,?,00B26970,?,?,?,00002710), ref: 00B1B9DE
    • WSASetLastError.WS2_32(00000000,?,00002710,?,?,00000020,?,00000001), ref: 00B1BA23
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B1B764: EnterCriticalSection.KERNEL32(00B45AA4,?,00B1B826,?,00B3C86A,00B2C4AB,00B2C4AB,?,00B2C4AB,?,00000001), ref: 00B1B774
      • Part of subcall function 00B1B764: LeaveCriticalSection.KERNEL32(00B45AA4,?,00B1B826,?,00B3C86A,00B2C4AB,00B2C4AB,?,00B2C4AB,?,00000001), ref: 00B1B79E
    • WSAAddressToStringA.WS2_32(?,?,00000000,?,?), ref: 00B1C22E
    • lstrcpyA.KERNEL32(?,0:0,?,?,00000000,?,?,?,?,?,?,00B26A4A), ref: 00B1C23E
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,00B17A9F,?,00000005), ref: 00B1BE0B
    • WSASetLastError.WS2_32(00002775,?,?,?,?,?,?,?,?,00B17A9F,?,00000005), ref: 00B1BE6F
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • memcmp.MSVCRT ref: 00B2C385
    • memcpy.MSVCRT ref: 00B2C486
      • Part of subcall function 00B1BB55: connect.WS2_32(?,?), ref: 00B1BB93
      • Part of subcall function 00B1BB55: WSAGetLastError.WS2_32(?,00000000,?,?,?,00B2C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 00B1BBA2
      • Part of subcall function 00B1BB55: WSASetLastError.WS2_32(?,?,?,?,00B2C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 00B1BBC0
      • Part of subcall function 00B1BB55: WSAGetLastError.WS2_32(?,?,?,00B2C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 00B1BBC2
      • Part of subcall function 00B1BB55: WSASetLastError.WS2_32(00000000), ref: 00B1BC00
    • memcmp.MSVCRT ref: 00B2C583
      • Part of subcall function 00B1BEC0: WSAGetLastError.WS2_32 ref: 00B1BEF6
      • Part of subcall function 00B1BEC0: WSASetLastError.WS2_32(?,?,?,?), ref: 00B1BF3E
      • Part of subcall function 00B2C0DA: memcmp.MSVCRT ref: 00B2C11A
      • Part of subcall function 00B3DABF: memset.MSVCRT ref: 00B3DACF
      • Part of subcall function 00B3DABF: memcpy.MSVCRT ref: 00B3DAF8
    • memset.MSVCRT ref: 00B2C5E0
    • memcpy.MSVCRT ref: 00B2C5F1
      • Part of subcall function 00B3DB11: memcpy.MSVCRT ref: 00B3DB22
      • Part of subcall function 00B2C02F: memcmp.MSVCRT ref: 00B2C06B
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
      • Part of subcall function 00B224DA: HeapAlloc.KERNEL32(00000008,?,?,00B1B076,?,?,?,00000000,?,?,00000000,00B3AA69,?,00B3ADD5), ref: 00B224EB
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • memset.MSVCRT ref: 00B1785D
      • Part of subcall function 00B21B5D: memcmp.MSVCRT ref: 00B21B69
      • Part of subcall function 00B219AE: memcmp.MSVCRT ref: 00B21A24
      • Part of subcall function 00B21821: memcpy.MSVCRT ref: 00B21848
      • Part of subcall function 00B21728: memcpy.MSVCRT ref: 00B21771
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
    • memset.MSVCRT ref: 00B178F1
    • memcpy.MSVCRT ref: 00B17904
    • memcpy.MSVCRT ref: 00B17926
    • memcpy.MSVCRT ref: 00B17946
      • Part of subcall function 00B2B7FF: EnterCriticalSection.KERNEL32(00B447FC,?,?,00B359A9,00000000), ref: 00B2B80C
      • Part of subcall function 00B2B7FF: LeaveCriticalSection.KERNEL32(00B447FC,?,?,00B359A9,00000000), ref: 00B2B81A
      • Part of subcall function 00B28F55: EnterCriticalSection.KERNEL32(?,?,00000002,00000001,?,?,00B2914A,?,?,?,?,?,?,00000000,?), ref: 00B28FAF
      • Part of subcall function 00B28F55: SetEvent.KERNEL32 ref: 00B2900A
      • Part of subcall function 00B28F55: LeaveCriticalSection.KERNEL32 ref: 00B29017
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • memset.MSVCRT ref: 00B3D03A
    • InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 00B3D05C
      • Part of subcall function 00B3D133: SetLastError.KERNEL32(00000008,?,?,00000000,00B3D06E,?,?,00000000), ref: 00B3D15C
      • Part of subcall function 00B3D133: memcpy.MSVCRT ref: 00B3D17C
      • Part of subcall function 00B3D133: memcpy.MSVCRT ref: 00B3D1B4
      • Part of subcall function 00B3D133: memcpy.MSVCRT ref: 00B3D1CC
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B21FEC: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000), ref: 00B21FFF
      • Part of subcall function 00B21FEC: GetLastError.KERNEL32(?,00B449A8,00000000,?,?,00B1AF07,?,00000008,?,?,?,?,?,00000000,00B3AE13), ref: 00B22009
      • Part of subcall function 00B21FEC: GetTokenInformation.ADVAPI32(?,00000001,?,?), ref: 00B22031
    • EqualSid.ADVAPI32(?,5B867A00), ref: 00B1952F
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
      • Part of subcall function 00B1B1DE: LoadLibraryA.KERNEL32(userenv.dll), ref: 00B1B1EE
      • Part of subcall function 00B1B1DE: GetProcAddress.KERNEL32(?,CreateEnvironmentBlock), ref: 00B1B20C
      • Part of subcall function 00B1B1DE: GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 00B1B218
      • Part of subcall function 00B1B1DE: memset.MSVCRT ref: 00B1B258
      • Part of subcall function 00B1B1DE: CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,00000000), ref: 00B1B2A5
      • Part of subcall function 00B1B1DE: CloseHandle.KERNEL32(?), ref: 00B1B2B9
      • Part of subcall function 00B1B1DE: CloseHandle.KERNEL32(?), ref: 00B1B2BF
      • Part of subcall function 00B1B1DE: FreeLibrary.KERNEL32 ref: 00B1B2D3
    • CloseHandle.KERNEL32(00000001), ref: 00B19576
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B21B16: EnterCriticalSection.KERNEL32(00B45AA4,?,00B28DDC,?,?,?,?,00B3B233,?,00000001), ref: 00B21B26
      • Part of subcall function 00B21B16: LeaveCriticalSection.KERNEL32(00B45AA4,?,00B28DDC,?,?,?,?,00B3B233,?,00000001), ref: 00B21B50
    • memcmp.MSVCRT ref: 00B2BE99
      • Part of subcall function 00B36875: GetSystemTime.KERNEL32 ref: 00B3687F
    • memcmp.MSVCRT ref: 00B2BEF8
      • Part of subcall function 00B22543: HeapAlloc.KERNEL32(00000008,?,?,00000000,00B2D89F,?,?,?,00000000,00000000,00000000,00B2D869,?,00B1B3C7,?,@echo off%sdel /F "%s"), ref: 00B2256D
      • Part of subcall function 00B22543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00B2D89F,?,?,?,00000000,00000000,00000000,00B2D869,?,00B1B3C7), ref: 00B22580
    • memset.MSVCRT ref: 00B2BF8A
    • memcpy.MSVCRT ref: 00B2BFB7
    • memcmp.MSVCRT ref: 00B2BFEE
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B224C1: HeapAlloc.KERNEL32(00000000,00000028,?,00B3D211,?,?,00000000,?,?,00000001), ref: 00B224D2
      • Part of subcall function 00B37C35: memset.MSVCRT ref: 00B37C5D
    • memcpy.MSVCRT ref: 00B31167
      • Part of subcall function 00B37CAE: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00B37CBE
    • memcpy.MSVCRT ref: 00B310E2
    • memcpy.MSVCRT ref: 00B310FA
      • Part of subcall function 00B37DC3: memcpy.MSVCRT ref: 00B37DE3
      • Part of subcall function 00B37DC3: memcpy.MSVCRT ref: 00B37E0F
    • memcpy.MSVCRT ref: 00B31156
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B19F04: StrCmpNA.SHLWAPI(Basic ,?,00000000), ref: 00B19F19
      • Part of subcall function 00B19F04: lstrcmpA.KERNEL32(Basic ,?,00B354A4,00000006,Authorization,?,?,?), ref: 00B19F23
    • StrChrA.SHLWAPI(?,0000003A), ref: 00B354F6
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • memset.MSVCRT ref: 00B42F5F
    • memcpy.MSVCRT ref: 00B42FBF
    • memcpy.MSVCRT ref: 00B42FD7
      • Part of subcall function 00B22070: memset.MSVCRT ref: 00B22084
      • Part of subcall function 00B3A7D7: memset.MSVCRT ref: 00B3A862
      • Part of subcall function 00B3570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00B3ABEA,00B3ABEA), ref: 00B3573C
    • memcpy.MSVCRT ref: 00B4304D
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • GetFileAttributesW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data), ref: 00B35CB1
    • CreateFileW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data,80000000,00000007,00000000,00000003,?,00000000), ref: 00B35CD1
      • Part of subcall function 00B35934: CloseHandle.KERNEL32 ref: 00B35940
      • Part of subcall function 00B35BE4: memcpy.MSVCRT ref: 00B35C25
      • Part of subcall function 00B35BE4: memcpy.MSVCRT ref: 00B35C38
      • Part of subcall function 00B35BE4: memcpy.MSVCRT ref: 00B35C4B
      • Part of subcall function 00B35BE4: memcpy.MSVCRT ref: 00B35C56
      • Part of subcall function 00B35BE4: GetFileTime.KERNEL32(?,?,?), ref: 00B35C7A
      • Part of subcall function 00B35BE4: memcpy.MSVCRT ref: 00B35C90
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B1C942: EnterCriticalSection.KERNEL32(00B45AA4,?,00B1CE31,00DD1E90,00B3D393), ref: 00B1C952
      • Part of subcall function 00B1C942: LeaveCriticalSection.KERNEL32(00B45AA4,?,00B1CE31,00DD1E90,00B3D393), ref: 00B1C987
    • VerQueryValueW.VERSION(?,00B0AE74,?,?,00DD1E90,00B3D393), ref: 00B1CE44
    • GetModuleHandleW.KERNEL32(?), ref: 00B1CE85
      • Part of subcall function 00B1CE9F: PathFindFileNameW.SHLWAPI(00000000), ref: 00B1CEE3
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • memcpy.MSVCRT ref: 00B22268
    • memcpy.MSVCRT ref: 00B2227D
      • Part of subcall function 00B3570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00B3ABEA,00B3ABEA), ref: 00B3573C
    • memcpy.MSVCRT ref: 00B222BA
    • memcpy.MSVCRT ref: 00B222F2
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B224DA: HeapAlloc.KERNEL32(00000008,?,?,00B1B076,?,?,?,00000000,?,?,00000000,00B3AA69,?,00B3ADD5), ref: 00B224EB
    • SetLastError.KERNEL32(00000008,?,?,00000000,00B3D06E,?,?,00000000), ref: 00B3D15C
    • memcpy.MSVCRT ref: 00B3D17C
    • memcpy.MSVCRT ref: 00B3D1B4
    • memcpy.MSVCRT ref: 00B3D1CC
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,?,00B29116,?), ref: 00B3917B
    • memcmp.MSVCRT ref: 00B391A7
    • memcpy.MSVCRT ref: 00B391F2
    • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,00000000), ref: 00B391FE
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • memset.MSVCRT ref: 00B3FEF5
    • InitializeCriticalSection.KERNEL32(00B45050), ref: 00B3FF05
      • Part of subcall function 00B2204E: memcpy.MSVCRT ref: 00B2205C
    • memset.MSVCRT ref: 00B3FF34
    • InitializeCriticalSection.KERNEL32(00B45030), ref: 00B3FF3E
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • VirtualAlloc.KERNEL32(00000000,00006000,00003000,00000040), ref: 00B0CAC5
    • LoadLibraryA.KERNEL32 ref: 00B0CBAE
    • GetProcAddress.KERNEL32(00000000), ref: 00B0CBD8
    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00B0CC0A
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B226C5: memset.MSVCRT ref: 00B226D5
    • lstrlenA.KERNEL32(?), ref: 00B2304D
    • lstrlenA.KERNEL32 ref: 00B2305C
      • Part of subcall function 00B2D8E8: memcpy.MSVCRT ref: 00B2D8FF
      • Part of subcall function 00B2D8E8: CharLowerA.USER32 ref: 00B2D9CA
      • Part of subcall function 00B2D8E8: CharLowerA.USER32(?), ref: 00B2D9DA
      • Part of subcall function 00B2D8E8: memcpy.MSVCRT ref: 00B2DA9F
      • Part of subcall function 00B2260E: memcpy.MSVCRT ref: 00B22621
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B3601D: FreeAddrInfoW.WS2_32 ref: 00B3602C
      • Part of subcall function 00B3601D: memset.MSVCRT ref: 00B36042
    • getaddrinfo.WS2_32(?,00000000), ref: 00B2C675
    • memset.MSVCRT ref: 00B2C6BB
    • memcpy.MSVCRT ref: 00B2C6CE
      • Part of subcall function 00B1BB55: connect.WS2_32(?,?), ref: 00B1BB93
      • Part of subcall function 00B1BB55: WSAGetLastError.WS2_32(?,00000000,?,?,?,00B2C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 00B1BBA2
      • Part of subcall function 00B1BB55: WSASetLastError.WS2_32(?,?,?,?,00B2C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 00B1BBC0
      • Part of subcall function 00B1BB55: WSAGetLastError.WS2_32(?,?,?,00B2C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 00B1BBC2
      • Part of subcall function 00B1BB55: WSASetLastError.WS2_32(00000000), ref: 00B1BC00
      • Part of subcall function 00B1B979: shutdown.WS2_32(?,00000002), ref: 00B1B987
      • Part of subcall function 00B1B979: closesocket.WS2_32 ref: 00B1B990
      • Part of subcall function 00B1B979: WSACloseEvent.WS2_32 ref: 00B1B9A3
    • FreeAddrInfoW.WS2_32(00000000), ref: 00B2C778
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • memset.MSVCRT ref: 00B3CDD2
      • Part of subcall function 00B224C1: HeapAlloc.KERNEL32(00000000,00000028,?,00B3D211,?,?,00000000,?,?,00000001), ref: 00B224D2
    • InternetReadFile.WININET(00B299F7,?,00001000,?), ref: 00B3CE24
    • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00B3CE01
      • Part of subcall function 00B225D5: memcpy.MSVCRT ref: 00B225FB
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
    • SetLastError.KERNEL32(00000000,?,00001000,?,?,00000000,?,00000001,?,00B299F7,?,00000CCA,?,?,00000001), ref: 00B3CE78
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B171D5: memcpy.MSVCRT ref: 00B172E6
      • Part of subcall function 00B35B15: SetFilePointerEx.KERNEL32(?,00000001,00000001,00000000,?), ref: 00B35B25
    • WriteFile.KERNEL32(?,?,00000005,?,00000000), ref: 00B26EB2
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00B26ECA
    • FlushFileBuffers.KERNEL32(?), ref: 00B26EE4
    • SetEndOfFile.KERNEL32 ref: 00B26EFE
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
      • Part of subcall function 00B35ADF: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001), ref: 00B35AF1
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • GetTickCount.KERNEL32 ref: 00B266A8
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,00000002), ref: 00B266BA
    • memcmp.MSVCRT ref: 00B266F4
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000002), ref: 00B26760
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • WSAEventSelect.WS2_32(?,?,?), ref: 00B1BF85
    • WaitForMultipleObjects.KERNEL32(?,00000001,00000000,?), ref: 00B1BFBA
    • WSAEventSelect.WS2_32 ref: 00B1C008
    • WSASetLastError.WS2_32(?,?,?,?,?,00000001,00000000,?,?,?,?), ref: 00B1C01B
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000104,00000000,?,00000000), ref: 00B2BA66
    • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000103,00000000), ref: 00B2BA9B
    • RegCloseKey.ADVAPI32(?), ref: 00B2BAAA
    • RegCloseKey.ADVAPI32(?), ref: 00B2BAC5
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,?,00000000,?,00B268D1,?,?,?,?,00000002), ref: 00B26619
    • GetTickCount.KERNEL32 ref: 00B2664A
    • memcpy.MSVCRT ref: 00B26681
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000,?,00B268D1,?,?,?,?,00000002), ref: 00B2668D
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • GetTickCount.KERNEL32 ref: 00B25138
    • GetLastInputInfo.USER32(?), ref: 00B2514B
    • GetLocalTime.KERNEL32 ref: 00B2516F
      • Part of subcall function 00B36891: SystemTimeToFileTime.KERNEL32 ref: 00B3689B
    • GetTimeZoneInformation.KERNEL32 ref: 00B25187
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,00001CFF), ref: 00B17622
    • TranslateMessage.USER32 ref: 00B17646
    • DispatchMessageW.USER32 ref: 00B17651
    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B17661
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B16A4D: TlsSetValue.KERNEL32(00000001,00B2A796), ref: 00B16A5A
      • Part of subcall function 00B3C09D: CreateMutexW.KERNEL32(00B449B4,00000000), ref: 00B3C0BF
      • Part of subcall function 00B3AFD3: WaitForSingleObject.KERNEL32(00000000,00B2A849), ref: 00B3AFDB
    • GetCurrentThread.KERNEL32 ref: 00B2A70A
    • SetThreadPriority.KERNEL32 ref: 00B2A711
    • WaitForSingleObject.KERNEL32(00001388), ref: 00B2A723
      • Part of subcall function 00B15B9B: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00B15BC1
      • Part of subcall function 00B15B9B: Process32FirstW.KERNEL32 ref: 00B15BE6
      • Part of subcall function 00B15B9B: OpenProcess.KERNEL32(00000400,00000000,?), ref: 00B15C3D
      • Part of subcall function 00B15B9B: CloseHandle.KERNEL32 ref: 00B15C5B
      • Part of subcall function 00B15B9B: GetLengthSid.ADVAPI32 ref: 00B15C77
      • Part of subcall function 00B15B9B: memcmp.MSVCRT ref: 00B15C8F
      • Part of subcall function 00B15B9B: CloseHandle.KERNEL32(?), ref: 00B15D07
      • Part of subcall function 00B15B9B: Process32NextW.KERNEL32(?,?), ref: 00B15D13
      • Part of subcall function 00B15B9B: CloseHandle.KERNEL32 ref: 00B15D26
    • WaitForSingleObject.KERNEL32(00001388), ref: 00B2A73C
      • Part of subcall function 00B1766D: ReleaseMutex.KERNEL32 ref: 00B17671
      • Part of subcall function 00B1766D: CloseHandle.KERNEL32 ref: 00B17678
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • WaitForSingleObject.KERNEL32(?,00007530), ref: 00B3C3D1
    • EnterCriticalSection.KERNEL32(?,?,00007530), ref: 00B3C3DF
    • LeaveCriticalSection.KERNEL32(?,?,00007530), ref: 00B3C3F4
    • WaitForSingleObject.KERNEL32(?,00007530), ref: 00B3C3FE
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,00000002,00000001,?,?,00B2914A,?,?,?,?,?,?,00000000,?), ref: 00B28FAF
    • LeaveCriticalSection.KERNEL32 ref: 00B29017
      • Part of subcall function 00B28A41: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B28A52
      • Part of subcall function 00B22543: HeapAlloc.KERNEL32(00000008,?,?,00000000,00B2D89F,?,?,?,00000000,00000000,00000000,00B2D869,?,00B1B3C7,?,@echo off%sdel /F "%s"), ref: 00B2256D
      • Part of subcall function 00B22543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00B2D89F,?,?,?,00000000,00000000,00000000,00B2D869,?,00B1B3C7), ref: 00B22580
    • SetEvent.KERNEL32 ref: 00B2900A
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • getpeername.WS2_32(?,?,?), ref: 00B2EC79
    • getsockname.WS2_32(?,?,?), ref: 00B2EC91
    • send.WS2_32(00000000,00000000,00000008,00000000), ref: 00B2ECC2
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • WSACreateEvent.WS2_32(00000000,?,00B1BB6E,00000033,00000000,?,?,?,00B2C4F0,?,00003A98,?,00000000,?,00000003), ref: 00B1B93E
    • WSAEventSelect.WS2_32(?,?,00000033), ref: 00B1B954
    • WSACloseEvent.WS2_32 ref: 00B1B968
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B34BC8: StrCmpNIA.SHLWAPI ref: 00B34BDF
    • StrCmpNIA.SHLWAPI(?,nbsp;,00000005), ref: 00B34D7B
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B37ED8: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00B37EEF
      • Part of subcall function 00B37ED8: CloseHandle.KERNEL32 ref: 00B37F0E
    • GetFileSizeEx.KERNEL32(00000000), ref: 00B425C4
      • Part of subcall function 00B37F3D: UnmapViewOfFile.KERNEL32 ref: 00B37F49
      • Part of subcall function 00B37F3D: MapViewOfFile.KERNEL32(?,00000001,00000000,00000000,00000001), ref: 00B37F60
      • Part of subcall function 00B35B15: SetFilePointerEx.KERNEL32(?,00000001,00000001,00000000,?), ref: 00B35B25
    • SetEndOfFile.KERNEL32 ref: 00B4263A
    • FlushFileBuffers.KERNEL32(?), ref: 00B42645
      • Part of subcall function 00B35934: CloseHandle.KERNEL32 ref: 00B35940
      • Part of subcall function 00B35B5F: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00B35B87
      • Part of subcall function 00B42474: GetFileAttributesW.KERNEL32 ref: 00B42485
      • Part of subcall function 00B42474: PathRemoveFileSpecW.SHLWAPI(?), ref: 00B424BA
      • Part of subcall function 00B42474: MoveFileExW.KERNEL32(?,?,00000001), ref: 00B42501
      • Part of subcall function 00B42474: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 00B4251A
      • Part of subcall function 00B42474: Sleep.KERNEL32(00001388), ref: 00B4255D
      • Part of subcall function 00B42474: FlushFileBuffers.KERNEL32 ref: 00B4256B
      • Part of subcall function 00B37E98: UnmapViewOfFile.KERNEL32 ref: 00B37EA4
      • Part of subcall function 00B37E98: CloseHandle.KERNEL32 ref: 00B37EB7
      • Part of subcall function 00B37E98: CloseHandle.KERNEL32 ref: 00B37ECD
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • select.WS2_32(00000000,?,00000000,00000000), ref: 00B23A81
    • recv.WS2_32(?,?,?,00000000), ref: 00B23A91
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00B39B46
    • VirtualProtect.KERNEL32(?,0000007C,?,?), ref: 00B39B7D
      • Part of subcall function 00B39A67: memset.MSVCRT ref: 00B39A78
      • Part of subcall function 00B39821: GetCurrentProcess.KERNEL32 ref: 00B39824
      • Part of subcall function 00B39821: VirtualProtect.KERNEL32(3D920000,00010000,00000020), ref: 00B39845
      • Part of subcall function 00B39821: FlushInstructionCache.KERNEL32(?,3D920000,00010000), ref: 00B3984E
    • ResumeThread.KERNEL32(?), ref: 00B39BBE
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • memset.MSVCRT ref: 00B3D506
      • Part of subcall function 00B3BC89: memcpy.MSVCRT ref: 00B3BCA4
      • Part of subcall function 00B3BC89: StringFromGUID2.OLE32 ref: 00B3BD4A
      • Part of subcall function 00B2204E: memcpy.MSVCRT ref: 00B2205C
      • Part of subcall function 00B3570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00B3ABEA,00B3ABEA), ref: 00B3573C
      • Part of subcall function 00B18F6F: memcpy.MSVCRT ref: 00B18FE0
      • Part of subcall function 00B18F6F: PathRemoveBackslashW.SHLWAPI ref: 00B18FEA
      • Part of subcall function 00B18F6F: memcpy.MSVCRT ref: 00B19033
      • Part of subcall function 00B18F6F: memcpy.MSVCRT ref: 00B19060
      • Part of subcall function 00B18F6F: PathRemoveBackslashW.SHLWAPI ref: 00B1906A
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00B45AA4,?,00000001,?,?,00B3D824,?,?,?,00000001), ref: 00B3D62C
    • LeaveCriticalSection.KERNEL32(00B45AA4,?,00000001,?,?,00B3D824,?,?,?,00000001), ref: 00B3D653
      • Part of subcall function 00B3D4EF: memset.MSVCRT ref: 00B3D506
      • Part of subcall function 00B393C4: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00B39433
      • Part of subcall function 00B393C4: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00B39458
      • Part of subcall function 00B3946B: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 00B394AA
    • _ultow.MSVCRT ref: 00B3D69A
      • Part of subcall function 00B39393: CryptDestroyHash.ADVAPI32 ref: 00B393AB
      • Part of subcall function 00B39393: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00B393BC
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • CloseHandle.KERNEL32(?), ref: 00B37B37
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
    • InternetQueryOptionA.WININET(?,00000015,?,?), ref: 00B37B77
    • InternetCloseHandle.WININET(?), ref: 00B37B82
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 00B3A999
    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00B3A9B1
    • DuplicateHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000001), ref: 00B3A9CC
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000), ref: 00B21FFF
    • GetLastError.KERNEL32(?,00B449A8,00000000,?,?,00B1AF07,?,00000008,?,?,?,?,?,00000000,00B3AE13), ref: 00B22009
      • Part of subcall function 00B224DA: HeapAlloc.KERNEL32(00000008,?,?,00B1B076,?,?,?,00000000,?,?,00000000,00B3AA69,?,00B3ADD5), ref: 00B224EB
    • GetTokenInformation.ADVAPI32(?,00000001,?,?), ref: 00B22031
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • OpenProcessToken.ADVAPI32(?,00000008), ref: 00B1AEF5
      • Part of subcall function 00B21FEC: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000), ref: 00B21FFF
      • Part of subcall function 00B21FEC: GetLastError.KERNEL32(?,00B449A8,00000000,?,?,00B1AF07,?,00000008,?,?,?,?,?,00000000,00B3AE13), ref: 00B22009
      • Part of subcall function 00B21FEC: GetTokenInformation.ADVAPI32(?,00000001,?,?), ref: 00B22031
    • GetTokenInformation.ADVAPI32(?,0000000C,00B449A8,00000004), ref: 00B1AF1D
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
    • CloseHandle.KERNEL32(?), ref: 00B1AF33
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B2204E: memcpy.MSVCRT ref: 00B2205C
      • Part of subcall function 00B3BC89: memcpy.MSVCRT ref: 00B3BCA4
      • Part of subcall function 00B3BC89: StringFromGUID2.OLE32 ref: 00B3BD4A
    • CreateMutexW.KERNEL32(00B449B4,00000001), ref: 00B3C058
    • GetLastError.KERNEL32(?,?,?,?,00000002,00000000), ref: 00B3C064
    • CloseHandle.KERNEL32 ref: 00B3C072
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • PathFindFileNameW.SHLWAPI(000001ED), ref: 00B2A759
    • PathRemoveExtensionW.SHLWAPI ref: 00B2A76D
    • CharUpperW.USER32 ref: 00B2A777
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • lstrlenW.KERNEL32(00B0C448), ref: 00B2D149
    • lstrlenW.KERNEL32 ref: 00B2D14F
      • Part of subcall function 00B22543: HeapAlloc.KERNEL32(00000008,?,?,00000000,00B2D89F,?,?,?,00000000,00000000,00000000,00B2D869,?,00B1B3C7,?,@echo off%sdel /F "%s"), ref: 00B2256D
      • Part of subcall function 00B22543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00B2D89F,?,?,?,00000000,00000000,00000000,00B2D869,?,00B1B3C7), ref: 00B22580
    • memcpy.MSVCRT ref: 00B2D173
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00B2D89F,?,?,?,00000000,00000000,00000000,00B2D869,?,00B1B3C7), ref: 00B22580
      • Part of subcall function 00B22456: EnterCriticalSection.KERNEL32(00B45AA4,00000028,00B224C9,?,00B3D211,?,?,00000000,?,?,00000001), ref: 00B22466
      • Part of subcall function 00B22456: LeaveCriticalSection.KERNEL32(00B45AA4,?,00B3D211,?,?,00000000,?,?,00000001), ref: 00B22490
    • HeapAlloc.KERNEL32(00000008,?,?,00000000,00B2D89F,?,?,?,00000000,00000000,00000000,00B2D869,?,00B1B3C7,?,@echo off%sdel /F "%s"), ref: 00B2256D
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • GetLastError.KERNEL32(?,00B16577), ref: 00B16EA6
    • TlsSetValue.KERNEL32(00000000), ref: 00B16EB6
    • SetLastError.KERNEL32(?,?,00B16577), ref: 00B16EBD
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • GetVersionExW.KERNEL32(00B44858), ref: 00B386E6
    • GetNativeSystemInfo.KERNEL32(000000FF), ref: 00B38822
    • memset.MSVCRT ref: 00B38857
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B249CD: EnterCriticalSection.KERNEL32(00B45AA4,00DD1E90,00B24ECC,00DD1E90), ref: 00B249DD
      • Part of subcall function 00B249CD: LeaveCriticalSection.KERNEL32(00B45AA4,?,?,?,?,?,?,?,?,?,?,?,?,00DD1EF0,00B3D345), ref: 00B24A05
    • PathFindFileNameW.SHLWAPI(00DD1E90), ref: 00B24ED2
      • Part of subcall function 00B19E88: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00B19E9D
      • Part of subcall function 00B19E88: StrCmpIW.SHLWAPI ref: 00B19EA7
      • Part of subcall function 00B224C1: HeapAlloc.KERNEL32(00000000,00000028,?,00B3D211,?,?,00000000,?,?,00000001), ref: 00B224D2
    • InitializeCriticalSection.KERNEL32 ref: 00B24F44
      • Part of subcall function 00B16D72: EnterCriticalSection.KERNEL32(00B4468C,00000000,00B24F6E,?,000000FF), ref: 00B16D7E
      • Part of subcall function 00B16D72: LeaveCriticalSection.KERNEL32(00B4468C,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00DD1EF0), ref: 00B16D8E
      • Part of subcall function 00B16D9C: LeaveCriticalSection.KERNEL32(00B4468C,00B16E01,00000001,00000000,00000000,?,00B24F82,00000001,00000000,?,000000FF), ref: 00B16DA6
      • Part of subcall function 00B39DDC: GetCurrentThreadId.KERNEL32 ref: 00B39DED
      • Part of subcall function 00B39DDC: memcpy.MSVCRT ref: 00B39F56
      • Part of subcall function 00B39DDC: VirtualProtect.KERNEL32(?,?,00000040,00000000), ref: 00B39FE2
      • Part of subcall function 00B39DDC: GetLastError.KERNEL32(?,00000040,00000000,?,?,00000000), ref: 00B39FEC
      • Part of subcall function 00B16DAD: LeaveCriticalSection.KERNEL32(00B4468C,?,00B16E13,00000001,00000000,00000000,?,00B24F82,00000001,00000000,?,000000FF), ref: 00B16DBA
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
    • DeleteCriticalSection.KERNEL32(00000000,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00DD1EF0), ref: 00B24FBB
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B3931E: CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000040), ref: 00B39336
    • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00B39433
    • CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00B39458
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 00B2C93C
      • Part of subcall function 00B225A7: memcpy.MSVCRT ref: 00B225C6
    • WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00B2C97B
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
    • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00B2C9A2
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • TlsAlloc.KERNEL32(00DD2864,00B36EB9,?,?,?,?,00DD2858), ref: 00B369EA
    • TlsGetValue.KERNEL32(?,00000001,00DD2864), ref: 00B369FC
    • TlsSetValue.KERNEL32(?,?), ref: 00B36A41
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00B283E6
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00B28409
    • CloseHandle.KERNEL32 ref: 00B28416
      • Part of subcall function 00B35E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00B35E26
      • Part of subcall function 00B35E1D: DeleteFileW.KERNEL32 ref: 00B35E2D
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • StrCmpNA.SHLWAPI(Basic ,?,00000000), ref: 00B19F19
    • lstrcmpA.KERNEL32(Basic ,?,00B354A4,00000006,Authorization,?,?,?), ref: 00B19F23
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • memset.MSVCRT ref: 00B169F9
    • TlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00DD1EF0), ref: 00B16A02
    • InitializeCriticalSection.KERNEL32(00B4468C), ref: 00B16A12
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • InitializeCriticalSection.KERNEL32(00B447FC), ref: 00B2B7C7
    • QueryPerformanceCounter.KERNEL32 ref: 00B2B7D1
    • GetTickCount.KERNEL32 ref: 00B2B7DB
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B224C1: HeapAlloc.KERNEL32(00000000,00000028,?,00B3D211,?,?,00000000,?,?,00000001), ref: 00B224D2
    • memcpy.MSVCRT ref: 00B41657
    • memcpy.MSVCRT ref: 00B4166A
    • memcpy.MSVCRT ref: 00B4168B
      • Part of subcall function 00B34C13: StrCmpNIA.SHLWAPI(?,nbsp;,00000005), ref: 00B34D7B
      • Part of subcall function 00B22543: HeapAlloc.KERNEL32(00000008,?,?,00000000,00B2D89F,?,?,?,00000000,00000000,00000000,00B2D869,?,00B1B3C7,?,@echo off%sdel /F "%s"), ref: 00B2256D
      • Part of subcall function 00B22543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00B2D89F,?,?,?,00000000,00000000,00000000,00B2D869,?,00B1B3C7), ref: 00B22580
    • memcpy.MSVCRT ref: 00B416FD
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
      • Part of subcall function 00B225A7: memcpy.MSVCRT ref: 00B225C6
      • Part of subcall function 00B41070: memmove.MSVCRT ref: 00B412E1
      • Part of subcall function 00B41070: memcpy.MSVCRT ref: 00B412F0
      • Part of subcall function 00B41364: memcpy.MSVCRT ref: 00B413D9
      • Part of subcall function 00B41364: memmove.MSVCRT ref: 00B4149F
      • Part of subcall function 00B41364: memcpy.MSVCRT ref: 00B414AE
      • Part of subcall function 00B2BAD5: strcmp.MSVCRT(?,?,00000009,?,00000007,?,00000008,?,?,?,?,00000000,?), ref: 00B2BB42
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B2B64D: EnterCriticalSection.KERNEL32(00B45AA4,?,00B2B806,?,?,00B359A9,00000000), ref: 00B2B65D
      • Part of subcall function 00B2B64D: LeaveCriticalSection.KERNEL32(00B45AA4,?,?,00B359A9,00000000), ref: 00B2B687
    • EnterCriticalSection.KERNEL32(00B447FC,?,?,00B359A9,00000000), ref: 00B2B80C
    • LeaveCriticalSection.KERNEL32(00B447FC,?,?,00B359A9,00000000), ref: 00B2B81A
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
      • Part of subcall function 00B22456: EnterCriticalSection.KERNEL32(00B45AA4,00000028,00B224C9,?,00B3D211,?,?,00000000,?,?,00000001), ref: 00B22466
      • Part of subcall function 00B22456: LeaveCriticalSection.KERNEL32(00B45AA4,?,00B3D211,?,?,00000000,?,?,00000001), ref: 00B22490
    • HeapAlloc.KERNEL32(00000008,?,?,00B1B076,?,?,?,00000000,?,?,00000000,00B3AA69,?,00B3ADD5), ref: 00B224EB
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • SetFileAttributesW.KERNEL32(?,00000080), ref: 00B35E26
    • DeleteFileW.KERNEL32 ref: 00B35E2D
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00000000,00B430F0,00000038,00B24BB2,00000000,?), ref: 00B24ACC
    • memcmp.MSVCRT ref: 00B24AE3
      • Part of subcall function 00B224C1: HeapAlloc.KERNEL32(00000000,00000028,?,00B3D211,?,?,00000000,?,?,00000001), ref: 00B224D2
    • memcpy.MSVCRT ref: 00B24B11
    • LeaveCriticalSection.KERNEL32(00000000), ref: 00B24B68
      • Part of subcall function 00B22593: HeapFree.KERNEL32(00000000,00DD1E90,00B3D2D1,?,?,00000000,?,?,00000001), ref: 00B225A0
    Memory Dump Source
    • Source File: 00000008.00000002.681715581.00AE0000.00000040.sdmp, Offset: 00AE0000, based on PE: true
    Executed Functions
    APIs
    • GetModuleHandleW.KERNEL32(00000000), ref: 0019ACF4
      • Part of subcall function 001901EA: LoadLibraryA.KERNEL32 ref: 0019023A
      • Part of subcall function 0019D1E0: InitializeCriticalSection.KERNEL32(001A5AA4), ref: 0019D207
      • Part of subcall function 0019D1E0: InitializeCriticalSection.KERNEL32 ref: 0019D218
      • Part of subcall function 0019D1E0: memset.MSVCRT ref: 0019D229
      • Part of subcall function 0019D1E0: TlsAlloc.KERNEL32(?,?,00000000,?,?,00000001), ref: 0019D240
      • Part of subcall function 0019D1E0: GetModuleHandleW.KERNEL32(00000000), ref: 0019D25C
      • Part of subcall function 0019D1E0: GetModuleHandleW.KERNEL32 ref: 0019D272
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0019AD59
    • Process32FirstW.KERNEL32 ref: 0019AD74
    • PathFindFileNameW.SHLWAPI ref: 0019AD87
    • StrCmpNIW.SHLWAPI(rapport,?,00000007), ref: 0019AD99
    • Process32NextW.KERNEL32(?,?), ref: 0019ADA9
    • CloseHandle.KERNEL32 ref: 0019ADB4
    • WSAStartup.WS2_32(00000202), ref: 0019ADC4
    • CreateEventW.KERNEL32(001A49B4,00000001,00000000,00000000), ref: 0019ADEC
      • Part of subcall function 0017AEE3: OpenProcessToken.ADVAPI32(?,00000008), ref: 0017AEF5
      • Part of subcall function 0017AEE3: GetTokenInformation.ADVAPI32(?,0000000C,001A49A8,00000004), ref: 0017AF1D
      • Part of subcall function 0017AEE3: CloseHandle.KERNEL32(?), ref: 0017AF33
    • GetLengthSid.ADVAPI32(?,?,?,?,00000001), ref: 0019AE22
      • Part of subcall function 0019AA9A: GetTempPathW.KERNEL32(00000104), ref: 0019AAB7
      • Part of subcall function 0019AA9A: GetLongPathNameW.KERNEL32(?,C:\Documents and Settings\Administrator\Local Settings\Temp,00000104,?,?), ref: 0019AACF
      • Part of subcall function 0019AA9A: PathRemoveBackslashW.SHLWAPI(C:\Documents and Settings\Administrator\Local Settings\Temp), ref: 0019AADA
      • Part of subcall function 0019AA9A: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?), ref: 0019AB00
    • GetCurrentProcessId.KERNEL32 ref: 0019AE4D
      • Part of subcall function 0019AB23: SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000), ref: 0019AB64
      • Part of subcall function 0019AB23: lstrcmpiW.KERNEL32 ref: 0019AB93
      • Part of subcall function 0019ABBF: lstrcatW.KERNEL32(?,.dat), ref: 0019AC32
      • Part of subcall function 0019ABBF: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0019AC57
      • Part of subcall function 0019ABBF: ReadFile.KERNEL32(?,?,000001FE,?,00000000), ref: 0019AC75
      • Part of subcall function 0019ABBF: CloseHandle.KERNEL32 ref: 0019AC82
      • Part of subcall function 0018C8A1: IsBadReadPtr.KERNEL32 ref: 0018C8E0
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00199BEC
    • memcpy.MSVCRT ref: 00199C39
    • GetThreadContext.KERNEL32(?,00000010), ref: 00199CAF
    • SetThreadContext.KERNEL32(?,?), ref: 00199D1A
    • GetCurrentProcess.KERNEL32 ref: 00199D33
    • VirtualProtect.KERNEL32(?,0000007C,?), ref: 00199D58
    • FlushInstructionCache.KERNEL32(?,?,0000007C), ref: 00199D6A
      • Part of subcall function 00199A67: memset.MSVCRT ref: 00199A78
      • Part of subcall function 00199821: GetCurrentProcess.KERNEL32 ref: 00199824
      • Part of subcall function 00199821: VirtualProtect.KERNEL32(3D920000,00010000,00000020), ref: 00199845
      • Part of subcall function 00199821: FlushInstructionCache.KERNEL32(?,3D920000,00010000), ref: 0019984E
    • ResumeThread.KERNEL32(?), ref: 00199DAB
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
      • Part of subcall function 00199B45: GetCurrentThreadId.KERNEL32 ref: 00199B46
      • Part of subcall function 00199B45: VirtualProtect.KERNEL32(?,0000007C,?,?), ref: 00199B7D
      • Part of subcall function 00199B45: ResumeThread.KERNEL32(?), ref: 00199BBE
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • InitializeSecurityDescriptor.ADVAPI32(001A49C0,00000001), ref: 00181F5F
    • SetSecurityDescriptorDacl.ADVAPI32(001A49C0,00000001,00000000,00000000), ref: 00181F70
    • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NRNWNX;;;LW),00000001,?,00000000), ref: 00181F86
    • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00181FA2
    • SetSecurityDescriptorSacl.ADVAPI32(001A49C0,?,?,00000001), ref: 00181FB6
    • LocalFree.KERNEL32(?), ref: 00181FC8
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • memset.MSVCRT ref: 0019990F
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00199920
    • VirtualAlloc.KERNEL32(?,00010000,00003000,00000040), ref: 00199954
    • memset.MSVCRT ref: 00199994
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 001999A5
    • VirtualAlloc.KERNEL32(?,00010000,00003000,00000040), ref: 001999E5
    • memset.MSVCRT ref: 00199A50
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 0018204E: memcpy.MSVCRT ref: 0018205C
      • Part of subcall function 0019570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0019ABEA,0019ABEA), ref: 0019573C
    • lstrcatW.KERNEL32(?,.dat), ref: 0019AC32
    • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0019AC57
    • ReadFile.KERNEL32(?,?,000001FE,?,00000000), ref: 0019AC75
    • CloseHandle.KERNEL32 ref: 0019AC82
      • Part of subcall function 0019D2D7: EnterCriticalSection.KERNEL32(00C21E90,?), ref: 0019D2EB
      • Part of subcall function 0019D2D7: GetFileVersionInfoSizeW.VERSION(00C21EF0), ref: 0019D30C
      • Part of subcall function 0019D2D7: GetFileVersionInfoW.VERSION(00C21EF0,00000000), ref: 0019D32A
      • Part of subcall function 0019D2D7: LeaveCriticalSection.KERNEL32(00C21E90,00000001,00000001,00000001,00000001), ref: 0019D413
      • Part of subcall function 00178F6F: memcpy.MSVCRT ref: 00178FE0
      • Part of subcall function 00178F6F: PathRemoveBackslashW.SHLWAPI ref: 00178FEA
      • Part of subcall function 00178F6F: memcpy.MSVCRT ref: 00179033
      • Part of subcall function 00178F6F: memcpy.MSVCRT ref: 00179060
      • Part of subcall function 00178F6F: PathRemoveBackslashW.SHLWAPI ref: 0017906A
    Strings
    • .dat, xrefs: 0019AC26
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 0019ABF1
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00199DED
      • Part of subcall function 001824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0019D211,?,?,00000000,?,?,00000001), ref: 001824D2
      • Part of subcall function 0019985F: memset.MSVCRT ref: 0019990F
      • Part of subcall function 0019985F: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00199920
      • Part of subcall function 0019985F: VirtualAlloc.KERNEL32(?,00010000,00003000,00000040), ref: 00199954
      • Part of subcall function 0019985F: memset.MSVCRT ref: 00199994
      • Part of subcall function 0019985F: VirtualQuery.KERNEL32(?,?,0000001C), ref: 001999A5
      • Part of subcall function 0019985F: VirtualAlloc.KERNEL32(?,00010000,00003000,00000040), ref: 001999E5
      • Part of subcall function 0019985F: memset.MSVCRT ref: 00199A50
      • Part of subcall function 001964A4: SetLastError.KERNEL32(0000000D), ref: 001964DF
    • memcpy.MSVCRT ref: 00199F56
    • VirtualProtect.KERNEL32(?,?,00000040,00000000), ref: 00199FE2
    • GetLastError.KERNEL32(?,00000040,00000000,?,?,00000000), ref: 00199FEC
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
      • Part of subcall function 00199A67: memset.MSVCRT ref: 00199A78
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(Function_00065AA4,00000000,?,?,001793C9), ref: 0019D5B6
    • LeaveCriticalSection.KERNEL32(Function_00065AA4,?,?,001793C9), ref: 0019D5DC
      • Part of subcall function 0019D4EF: memset.MSVCRT ref: 0019D506
    • CreateMutexW.KERNEL32(001A49B4,00000000,Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}), ref: 0019D5EE
      • Part of subcall function 001775E7: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001775ED
      • Part of subcall function 001775E7: CloseHandle.KERNEL32 ref: 001775FF
    Strings
    • Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}, xrefs: 0019D5E3
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00C21E90,?), ref: 0019D2EB
      • Part of subcall function 0018BDA7: GetModuleHandleW.KERNEL32 ref: 0018BDC3
      • Part of subcall function 0018BDA7: GetModuleHandleW.KERNEL32 ref: 0018BDFE
    • GetFileVersionInfoSizeW.VERSION(00C21EF0), ref: 0019D30C
    • GetFileVersionInfoW.VERSION(00C21EF0,00000000), ref: 0019D32A
      • Part of subcall function 00184EC0: PathFindFileNameW.SHLWAPI(00C21E90), ref: 00184ED2
      • Part of subcall function 00184EC0: InitializeCriticalSection.KERNEL32 ref: 00184F44
      • Part of subcall function 00184EC0: DeleteCriticalSection.KERNEL32(00000000,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00C21EF0), ref: 00184FBB
      • Part of subcall function 0017A90A: InitializeCriticalSection.KERNEL32 ref: 0017A938
      • Part of subcall function 0017A90A: GetModuleHandleW.KERNEL32 ref: 0017A976
      • Part of subcall function 0019C7B5: InitializeCriticalSection.KERNEL32 ref: 0019C7CA
      • Part of subcall function 001968C4: EnterCriticalSection.KERNEL32(001A5AA4,00C21E90,0019D364,00000001,00000001), ref: 001968D4
      • Part of subcall function 001968C4: LeaveCriticalSection.KERNEL32(001A5AA4), ref: 001968FC
      • Part of subcall function 001824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0019D211,?,?,00000000,?,?,00000001), ref: 001824D2
      • Part of subcall function 00198AD4: GetCommandLineW.KERNEL32 ref: 00198B5E
      • Part of subcall function 00198AD4: CommandLineToArgvW.SHELL32 ref: 00198B65
      • Part of subcall function 00198AD4: LocalFree.KERNEL32 ref: 00198BA5
      • Part of subcall function 00198AD4: GetModuleHandleW.KERNEL32(?), ref: 00198BE7
      • Part of subcall function 0017CE23: VerQueryValueW.VERSION(?,0016AE74,?,?,00C21E90,0019D393), ref: 0017CE44
      • Part of subcall function 0017CE23: GetModuleHandleW.KERNEL32(?), ref: 0017CE85
      • Part of subcall function 0019FE99: GetModuleHandleW.KERNEL32 ref: 0019FEB6
      • Part of subcall function 0018B000: EnterCriticalSection.KERNEL32(001A5AA4,00C21E90,0019D39D), ref: 0018B010
      • Part of subcall function 0018B000: LeaveCriticalSection.KERNEL32(001A5AA4), ref: 0018B038
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
    • LeaveCriticalSection.KERNEL32(00C21E90,00000001,00000001,00000001,00000001), ref: 0019D413
      • Part of subcall function 00176D72: EnterCriticalSection.KERNEL32(001A468C,00000000,00184F6E,?,000000FF), ref: 00176D7E
      • Part of subcall function 00176D72: LeaveCriticalSection.KERNEL32(001A468C,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00C21EF0), ref: 00176D8E
      • Part of subcall function 00176D9C: LeaveCriticalSection.KERNEL32(001A468C,00176E01,00000001,00000000,00000000,?,00184F82,00000001,00000000,?,000000FF), ref: 00176DA6
      • Part of subcall function 00176DAD: LeaveCriticalSection.KERNEL32(001A468C,?,00176E13,00000001,00000000,00000000,?,00184F82,00000001,00000000,?,000000FF), ref: 00176DBA
      • Part of subcall function 0019699E: memset.MSVCRT ref: 001969C6
      • Part of subcall function 0019699E: InitializeCriticalSection.KERNEL32 ref: 001969D3
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0017AF51
    • Thread32First.KERNEL32 ref: 0017AF6C
    • Thread32Next.KERNEL32(?,?), ref: 0017AF7F
    • CloseHandle.KERNEL32 ref: 0017AF8A
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • CreateThread.KERNEL32(00000000,00000000,Function_00053883,00000000), ref: 00193964
    • WaitForSingleObject.KERNEL32(?,00003A98), ref: 00193976
    • TerminateThread.KERNEL32(?,00000000), ref: 00193982
    • CloseHandle.KERNEL32 ref: 00193989
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • GetCurrentProcess.KERNEL32 ref: 00199824
    • VirtualProtect.KERNEL32(3D920000,00010000,00000020), ref: 00199845
    • FlushInstructionCache.KERNEL32(?,3D920000,00010000), ref: 0019984E
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00199AEE
    • VirtualProtect.KERNEL32(3D920000,00010000,00000040,?), ref: 00199B34
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 00176E1F: GetLastError.KERNEL32(3D920680,?,0017652A), ref: 00176E21
      • Part of subcall function 00176E1F: TlsGetValue.KERNEL32(?,?,0017652A), ref: 00176E3E
      • Part of subcall function 00176E1F: TlsSetValue.KERNEL32(00000001), ref: 00176E50
      • Part of subcall function 00176E1F: SetLastError.KERNEL32(?,?,0017652A), ref: 00176E60
    • NtQueryInformationProcess.NTDLL(?,00000000,?,00000018), ref: 00183465
      • Part of subcall function 0019C012: CreateMutexW.KERNEL32(001A49B4,00000001), ref: 0019C058
      • Part of subcall function 0019C012: GetLastError.KERNEL32(?,?,?,?,00000002,00000000), ref: 0019C064
      • Part of subcall function 0019C012: CloseHandle.KERNEL32 ref: 0019C072
      • Part of subcall function 0017C5A8: TlsGetValue.KERNEL32(?,?,0018349E), ref: 0017C5B1
      • Part of subcall function 0019AEB1: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 0019AECF
      • Part of subcall function 0019AEB1: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 0019AF0A
      • Part of subcall function 0019AEB1: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0019AF4A
      • Part of subcall function 0019AEB1: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0019AF6D
      • Part of subcall function 0019AEB1: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0019AFBD
    • CloseHandle.KERNEL32 ref: 001834DA
      • Part of subcall function 0017AF41: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0017AF51
      • Part of subcall function 0017AF41: Thread32First.KERNEL32 ref: 0017AF6C
      • Part of subcall function 0017AF41: Thread32Next.KERNEL32(?,?), ref: 0017AF7F
      • Part of subcall function 0017AF41: CloseHandle.KERNEL32 ref: 0017AF8A
      • Part of subcall function 00176EA5: GetLastError.KERNEL32(?,00176577), ref: 00176EA6
      • Part of subcall function 00176EA5: TlsSetValue.KERNEL32(00000000), ref: 00176EB6
      • Part of subcall function 00176EA5: SetLastError.KERNEL32(?,?,00176577), ref: 00176EBD
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 001824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0019D211,?,?,00000000,?,?,00000001), ref: 001824D2
      • Part of subcall function 0019083C: RegQueryValueExW.ADVAPI32(?,00000010,00000000,?,?,?), ref: 00190850
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00190903
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • HeapCreate.KERNEL32(00000000,00080000,00000000), ref: 001824A1
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • RegQueryValueExW.ADVAPI32(?,00000010,00000000,?,?,?), ref: 00190850
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    Non-executed Functions
    APIs
    • socket.WS2_32(?,00000001,00000006), ref: 00183BCA
    • bind.WS2_32 ref: 00183BE7
    • listen.WS2_32(?,00000001), ref: 00183BF4
    • WSAGetLastError.WS2_32(?,?,?,?,00000001,00000006,?,?,0018EE5F,?,?,?), ref: 00183BFE
    • closesocket.WS2_32 ref: 00183C07
    • WSASetLastError.WS2_32(?,?,?,?,?,?,00000001,00000006,?,?,0018EE5F,?,?,?), ref: 00183C0E
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 0017B7D0: socket.WS2_32(?,?,00000006), ref: 0017B804
    • bind.WS2_32(?,0017BCEA), ref: 0017BC53
    • listen.WS2_32(?,00000014), ref: 0017BC68
    • WSAGetLastError.WS2_32(00000000,?,0017BCEA,?,?,?,?,00000000), ref: 0017BC76
      • Part of subcall function 0017B979: shutdown.WS2_32(?,00000002), ref: 0017B987
      • Part of subcall function 0017B979: closesocket.WS2_32 ref: 0017B990
      • Part of subcall function 0017B979: WSACloseEvent.WS2_32 ref: 0017B9A3
    • WSASetLastError.WS2_32(?,?,0017BCEA,?,?,?,?,00000000), ref: 0017BC86
      • Part of subcall function 0017B928: WSACreateEvent.WS2_32(00000000,?,0017BB6E,00000033,00000000,?,?,?,0018C4F0,?,00003A98,?,00000000,?,00000003), ref: 0017B93E
      • Part of subcall function 0017B928: WSAEventSelect.WS2_32(?,?,00000033), ref: 0017B954
      • Part of subcall function 0017B928: WSACloseEvent.WS2_32 ref: 0017B968
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • StrStrIW.SHLWAPI(tellerplus,00C21E90), ref: 0019C1A4
    • StrStrIW.SHLWAPI(bancline), ref: 0019C1B9
    • StrStrIW.SHLWAPI(fidelity), ref: 0019C1CE
    • StrStrIW.SHLWAPI(micrsolv), ref: 0019C1E3
    • StrStrIW.SHLWAPI(bankman), ref: 0019C1F8
    • StrStrIW.SHLWAPI(vantiv), ref: 0019C20D
    • StrStrIW.SHLWAPI(episys), ref: 0019C222
    • StrStrIW.SHLWAPI(jack henry), ref: 0019C237
    • StrStrIW.SHLWAPI(cruisenet), ref: 0019C24C
    • StrStrIW.SHLWAPI(gplusmain), ref: 0019C261
    • StrStrIW.SHLWAPI(launchpadshell.exe), ref: 0019C276
    • StrStrIW.SHLWAPI(dirclt32.exe), ref: 0019C28B
    • StrStrIW.SHLWAPI(wtng.exe), ref: 0019C29C
    • StrStrIW.SHLWAPI(prologue.exe), ref: 0019C2AD
    • StrStrIW.SHLWAPI(silverlake), ref: 0019C2BE
    • StrStrIW.SHLWAPI(pcsws.exe), ref: 0019C2CF
    • StrStrIW.SHLWAPI(v48d0250s1), ref: 0019C2E0
    • StrStrIW.SHLWAPI(fdmaster.exe), ref: 0019C2F1
    • StrStrIW.SHLWAPI(fastdoc), ref: 0019C302
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • LoadLibraryA.KERNEL32(gdiplus.dll), ref: 00177FBA
    • GetProcAddress.KERNEL32(?,GdiplusStartup), ref: 00177FD2
    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00178011
    • CreateCompatibleDC.GDI32 ref: 00178022
    • LoadCursorW.USER32(00000000,00007F00), ref: 00178038
    • GetIconInfo.USER32 ref: 0017804C
    • GetCursorPos.USER32(?), ref: 0017805B
    • GetDeviceCaps.GDI32(?,00000008), ref: 00178072
    • GetDeviceCaps.GDI32(?,0000000A), ref: 0017807B
    • CreateCompatibleBitmap.GDI32(?,?), ref: 00178087
    • SelectObject.GDI32 ref: 00178095
    • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,40CC0020), ref: 001780B6
    • DrawIcon.USER32(?,?,?,?), ref: 001780E8
      • Part of subcall function 00191285: GetProcAddress.KERNEL32(?,GdipCreateBitmapFromHBITMAP), ref: 0019129A
      • Part of subcall function 00191285: GetProcAddress.KERNEL32(?,GdipDisposeImage), ref: 001912A5
    • SelectObject.GDI32(?,?), ref: 00178104
    • DeleteObject.GDI32 ref: 0017810B
    • DeleteDC.GDI32 ref: 00178112
    • DeleteDC.GDI32 ref: 00178119
    • FreeLibrary.KERNEL32(?), ref: 00178129
    • GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 0017813F
    • FreeLibrary.KERNEL32(?), ref: 00178153
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 00188432: CreateFileW.KERNEL32(00C21EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0018844B
      • Part of subcall function 00188432: GetFileSizeEx.KERNEL32 ref: 0018845E
      • Part of subcall function 00188432: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00188484
      • Part of subcall function 00188432: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0018849C
      • Part of subcall function 00188432: VirtualFree.KERNEL32(?,00000000,00008000), ref: 001884BA
      • Part of subcall function 00188432: CloseHandle.KERNEL32 ref: 001884C3
    • CreateMutexW.KERNEL32(001A49B4,00000001), ref: 0019B550
    • GetLastError.KERNEL32(?,38901130,?,00000001,?,?,00000001,?,?,?,0019B8C7), ref: 0019B560
    • CloseHandle.KERNEL32 ref: 0019B56E
    • CloseHandle.KERNEL32 ref: 0019B697
      • Part of subcall function 0019AFE8: memcpy.MSVCRT ref: 0019AFF8
    • lstrlenW.KERNEL32 ref: 0019B5D0
      • Part of subcall function 00175B9B: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00175BC1
      • Part of subcall function 00175B9B: Process32FirstW.KERNEL32 ref: 00175BE6
      • Part of subcall function 00175B9B: OpenProcess.KERNEL32(00000400,00000000,?), ref: 00175C3D
      • Part of subcall function 00175B9B: CloseHandle.KERNEL32 ref: 00175C5B
      • Part of subcall function 00175B9B: GetLengthSid.ADVAPI32 ref: 00175C77
      • Part of subcall function 00175B9B: memcmp.MSVCRT ref: 00175C8F
      • Part of subcall function 00175B9B: CloseHandle.KERNEL32(?), ref: 00175D07
      • Part of subcall function 00175B9B: Process32NextW.KERNEL32(?,?), ref: 00175D13
      • Part of subcall function 00175B9B: CloseHandle.KERNEL32 ref: 00175D26
    • ExitWindowsEx.USER32(00000014,80000000), ref: 0019B615
    • OpenEventW.KERNEL32(00000002,00000000), ref: 0019B63B
    • SetEvent.KERNEL32 ref: 0019B648
    • CloseHandle.KERNEL32 ref: 0019B64F
    • Sleep.KERNEL32(00007530), ref: 0019B674
      • Part of subcall function 0017AF99: GetCurrentThread.KERNEL32 ref: 0017AFAD
      • Part of subcall function 0017AF99: OpenThreadToken.ADVAPI32 ref: 0017AFB4
      • Part of subcall function 0017AF99: GetCurrentProcess.KERNEL32 ref: 0017AFC4
      • Part of subcall function 0017AF99: OpenProcessToken.ADVAPI32 ref: 0017AFCB
      • Part of subcall function 0017AF99: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege), ref: 0017AFEC
      • Part of subcall function 0017AF99: AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 0017B001
      • Part of subcall function 0017AF99: GetLastError.KERNEL32 ref: 0017B00B
      • Part of subcall function 0017AF99: CloseHandle.KERNEL32(00000001), ref: 0017B01C
    • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000001,80000000), ref: 0019B68C
    • Sleep.KERNEL32(000000FF), ref: 0019B694
    • IsWellKnownSid.ADVAPI32(00C21EC0,00000016), ref: 0019B6E5
    • CreateEventW.KERNEL32(001A49B4,00000001,00000000), ref: 0019B7B4
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0019B7CD
    • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,000000FF), ref: 0019B7DF
    • CloseHandle.KERNEL32(00000000), ref: 0019B7F6
    • CloseHandle.KERNEL32(?), ref: 0019B7FC
    • CloseHandle.KERNEL32(?), ref: 0019B802
      • Part of subcall function 0017766D: ReleaseMutex.KERNEL32 ref: 00177671
      • Part of subcall function 0017766D: CloseHandle.KERNEL32 ref: 00177678
      • Part of subcall function 00181DFA: VirtualProtect.KERNEL32(001796C7,?,00000040), ref: 00181E12
      • Part of subcall function 00181DFA: VirtualProtect.KERNEL32(001796C7,?,?), ref: 00181E85
      • Part of subcall function 001796C7: FreeLibrary.KERNEL32(00000003), ref: 001796B9
      • Part of subcall function 0019BC89: memcpy.MSVCRT ref: 0019BCA4
      • Part of subcall function 0019BC89: StringFromGUID2.OLE32 ref: 0019BD4A
      • Part of subcall function 00179931: LoadLibraryW.KERNEL32 ref: 00179953
      • Part of subcall function 00179931: GetProcAddress.KERNEL32 ref: 00179977
      • Part of subcall function 00179931: SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001), ref: 001799AF
      • Part of subcall function 00179931: lstrlenW.KERNEL32 ref: 001799C7
      • Part of subcall function 00179931: StrCmpNIW.SHLWAPI ref: 001799DB
      • Part of subcall function 00179931: lstrlenW.KERNEL32 ref: 001799F1
      • Part of subcall function 00179931: memcpy.MSVCRT ref: 001799FD
      • Part of subcall function 00179931: FreeLibrary.KERNEL32 ref: 00179A13
      • Part of subcall function 00179931: NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,?,?,?), ref: 00179A52
      • Part of subcall function 00179931: NetUserGetInfo.NETAPI32(00000000,00000000,00000017), ref: 00179A8E
      • Part of subcall function 00179931: NetApiBufferFree.NETAPI32(?), ref: 00179B39
      • Part of subcall function 00179931: NetApiBufferFree.NETAPI32(00000000), ref: 00179B4B
      • Part of subcall function 00179931: SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001), ref: 00179B6A
      • Part of subcall function 0017B314: CharToOemW.USER32(00C21EF0), ref: 0017B325
      • Part of subcall function 001A2AC0: GetCommandLineW.KERNEL32 ref: 001A2ADA
      • Part of subcall function 001A2AC0: CommandLineToArgvW.SHELL32 ref: 001A2AE1
      • Part of subcall function 001A2AC0: StrCmpNW.SHLWAPI(?,0016CA4C,00000002), ref: 001A2B07
      • Part of subcall function 001A2AC0: LocalFree.KERNEL32 ref: 001A2B33
      • Part of subcall function 001A2AC0: MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,00001000), ref: 001A2B70
      • Part of subcall function 001A2AC0: memcpy.MSVCRT ref: 001A2B83
      • Part of subcall function 001A2AC0: UnmapViewOfFile.KERNEL32 ref: 001A2BBC
      • Part of subcall function 001A2AC0: memcpy.MSVCRT ref: 001A2BDF
      • Part of subcall function 001A2AC0: CloseHandle.KERNEL32 ref: 001A2BF8
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
      • Part of subcall function 0019C09D: CreateMutexW.KERNEL32(001A49B4,00000000), ref: 0019C0BF
      • Part of subcall function 0017987E: memcpy.MSVCRT ref: 00179894
      • Part of subcall function 0017987E: memcmp.MSVCRT ref: 001798B6
      • Part of subcall function 0017987E: lstrcmpiW.KERNEL32(00000000,000000FF), ref: 0017990F
      • Part of subcall function 001884D3: VirtualFree.KERNEL32(?,00000000,00008000), ref: 001884E4
      • Part of subcall function 001884D3: CloseHandle.KERNEL32 ref: 001884F3
    Strings
    • SeShutdownPrivilege, xrefs: 0019B676
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 0019B779
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • LoadLibraryW.KERNEL32 ref: 00179953
    • GetProcAddress.KERNEL32 ref: 00179977
    • SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001), ref: 001799AF
    • lstrlenW.KERNEL32 ref: 001799C7
    • StrCmpNIW.SHLWAPI ref: 001799DB
    • lstrlenW.KERNEL32 ref: 001799F1
    • memcpy.MSVCRT ref: 001799FD
    • FreeLibrary.KERNEL32 ref: 00179A13
    • NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,?,?,?), ref: 00179A52
    • NetUserGetInfo.NETAPI32(00000000,00000000,00000017), ref: 00179A8E
      • Part of subcall function 0019B31B: ConvertSidToStringSidW.ADVAPI32(?,?), ref: 0019B32F
      • Part of subcall function 0019B31B: PathUnquoteSpacesW.SHLWAPI ref: 0019B394
      • Part of subcall function 0019B31B: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 0019B3A3
      • Part of subcall function 0019B31B: LocalFree.KERNEL32(00000001), ref: 0019B3B7
    • NetApiBufferFree.NETAPI32(?), ref: 00179B39
      • Part of subcall function 00178F6F: memcpy.MSVCRT ref: 00178FE0
      • Part of subcall function 00178F6F: PathRemoveBackslashW.SHLWAPI ref: 00178FEA
      • Part of subcall function 00178F6F: memcpy.MSVCRT ref: 00179033
      • Part of subcall function 00178F6F: memcpy.MSVCRT ref: 00179060
      • Part of subcall function 00178F6F: PathRemoveBackslashW.SHLWAPI ref: 0017906A
      • Part of subcall function 001790A3: PathSkipRootW.SHLWAPI ref: 001790CD
      • Part of subcall function 001790A3: GetFileAttributesW.KERNEL32(00000000), ref: 001790FA
      • Part of subcall function 001790A3: CreateDirectoryW.KERNEL32(?,00000000), ref: 0017910E
      • Part of subcall function 001790A3: SetLastError.KERNEL32(00000050,?,?,00000000), ref: 00179131
      • Part of subcall function 00179583: LoadLibraryW.KERNEL32 ref: 001795A7
      • Part of subcall function 00179583: GetProcAddress.KERNEL32 ref: 001795D5
      • Part of subcall function 00179583: GetProcAddress.KERNEL32 ref: 001795EF
      • Part of subcall function 00179583: GetProcAddress.KERNEL32 ref: 0017960B
      • Part of subcall function 00179583: WTSGetActiveConsoleSessionId.KERNEL32 ref: 00179638
      • Part of subcall function 00179583: FreeLibrary.KERNEL32(00000003), ref: 001796B9
    • NetApiBufferFree.NETAPI32(00000000), ref: 00179B4B
    • SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001), ref: 00179B6A
      • Part of subcall function 0019038C: CreateDirectoryW.KERNEL32(?,00000000), ref: 00190405
      • Part of subcall function 0019038C: SetFileAttributesW.KERNEL32(?), ref: 00190424
      • Part of subcall function 0019038C: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,?,00000000), ref: 0019043B
      • Part of subcall function 0019038C: GetLastError.KERNEL32 ref: 00190448
      • Part of subcall function 0019038C: CloseHandle.KERNEL32 ref: 00190481
      • Part of subcall function 001A258D: GetFileSizeEx.KERNEL32(00000000), ref: 001A25C4
      • Part of subcall function 001A258D: SetEndOfFile.KERNEL32 ref: 001A263A
      • Part of subcall function 001A258D: FlushFileBuffers.KERNEL32(?), ref: 001A2645
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • GetProcAddress.KERNEL32(0019FEC7), ref: 0019F8AB
    • GetProcAddress.KERNEL32(0019FEC7), ref: 0019F8CB
    • GetProcAddress.KERNEL32(0019FEC7), ref: 0019F8E4
    • GetProcAddress.KERNEL32(0019FEC7), ref: 0019F8FD
    • GetProcAddress.KERNEL32(0019FEC7), ref: 0019F916
    • GetProcAddress.KERNEL32(0019FEC7), ref: 0019F92F
    • GetProcAddress.KERNEL32(0019FEC7), ref: 0019F94C
    • GetProcAddress.KERNEL32(0019FEC7), ref: 0019F969
    • GetProcAddress.KERNEL32(0019FEC7), ref: 0019F986
    • GetProcAddress.KERNEL32(0019FEC7,?), ref: 0019F9A3
    • GetProcAddress.KERNEL32(0019FEC7), ref: 0019F9C0
    • GetProcAddress.KERNEL32(0019FEC7), ref: 0019F9DD
    • GetProcAddress.KERNEL32(0019FEC7), ref: 0019F9FA
    • GetProcAddress.KERNEL32(0019FEC7), ref: 0019FA17
    • GetProcAddress.KERNEL32(0019FEC7), ref: 0019FA34
    • GetProcAddress.KERNEL32(0019FEC7), ref: 0019FA51
    • GetProcAddress.KERNEL32(0019FEC7), ref: 0019FA6E
    • GetProcAddress.KERNEL32(0019FEC7), ref: 0019FA8B
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • LoadLibraryA.KERNEL32(userenv.dll), ref: 0017B1EE
    • GetProcAddress.KERNEL32(?,CreateEnvironmentBlock), ref: 0017B20C
    • GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 0017B218
    • memset.MSVCRT ref: 0017B258
    • CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,00000000), ref: 0017B2A5
    • CloseHandle.KERNEL32(?), ref: 0017B2B9
    • CloseHandle.KERNEL32(?), ref: 0017B2BF
    • FreeLibrary.KERNEL32 ref: 0017B2D3
    Strings
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 0018D189: lstrlenW.KERNEL32 ref: 0018D190
      • Part of subcall function 0018D189: memcpy.MSVCRT ref: 0018D21E
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
    • getpeername.WS2_32 ref: 0017A254
      • Part of subcall function 0017C091: memcmp.MSVCRT ref: 0017C0B3
      • Part of subcall function 00179E88: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00179E9D
      • Part of subcall function 00179E88: StrCmpIW.SHLWAPI ref: 00179EA7
      • Part of subcall function 0017B764: EnterCriticalSection.KERNEL32(Function_00065AA4,?,0017B826,?,0019C86A,0018C4AB,0018C4AB,?,0018C4AB,?,00000001), ref: 0017B774
      • Part of subcall function 0017B764: LeaveCriticalSection.KERNEL32(Function_00065AA4,?,0017B826,?,0019C86A,0018C4AB,0018C4AB,?,0018C4AB,?,00000001), ref: 0017B79E
    • WSAAddressToStringW.WS2_32(?,?,00000000), ref: 0017A2CC
    • lstrcpyW.KERNEL32(?,0:0), ref: 0017A2E0
    Strings
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 00195947: GetTempPathW.KERNEL32(00000104,?), ref: 00195962
      • Part of subcall function 00195947: PathAddBackslashW.SHLWAPI(?), ref: 0019598C
      • Part of subcall function 00195947: CreateDirectoryW.KERNEL32(?), ref: 00195A44
      • Part of subcall function 00195947: SetFileAttributesW.KERNEL32(?), ref: 00195A55
      • Part of subcall function 00195947: CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 00195A6E
      • Part of subcall function 00195947: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000080,?,?,00000000), ref: 00195A7F
    • CharToOemW.USER32 ref: 0017B3AB
    • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 0017B3E2
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
    • CloseHandle.KERNEL32(000000FF), ref: 0017B40A
    • GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104), ref: 0017B44C
    • memset.MSVCRT ref: 0017B461
    • CloseHandle.KERNEL32(000000FF), ref: 0017B49C
      • Part of subcall function 00195E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00195E26
      • Part of subcall function 00195E1D: DeleteFileW.KERNEL32 ref: 00195E2D
      • Part of subcall function 00195934: CloseHandle.KERNEL32 ref: 00195940
    Strings
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • LoadLibraryW.KERNEL32(cabinet.dll), ref: 00191A66
      • Part of subcall function 001824DA: HeapAlloc.KERNEL32(00000008,?,?,0017B076,?,?,?,00000000,?,?,00000000,0019AA69,?,0019ADD5), ref: 001824EB
    • GetProcAddress.KERNEL32(?,FCICreate), ref: 00191A95
    • GetProcAddress.KERNEL32(?,FCIAddFile), ref: 00191AA4
    • GetProcAddress.KERNEL32(?,FCIFlushCabinet), ref: 00191AB3
    • GetProcAddress.KERNEL32(?,FCIDestroy), ref: 00191AC2
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
    • FreeLibrary.KERNEL32 ref: 00191AF7
    Strings
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 001884FB: memchr.MSVCRT ref: 0018853B
      • Part of subcall function 001884FB: memcmp.MSVCRT ref: 0018855A
    • VirtualProtect.KERNEL32(?,?,00000080,?), ref: 0018BC21
    • VirtualProtect.KERNEL32(?,?,00000000,?), ref: 0018BD99
      • Part of subcall function 00182633: memcmp.MSVCRT ref: 00182653
      • Part of subcall function 001825A7: memcpy.MSVCRT ref: 001825C6
    • GetCurrentThread.KERNEL32 ref: 0018BCBE
    • GetThreadPriority.KERNEL32 ref: 0018BCC7
    • SetThreadPriority.KERNEL32(?,0000000F), ref: 0018BCD2
    • Sleep.KERNEL32(00000000), ref: 0018BCDA
    • memcpy.MSVCRT ref: 0018BCE9
    • FlushInstructionCache.KERNEL32(000000FF,?,?), ref: 0018BCFA
    • SetThreadPriority.KERNEL32 ref: 0018BD02
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
    • GetTickCount.KERNEL32 ref: 0018BD3C
    • GetTickCount.KERNEL32 ref: 0018BD4F
    • Sleep.KERNEL32(00000000), ref: 0018BD61
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • Sleep.KERNEL32(00003A98), ref: 0018952D
      • Part of subcall function 00178C74: InitializeCriticalSection.KERNEL32 ref: 00178C7B
    • InitializeCriticalSection.KERNEL32 ref: 00189591
    • memset.MSVCRT ref: 001895A8
    • InitializeCriticalSection.KERNEL32 ref: 001895C2
      • Part of subcall function 0018AAA2: memset.MSVCRT ref: 0018AAB9
      • Part of subcall function 0018AAA2: memset.MSVCRT ref: 0018AB8D
    • InitializeCriticalSection.KERNEL32 ref: 0018961C
    • memset.MSVCRT ref: 00189627
    • memset.MSVCRT ref: 00189635
      • Part of subcall function 00186431: EnterCriticalSection.KERNEL32(?,?,00000000,?,?,0000002C), ref: 00186531
      • Part of subcall function 00186431: LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,?,?,0000002C), ref: 00186572
      • Part of subcall function 00186431: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00186581
      • Part of subcall function 00186431: SetEvent.KERNEL32 ref: 00186591
      • Part of subcall function 00186431: GetExitCodeThread.KERNEL32 ref: 001865A5
      • Part of subcall function 00186431: CloseHandle.KERNEL32 ref: 001865BB
      • Part of subcall function 00188626: getsockopt.WS2_32(?,0000FFFF,00001008,00169417,00169417), ref: 001886B2
      • Part of subcall function 00188626: GetHandleInformation.KERNEL32 ref: 001886C4
      • Part of subcall function 00188626: socket.WS2_32(?,00000001,00000006), ref: 001886F7
      • Part of subcall function 00188626: socket.WS2_32(?,00000002,00000011), ref: 00188708
      • Part of subcall function 00188626: closesocket.WS2_32(?), ref: 00188727
      • Part of subcall function 00188626: closesocket.WS2_32 ref: 0018872E
      • Part of subcall function 00188626: memset.MSVCRT ref: 001887F2
      • Part of subcall function 00188626: memcpy.MSVCRT ref: 00188902
      • Part of subcall function 001824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0019D211,?,?,00000000,?,?,00000001), ref: 001824D2
    • WaitForMultipleObjects.KERNEL32(?,?,00000000,0000EA60), ref: 001896AB
      • Part of subcall function 00178CBF: EnterCriticalSection.KERNEL32(?,?,?,00182B51,00000005,00007530,?,00000000,00000000), ref: 00178CC7
      • Part of subcall function 00178CBF: WaitForSingleObject.KERNEL32(?,00000000), ref: 00178CEB
      • Part of subcall function 00178CBF: CloseHandle.KERNEL32 ref: 00178CFB
      • Part of subcall function 00178CBF: LeaveCriticalSection.KERNEL32(?,?,?,?,00182B51,00000005,00007530,?,00000000,00000000), ref: 00178D2B
      • Part of subcall function 00188A6A: EnterCriticalSection.KERNEL32(?,?,?,77C475F0), ref: 00188A9B
      • Part of subcall function 00188A6A: WSAGetLastError.WS2_32(?,?,?,?,?,?,?,77C475F0), ref: 00188B2D
      • Part of subcall function 00188A6A: SetEvent.KERNEL32 ref: 00188B80
      • Part of subcall function 00188A6A: SetEvent.KERNEL32 ref: 00188BB9
      • Part of subcall function 00188A6A: LeaveCriticalSection.KERNEL32(?,?,?,?,77C475F0), ref: 00188C3E
      • Part of subcall function 00177D03: EnterCriticalSection.KERNEL32(?,?,?,?,?,0018979E,?,?,?,00000001), ref: 00177D24
      • Part of subcall function 00177D03: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,0018979E,?,?,?,00000001), ref: 00177D40
      • Part of subcall function 001758AE: memset.MSVCRT ref: 001759CD
      • Part of subcall function 001758AE: memcpy.MSVCRT ref: 001759E0
      • Part of subcall function 001758AE: memcpy.MSVCRT ref: 001759F6
      • Part of subcall function 0017BD24: accept.WS2_32(?,?), ref: 0017BD45
      • Part of subcall function 0017BD24: WSAEventSelect.WS2_32(?,00000000,00000000), ref: 0017BD57
      • Part of subcall function 0017BD24: WSAGetLastError.WS2_32(00000023,?,00000000,00000000,?,?), ref: 0017BD88
      • Part of subcall function 0017BD24: shutdown.WS2_32(?,00000002), ref: 0017BDA0
      • Part of subcall function 0017BD24: closesocket.WS2_32 ref: 0017BDA7
      • Part of subcall function 0017BD24: WSASetLastError.WS2_32(00000008,?,?,00000002,?,00000000,00000000,?,?), ref: 0017BDAE
      • Part of subcall function 00188C4C: EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,?,?,0018984D,?,?,00000000,?,?,00000590), ref: 00188C7F
      • Part of subcall function 00188C4C: memcmp.MSVCRT ref: 00188CCD
      • Part of subcall function 00188C4C: SetEvent.KERNEL32 ref: 00188D0E
      • Part of subcall function 00188C4C: LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,?,?,0018984D,?,?,00000000,?,?,00000590), ref: 00188D3B
      • Part of subcall function 00178DE6: EnterCriticalSection.KERNEL32(00C21F3C,?,?,?,0019B2F2,?,?,00000001), ref: 00178DEF
      • Part of subcall function 00178DE6: LeaveCriticalSection.KERNEL32(00C21F3C,?,?,?,0019B2F2,?,?,00000001), ref: 00178DF9
      • Part of subcall function 00178DE6: WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00178E1F
      • Part of subcall function 00178DE6: EnterCriticalSection.KERNEL32(00C21F3C,?,?,?,0019B2F2,?,?,00000001), ref: 00178E37
      • Part of subcall function 00178DE6: LeaveCriticalSection.KERNEL32(00C21F3C,?,?,?,0019B2F2,?,?,00000001), ref: 00178E41
    • CloseHandle.KERNEL32(00000000), ref: 001898AA
    • CloseHandle.KERNEL32(00000000), ref: 001898B7
      • Part of subcall function 00186865: EnterCriticalSection.KERNEL32(?,?,00000000,?,00186B6E,00000064,00000000,000000C8,00000000,?,00000001,?,0000002C), ref: 0018686E
      • Part of subcall function 00186865: LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00186B6E,00000064,00000000,000000C8,00000000,?,00000001,?,0000002C), ref: 001868A5
    • DeleteCriticalSection.KERNEL32 ref: 001898CD
      • Part of subcall function 0018ABB8: memset.MSVCRT ref: 0018ABC8
    • DeleteCriticalSection.KERNEL32 ref: 001898EC
    • CloseHandle.KERNEL32(00000000), ref: 001898F9
    • DeleteCriticalSection.KERNEL32 ref: 00189903
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
      • Part of subcall function 00178C8F: CloseHandle.KERNEL32 ref: 00178C9F
      • Part of subcall function 00178C8F: DeleteCriticalSection.KERNEL32(?,?,00C21F30,0019B303,?,?,00000001), ref: 00178CB6
      • Part of subcall function 001894FB: WaitForSingleObject.KERNEL32(?,00000000), ref: 00189503
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • GetProcAddress.KERNEL32(?,GdipGetImageEncodersSize), ref: 00191304
    • GetProcAddress.KERNEL32(?,GdipGetImageEncoders), ref: 0019130F
    • GetProcAddress.KERNEL32(?,GdipSaveImageToStream), ref: 0019131A
      • Part of subcall function 001824DA: HeapAlloc.KERNEL32(00000008,?,?,0017B076,?,?,?,00000000,?,?,00000000,0019AA69,?,0019ADD5), ref: 001824EB
    • lstrcmpiW.KERNEL32(?), ref: 001913A7
    • memcpy.MSVCRT ref: 001913CA
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
    • CreateStreamOnHGlobal.OLE32(00000000,00000001), ref: 001913F5
    • memcpy.MSVCRT ref: 00191423
    Strings
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • memcpy.MSVCRT ref: 001A2D3D
    • CreateFileMappingW.KERNEL32(000000FF,?,08000004,00000000,00001000,00000000), ref: 001A2D5E
    • MapViewOfFile.KERNEL32(?,00000006,00000000,00000000,00001000), ref: 001A2D76
      • Part of subcall function 001A2922: UnmapViewOfFile.KERNEL32 ref: 001A292E
      • Part of subcall function 001A2922: CloseHandle.KERNEL32 ref: 001A293F
    • memset.MSVCRT ref: 001A2DCB
    • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000001,00000004,00000000,00000000,00000000,00000000), ref: 001A2E04
      • Part of subcall function 001A294A: DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002,001A3210), ref: 001A297C
      • Part of subcall function 001A294A: DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002), ref: 001A299C
      • Part of subcall function 001A294A: memset.MSVCRT ref: 001A2A39
      • Part of subcall function 001A294A: memcpy.MSVCRT ref: 001A2A4B
    • ResumeThread.KERNEL32(?), ref: 001A2E27
    • CloseHandle.KERNEL32(?), ref: 001A2E3E
    • CloseHandle.KERNEL32(?), ref: 001A2E44
    Strings
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • GetCurrentThread.KERNEL32 ref: 0017AFAD
    • OpenThreadToken.ADVAPI32 ref: 0017AFB4
    • GetCurrentProcess.KERNEL32 ref: 0017AFC4
    • OpenProcessToken.ADVAPI32 ref: 0017AFCB
    • LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege), ref: 0017AFEC
    • AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 0017B001
    • GetLastError.KERNEL32 ref: 0017B00B
    • CloseHandle.KERNEL32(00000001), ref: 0017B01C
    Strings
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 0018204E: memcpy.MSVCRT ref: 0018205C
      • Part of subcall function 0019570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0019ABEA,0019ABEA), ref: 0019573C
    • PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00179C2E
    • PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00179C75
    • SetEvent.KERNEL32 ref: 00179C84
    • WaitForSingleObject.KERNEL32 ref: 00179C95
      • Part of subcall function 0018A9C2: Sleep.KERNEL32(000001F4), ref: 0018AA6D
      • Part of subcall function 0017913F: FindFirstFileW.KERNEL32(?), ref: 00179170
      • Part of subcall function 0017913F: FindNextFileW.KERNEL32(?,?), ref: 001791C2
      • Part of subcall function 0017913F: FindClose.KERNEL32 ref: 001791CD
      • Part of subcall function 0017913F: SetFileAttributesW.KERNEL32(?,00000080), ref: 001791D9
      • Part of subcall function 0017913F: RemoveDirectoryW.KERNEL32 ref: 001791E0
      • Part of subcall function 00190B2C: RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00190B87
      • Part of subcall function 00190B2C: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00190BF1
      • Part of subcall function 00190B2C: RegFlushKey.ADVAPI32(?), ref: 00190C1F
      • Part of subcall function 00190B2C: RegCloseKey.ADVAPI32(?), ref: 00190C26
    • CharToOemW.USER32 ref: 00179D26
    • CharToOemW.USER32 ref: 00179D36
    • ExitProcess.KERNEL32(00000000,?,?,00000014,?,?,00000014), ref: 00179D9A
      • Part of subcall function 0017B365: CharToOemW.USER32 ref: 0017B3AB
      • Part of subcall function 0017B365: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 0017B3E2
      • Part of subcall function 0017B365: CloseHandle.KERNEL32(000000FF), ref: 0017B40A
      • Part of subcall function 0017B365: GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104), ref: 0017B44C
      • Part of subcall function 0017B365: memset.MSVCRT ref: 0017B461
      • Part of subcall function 0017B365: CloseHandle.KERNEL32(000000FF), ref: 0017B49C
      • Part of subcall function 00178F6F: memcpy.MSVCRT ref: 00178FE0
      • Part of subcall function 00178F6F: PathRemoveBackslashW.SHLWAPI ref: 00178FEA
      • Part of subcall function 00178F6F: memcpy.MSVCRT ref: 00179033
      • Part of subcall function 00178F6F: memcpy.MSVCRT ref: 00179060
      • Part of subcall function 00178F6F: PathRemoveBackslashW.SHLWAPI ref: 0017906A
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 00179BFE
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00179C4B
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • GetLogicalDrives.KERNEL32 ref: 0018553C
      • Part of subcall function 001824DA: HeapAlloc.KERNEL32(00000008,?,?,0017B076,?,?,?,00000000,?,?,00000000,0019AA69,?,0019ADD5), ref: 001824EB
    • SHGetFolderPathW.SHELL32(00000000,00006024,00000000,00000000), ref: 00185581
    • PathGetDriveNumberW.SHLWAPI ref: 00185593
    • lstrcpyW.KERNEL32(?,0016AACC), ref: 001855A7
    • GetDriveTypeW.KERNEL32 ref: 00185610
    • GetVolumeInformationW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000105), ref: 00185671
    • CharUpperW.USER32(00000000), ref: 0018568D
    • lstrcmpW.KERNEL32 ref: 001856B0
    • GetDiskFreeSpaceExW.KERNEL32(?,00000000), ref: 001856EE
    Strings
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 0018204E: memcpy.MSVCRT ref: 0018205C
      • Part of subcall function 0019570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0019ABEA,0019ABEA), ref: 0019573C
    • PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00196283
      • Part of subcall function 00178F6F: memcpy.MSVCRT ref: 00178FE0
      • Part of subcall function 00178F6F: PathRemoveBackslashW.SHLWAPI ref: 00178FEA
      • Part of subcall function 00178F6F: memcpy.MSVCRT ref: 00179033
      • Part of subcall function 00178F6F: memcpy.MSVCRT ref: 00179060
      • Part of subcall function 00178F6F: PathRemoveBackslashW.SHLWAPI ref: 0017906A
    • FindFirstFileW.KERNEL32 ref: 001962F1
    • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0019634A
    • FindClose.KERNEL32 ref: 00196453
      • Part of subcall function 00195AB0: GetFileSizeEx.KERNEL32 ref: 00195ABB
      • Part of subcall function 001824DA: HeapAlloc.KERNEL32(00000008,?,?,0017B076,?,?,?,00000000,?,?,00000000,0019AA69,?,0019ADD5), ref: 001824EB
    • SetLastError.KERNEL32(00000057,?,?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 001963BB
      • Part of subcall function 00195B34: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00195B46
    • CloseHandle.KERNEL32 ref: 001963F5
      • Part of subcall function 00195934: CloseHandle.KERNEL32 ref: 00195940
    • FindNextFileW.KERNEL32 ref: 00196429
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
      • Part of subcall function 00195E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00195E26
      • Part of subcall function 00195E1D: DeleteFileW.KERNEL32 ref: 00195E2D
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00196256
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 0019CB85: InternetCloseHandle.WININET ref: 0019CB99
    • HttpOpenRequestA.WININET(?,?,?,HTTP/1.1,00000000,0016C9E0,?,00000000), ref: 0019CCE9
    • HttpAddRequestHeadersA.WININET(?,Connection: Close,00000013,A0000000), ref: 0019CD0C
    • HttpSendRequestExA.WININET(?,?,00000000,00000000,00000000), ref: 0019CD4E
    Strings
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00175BC1
    • Process32FirstW.KERNEL32 ref: 00175BE6
      • Part of subcall function 0019C012: CreateMutexW.KERNEL32(001A49B4,00000001), ref: 0019C058
      • Part of subcall function 0019C012: GetLastError.KERNEL32(?,?,?,?,00000002,00000000), ref: 0019C064
      • Part of subcall function 0019C012: CloseHandle.KERNEL32 ref: 0019C072
    • OpenProcess.KERNEL32(00000400,00000000,?), ref: 00175C3D
    • CloseHandle.KERNEL32(?), ref: 00175D07
      • Part of subcall function 0017AEE3: OpenProcessToken.ADVAPI32(?,00000008), ref: 0017AEF5
      • Part of subcall function 0017AEE3: GetTokenInformation.ADVAPI32(?,0000000C,001A49A8,00000004), ref: 0017AF1D
      • Part of subcall function 0017AEE3: CloseHandle.KERNEL32(?), ref: 0017AF33
    • CloseHandle.KERNEL32 ref: 00175C5B
    • GetLengthSid.ADVAPI32 ref: 00175C77
    • memcmp.MSVCRT ref: 00175C8F
      • Part of subcall function 00182543: HeapAlloc.KERNEL32(00000008,?,?,00000000,0018D89F,?,?,?,00000000,00000000,00000000,0018D869,?,0017B3C7,?,@echo off%sdel /F "%s"), ref: 0018256D
      • Part of subcall function 00182543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0018D89F,?,?,?,00000000,00000000,00000000,0018D869,?,0017B3C7), ref: 00182580
      • Part of subcall function 00175B0B: OpenProcess.KERNEL32(0000047A,00000000,?), ref: 00175B19
      • Part of subcall function 00175B0B: CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000000,00000000), ref: 00175B5A
      • Part of subcall function 00175B0B: WaitForSingleObject.KERNEL32(?,00002710), ref: 00175B6C
      • Part of subcall function 00175B0B: CloseHandle.KERNEL32 ref: 00175B73
      • Part of subcall function 00175B0B: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00175B85
      • Part of subcall function 00175B0B: CloseHandle.KERNEL32 ref: 00175B8C
    • Process32NextW.KERNEL32(?,?), ref: 00175D13
    • CloseHandle.KERNEL32 ref: 00175D26
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • GetProcAddress.KERNEL32(?), ref: 0017C9E1
    • GetProcAddress.KERNEL32(?,?), ref: 0017CA03
    • GetProcAddress.KERNEL32(?,?), ref: 0017CA1E
    • GetProcAddress.KERNEL32(?,?), ref: 0017CA39
    • GetProcAddress.KERNEL32(?,?), ref: 0017CA54
    • GetProcAddress.KERNEL32(?), ref: 0017CA6F
    • GetProcAddress.KERNEL32(?), ref: 0017CA8E
    • GetProcAddress.KERNEL32(?), ref: 0017CAAD
    • GetProcAddress.KERNEL32(?), ref: 0017CACC
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • GetCommandLineW.KERNEL32 ref: 001A2ADA
    • CommandLineToArgvW.SHELL32 ref: 001A2AE1
    • StrCmpNW.SHLWAPI(?,0016CA4C,00000002), ref: 001A2B07
    • LocalFree.KERNEL32 ref: 001A2B33
      • Part of subcall function 001824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0019D211,?,?,00000000,?,?,00000001), ref: 001824D2
    • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,00001000), ref: 001A2B70
    • memcpy.MSVCRT ref: 001A2B83
      • Part of subcall function 0018E043: memcpy.MSVCRT ref: 0018E070
    • UnmapViewOfFile.KERNEL32 ref: 001A2BBC
    • CloseHandle.KERNEL32 ref: 001A2BF8
      • Part of subcall function 001A2F3B: memset.MSVCRT ref: 001A2F5F
      • Part of subcall function 001A2F3B: memcpy.MSVCRT ref: 001A2FBF
      • Part of subcall function 001A2F3B: memcpy.MSVCRT ref: 001A2FD7
      • Part of subcall function 001A2F3B: memcpy.MSVCRT ref: 001A304D
    • memcpy.MSVCRT ref: 001A2BDF
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 0019CEB9
      • Part of subcall function 001824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0019D211,?,?,00000000,?,?,00000001), ref: 001824D2
    • CloseHandle.KERNEL32 ref: 0019CEDE
    • SetLastError.KERNEL32(00000008,?,?,?,?,001879D8,?,?,?,?), ref: 0019CEE6
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 0019CF03
    • InternetReadFile.WININET(?,?,00001000), ref: 0019CF21
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0019CF56
    • FlushFileBuffers.KERNEL32 ref: 0019CF6F
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
    • CloseHandle.KERNEL32 ref: 0019CF82
    • SetLastError.KERNEL32(00000000,?,?,00001000,?,?,?,?,001879D8,?,?,?,?), ref: 0019CF9D
      • Part of subcall function 00195E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00195E26
      • Part of subcall function 00195E1D: DeleteFileW.KERNEL32 ref: 00195E2D
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 001841F9: CoInitializeEx.OLE32(00000000,00000000), ref: 00184206
      • Part of subcall function 0017645E: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,?,00185B49), ref: 00176470
      • Part of subcall function 0017645E: #2.OLEAUT32(?,00000000,?,?,?,00185B49), ref: 001764A4
      • Part of subcall function 0017645E: #6.OLEAUT32(?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00185B49), ref: 001764D9
      • Part of subcall function 0017645E: CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 001764F9
    • #2.OLEAUT32(WQL), ref: 00185BAF
    • #2.OLEAUT32 ref: 00185BCB
    • #6.OLEAUT32(?,?,00000030,00000000), ref: 00185BFB
    • #9.OLEAUT32(?,?,00000000,00000000), ref: 00185C6C
      • Part of subcall function 00176433: #6.OLEAUT32(?,00000000,00185CA3), ref: 00176450
      • Part of subcall function 00176433: CoUninitialize.OLE32 ref: 00184244
    • memcpy.MSVCRT ref: 00185D45
    • memcpy.MSVCRT ref: 00185D57
    • memcpy.MSVCRT ref: 00185D69
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
      • Part of subcall function 001824DA: HeapAlloc.KERNEL32(00000008,?,?,0017B076,?,?,?,00000000,?,?,00000000,0019AA69,?,0019ADD5), ref: 001824EB
    Strings
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 0019D9E1: memset.MSVCRT ref: 0019D9F0
      • Part of subcall function 0019D9E1: memcpy.MSVCRT ref: 0019DA17
      • Part of subcall function 001841F9: CoInitializeEx.OLE32(00000000,00000000), ref: 00184206
    • getsockopt.WS2_32(?,0000FFFF,00001008,00169417,00169417), ref: 001886B2
    • GetHandleInformation.KERNEL32 ref: 001886C4
      • Part of subcall function 0017B764: EnterCriticalSection.KERNEL32(Function_00065AA4,?,0017B826,?,0019C86A,0018C4AB,0018C4AB,?,0018C4AB,?,00000001), ref: 0017B774
      • Part of subcall function 0017B764: LeaveCriticalSection.KERNEL32(Function_00065AA4,?,0017B826,?,0019C86A,0018C4AB,0018C4AB,?,0018C4AB,?,00000001), ref: 0017B79E
    • socket.WS2_32(?,00000001,00000006), ref: 001886F7
    • socket.WS2_32(?,00000002,00000011), ref: 00188708
    • closesocket.WS2_32(?), ref: 00188727
    • closesocket.WS2_32 ref: 0018872E
      • Part of subcall function 001824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0019D211,?,?,00000000,?,?,00000001), ref: 001824D2
    • memset.MSVCRT ref: 001887F2
      • Part of subcall function 0017BC0C: bind.WS2_32(?,0017BCEA), ref: 0017BC53
      • Part of subcall function 0017BC0C: listen.WS2_32(?,00000014), ref: 0017BC68
      • Part of subcall function 0017BC0C: WSAGetLastError.WS2_32(00000000,?,0017BCEA,?,?,?,?,00000000), ref: 0017BC76
      • Part of subcall function 0017BC0C: WSASetLastError.WS2_32(?,?,0017BCEA,?,?,?,?,00000000), ref: 0017BC86
      • Part of subcall function 0017BC93: memset.MSVCRT ref: 0017BCA9
      • Part of subcall function 0017BC93: WSAGetLastError.WS2_32(?,?,?,?,00000000), ref: 0017BCEE
      • Part of subcall function 00188A41: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00188A52
    • memcpy.MSVCRT ref: 00188902
      • Part of subcall function 0017BAC9: memset.MSVCRT ref: 0017BADE
      • Part of subcall function 0017BAC9: getsockname.WS2_32(?,00177C25), ref: 0017BAF1
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(001A5AA4,?,001A4DF4,00000000,00000006,0019BD7A,001A4DF4,-00000258,?,00000000), ref: 00178E6A
    • LeaveCriticalSection.KERNEL32(001A5AA4,?,00000000), ref: 00178E9D
      • Part of subcall function 00181E94: GetModuleHandleW.KERNEL32(shell32.dll), ref: 00181EA2
      • Part of subcall function 00181E94: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00181EAE
      • Part of subcall function 00181E94: SetLastError.KERNEL32(00000001,00178F04,001A47C0,?,001A4DF4,00000000,00000006,0019BD7A,001A4DF4,-00000258,?,00000000), ref: 00181EC6
    • CoTaskMemFree.OLE32(?), ref: 00178F36
    • PathRemoveBackslashW.SHLWAPI(00000006), ref: 00178F44
    • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,00000006), ref: 00178F5C
    Strings
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00C21F3C,00C21F30,?,?,0018A99B,00000000,0018A6E2,00000000,?,00000000,?,?,?,0019B2E2,?,00000001), ref: 00178D3D
    • CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00178D76
    • DuplicateHandle.KERNEL32(000000FF,?,000000FF,0018A99B,00000000,00000000,00000002), ref: 00178D95
    • GetLastError.KERNEL32(?,000000FF,0018A99B,00000000,00000000,00000002,?,?,0018A99B,00000000,0018A6E2,00000000,?,00000000), ref: 00178D9F
    • TerminateThread.KERNEL32 ref: 00178DA7
    • CloseHandle.KERNEL32 ref: 00178DAE
      • Part of subcall function 001824F3: HeapAlloc.KERNEL32(00000000,?,?,?,00176328,?,?,00198D10,?,?,?,?,0000FFFF), ref: 0018251D
      • Part of subcall function 001824F3: HeapReAlloc.KERNEL32(00000000,?,?,?,?,00176328,?,?,00198D10,?,?,?,?,0000FFFF), ref: 00182530
    • LeaveCriticalSection.KERNEL32(00C21F3C,?,0018A99B,00000000,0018A6E2,00000000,?,00000000,?,?,?,0019B2E2,?,00000001), ref: 00178DC3
    • ResumeThread.KERNEL32 ref: 00178DDC
      • Part of subcall function 00182543: HeapAlloc.KERNEL32(00000008,?,?,00000000,0018D89F,?,?,?,00000000,00000000,00000000,0018D869,?,0017B3C7,?,@echo off%sdel /F "%s"), ref: 0018256D
      • Part of subcall function 00182543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0018D89F,?,?,?,00000000,00000000,00000000,0018D869,?,0017B3C7), ref: 00182580
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 0018204E: memcpy.MSVCRT ref: 0018205C
      • Part of subcall function 001825A7: memcpy.MSVCRT ref: 001825C6
      • Part of subcall function 0019570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0019ABEA,0019ABEA), ref: 0019573C
    • PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00196103
    • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000001,00000080,00000000), ref: 0019617B
    • GetLastError.KERNEL32(?,C0000000,00000000,00000000,00000001,00000080,00000000,?,?,?,?,00000000,3D94878D), ref: 00196188
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 001961B2
    • FlushFileBuffers.KERNEL32 ref: 001961CC
    • CloseHandle.KERNEL32 ref: 001961D3
      • Part of subcall function 00195E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00195E26
      • Part of subcall function 00195E1D: DeleteFileW.KERNEL32 ref: 00195E2D
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
      • Part of subcall function 00178F6F: memcpy.MSVCRT ref: 00178FE0
      • Part of subcall function 00178F6F: PathRemoveBackslashW.SHLWAPI ref: 00178FEA
      • Part of subcall function 00178F6F: memcpy.MSVCRT ref: 00179033
      • Part of subcall function 00178F6F: memcpy.MSVCRT ref: 00179060
      • Part of subcall function 00178F6F: PathRemoveBackslashW.SHLWAPI ref: 0017906A
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 001960D6
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • LoadLibraryW.KERNEL32 ref: 001795A7
    • GetProcAddress.KERNEL32 ref: 001795D5
    • GetProcAddress.KERNEL32 ref: 001795EF
    • GetProcAddress.KERNEL32 ref: 0017960B
    • FreeLibrary.KERNEL32(00000003), ref: 001796B9
      • Part of subcall function 0017AF99: GetCurrentThread.KERNEL32 ref: 0017AFAD
      • Part of subcall function 0017AF99: OpenThreadToken.ADVAPI32 ref: 0017AFB4
      • Part of subcall function 0017AF99: GetCurrentProcess.KERNEL32 ref: 0017AFC4
      • Part of subcall function 0017AF99: OpenProcessToken.ADVAPI32 ref: 0017AFCB
      • Part of subcall function 0017AF99: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege), ref: 0017AFEC
      • Part of subcall function 0017AF99: AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 0017B001
      • Part of subcall function 0017AF99: GetLastError.KERNEL32 ref: 0017B00B
      • Part of subcall function 0017AF99: CloseHandle.KERNEL32(00000001), ref: 0017B01C
    • WTSGetActiveConsoleSessionId.KERNEL32 ref: 00179638
      • Part of subcall function 0017950C: EqualSid.ADVAPI32(?,5B867A00), ref: 0017952F
      • Part of subcall function 0017950C: CloseHandle.KERNEL32(00000001), ref: 00179576
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • memcpy.MSVCRT ref: 00195D6C
    • memcpy.MSVCRT ref: 00195D81
    • memcpy.MSVCRT ref: 00195D96
    • memcpy.MSVCRT ref: 00195DA5
      • Part of subcall function 001958ED: EnterCriticalSection.KERNEL32(001A5AA4,?,00195BB2,?,00195C0A,?,?,?,?,C:\Documents and Settings\Administrator\Local Settings\Application Data,00000000,00000000,00000000,?,00000000), ref: 001958FD
      • Part of subcall function 001958ED: LeaveCriticalSection.KERNEL32(001A5AA4,?,C:\Documents and Settings\Administrator\Local Settings\Application Data,00000000,00000000,00000000,?,00000000,?,00000002,?,C:\Documents and Settings\Administrator\Local Settings\Application Data,C:\Documents and Settings\Administrator\Local Settings\Application Data,?,0019A856), ref: 0019592C
      • Part of subcall function 00181E94: GetModuleHandleW.KERNEL32(shell32.dll), ref: 00181EA2
      • Part of subcall function 00181E94: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00181EAE
      • Part of subcall function 00181E94: SetLastError.KERNEL32(00000001,00178F04,001A47C0,?,001A4DF4,00000000,00000006,0019BD7A,001A4DF4,-00000258,?,00000000), ref: 00181EC6
    • SetFileTime.KERNEL32(?,?,?,?), ref: 00195E0A
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • GetFileAttributesW.KERNEL32 ref: 001A2485
    • FlushFileBuffers.KERNEL32 ref: 001A256B
      • Part of subcall function 0017913F: FindFirstFileW.KERNEL32(?), ref: 00179170
      • Part of subcall function 0017913F: FindNextFileW.KERNEL32(?,?), ref: 001791C2
      • Part of subcall function 0017913F: FindClose.KERNEL32 ref: 001791CD
      • Part of subcall function 0017913F: SetFileAttributesW.KERNEL32(?,00000080), ref: 001791D9
      • Part of subcall function 0017913F: RemoveDirectoryW.KERNEL32 ref: 001791E0
      • Part of subcall function 00195E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00195E26
      • Part of subcall function 00195E1D: DeleteFileW.KERNEL32 ref: 00195E2D
    • PathRemoveFileSpecW.SHLWAPI(?), ref: 001A24BA
      • Part of subcall function 00195947: GetTempPathW.KERNEL32(00000104,?), ref: 00195962
      • Part of subcall function 00195947: PathAddBackslashW.SHLWAPI(?), ref: 0019598C
      • Part of subcall function 00195947: CreateDirectoryW.KERNEL32(?), ref: 00195A44
      • Part of subcall function 00195947: SetFileAttributesW.KERNEL32(?), ref: 00195A55
      • Part of subcall function 00195947: CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 00195A6E
      • Part of subcall function 00195947: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000080,?,?,00000000), ref: 00195A7F
    • MoveFileExW.KERNEL32(?,?,00000001), ref: 001A2501
    • CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 001A251A
      • Part of subcall function 00195B5F: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00195B87
      • Part of subcall function 00195934: CloseHandle.KERNEL32 ref: 00195940
    • Sleep.KERNEL32(00001388), ref: 001A255D
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00195BEB
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(Function_00065AA4,?,?,?,00190C47,?,?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00190AB3
    • LeaveCriticalSection.KERNEL32(Function_00065AA4,?,?,?,00190C47,?,?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00190ADB
    • GetModuleHandleW.KERNEL32(advapi32.dll), ref: 00190AF7
    • GetProcAddress.KERNEL32 ref: 00190AFE
    • RegDeleteKeyW.ADVAPI32(?), ref: 00190B20
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 00176A4D: TlsSetValue.KERNEL32(00000001,0018A796), ref: 00176A5A
    • GetCurrentThread.KERNEL32 ref: 0018A799
    • SetThreadPriority.KERNEL32 ref: 0018A7A0
      • Part of subcall function 0019C09D: CreateMutexW.KERNEL32(001A49B4,00000000), ref: 0019C0BF
      • Part of subcall function 0018204E: memcpy.MSVCRT ref: 0018205C
      • Part of subcall function 0019570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0019ABEA,0019ABEA), ref: 0019573C
      • Part of subcall function 0018A755: PathFindFileNameW.SHLWAPI(000001ED), ref: 0018A759
      • Part of subcall function 0018A755: PathRemoveExtensionW.SHLWAPI ref: 0018A76D
      • Part of subcall function 0018A755: CharUpperW.USER32 ref: 0018A777
    • PathQuoteSpacesW.SHLWAPI ref: 0018A83E
      • Part of subcall function 0019AFD3: WaitForSingleObject.KERNEL32(00000000,0018A849), ref: 0019AFDB
    • WaitForSingleObject.KERNEL32 ref: 0018A879
    • StrCmpW.SHLWAPI ref: 0018A8D7
      • Part of subcall function 001907B0: RegCreateKeyExW.ADVAPI32(80000001,00000102,00000000,00000000,00000000,?,00000000,?,?), ref: 001907D8
    • RegSetValueExW.ADVAPI32(000000FF,?,00000000,00000001), ref: 0018A938
      • Part of subcall function 00190755: RegFlushKey.ADVAPI32 ref: 00190765
      • Part of subcall function 00190755: RegCloseKey.ADVAPI32 ref: 0019076D
    • WaitForSingleObject.KERNEL32 ref: 0018A959
      • Part of subcall function 0017766D: ReleaseMutex.KERNEL32 ref: 00177671
      • Part of subcall function 0017766D: CloseHandle.KERNEL32 ref: 00177678
      • Part of subcall function 0018B7FF: EnterCriticalSection.KERNEL32(001A47FC,?,?,001959A9,00000000), ref: 0018B80C
      • Part of subcall function 0018B7FF: LeaveCriticalSection.KERNEL32(001A47FC,?,?,001959A9,00000000), ref: 0018B81A
      • Part of subcall function 00178F6F: memcpy.MSVCRT ref: 00178FE0
      • Part of subcall function 00178F6F: PathRemoveBackslashW.SHLWAPI ref: 00178FEA
      • Part of subcall function 00178F6F: memcpy.MSVCRT ref: 00179033
      • Part of subcall function 00178F6F: memcpy.MSVCRT ref: 00179060
      • Part of subcall function 00178F6F: PathRemoveBackslashW.SHLWAPI ref: 0017906A
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 0018A7EC
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • GetTickCount.KERNEL32 ref: 00189ECE
    • EnterCriticalSection.KERNEL32 ref: 00189EE3
    • WaitForSingleObject.KERNEL32(?,000927C0), ref: 00189F28
    • GetTickCount.KERNEL32 ref: 00189F3B
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
      • Part of subcall function 00196875: GetSystemTime.KERNEL32 ref: 0019687F
      • Part of subcall function 001894FB: WaitForSingleObject.KERNEL32(?,00000000), ref: 00189503
    • GetTickCount.KERNEL32 ref: 0018A135
      • Part of subcall function 00181B5D: memcmp.MSVCRT ref: 00181B69
      • Part of subcall function 001893A8: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0018A111), ref: 001893BE
      • Part of subcall function 001893A8: memcpy.MSVCRT ref: 00189419
      • Part of subcall function 001893A8: LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0018A111,?,00000002), ref: 00189429
      • Part of subcall function 001893A8: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 0018945D
      • Part of subcall function 001893A8: LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0018A111), ref: 001894E9
      • Part of subcall function 00189A6F: memset.MSVCRT ref: 00189B47
      • Part of subcall function 00189A6F: memcpy.MSVCRT ref: 00189BA2
      • Part of subcall function 00189A6F: memcmp.MSVCRT ref: 00189C1B
      • Part of subcall function 00189A6F: memcpy.MSVCRT ref: 00189C6F
      • Part of subcall function 00189A6F: EnterCriticalSection.KERNEL32(?,?,00000FA0,?,-00001388), ref: 00189D42
      • Part of subcall function 00189A6F: LeaveCriticalSection.KERNEL32(?,?,?,00000FA0,?,-00001388), ref: 00189D60
    • GetTickCount.KERNEL32 ref: 0018A16E
    • LeaveCriticalSection.KERNEL32(?,?,00000002), ref: 0018A191
      • Part of subcall function 0018B7FF: EnterCriticalSection.KERNEL32(001A47FC,?,?,001959A9,00000000), ref: 0018B80C
      • Part of subcall function 0018B7FF: LeaveCriticalSection.KERNEL32(001A47FC,?,?,001959A9,00000000), ref: 0018B81A
    • WaitForSingleObject.KERNEL32(?,-001B7740), ref: 0018A1B6
    • LeaveCriticalSection.KERNEL32 ref: 0018A1CC
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 0018CAF1: WaitForSingleObject.KERNEL32(?,00000000), ref: 0018CB1D
      • Part of subcall function 0018CAF1: GetSystemTime.KERNEL32(?), ref: 0018CB54
      • Part of subcall function 0018CAF1: Sleep.KERNEL32(000005DC), ref: 0018CB6D
      • Part of subcall function 0018CAF1: WaitForSingleObject.KERNEL32(?,000005DC), ref: 0018CB76
      • Part of subcall function 0018CAF1: lstrcpyA.KERNEL32 ref: 0018CBD4
      • Part of subcall function 0018163A: memcmp.MSVCRT ref: 00181698
      • Part of subcall function 0018163A: memcpy.MSVCRT ref: 001816D6
      • Part of subcall function 0019AFE8: memcpy.MSVCRT ref: 0019AFF8
      • Part of subcall function 00181781: memset.MSVCRT ref: 00181794
      • Part of subcall function 00181781: memcpy.MSVCRT ref: 001817AF
      • Part of subcall function 00181781: memcpy.MSVCRT ref: 001817D7
      • Part of subcall function 00181781: memcpy.MSVCRT ref: 001817FB
    • memset.MSVCRT ref: 00189B47
      • Part of subcall function 001893A8: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0018A111), ref: 001893BE
      • Part of subcall function 001893A8: memcpy.MSVCRT ref: 00189419
      • Part of subcall function 001893A8: LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0018A111,?,00000002), ref: 00189429
      • Part of subcall function 001893A8: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 0018945D
      • Part of subcall function 001893A8: LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0018A111), ref: 001894E9
      • Part of subcall function 00181B16: EnterCriticalSection.KERNEL32(001A5AA4,?,00188DDC,?,?,?,?,0019B233,?,00000001), ref: 00181B26
      • Part of subcall function 00181B16: LeaveCriticalSection.KERNEL32(001A5AA4,?,00188DDC,?,?,?,?,0019B233,?,00000001), ref: 00181B50
    • memcpy.MSVCRT ref: 00189BA2
      • Part of subcall function 001894FB: WaitForSingleObject.KERNEL32(?,00000000), ref: 00189503
    • memcmp.MSVCRT ref: 00189C1B
      • Part of subcall function 00182543: HeapAlloc.KERNEL32(00000008,?,?,00000000,0018D89F,?,?,?,00000000,00000000,00000000,0018D869,?,0017B3C7,?,@echo off%sdel /F "%s"), ref: 0018256D
      • Part of subcall function 00182543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0018D89F,?,?,?,00000000,00000000,00000000,0018D869,?,0017B3C7), ref: 00182580
    • memcpy.MSVCRT ref: 00189C6F
      • Part of subcall function 00181A4F: memcmp.MSVCRT ref: 00181A6B
      • Part of subcall function 00181B5D: memcmp.MSVCRT ref: 00181B69
      • Part of subcall function 0018B7FF: EnterCriticalSection.KERNEL32(001A47FC,?,?,001959A9,00000000), ref: 0018B80C
      • Part of subcall function 0018B7FF: LeaveCriticalSection.KERNEL32(001A47FC,?,?,001959A9,00000000), ref: 0018B81A
      • Part of subcall function 00177E58: memcpy.MSVCRT ref: 00177E70
    • EnterCriticalSection.KERNEL32(?,?,00000FA0,?,-00001388), ref: 00189D42
    • LeaveCriticalSection.KERNEL32(?,?,?,00000FA0,?,-00001388), ref: 00189D60
      • Part of subcall function 00181821: memcpy.MSVCRT ref: 00181848
      • Part of subcall function 00181728: memcpy.MSVCRT ref: 00181771
      • Part of subcall function 001819AE: memcmp.MSVCRT ref: 00181A24
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
      • Part of subcall function 00174C10: _errno.MSVCRT ref: 00174C2B
      • Part of subcall function 00174C10: _errno.MSVCRT ref: 00174C5D
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(Function_00065AA4,?,?,?,?,?,?,?,?,?,?), ref: 001A1CE8
    • LeaveCriticalSection.KERNEL32(Function_00065AA4,?,?,?,?,?,?,?,?,?), ref: 001A1D12
      • Part of subcall function 0019FEDF: memset.MSVCRT ref: 0019FEF5
      • Part of subcall function 0019FEDF: InitializeCriticalSection.KERNEL32(001A5050), ref: 0019FF05
      • Part of subcall function 0019FEDF: memset.MSVCRT ref: 0019FF34
      • Part of subcall function 0019FEDF: InitializeCriticalSection.KERNEL32(001A5030), ref: 0019FF3E
      • Part of subcall function 001824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0019D211,?,?,00000000,?,?,00000001), ref: 001824D2
      • Part of subcall function 00179FB3: memcpy.MSVCRT ref: 00179FE9
    • memcmp.MSVCRT ref: 001A1E03
    • memcmp.MSVCRT ref: 001A1E34
      • Part of subcall function 00179F5F: memcpy.MSVCRT ref: 00179F99
    • EnterCriticalSection.KERNEL32(001A5050), ref: 001A1EA7
      • Part of subcall function 0019FFD8: GetTickCount.KERNEL32 ref: 0019FFDF
      • Part of subcall function 001A03D0: EnterCriticalSection.KERNEL32(001A5030,001A506C,?,?,001A5050), ref: 001A03E3
      • Part of subcall function 001A03D0: LeaveCriticalSection.KERNEL32(001A5030,?,?,001A5050), ref: 001A0559
      • Part of subcall function 001A061B: EnterCriticalSection.KERNEL32(00C227A8,?,?,?,?,001A5050), ref: 001A06F5
      • Part of subcall function 001A061B: LeaveCriticalSection.KERNEL32(00C227A8,000000FF,00000000,?,?,?,?,001A5050), ref: 001A071D
    • LeaveCriticalSection.KERNEL32(001A5050,001A506C,001A506C,001A506C), ref: 001A1EF7
      • Part of subcall function 0019DD3E: lstrlenA.KERNEL32(?,?,?,?,?,?,001A506C,?,?,001A5050), ref: 0019DD52
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • OpenProcessToken.ADVAPI32(000000FF,00000008), ref: 0017B03B
    • GetTokenInformation.ADVAPI32(?,00000019,00000000,00000000), ref: 0017B054
    • GetLastError.KERNEL32(?,?,00000000,?,?,00000000,0019AA69,?,0019ADD5,?,?,?,00000001), ref: 0017B05E
      • Part of subcall function 001824DA: HeapAlloc.KERNEL32(00000008,?,?,0017B076,?,?,?,00000000,?,?,00000000,0019AA69,?,0019ADD5), ref: 001824EB
    • GetTokenInformation.ADVAPI32(?,00000019,?,?), ref: 0017B089
    • GetSidSubAuthorityCount.ADVAPI32(?,?,?,?,?,?,?,00000000,?,?,00000000,0019AA69,?,0019ADD5), ref: 0017B095
    • GetSidSubAuthority.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,0019AA69,?,0019ADD5), ref: 0017B0AC
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
    • CloseHandle.KERNEL32(?), ref: 0017B0D8
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 001824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0019D211,?,?,00000000,?,?,00000001), ref: 001824D2
    • WSASetLastError.WS2_32(00000008,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00000001), ref: 0017C3C0
    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,?), ref: 0017C40C
      • Part of subcall function 0017BEC0: WSAGetLastError.WS2_32 ref: 0017BEF6
      • Part of subcall function 0017BEC0: WSASetLastError.WS2_32(?,?,?,?), ref: 0017BF3E
    • WSAGetLastError.WS2_32(?,00000800,?,00000000,?), ref: 0017C4EC
    • shutdown.WS2_32(?,00000001), ref: 0017C517
    • WaitForMultipleObjects.KERNEL32(?,?,00000000,?), ref: 0017C540
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
    • WSASetLastError.WS2_32(0000274C,?,?,?,?,?,?,?,?,00000000,?,?,?,00000001,?,00002710), ref: 0017C594
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00C227A8,?,3D920600,?), ref: 0019C5BC
    • LeaveCriticalSection.KERNEL32(00C227A8,?,3D920600,?), ref: 0019C66C
      • Part of subcall function 00177FA8: LoadLibraryA.KERNEL32(gdiplus.dll), ref: 00177FBA
      • Part of subcall function 00177FA8: GetProcAddress.KERNEL32(?,GdiplusStartup), ref: 00177FD2
      • Part of subcall function 00177FA8: CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00178011
      • Part of subcall function 00177FA8: CreateCompatibleDC.GDI32 ref: 00178022
      • Part of subcall function 00177FA8: LoadCursorW.USER32(00000000,00007F00), ref: 00178038
      • Part of subcall function 00177FA8: GetIconInfo.USER32 ref: 0017804C
      • Part of subcall function 00177FA8: GetCursorPos.USER32(?), ref: 0017805B
      • Part of subcall function 00177FA8: GetDeviceCaps.GDI32(?,00000008), ref: 00178072
      • Part of subcall function 00177FA8: GetDeviceCaps.GDI32(?,0000000A), ref: 0017807B
      • Part of subcall function 00177FA8: CreateCompatibleBitmap.GDI32(?,?), ref: 00178087
      • Part of subcall function 00177FA8: SelectObject.GDI32 ref: 00178095
      • Part of subcall function 00177FA8: BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,40CC0020), ref: 001780B6
      • Part of subcall function 00177FA8: DrawIcon.USER32(?,?,?,?), ref: 001780E8
      • Part of subcall function 00177FA8: SelectObject.GDI32(?,?), ref: 00178104
      • Part of subcall function 00177FA8: DeleteObject.GDI32 ref: 0017810B
      • Part of subcall function 00177FA8: DeleteDC.GDI32 ref: 00178112
      • Part of subcall function 00177FA8: DeleteDC.GDI32 ref: 00178119
      • Part of subcall function 00177FA8: FreeLibrary.KERNEL32(?), ref: 00178129
      • Part of subcall function 00177FA8: GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 0017813F
      • Part of subcall function 00177FA8: FreeLibrary.KERNEL32(?), ref: 00178153
    • GetTickCount.KERNEL32 ref: 0019C616
    • GetCurrentProcessId.KERNEL32 ref: 0019C61D
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
    • GetKeyboardState.USER32 ref: 0019C688
    • ToUnicode.USER32(?,?,?,?,00000009,00000000), ref: 0019C6AB
      • Part of subcall function 0019C410: EnterCriticalSection.KERNEL32(00C227A8,00C227A8,?,?,?,0019C6E4,?,?,?,?,?,00000009,00000000,?,?,3D920600), ref: 0019C42A
      • Part of subcall function 0019C410: memcpy.MSVCRT ref: 0019C49B
      • Part of subcall function 0019C410: memcpy.MSVCRT ref: 0019C4BF
      • Part of subcall function 0019C410: memcpy.MSVCRT ref: 0019C4D6
      • Part of subcall function 0019C410: memcpy.MSVCRT ref: 0019C4F6
      • Part of subcall function 0019C410: LeaveCriticalSection.KERNEL32(00C227A8,?,3D920600,?), ref: 0019C511
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • memset.MSVCRT ref: 001859C8
    • GlobalMemoryStatusEx.KERNEL32 ref: 001859DF
    • GetNativeSystemInfo.KERNEL32 ref: 00185A10
      • Part of subcall function 00190775: RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0019079C
    • GetSystemMetrics.USER32(0000004F), ref: 00185A9D
      • Part of subcall function 00190A1D: RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 00190A3A
      • Part of subcall function 00190755: RegFlushKey.ADVAPI32 ref: 00190765
      • Part of subcall function 00190755: RegCloseKey.ADVAPI32 ref: 0019076D
    • GetSystemMetrics.USER32(00000050), ref: 00185A90
    • GetSystemMetrics.USER32(0000004E), ref: 00185A97
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • ConvertSidToStringSidW.ADVAPI32(?,?), ref: 0019B32F
    • PathUnquoteSpacesW.SHLWAPI ref: 0019B394
    • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 0019B3A3
    • LocalFree.KERNEL32(00000001), ref: 0019B3B7
    Strings
    • ProfileImagePath, xrefs: 0019B378
    • SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s, xrefs: 0019B34C
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • GetTempPathW.KERNEL32(00000104), ref: 0019AAB7
    • GetLongPathNameW.KERNEL32(?,C:\Documents and Settings\Administrator\Local Settings\Temp,00000104,?,?), ref: 0019AACF
    • PathRemoveBackslashW.SHLWAPI(C:\Documents and Settings\Administrator\Local Settings\Temp), ref: 0019AADA
      • Part of subcall function 00178E53: EnterCriticalSection.KERNEL32(001A5AA4,?,001A4DF4,00000000,00000006,0019BD7A,001A4DF4,-00000258,?,00000000), ref: 00178E6A
      • Part of subcall function 00178E53: LeaveCriticalSection.KERNEL32(001A5AA4,?,00000000), ref: 00178E9D
      • Part of subcall function 00178E53: CoTaskMemFree.OLE32(?), ref: 00178F36
      • Part of subcall function 00178E53: PathRemoveBackslashW.SHLWAPI(00000006), ref: 00178F44
      • Part of subcall function 00178E53: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,00000006), ref: 00178F5C
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?), ref: 0019AB00
      • Part of subcall function 00179F5F: memcpy.MSVCRT ref: 00179F99
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 0019AAC2, 0019AACD, 0019AAD9
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 0019AAE0
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,?,00000000), ref: 001852E3
    • GetCommandLineW.KERNEL32 ref: 00185304
      • Part of subcall function 001911D5: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000000,00000000), ref: 001911FF
      • Part of subcall function 001911D5: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,?,00000000,00000000), ref: 00191234
    • GetUserNameExW.SECUR32(00000002,?,?,?,?,?,00000104), ref: 0018533C
    • GetProcessTimes.KERNEL32(000000FF), ref: 00185372
    • GetUserDefaultUILanguage.KERNEL32 ref: 001853E4
    • memcpy.MSVCRT ref: 00185418
    • memcpy.MSVCRT ref: 0018542D
    • memcpy.MSVCRT ref: 00185443
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
      • Part of subcall function 001824DA: HeapAlloc.KERNEL32(00000008,?,?,0017B076,?,?,?,00000000,?,?,00000000,0019AA69,?,0019ADD5), ref: 001824EB
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,00177E45,?,?,?,00000000), ref: 0018AEAE
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 0018AEE7
    • CloseHandle.KERNEL32 ref: 0018AEFA
      • Part of subcall function 001824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0019D211,?,?,00000000,?,?,00000001), ref: 001824D2
    • memcpy.MSVCRT ref: 0018AF1D
    • memset.MSVCRT ref: 0018AF37
    • memcpy.MSVCRT ref: 0018AF7D
    • memset.MSVCRT ref: 0018AF9B
      • Part of subcall function 00178CBF: EnterCriticalSection.KERNEL32(?,?,?,00182B51,00000005,00007530,?,00000000,00000000), ref: 00178CC7
      • Part of subcall function 00178CBF: WaitForSingleObject.KERNEL32(?,00000000), ref: 00178CEB
      • Part of subcall function 00178CBF: CloseHandle.KERNEL32 ref: 00178CFB
      • Part of subcall function 00178CBF: LeaveCriticalSection.KERNEL32(?,?,?,?,00182B51,00000005,00007530,?,00000000,00000000), ref: 00178D2B
      • Part of subcall function 00178D34: EnterCriticalSection.KERNEL32(00C21F3C,00C21F30,?,?,0018A99B,00000000,0018A6E2,00000000,?,00000000,?,?,?,0019B2E2,?,00000001), ref: 00178D3D
      • Part of subcall function 00178D34: CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00178D76
      • Part of subcall function 00178D34: DuplicateHandle.KERNEL32(000000FF,?,000000FF,0018A99B,00000000,00000000,00000002), ref: 00178D95
      • Part of subcall function 00178D34: GetLastError.KERNEL32(?,000000FF,0018A99B,00000000,00000000,00000002,?,?,0018A99B,00000000,0018A6E2,00000000,?,00000000), ref: 00178D9F
      • Part of subcall function 00178D34: TerminateThread.KERNEL32 ref: 00178DA7
      • Part of subcall function 00178D34: CloseHandle.KERNEL32 ref: 00178DAE
      • Part of subcall function 00178D34: LeaveCriticalSection.KERNEL32(00C21F3C,?,0018A99B,00000000,0018A6E2,00000000,?,00000000,?,?,?,0019B2E2,?,00000001), ref: 00178DC3
      • Part of subcall function 00178D34: ResumeThread.KERNEL32 ref: 00178DDC
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00177E45,?,?,?,00000000), ref: 0018AFEF
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • GetTempPathW.KERNEL32(00000104,?), ref: 00195962
    • PathAddBackslashW.SHLWAPI(?), ref: 0019598C
      • Part of subcall function 0018B7FF: EnterCriticalSection.KERNEL32(001A47FC,?,?,001959A9,00000000), ref: 0018B80C
      • Part of subcall function 0018B7FF: LeaveCriticalSection.KERNEL32(001A47FC,?,?,001959A9,00000000), ref: 0018B81A
    • CreateDirectoryW.KERNEL32(?), ref: 00195A44
    • SetFileAttributesW.KERNEL32(?), ref: 00195A55
    • CreateFileW.KERNEL32(?,C0000000,?,00000000,00000001,?), ref: 00195A6E
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000080,?,?,00000000), ref: 00195A7F
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • lstrlenA.KERNEL32(?,?), ref: 00182C1E
    • CreateMutexW.KERNEL32(001A49B4,00000001), ref: 00182C76
    • GetLastError.KERNEL32(?,?,?,?,?), ref: 00182C86
    • CloseHandle.KERNEL32 ref: 00182C94
      • Part of subcall function 001824DA: HeapAlloc.KERNEL32(00000008,?,?,0017B076,?,?,?,00000000,?,?,00000000,0019AA69,?,0019ADD5), ref: 001824EB
    • memcpy.MSVCRT ref: 00182CBE
    • memcpy.MSVCRT ref: 00182CD2
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
      • Part of subcall function 0017B2E5: CreateThread.KERNEL32(00000000,00000000,00179DBA,?), ref: 0017B2F6
      • Part of subcall function 0017B2E5: CloseHandle.KERNEL32 ref: 0017B301
      • Part of subcall function 0017766D: ReleaseMutex.KERNEL32 ref: 00177671
      • Part of subcall function 0017766D: CloseHandle.KERNEL32 ref: 00177678
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • CreateFileW.KERNEL32(00C21EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0018844B
    • GetFileSizeEx.KERNEL32 ref: 0018845E
    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00188484
    • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0018849C
    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 001884BA
    • CloseHandle.KERNEL32 ref: 001884C3
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 00178E53: EnterCriticalSection.KERNEL32(001A5AA4,?,001A4DF4,00000000,00000006,0019BD7A,001A4DF4,-00000258,?,00000000), ref: 00178E6A
      • Part of subcall function 00178E53: LeaveCriticalSection.KERNEL32(001A5AA4,?,00000000), ref: 00178E9D
      • Part of subcall function 00178E53: CoTaskMemFree.OLE32(?), ref: 00178F36
      • Part of subcall function 00178E53: PathRemoveBackslashW.SHLWAPI(00000006), ref: 00178F44
      • Part of subcall function 00178E53: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,00000006), ref: 00178F5C
    • PathRemoveBackslashW.SHLWAPI(-00000258), ref: 0019BD85
    • PathRemoveFileSpecW.SHLWAPI(-00000258), ref: 0019BD92
    • PathAddBackslashW.SHLWAPI(-00000258), ref: 0019BDA3
    • GetVolumeNameForVolumeMountPointW.KERNEL32(-00000258,-00000050,00000064), ref: 0019BDB6
    • CLSIDFromString.OLE32(-0000003C,001A4DF4,?,00000000), ref: 0019BDD2
    • memset.MSVCRT ref: 0019BDE4
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0018FEC2
    • memcpy.MSVCRT ref: 0018FEDC
    • VirtualProtect.KERNEL32(?,?,00000002,-00000048), ref: 0018FEEF
    • memset.MSVCRT ref: 0018FF46
    • memcpy.MSVCRT ref: 0018FF5A
    • VirtualProtect.KERNEL32(?,?,?,-00000048), ref: 00190049
      • Part of subcall function 001901EA: LoadLibraryA.KERNEL32 ref: 0019023A
      • Part of subcall function 00190370: VirtualFree.KERNEL32(?,00000000,00008000), ref: 0019037F
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 001824DA: HeapAlloc.KERNEL32(00000008,?,?,0017B076,?,?,?,00000000,?,?,00000000,0019AA69,?,0019ADD5), ref: 001824EB
    • EnterCriticalSection.KERNEL32(?,?,00000000,?,?,0000002C), ref: 00186531
      • Part of subcall function 00186865: EnterCriticalSection.KERNEL32(?,?,00000000,?,00186B6E,00000064,00000000,000000C8,00000000,?,00000001,?,0000002C), ref: 0018686E
      • Part of subcall function 00186865: LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00186B6E,00000064,00000000,000000C8,00000000,?,00000001,?,0000002C), ref: 001868A5
      • Part of subcall function 0018B7FF: EnterCriticalSection.KERNEL32(001A47FC,?,?,001959A9,00000000), ref: 0018B80C
      • Part of subcall function 0018B7FF: LeaveCriticalSection.KERNEL32(001A47FC,?,?,001959A9,00000000), ref: 0018B81A
    • LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,?,?,0000002C), ref: 00186572
    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00186581
    • SetEvent.KERNEL32 ref: 00186591
    • GetExitCodeThread.KERNEL32 ref: 001865A5
    • CloseHandle.KERNEL32 ref: 001865BB
      • Part of subcall function 00178D34: EnterCriticalSection.KERNEL32(00C21F3C,00C21F30,?,?,0018A99B,00000000,0018A6E2,00000000,?,00000000,?,?,?,0019B2E2,?,00000001), ref: 00178D3D
      • Part of subcall function 00178D34: CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00178D76
      • Part of subcall function 00178D34: DuplicateHandle.KERNEL32(000000FF,?,000000FF,0018A99B,00000000,00000000,00000002), ref: 00178D95
      • Part of subcall function 00178D34: GetLastError.KERNEL32(?,000000FF,0018A99B,00000000,00000000,00000002,?,?,0018A99B,00000000,0018A6E2,00000000,?,00000000), ref: 00178D9F
      • Part of subcall function 00178D34: TerminateThread.KERNEL32 ref: 00178DA7
      • Part of subcall function 00178D34: CloseHandle.KERNEL32 ref: 00178DAE
      • Part of subcall function 00178D34: LeaveCriticalSection.KERNEL32(00C21F3C,?,0018A99B,00000000,0018A6E2,00000000,?,00000000,?,?,?,0019B2E2,?,00000001), ref: 00178DC3
      • Part of subcall function 00178D34: ResumeThread.KERNEL32 ref: 00178DDC
      • Part of subcall function 00186BD0: memcmp.MSVCRT ref: 00186BE9
      • Part of subcall function 00186BD0: memcmp.MSVCRT ref: 00186C45
      • Part of subcall function 00186BD0: memcmp.MSVCRT ref: 00186CAB
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
      • Part of subcall function 0019B0EA: memcpy.MSVCRT ref: 0019B110
      • Part of subcall function 0019B0EA: memset.MSVCRT ref: 0019B1B3
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • CertOpenSystemStoreW.CRYPT32(00000000), ref: 00183205
    • CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00183223
    • CertEnumCertificatesInStore.CRYPT32(?,?,?,00000000), ref: 00183230
    • PFXExportCertStoreEx.CRYPT32(?,00000000,00000000,00000000,00000004,?,?,?,00000000), ref: 00183264
      • Part of subcall function 001824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0019D211,?,?,00000000,?,?,00000001), ref: 001824D2
    • PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004,?,00000000,00000000,00000000,00000004,?,?,?,00000000), ref: 00183296
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
      • Part of subcall function 001832D5: GetUserNameExW.SECUR32(00000002), ref: 00183303
      • Part of subcall function 001832D5: GetSystemTime.KERNEL32 ref: 00183356
      • Part of subcall function 001832D5: CharLowerW.USER32(?), ref: 001833A6
      • Part of subcall function 001832D5: PathRenameExtensionW.SHLWAPI(?), ref: 001833D6
    • CertCloseStore.CRYPT32(?,00000000,?,00000000), ref: 001832C5
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • InitializeCriticalSection.KERNEL32(001A5AA4), ref: 0019D207
      • Part of subcall function 001824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0019D211,?,?,00000000,?,?,00000001), ref: 001824D2
    • InitializeCriticalSection.KERNEL32 ref: 0019D218
    • memset.MSVCRT ref: 0019D229
    • TlsAlloc.KERNEL32(?,?,00000000,?,?,00000001), ref: 0019D240
    • GetModuleHandleW.KERNEL32(00000000), ref: 0019D25C
    • GetModuleHandleW.KERNEL32 ref: 0019D272
      • Part of subcall function 0019CAF0: EnterCriticalSection.KERNEL32(001A5AA4,7C80E4DD,0019D280,?,?,?,00000000,?,?,00000001), ref: 0019CB00
      • Part of subcall function 0019CAF0: LeaveCriticalSection.KERNEL32(001A5AA4,?,?,?,00000000,?,?,00000001), ref: 0019CB28
      • Part of subcall function 0019D2B1: TlsFree.KERNEL32(?), ref: 0019D2BD
      • Part of subcall function 0019D2B1: DeleteCriticalSection.KERNEL32(00C21E90,00000000,0019D2A8,00C21E90,?,?,00000000,?,?,00000001), ref: 0019D2C4
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • accept.WS2_32(?,?), ref: 0017BD45
    • WSAEventSelect.WS2_32(?,00000000,00000000), ref: 0017BD57
      • Part of subcall function 001824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0019D211,?,?,00000000,?,?,00000001), ref: 001824D2
    • WSASetLastError.WS2_32(00000008,?,?,00000002,?,00000000,00000000,?,?), ref: 0017BDAE
      • Part of subcall function 0017B928: WSACreateEvent.WS2_32(00000000,?,0017BB6E,00000033,00000000,?,?,?,0018C4F0,?,00003A98,?,00000000,?,00000003), ref: 0017B93E
      • Part of subcall function 0017B928: WSAEventSelect.WS2_32(?,?,00000033), ref: 0017B954
      • Part of subcall function 0017B928: WSACloseEvent.WS2_32 ref: 0017B968
      • Part of subcall function 0017B864: getsockopt.WS2_32(?,0000FFFF,00002004), ref: 0017B89E
      • Part of subcall function 0017B864: memset.MSVCRT ref: 0017B8B2
    • WSAGetLastError.WS2_32(00000023,?,00000000,00000000,?,?), ref: 0017BD88
    • shutdown.WS2_32(?,00000002), ref: 0017BDA0
    • closesocket.WS2_32 ref: 0017BDA7
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • OpenProcess.KERNEL32(0000047A,00000000,?), ref: 00175B19
      • Part of subcall function 0019AEB1: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 0019AECF
      • Part of subcall function 0019AEB1: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 0019AF0A
      • Part of subcall function 0019AEB1: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0019AF4A
      • Part of subcall function 0019AEB1: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0019AF6D
      • Part of subcall function 0019AEB1: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0019AFBD
    • CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000000,00000000), ref: 00175B5A
    • WaitForSingleObject.KERNEL32(?,00002710), ref: 00175B6C
    • CloseHandle.KERNEL32 ref: 00175B73
    • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00175B85
    • CloseHandle.KERNEL32 ref: 00175B8C
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 00176A4D: TlsSetValue.KERNEL32(00000001,0018A796), ref: 00176A5A
      • Part of subcall function 0019C09D: CreateMutexW.KERNEL32(001A49B4,00000000), ref: 0019C0BF
    • GetCurrentThread.KERNEL32 ref: 00182D49
    • SetThreadPriority.KERNEL32 ref: 00182D50
      • Part of subcall function 0019AFD3: WaitForSingleObject.KERNEL32(00000000,0018A849), ref: 0019AFDB
    • memset.MSVCRT ref: 00182D92
    • lstrlenA.KERNEL32(00000000), ref: 00182DA9
      • Part of subcall function 001826C5: memset.MSVCRT ref: 001826D5
      • Part of subcall function 0019621D: PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00196283
      • Part of subcall function 0019621D: FindFirstFileW.KERNEL32 ref: 001962F1
      • Part of subcall function 0019621D: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0019634A
      • Part of subcall function 0019621D: SetLastError.KERNEL32(00000057,?,?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 001963BB
      • Part of subcall function 0019621D: CloseHandle.KERNEL32 ref: 001963F5
      • Part of subcall function 0019621D: FindNextFileW.KERNEL32 ref: 00196429
      • Part of subcall function 0019621D: FindClose.KERNEL32 ref: 00196453
    • memset.MSVCRT ref: 00182E6F
    • memcpy.MSVCRT ref: 00182E7F
      • Part of subcall function 00182BE5: lstrlenA.KERNEL32(?,?), ref: 00182C1E
      • Part of subcall function 00182BE5: CreateMutexW.KERNEL32(001A49B4,00000001), ref: 00182C76
      • Part of subcall function 00182BE5: GetLastError.KERNEL32(?,?,?,?,?), ref: 00182C86
      • Part of subcall function 00182BE5: CloseHandle.KERNEL32 ref: 00182C94
      • Part of subcall function 00182BE5: memcpy.MSVCRT ref: 00182CBE
      • Part of subcall function 00182BE5: memcpy.MSVCRT ref: 00182CD2
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
    • WaitForSingleObject.KERNEL32(00007530), ref: 00182EA9
      • Part of subcall function 0017766D: ReleaseMutex.KERNEL32 ref: 00177671
      • Part of subcall function 0017766D: CloseHandle.KERNEL32 ref: 00177678
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • GetModuleHandleW.KERNEL32(shell32.dll), ref: 00181EA2
    • GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00181EAE
    • SetLastError.KERNEL32(00000001,00178F04,001A47C0,?,001A4DF4,00000000,00000006,0019BD7A,001A4DF4,-00000258,?,00000000), ref: 00181EC6
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00198037
    • WSASetLastError.WS2_32(00000008), ref: 00198046
    • memcpy.MSVCRT ref: 00198063
    • memcpy.MSVCRT ref: 00198075
    • WSASetLastError.WS2_32(00000008,?,?,?), ref: 001980DF
    • WSAGetLastError.WS2_32(?,?,?), ref: 001980FB
      • Part of subcall function 00198325: RegisterWaitForSingleObject.KERNEL32(?,?,00198164,?,000000FF,00000004), ref: 0019838A
    • WSASetLastError.WS2_32(00000008,?,00000000,?,?,?,?,?), ref: 00198124
      • Part of subcall function 0018CC4F: memcpy.MSVCRT ref: 0018CC64
      • Part of subcall function 0018CC4F: SetEvent.KERNEL32 ref: 0018CC74
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • memset.MSVCRT ref: 0017B106
    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,?,?,00000000), ref: 0017B13E
    • memcpy.MSVCRT ref: 0017B159
    • CloseHandle.KERNEL32(?), ref: 0017B16E
    • CloseHandle.KERNEL32(00000000), ref: 0017B174
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 0019C09D: CreateMutexW.KERNEL32(001A49B4,00000000), ref: 0019C0BF
      • Part of subcall function 0018204E: memcpy.MSVCRT ref: 0018205C
      • Part of subcall function 00188432: CreateFileW.KERNEL32(00C21EF0,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0018844B
      • Part of subcall function 00188432: GetFileSizeEx.KERNEL32 ref: 0018845E
      • Part of subcall function 00188432: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00188484
      • Part of subcall function 00188432: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0018849C
      • Part of subcall function 00188432: VirtualFree.KERNEL32(?,00000000,00008000), ref: 001884BA
      • Part of subcall function 00188432: CloseHandle.KERNEL32 ref: 001884C3
    • memset.MSVCRT ref: 0018B42B
    • memcpy.MSVCRT ref: 0018B457
      • Part of subcall function 00196875: GetSystemTime.KERNEL32 ref: 0019687F
      • Part of subcall function 001824F3: HeapAlloc.KERNEL32(00000000,?,?,?,00176328,?,?,00198D10,?,?,?,?,0000FFFF), ref: 0018251D
      • Part of subcall function 001824F3: HeapReAlloc.KERNEL32(00000000,?,?,?,?,00176328,?,?,00198D10,?,?,?,?,0000FFFF), ref: 00182530
      • Part of subcall function 001771D5: memcpy.MSVCRT ref: 001772E6
    • CreateFileW.KERNEL32(0016AF54,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 0018B55C
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0018B578
      • Part of subcall function 00195934: CloseHandle.KERNEL32 ref: 00195940
      • Part of subcall function 0017766D: ReleaseMutex.KERNEL32 ref: 00177671
      • Part of subcall function 0017766D: CloseHandle.KERNEL32 ref: 00177678
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
      • Part of subcall function 0018B161: memset.MSVCRT ref: 0018B170
      • Part of subcall function 0018B161: memset.MSVCRT ref: 0018B1B3
      • Part of subcall function 0018B161: memset.MSVCRT ref: 0018B1E9
      • Part of subcall function 00190370: VirtualFree.KERNEL32(?,00000000,00008000), ref: 0019037F
      • Part of subcall function 0018FE5C: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0018FEC2
      • Part of subcall function 0018FE5C: memcpy.MSVCRT ref: 0018FEDC
      • Part of subcall function 0018FE5C: VirtualProtect.KERNEL32(?,?,00000002,-00000048), ref: 0018FEEF
      • Part of subcall function 0018FE5C: memset.MSVCRT ref: 0018FF46
      • Part of subcall function 0018FE5C: memcpy.MSVCRT ref: 0018FF5A
      • Part of subcall function 0018FE5C: VirtualProtect.KERNEL32(?,?,?,-00000048), ref: 00190049
      • Part of subcall function 001773E0: memcmp.MSVCRT ref: 00177489
      • Part of subcall function 001884D3: VirtualFree.KERNEL32(?,00000000,00008000), ref: 001884E4
      • Part of subcall function 001884D3: CloseHandle.KERNEL32 ref: 001884F3
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • LoadLibraryW.KERNEL32(urlmon.dll), ref: 0017C8D4
    • GetProcAddress.KERNEL32(?,ObtainUserAgentString), ref: 0017C8EA
    • FreeLibrary.KERNEL32 ref: 0017C935
      • Part of subcall function 001824DA: HeapAlloc.KERNEL32(00000008,?,?,0017B076,?,?,?,00000000,?,?,00000000,0019AA69,?,0019ADD5), ref: 001824EB
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(001A5AA4,?,?,0019AA21,?,0019ADD5,?,?,?,00000001), ref: 00181EE6
    • LeaveCriticalSection.KERNEL32(001A5AA4,?,?,0019AA21,?,0019ADD5,?,?,?,00000001), ref: 00181F0E
      • Part of subcall function 00181E94: GetModuleHandleW.KERNEL32(shell32.dll), ref: 00181EA2
      • Part of subcall function 00181E94: GetProcAddress.KERNEL32(?,SHGetKnownFolderPath), ref: 00181EAE
      • Part of subcall function 00181E94: SetLastError.KERNEL32(00000001,00178F04,001A47C0,?,001A4DF4,00000000,00000006,0019BD7A,001A4DF4,-00000258,?,00000000), ref: 00181EC6
    • IsWow64Process.KERNEL32(000000FF), ref: 00181F37
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 00182456: EnterCriticalSection.KERNEL32(001A5AA4,00000028,001824C9,?,0019D211,?,?,00000000,?,?,00000001), ref: 00182466
      • Part of subcall function 00182456: LeaveCriticalSection.KERNEL32(001A5AA4,?,0019D211,?,?,00000000,?,?,00000001), ref: 00182490
    • HeapAlloc.KERNEL32(00000000,00000028,?,0019D211,?,?,00000000,?,?,00000001), ref: 001824D2
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 00178F6F: memcpy.MSVCRT ref: 00178FE0
      • Part of subcall function 00178F6F: PathRemoveBackslashW.SHLWAPI ref: 00178FEA
      • Part of subcall function 00178F6F: memcpy.MSVCRT ref: 00179033
      • Part of subcall function 00178F6F: memcpy.MSVCRT ref: 00179060
      • Part of subcall function 00178F6F: PathRemoveBackslashW.SHLWAPI ref: 0017906A
    • FindFirstFileW.KERNEL32 ref: 00199555
    • SetLastError.KERNEL32(?,?,?,?,?,?,0016AB64), ref: 00199680
      • Part of subcall function 001996F5: PathMatchSpecW.SHLWAPI(00000010), ref: 00199722
      • Part of subcall function 001996F5: PathMatchSpecW.SHLWAPI(00000010), ref: 00199741
    • FindNextFileW.KERNEL32(?,?), ref: 0019964A
    • GetLastError.KERNEL32(?,?,?,?,0016AB64), ref: 00199663
    • FindClose.KERNEL32 ref: 00199679
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 0017B764: EnterCriticalSection.KERNEL32(Function_00065AA4,?,0017B826,?,0019C86A,0018C4AB,0018C4AB,?,0018C4AB,?,00000001), ref: 0017B774
      • Part of subcall function 0017B764: LeaveCriticalSection.KERNEL32(Function_00065AA4,?,0017B826,?,0019C86A,0018C4AB,0018C4AB,?,0018C4AB,?,00000001), ref: 0017B79E
    • socket.WS2_32(?,00000002,00000000), ref: 0017C0DF
    • WSAIoctl.WS2_32(?,48000016,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0017C112
    • WSAGetLastError.WS2_32(?,48000016,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00000002,00000000,00000000,?,?), ref: 0017C119
      • Part of subcall function 001824DA: HeapAlloc.KERNEL32(00000008,?,?,0017B076,?,?,?,00000000,?,?,00000000,0019AA69,?,0019ADD5), ref: 001824EB
    • WSAIoctl.WS2_32(?,48000016,00000000,00000000,?,?,?,00000000,00000000), ref: 0017C14D
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
    • closesocket.WS2_32 ref: 0017C15D
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 00178F6F: memcpy.MSVCRT ref: 00178FE0
      • Part of subcall function 00178F6F: PathRemoveBackslashW.SHLWAPI ref: 00178FEA
      • Part of subcall function 00178F6F: memcpy.MSVCRT ref: 00179033
      • Part of subcall function 00178F6F: memcpy.MSVCRT ref: 00179060
      • Part of subcall function 00178F6F: PathRemoveBackslashW.SHLWAPI ref: 0017906A
    • FindFirstFileW.KERNEL32(?), ref: 00179170
      • Part of subcall function 00195E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00195E26
      • Part of subcall function 00195E1D: DeleteFileW.KERNEL32 ref: 00195E2D
    • FindNextFileW.KERNEL32(?,?), ref: 001791C2
    • FindClose.KERNEL32 ref: 001791CD
    • SetFileAttributesW.KERNEL32(?,00000080), ref: 001791D9
    • RemoveDirectoryW.KERNEL32 ref: 001791E0
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 00178F6F: memcpy.MSVCRT ref: 00178FE0
      • Part of subcall function 00178F6F: PathRemoveBackslashW.SHLWAPI ref: 00178FEA
      • Part of subcall function 00178F6F: memcpy.MSVCRT ref: 00179033
      • Part of subcall function 00178F6F: memcpy.MSVCRT ref: 00179060
      • Part of subcall function 00178F6F: PathRemoveBackslashW.SHLWAPI ref: 0017906A
    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00190405
    • SetFileAttributesW.KERNEL32(?), ref: 00190424
    • CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,?,00000000), ref: 0019043B
    • GetLastError.KERNEL32 ref: 00190448
    • CloseHandle.KERNEL32 ref: 00190481
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00C227A8,00C227A8,?,?,?,0019C6E4,?,?,?,?,?,00000009,00000000,?,?,3D920600), ref: 0019C42A
    • LeaveCriticalSection.KERNEL32(00C227A8,?,3D920600,?), ref: 0019C511
      • Part of subcall function 001824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0019D211,?,?,00000000,?,?,00000001), ref: 001824D2
    • memcpy.MSVCRT ref: 0019C49B
    • memcpy.MSVCRT ref: 0019C4BF
    • memcpy.MSVCRT ref: 0019C4D6
    • memcpy.MSVCRT ref: 0019C4F6
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • PathFindFileNameW.SHLWAPI(?), ref: 00184C02
      • Part of subcall function 00179E88: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00179E9D
      • Part of subcall function 00179E88: StrCmpIW.SHLWAPI ref: 00179EA7
    • CreateFileW.KERNEL32(?,80000000,00000007,?,00000003,00000080), ref: 00184C31
      • Part of subcall function 001824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0019D211,?,?,00000000,?,?,00000001), ref: 001824D2
    • SetLastError.KERNEL32(00000057,?,?,00000003,00000080), ref: 00184C96
      • Part of subcall function 00195B34: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00195B46
      • Part of subcall function 00195934: CloseHandle.KERNEL32 ref: 00195940
    • CharLowerW.USER32 ref: 00184CF6
      • Part of subcall function 0018204E: memcpy.MSVCRT ref: 0018205C
      • Part of subcall function 0019868E: EnterCriticalSection.KERNEL32(001A5AA4,?,0019AA5B,?,0019ADD5,?,?,?,00000001), ref: 0019869E
      • Part of subcall function 0019868E: LeaveCriticalSection.KERNEL32(001A5AA4,?,0019AA5B,?,0019ADD5,?,?,?,00000001), ref: 001986C4
      • Part of subcall function 0019570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0019ABEA,0019ABEA), ref: 0019573C
      • Part of subcall function 00178F6F: memcpy.MSVCRT ref: 00178FE0
      • Part of subcall function 00178F6F: PathRemoveBackslashW.SHLWAPI ref: 00178FEA
      • Part of subcall function 00178F6F: memcpy.MSVCRT ref: 00179033
      • Part of subcall function 00178F6F: memcpy.MSVCRT ref: 00179060
      • Part of subcall function 00178F6F: PathRemoveBackslashW.SHLWAPI ref: 0017906A
    • memcmp.MSVCRT ref: 00184E48
    • GetTickCount.KERNEL32 ref: 00184E55
      • Part of subcall function 001907EE: RegSetValueExW.ADVAPI32(00000000,000000FE,?,00000000,?,?), ref: 00190823
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
      • Part of subcall function 00195AB0: GetFileSizeEx.KERNEL32 ref: 00195ABB
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 0019AECF
      • Part of subcall function 0018C90D: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 0018C93C
      • Part of subcall function 0018C90D: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0018C97B
      • Part of subcall function 0018C90D: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0018C9A2
    • DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 0019AF0A
    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0019AF4A
    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0019AF6D
      • Part of subcall function 0019A976: DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 0019A999
      • Part of subcall function 0019A976: WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0019A9B1
      • Part of subcall function 0019A976: DuplicateHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000001), ref: 0019A9CC
    • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0019AFBD
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 0018CB1D
      • Part of subcall function 0017C830: HttpQueryInfoA.WININET(0018CB41,40000009,?,?,00000000), ref: 0017C897
      • Part of subcall function 0017C830: memset.MSVCRT ref: 0017C8AD
    • GetSystemTime.KERNEL32(?), ref: 0018CB54
      • Part of subcall function 0018B7FF: EnterCriticalSection.KERNEL32(001A47FC,?,?,001959A9,00000000), ref: 0018B80C
      • Part of subcall function 0018B7FF: LeaveCriticalSection.KERNEL32(001A47FC,?,?,001959A9,00000000), ref: 0018B81A
    • Sleep.KERNEL32(000005DC), ref: 0018CB6D
    • WaitForSingleObject.KERNEL32(?,000005DC), ref: 0018CB76
    • lstrcpyA.KERNEL32 ref: 0018CBD4
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 0017B7D0: socket.WS2_32(?,?,00000006), ref: 0017B804
    • connect.WS2_32(?,?), ref: 0017BB93
    • WSAGetLastError.WS2_32(?,00000000,?,?,?,0018C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 0017BBA2
    • WSASetLastError.WS2_32(00000000), ref: 0017BC00
      • Part of subcall function 0017B979: shutdown.WS2_32(?,00000002), ref: 0017B987
      • Part of subcall function 0017B979: closesocket.WS2_32 ref: 0017B990
      • Part of subcall function 0017B979: WSACloseEvent.WS2_32 ref: 0017B9A3
      • Part of subcall function 0017B928: WSACreateEvent.WS2_32(00000000,?,0017BB6E,00000033,00000000,?,?,?,0018C4F0,?,00003A98,?,00000000,?,00000003), ref: 0017B93E
      • Part of subcall function 0017B928: WSAEventSelect.WS2_32(?,?,00000033), ref: 0017B954
      • Part of subcall function 0017B928: WSACloseEvent.WS2_32 ref: 0017B968
    • WSASetLastError.WS2_32(?,?,?,?,0018C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 0017BBC0
    • WSAGetLastError.WS2_32(?,?,?,0018C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 0017BBC2
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00C21F3C,?,?,?,0019B2F2,?,?,00000001), ref: 00178DEF
    • LeaveCriticalSection.KERNEL32(00C21F3C,?,?,?,0019B2F2,?,?,00000001), ref: 00178DF9
    • WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00178E1F
    • EnterCriticalSection.KERNEL32(00C21F3C,?,?,?,0019B2F2,?,?,00000001), ref: 00178E37
    • LeaveCriticalSection.KERNEL32(00C21F3C,?,?,?,0019B2F2,?,?,00000001), ref: 00178E41
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • memset.MSVCRT ref: 0017865F
      • Part of subcall function 00179F5F: memcpy.MSVCRT ref: 00179F99
    • CharLowerW.USER32 ref: 001786A3
    • CharUpperW.USER32(?,?,00000001), ref: 001786B4
    • CharLowerW.USER32 ref: 001786C8
    • CharUpperW.USER32(?,00000001), ref: 001786D2
    • memcmp.MSVCRT ref: 001786E7
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 00176A4D: TlsSetValue.KERNEL32(00000001,0018A796), ref: 00176A5A
      • Part of subcall function 0018CC26: ResetEvent.KERNEL32 ref: 0018CC42
    • WSAGetOverlappedResult.WS2_32(?,?,?,00000000), ref: 001981AA
    • WSAGetLastError.WS2_32(?,?,?,00000000), ref: 001981B4
    • WSAGetLastError.WS2_32(?,?,?,00000000), ref: 001982BD
    • WSAGetLastError.WS2_32(?,?,?,00000000), ref: 001982C6
    • UnregisterWait.KERNEL32(?), ref: 001982EB
    • TlsSetValue.KERNEL32(00000000), ref: 00198316
      • Part of subcall function 0018CC4F: memcpy.MSVCRT ref: 0018CC64
      • Part of subcall function 0018CC4F: SetEvent.KERNEL32 ref: 0018CC74
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • memset.MSVCRT ref: 0019BE2B
    • GetComputerNameW.KERNEL32 ref: 0019BE5F
    • GetVersionExW.KERNEL32 ref: 0019BE88
    • memset.MSVCRT ref: 0019BEA7
      • Part of subcall function 00190775: RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0019079C
      • Part of subcall function 00190755: RegFlushKey.ADVAPI32 ref: 00190765
      • Part of subcall function 00190755: RegCloseKey.ADVAPI32 ref: 0019076D
      • Part of subcall function 001993C4: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00199433
      • Part of subcall function 001993C4: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00199458
    • memset.MSVCRT ref: 0019BFAC
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
      • Part of subcall function 00199393: CryptDestroyHash.ADVAPI32 ref: 001993AB
      • Part of subcall function 00199393: CryptReleaseContext.ADVAPI32(?,00000000), ref: 001993BC
      • Part of subcall function 0019946B: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 001994AA
      • Part of subcall function 00190A1D: RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 00190A3A
      • Part of subcall function 001908A8: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00190903
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,?,00000004,0019FD90,00000000,?,?,?,?,?,?,?,0019EA72), ref: 0019FC78
    • HeapCreate.KERNEL32(00040001,00000000,00000000), ref: 0019FCB2
    • HeapAlloc.KERNEL32(?,00000000,0000000B,?,?,?,?,00000004,0019FD90,00000000), ref: 0019FCCF
    • HeapFree.KERNEL32(?,00000000,?,?,00000000,0000000B,?,?,?,?,00000004,0019FD90,00000000), ref: 0019FCF7
    • memcpy.MSVCRT ref: 0019FD07
      • Part of subcall function 00176D72: EnterCriticalSection.KERNEL32(001A468C,00000000,00184F6E,?,000000FF), ref: 00176D7E
      • Part of subcall function 00176D72: LeaveCriticalSection.KERNEL32(001A468C,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00C21EF0), ref: 00176D8E
      • Part of subcall function 00199DDC: GetCurrentThreadId.KERNEL32 ref: 00199DED
      • Part of subcall function 00199DDC: memcpy.MSVCRT ref: 00199F56
      • Part of subcall function 00199DDC: VirtualProtect.KERNEL32(?,?,00000040,00000000), ref: 00199FE2
      • Part of subcall function 00199DDC: GetLastError.KERNEL32(?,00000040,00000000,?,?,00000000), ref: 00199FEC
      • Part of subcall function 00176D9C: LeaveCriticalSection.KERNEL32(001A468C,00176E01,00000001,00000000,00000000,?,00184F82,00000001,00000000,?,000000FF), ref: 00176DA6
      • Part of subcall function 00176DAD: LeaveCriticalSection.KERNEL32(001A468C,?,00176E13,00000001,00000000,00000000,?,00184F82,00000001,00000000,?,000000FF), ref: 00176DBA
    • LeaveCriticalSection.KERNEL32(?,?,00000000,0000000B,?,?,?,?,00000004,0019FD90,00000000), ref: 0019FD4B
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,77C475F0), ref: 00188A9B
      • Part of subcall function 00197CEC: WaitForSingleObject.KERNEL32(?,00000000), ref: 00197CF8
    • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,77C475F0), ref: 00188B2D
      • Part of subcall function 00188626: getsockopt.WS2_32(?,0000FFFF,00001008,00169417,00169417), ref: 001886B2
      • Part of subcall function 00188626: GetHandleInformation.KERNEL32 ref: 001886C4
      • Part of subcall function 00188626: socket.WS2_32(?,00000001,00000006), ref: 001886F7
      • Part of subcall function 00188626: socket.WS2_32(?,00000002,00000011), ref: 00188708
      • Part of subcall function 00188626: closesocket.WS2_32(?), ref: 00188727
      • Part of subcall function 00188626: closesocket.WS2_32 ref: 0018872E
      • Part of subcall function 00188626: memset.MSVCRT ref: 001887F2
      • Part of subcall function 00188626: memcpy.MSVCRT ref: 00188902
    • SetEvent.KERNEL32 ref: 00188B80
    • SetEvent.KERNEL32 ref: 00188BB9
      • Part of subcall function 00197CD3: SetEvent.KERNEL32 ref: 00197CE3
    • LeaveCriticalSection.KERNEL32(?,?,?,?,77C475F0), ref: 00188C3E
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 0019ACAD: GetModuleHandleW.KERNEL32(00000000), ref: 0019ACF4
      • Part of subcall function 0019ACAD: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0019AD59
      • Part of subcall function 0019ACAD: Process32FirstW.KERNEL32 ref: 0019AD74
      • Part of subcall function 0019ACAD: PathFindFileNameW.SHLWAPI ref: 0019AD87
      • Part of subcall function 0019ACAD: StrCmpNIW.SHLWAPI(rapport,?,00000007), ref: 0019AD99
      • Part of subcall function 0019ACAD: Process32NextW.KERNEL32(?,?), ref: 0019ADA9
      • Part of subcall function 0019ACAD: CloseHandle.KERNEL32 ref: 0019ADB4
      • Part of subcall function 0019ACAD: WSAStartup.WS2_32(00000202), ref: 0019ADC4
      • Part of subcall function 0019ACAD: CreateEventW.KERNEL32(001A49B4,00000001,00000000,00000000), ref: 0019ADEC
      • Part of subcall function 0019ACAD: GetLengthSid.ADVAPI32(?,?,?,?,00000001), ref: 0019AE22
      • Part of subcall function 0019ACAD: GetCurrentProcessId.KERNEL32 ref: 0019AE4D
    • SetErrorMode.KERNEL32(00008007), ref: 0019B851
    • GetCommandLineW.KERNEL32 ref: 0019B85D
    • CommandLineToArgvW.SHELL32 ref: 0019B864
    • LocalFree.KERNEL32 ref: 0019B8A1
    • ExitProcess.KERNEL32(00000001), ref: 0019B8B2
      • Part of subcall function 0019B4AA: CreateMutexW.KERNEL32(001A49B4,00000001), ref: 0019B550
      • Part of subcall function 0019B4AA: GetLastError.KERNEL32(?,38901130,?,00000001,?,?,00000001,?,?,?,0019B8C7), ref: 0019B560
      • Part of subcall function 0019B4AA: CloseHandle.KERNEL32 ref: 0019B56E
      • Part of subcall function 0019B4AA: lstrlenW.KERNEL32 ref: 0019B5D0
      • Part of subcall function 0019B4AA: ExitWindowsEx.USER32(00000014,80000000), ref: 0019B615
      • Part of subcall function 0019B4AA: OpenEventW.KERNEL32(00000002,00000000), ref: 0019B63B
      • Part of subcall function 0019B4AA: SetEvent.KERNEL32 ref: 0019B648
      • Part of subcall function 0019B4AA: CloseHandle.KERNEL32 ref: 0019B64F
      • Part of subcall function 0019B4AA: Sleep.KERNEL32(00007530), ref: 0019B674
      • Part of subcall function 0019B4AA: InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000001,80000000), ref: 0019B68C
      • Part of subcall function 0019B4AA: Sleep.KERNEL32(000000FF), ref: 0019B694
      • Part of subcall function 0019B4AA: CloseHandle.KERNEL32 ref: 0019B697
      • Part of subcall function 0019B4AA: IsWellKnownSid.ADVAPI32(00C21EC0,00000016), ref: 0019B6E5
      • Part of subcall function 0019B4AA: CreateEventW.KERNEL32(001A49B4,00000001,00000000), ref: 0019B7B4
      • Part of subcall function 0019B4AA: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0019B7CD
      • Part of subcall function 0019B4AA: WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,000000FF), ref: 0019B7DF
      • Part of subcall function 0019B4AA: CloseHandle.KERNEL32(00000000), ref: 0019B7F6
      • Part of subcall function 0019B4AA: CloseHandle.KERNEL32(?), ref: 0019B7FC
      • Part of subcall function 0019B4AA: CloseHandle.KERNEL32(?), ref: 0019B802
    • Sleep.KERNEL32(000000FF), ref: 0019B8D8
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 0017BA34: getsockopt.WS2_32(?,0000FFFF,00002004), ref: 0017BA5A
      • Part of subcall function 00183A22: select.WS2_32(00000000,?,00000000,00000000), ref: 00183A81
      • Part of subcall function 00183A22: recv.WS2_32(?,?,?,00000000), ref: 00183A91
    • getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 0018EDB2
    • memcpy.MSVCRT ref: 0018EDEA
    • FreeAddrInfoW.WS2_32(?), ref: 0018EDF8
    • memset.MSVCRT ref: 0018EE13
      • Part of subcall function 0018EC55: getpeername.WS2_32(?,?,?), ref: 0018EC79
      • Part of subcall function 0018EC55: getsockname.WS2_32(?,?,?), ref: 0018EC91
      • Part of subcall function 0018EC55: send.WS2_32(00000000,00000000,00000008,00000000), ref: 0018ECC2
      • Part of subcall function 00183BBE: socket.WS2_32(?,00000001,00000006), ref: 00183BCA
      • Part of subcall function 00183BBE: bind.WS2_32 ref: 00183BE7
      • Part of subcall function 00183BBE: listen.WS2_32(?,00000001), ref: 00183BF4
      • Part of subcall function 00183BBE: WSAGetLastError.WS2_32(?,?,?,?,00000001,00000006,?,?,0018EE5F,?,?,?), ref: 00183BFE
      • Part of subcall function 00183BBE: closesocket.WS2_32 ref: 00183C07
      • Part of subcall function 00183BBE: WSASetLastError.WS2_32(?,?,?,?,?,?,00000001,00000006,?,?,0018EE5F,?,?,?), ref: 00183C0E
      • Part of subcall function 00183D73: accept.WS2_32(?,00000000), ref: 00183D94
      • Part of subcall function 00183AD3: socket.WS2_32(?,00000001,00000006), ref: 00183ADF
      • Part of subcall function 00183AD3: connect.WS2_32 ref: 00183AFC
      • Part of subcall function 00183AD3: closesocket.WS2_32 ref: 00183B07
      • Part of subcall function 0017C06E: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0017C082
      • Part of subcall function 00183C1C: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00183C44
      • Part of subcall function 00183C1C: recv.WS2_32(?,?,00000400,00000000), ref: 00183C70
      • Part of subcall function 00183C1C: send.WS2_32(?,?,?,00000000), ref: 00183C92
      • Part of subcall function 00183C1C: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00183CBF
      • Part of subcall function 00183D9E: shutdown.WS2_32(?,00000002), ref: 00183DA9
      • Part of subcall function 00183D9E: closesocket.WS2_32 ref: 00183DB0
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 0019868E: EnterCriticalSection.KERNEL32(001A5AA4,?,0019AA5B,?,0019ADD5,?,?,?,00000001), ref: 0019869E
      • Part of subcall function 0019868E: LeaveCriticalSection.KERNEL32(001A5AA4,?,0019AA5B,?,0019ADD5,?,?,?,00000001), ref: 001986C4
    • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 001854CE
    • GetProcAddress.KERNEL32(?,GetProductInfo), ref: 001854DE
    • GetSystemDefaultUILanguage.KERNEL32(?,?,?,001851C2), ref: 00185519
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • GetTempPathW.KERNEL32(00000104), ref: 00191B17
    • lstrcpyA.KERNEL32(?,0016C28A,00000000,00191DA8,?,?,?,00191DA8,?,?,?,?,?,?,?,0019A7AA), ref: 00191BAE
    • lstrcpynA.KERNEL32(?,?\C,00000003,?,0016C28A,00000000,00191DA8,?,?,?,00191DA8), ref: 00191BC4
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • VerQueryValueW.VERSION(?,\VarFileInfo\Translation), ref: 00184FEE
    • VerQueryValueW.VERSION(?,?,?,?,\VarFileInfo\Translation), ref: 0018505B
      • Part of subcall function 00179E88: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00179E9D
      • Part of subcall function 00179E88: StrCmpIW.SHLWAPI ref: 00179EA7
    Strings
    • \StringFileInfo\%04x%04x\%s, xrefs: 00185030
    • \VarFileInfo\Translation, xrefs: 00184FE7
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • GetProcAddress.KERNEL32(?,GdipCreateBitmapFromHBITMAP), ref: 0019129A
    • GetProcAddress.KERNEL32(?,GdipDisposeImage), ref: 001912A5
      • Part of subcall function 001912E6: GetProcAddress.KERNEL32(?,GdipGetImageEncodersSize), ref: 00191304
      • Part of subcall function 001912E6: GetProcAddress.KERNEL32(?,GdipGetImageEncoders), ref: 0019130F
      • Part of subcall function 001912E6: GetProcAddress.KERNEL32(?,GdipSaveImageToStream), ref: 0019131A
      • Part of subcall function 001912E6: lstrcmpiW.KERNEL32(?), ref: 001913A7
      • Part of subcall function 001912E6: memcpy.MSVCRT ref: 001913CA
      • Part of subcall function 001912E6: CreateStreamOnHGlobal.OLE32(00000000,00000001), ref: 001913F5
      • Part of subcall function 001912E6: memcpy.MSVCRT ref: 00191423
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0018A111), ref: 001893BE
    • LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0018A111), ref: 001894E9
      • Part of subcall function 00181A4F: memcmp.MSVCRT ref: 00181A6B
    • memcpy.MSVCRT ref: 00189419
    • LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0018A111,?,00000002), ref: 00189429
      • Part of subcall function 0018B7FF: EnterCriticalSection.KERNEL32(001A47FC,?,?,001959A9,00000000), ref: 0018B80C
      • Part of subcall function 0018B7FF: LeaveCriticalSection.KERNEL32(001A47FC,?,?,001959A9,00000000), ref: 0018B81A
    • EnterCriticalSection.KERNEL32(?,?,00000000,00000000,-00001388,?,00000000,00000000), ref: 0018945D
      • Part of subcall function 00196875: GetSystemTime.KERNEL32 ref: 0019687F
      • Part of subcall function 00181728: memcpy.MSVCRT ref: 00181771
      • Part of subcall function 00181858: memcpy.MSVCRT ref: 00181935
      • Part of subcall function 00181858: memcpy.MSVCRT ref: 00181956
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00183C44
    • recv.WS2_32(?,?,00000400,00000000), ref: 00183C70
    • send.WS2_32(?,?,?,00000000), ref: 00183C92
    • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00183CBF
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,00182B51,00000005,00007530,?,00000000,00000000), ref: 00178CC7
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00178CEB
    • CloseHandle.KERNEL32 ref: 00178CFB
      • Part of subcall function 001824F3: HeapAlloc.KERNEL32(00000000,?,?,?,00176328,?,?,00198D10,?,?,?,?,0000FFFF), ref: 0018251D
      • Part of subcall function 001824F3: HeapReAlloc.KERNEL32(00000000,?,?,?,?,00176328,?,?,00198D10,?,?,?,?,0000FFFF), ref: 00182530
    • LeaveCriticalSection.KERNEL32(?,?,?,?,00182B51,00000005,00007530,?,00000000,00000000), ref: 00178D2B
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,?,00177F4D,00000001,?,00000001,?), ref: 0017A655
    • memcpy.MSVCRT ref: 0017A6D1
    • memcpy.MSVCRT ref: 0017A6E5
    • memcpy.MSVCRT ref: 0017A70F
    • LeaveCriticalSection.KERNEL32(?,?,?,00000001,?,?,?,?,00177F4D,00000001,?,00000001,?), ref: 0017A735
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(Function_00065AA4), ref: 001827D6
    • LeaveCriticalSection.KERNEL32(Function_00065AA4), ref: 001827FC
      • Part of subcall function 0018275F: InitializeCriticalSection.KERNEL32(001A50C8), ref: 00182764
      • Part of subcall function 0018275F: memset.MSVCRT ref: 00182773
    • EnterCriticalSection.KERNEL32(001A50C8), ref: 00182807
    • LeaveCriticalSection.KERNEL32(001A50C8), ref: 0018287F
      • Part of subcall function 0018B1FD: PathRenameExtensionW.SHLWAPI ref: 0018B26F
      • Part of subcall function 0018B286: memset.MSVCRT ref: 0018B42B
      • Part of subcall function 0018B286: memcpy.MSVCRT ref: 0018B457
      • Part of subcall function 0018B286: CreateFileW.KERNEL32(0016AF54,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 0018B55C
      • Part of subcall function 0018B286: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0018B578
    • Sleep.KERNEL32(000007D0), ref: 00182872
      • Part of subcall function 0018B61E: memset.MSVCRT ref: 0018B640
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • LoadLibraryW.KERNEL32 ref: 00194736
    • GetProcAddress.KERNEL32 ref: 0019475E
    • StrChrA.SHLWAPI(?,00000040), ref: 00194885
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
    • StrChrW.SHLWAPI(?,00000040,?,?,?,?,?,?,?,?,00000000,00000000,?,?,?,00000000), ref: 00194866
      • Part of subcall function 0018D12D: lstrlenW.KERNEL32(0016C448), ref: 0018D149
      • Part of subcall function 0018D12D: lstrlenW.KERNEL32 ref: 0018D14F
      • Part of subcall function 0018D12D: memcpy.MSVCRT ref: 0018D173
    • FreeLibrary.KERNEL32 ref: 0019496B
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • memcpy.MSVCRT ref: 0018DA9F
      • Part of subcall function 0018D8E8: memcpy.MSVCRT ref: 0018D8FF
      • Part of subcall function 0018D8E8: CharLowerA.USER32 ref: 0018D9CA
      • Part of subcall function 0018D8E8: CharLowerA.USER32(?), ref: 0018D9DA
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 0017BDD5: WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,00177A9F,?,00000005), ref: 0017BE0B
      • Part of subcall function 0017BDD5: WSASetLastError.WS2_32(00002775,?,?,?,?,?,?,?,?,00177A9F,?,00000005), ref: 0017BE6F
    • memcmp.MSVCRT ref: 00177AB8
    • memcmp.MSVCRT ref: 00177AD0
    • memcpy.MSVCRT ref: 00177B05
      • Part of subcall function 0018DE94: memcpy.MSVCRT ref: 0018DEA1
      • Part of subcall function 0018E043: memcpy.MSVCRT ref: 0018E070
      • Part of subcall function 0018ADFE: EnterCriticalSection.KERNEL32(?,?,00000002,?,?,00177BF5,?,?,00000000,?,00000001,?,0000002C,?,0000002C), ref: 0018AE37
      • Part of subcall function 0018ADFE: LeaveCriticalSection.KERNEL32(0000002C,?,?,00000002,?,?,00177BF5,?,?,00000000,?,00000001,?,0000002C,?,0000002C), ref: 0018AE5B
      • Part of subcall function 00177A05: GetTickCount.KERNEL32 ref: 00177A12
      • Part of subcall function 0017BAC9: memset.MSVCRT ref: 0017BADE
      • Part of subcall function 0017BAC9: getsockname.WS2_32(?,00177C25), ref: 0017BAF1
      • Part of subcall function 0017C091: memcmp.MSVCRT ref: 0017C0B3
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 00181B16: EnterCriticalSection.KERNEL32(001A5AA4,?,00188DDC,?,?,?,?,0019B233,?,00000001), ref: 00181B26
      • Part of subcall function 00181B16: LeaveCriticalSection.KERNEL32(001A5AA4,?,00188DDC,?,?,?,?,0019B233,?,00000001), ref: 00181B50
    • memset.MSVCRT ref: 00188E0A
    • memset.MSVCRT ref: 00188E16
    • memset.MSVCRT ref: 00188E22
    • InitializeCriticalSection.KERNEL32 ref: 00188E3A
    • InitializeCriticalSection.KERNEL32 ref: 00188E55
    • InitializeCriticalSection.KERNEL32 ref: 00188E92
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00C227EC,3D920700), ref: 00196D43
      • Part of subcall function 00196A55: GetTickCount.KERNEL32 ref: 00196A5D
    • LeaveCriticalSection.KERNEL32(00C227EC), ref: 00196F22
      • Part of subcall function 00196BBC: IsBadReadPtr.KERNEL32 ref: 00196C88
      • Part of subcall function 00196BBC: IsBadReadPtr.KERNEL32 ref: 00196CA7
    • getservbyname.WS2_32(?,00000000), ref: 00196DBD
      • Part of subcall function 001972A6: memcpy.MSVCRT ref: 0019747A
      • Part of subcall function 001972A6: memcpy.MSVCRT ref: 0019757A
      • Part of subcall function 00196F86: memcpy.MSVCRT ref: 0019715A
      • Part of subcall function 00196F86: memcpy.MSVCRT ref: 0019725A
    • memcpy.MSVCRT ref: 00196E9C
      • Part of subcall function 0019570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0019ABEA,0019ABEA), ref: 0019573C
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
      • Part of subcall function 001969E1: TlsAlloc.KERNEL32(00C227EC,00196EB9,?,?,?,?,00C227E0), ref: 001969EA
      • Part of subcall function 001969E1: TlsGetValue.KERNEL32(?,00000001,00C227EC), ref: 001969FC
      • Part of subcall function 001969E1: TlsSetValue.KERNEL32(?,?), ref: 00196A41
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • lstrcmpA.KERNEL32(?,?\C), ref: 001919C6
    • lstrcpyW.KERNEL32(001917B0), ref: 001919DC
    • lstrcmpA.KERNEL32(?,0016C28C), ref: 001919EC
    • StrCmpNA.SHLWAPI(?,0016C284,00000002), ref: 00191A06
      • Part of subcall function 0019570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0019ABEA,0019ABEA), ref: 0019573C
      • Part of subcall function 00178F6F: memcpy.MSVCRT ref: 00178FE0
      • Part of subcall function 00178F6F: PathRemoveBackslashW.SHLWAPI ref: 00178FEA
      • Part of subcall function 00178F6F: memcpy.MSVCRT ref: 00179033
      • Part of subcall function 00178F6F: memcpy.MSVCRT ref: 00179060
      • Part of subcall function 00178F6F: PathRemoveBackslashW.SHLWAPI ref: 0017906A
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • CertOpenSystemStoreW.CRYPT32(00000000), ref: 00187AC3
    • CertDuplicateCertificateContext.CRYPT32(?,?,00000000), ref: 00187AD4
    • CertDeleteCertificateFromStore.CRYPT32(?,?,?,00000000), ref: 00187ADF
    • CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00187AE7
    • CertCloseStore.CRYPT32(?,00000000,?,00000000), ref: 00187AF5
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 00190775: RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0019079C
    • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00190B87
    • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00190BF1
    • RegFlushKey.ADVAPI32(?), ref: 00190C1F
    • RegCloseKey.ADVAPI32(?), ref: 00190C26
      • Part of subcall function 00190A9D: EnterCriticalSection.KERNEL32(Function_00065AA4,?,?,?,00190C47,?,?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00190AB3
      • Part of subcall function 00190A9D: LeaveCriticalSection.KERNEL32(Function_00065AA4,?,?,?,00190C47,?,?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00190ADB
      • Part of subcall function 00190A9D: GetModuleHandleW.KERNEL32(advapi32.dll), ref: 00190AF7
      • Part of subcall function 00190A9D: GetProcAddress.KERNEL32 ref: 00190AFE
      • Part of subcall function 00190A9D: RegDeleteKeyW.ADVAPI32(?), ref: 00190B20
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
      • Part of subcall function 001824DA: HeapAlloc.KERNEL32(00000008,?,?,0017B076,?,?,?,00000000,?,?,00000000,0019AA69,?,0019ADD5), ref: 001824EB
      • Part of subcall function 00190755: RegFlushKey.ADVAPI32 ref: 00190765
      • Part of subcall function 00190755: RegCloseKey.ADVAPI32 ref: 0019076D
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,?,00185B49), ref: 00176470
      • Part of subcall function 00184269: CoCreateInstance.OLE32(?,00000000,00004401,?,?), ref: 0018427E
    • #2.OLEAUT32(?,00000000,?,?,?,00185B49), ref: 001764A4
    • #6.OLEAUT32(?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00185B49), ref: 001764D9
    • CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 001764F9
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • memcpy.MSVCRT ref: 00183CFD
    • memcpy.MSVCRT ref: 00183D1A
    • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00183D30
    • WSASetLastError.WS2_32(0000274C,?,00000000,00000000,00000000), ref: 00183D3F
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 00181B5D: memcmp.MSVCRT ref: 00181B69
      • Part of subcall function 00181B79: memset.MSVCRT ref: 00181B87
      • Part of subcall function 00181B79: memcpy.MSVCRT ref: 00181BA8
      • Part of subcall function 00181B79: memcpy.MSVCRT ref: 00181BCE
      • Part of subcall function 00181B79: memcpy.MSVCRT ref: 00181BF2
    • TryEnterCriticalSection.KERNEL32 ref: 00189289
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
    • LeaveCriticalSection.KERNEL32 ref: 00189303
    • EnterCriticalSection.KERNEL32 ref: 00189322
      • Part of subcall function 00181A4F: memcmp.MSVCRT ref: 00181A6B
    • LeaveCriticalSection.KERNEL32(?,?,00000001), ref: 0018936E
      • Part of subcall function 00181858: memcpy.MSVCRT ref: 00181935
      • Part of subcall function 00181858: memcpy.MSVCRT ref: 00181956
      • Part of subcall function 00196875: GetSystemTime.KERNEL32 ref: 0019687F
      • Part of subcall function 00181728: memcpy.MSVCRT ref: 00181771
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • GetUserNameExW.SECUR32(00000002), ref: 00183303
    • GetSystemTime.KERNEL32 ref: 00183356
    • CharLowerW.USER32(?), ref: 001833A6
    • PathRenameExtensionW.SHLWAPI(?), ref: 001833D6
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 00198867: EnterCriticalSection.KERNEL32(001A5AA4,00C21E90,00198AE4,?,00C21E90), ref: 00198877
      • Part of subcall function 00198867: LeaveCriticalSection.KERNEL32(001A5AA4,?,00C21E90), ref: 001988A6
      • Part of subcall function 00184FD0: VerQueryValueW.VERSION(?,\VarFileInfo\Translation), ref: 00184FEE
      • Part of subcall function 00184FD0: VerQueryValueW.VERSION(?,?,?,?,\VarFileInfo\Translation), ref: 0018505B
    • GetCommandLineW.KERNEL32 ref: 00198B5E
    • CommandLineToArgvW.SHELL32 ref: 00198B65
    • LocalFree.KERNEL32 ref: 00198BA5
      • Part of subcall function 001824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0019D211,?,?,00000000,?,?,00000001), ref: 001824D2
    • GetModuleHandleW.KERNEL32(?), ref: 00198BE7
      • Part of subcall function 00198DFE: PathFindFileNameW.SHLWAPI(00000000), ref: 00198E3F
      • Part of subcall function 001983AF: InitializeCriticalSection.KERNEL32 ref: 001983CF
      • Part of subcall function 00179E88: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00179E9D
      • Part of subcall function 00179E88: StrCmpIW.SHLWAPI ref: 00179EA7
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,77C475F0,?,?,?,?,?,0018984D,?,?,00000000,?,?,00000590), ref: 00188C7F
      • Part of subcall function 00197CEC: WaitForSingleObject.KERNEL32(?,00000000), ref: 00197CF8
    • memcmp.MSVCRT ref: 00188CCD
      • Part of subcall function 00175A03: memcpy.MSVCRT ref: 00175A39
      • Part of subcall function 00175A03: memcpy.MSVCRT ref: 00175A4D
      • Part of subcall function 00175A03: memset.MSVCRT ref: 00175A5B
    • SetEvent.KERNEL32 ref: 00188D0E
    • LeaveCriticalSection.KERNEL32(?,?,77C475F0,?,?,?,?,?,0018984D,?,?,00000000,?,?,00000590), ref: 00188D3B
      • Part of subcall function 00199175: EnterCriticalSection.KERNEL32(?,?,?,?,00189116,?), ref: 0019917B
      • Part of subcall function 00199175: memcmp.MSVCRT ref: 001991A7
      • Part of subcall function 00199175: memcpy.MSVCRT ref: 001991F2
      • Part of subcall function 00199175: LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,00000000), ref: 001991FE
      • Part of subcall function 0018920C: TryEnterCriticalSection.KERNEL32 ref: 00189289
      • Part of subcall function 0018920C: LeaveCriticalSection.KERNEL32 ref: 00189303
      • Part of subcall function 0018920C: EnterCriticalSection.KERNEL32 ref: 00189322
      • Part of subcall function 0018920C: LeaveCriticalSection.KERNEL32(?,?,00000001), ref: 0018936E
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002,001A3210), ref: 001A297C
    • DuplicateHandle.KERNEL32(000000FF,?,?,00000000,00000000,00000002), ref: 001A299C
      • Part of subcall function 001824DA: HeapAlloc.KERNEL32(00000008,?,?,0017B076,?,?,?,00000000,?,?,00000000,0019AA69,?,0019ADD5), ref: 001824EB
      • Part of subcall function 0019D990: memset.MSVCRT ref: 0019D9D3
      • Part of subcall function 0018204E: memcpy.MSVCRT ref: 0018205C
      • Part of subcall function 0018222C: memcpy.MSVCRT ref: 00182268
      • Part of subcall function 0018222C: memcpy.MSVCRT ref: 0018227D
      • Part of subcall function 0018222C: memcpy.MSVCRT ref: 001822BA
      • Part of subcall function 0018222C: memcpy.MSVCRT ref: 001822F2
    • memset.MSVCRT ref: 001A2A39
    • memcpy.MSVCRT ref: 001A2A4B
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • HttpQueryInfoA.WININET(?,0000FFFF,?,?,?), ref: 0019D0BF
    • GetLastError.KERNEL32(?,?,?,00000000,3D94878D,00000000,3D94878D,001979EF,?,?,?,?,00000000,?,?,0000203A), ref: 0019D0C5
      • Part of subcall function 001824DA: HeapAlloc.KERNEL32(00000008,?,?,0017B076,?,?,?,00000000,?,?,00000000,0019AA69,?,0019ADD5), ref: 001824EB
    • memcpy.MSVCRT ref: 0019D0F0
    • HttpQueryInfoA.WININET(?,0000FFFF,?,?,?), ref: 0019D109
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 0018B7FF: EnterCriticalSection.KERNEL32(001A47FC,?,?,001959A9,00000000), ref: 0018B80C
      • Part of subcall function 0018B7FF: LeaveCriticalSection.KERNEL32(001A47FC,?,?,001959A9,00000000), ref: 0018B81A
    • QueryPerformanceCounter.KERNEL32 ref: 00197D3C
    • GetTickCount.KERNEL32 ref: 00197D49
      • Part of subcall function 00181B16: EnterCriticalSection.KERNEL32(001A5AA4,?,00188DDC,?,?,?,?,0019B233,?,00000001), ref: 00181B26
      • Part of subcall function 00181B16: LeaveCriticalSection.KERNEL32(001A5AA4,?,00188DDC,?,?,?,?,0019B233,?,00000001), ref: 00181B50
      • Part of subcall function 001993C4: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00199433
      • Part of subcall function 001993C4: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00199458
    • memset.MSVCRT ref: 00197D9D
    • memcpy.MSVCRT ref: 00197DAD
      • Part of subcall function 00199393: CryptDestroyHash.ADVAPI32 ref: 001993AB
      • Part of subcall function 00199393: CryptReleaseContext.ADVAPI32(?,00000000), ref: 001993BC
      • Part of subcall function 0019946B: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 001994AA
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • memcpy.MSVCRT ref: 00179894
      • Part of subcall function 0018204E: memcpy.MSVCRT ref: 0018205C
    • memcmp.MSVCRT ref: 001798B6
      • Part of subcall function 0019570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0019ABEA,0019ABEA), ref: 0019573C
    • lstrcmpiW.KERNEL32(00000000,000000FF), ref: 0017990F
      • Part of subcall function 00178F6F: memcpy.MSVCRT ref: 00178FE0
      • Part of subcall function 00178F6F: PathRemoveBackslashW.SHLWAPI ref: 00178FEA
      • Part of subcall function 00178F6F: memcpy.MSVCRT ref: 00179033
      • Part of subcall function 00178F6F: memcpy.MSVCRT ref: 00179060
      • Part of subcall function 00178F6F: PathRemoveBackslashW.SHLWAPI ref: 0017906A
    Strings
    • C:\Documents and Settings\Administrator\Local Settings\Temp, xrefs: 001798DF
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • PathSkipRootW.SHLWAPI ref: 001790CD
    • GetFileAttributesW.KERNEL32(00000000), ref: 001790FA
    • CreateDirectoryW.KERNEL32(?,00000000), ref: 0017910E
    • SetLastError.KERNEL32(00000050,?,?,00000000), ref: 00179131
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 001754F7
    • UnhandledExceptionFilter.KERNEL32(00146DB4), ref: 00175502
    • GetCurrentProcess.KERNEL32 ref: 0017550D
    • TerminateProcess.KERNEL32 ref: 00175514
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 00179219: CharLowerW.USER32(?), ref: 001792D4
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
    • ExitWindowsEx.USER32(00000014,80000000), ref: 0018A47D
    • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,?,80000000), ref: 0018A4BD
      • Part of subcall function 00179BC4: PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00179C2E
      • Part of subcall function 00179BC4: PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00179C75
      • Part of subcall function 00179BC4: SetEvent.KERNEL32 ref: 00179C84
      • Part of subcall function 00179BC4: WaitForSingleObject.KERNEL32 ref: 00179C95
      • Part of subcall function 00179BC4: CharToOemW.USER32 ref: 00179D26
      • Part of subcall function 00179BC4: CharToOemW.USER32 ref: 00179D36
      • Part of subcall function 00179BC4: ExitProcess.KERNEL32(00000000,?,?,00000014,?,?,00000014), ref: 00179D9A
      • Part of subcall function 0019D5A0: EnterCriticalSection.KERNEL32(Function_00065AA4,00000000,?,?,001793C9), ref: 0019D5B6
      • Part of subcall function 0019D5A0: LeaveCriticalSection.KERNEL32(Function_00065AA4,?,?,001793C9), ref: 0019D5DC
      • Part of subcall function 0019D5A0: CreateMutexW.KERNEL32(001A49B4,00000000,Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44}), ref: 0019D5EE
      • Part of subcall function 0017766D: ReleaseMutex.KERNEL32 ref: 00177671
      • Part of subcall function 0017766D: CloseHandle.KERNEL32 ref: 00177678
    • ExitWindowsEx.USER32(00000014,80000000), ref: 0018A4D0
      • Part of subcall function 0017AF99: GetCurrentThread.KERNEL32 ref: 0017AFAD
      • Part of subcall function 0017AF99: OpenThreadToken.ADVAPI32 ref: 0017AFB4
      • Part of subcall function 0017AF99: GetCurrentProcess.KERNEL32 ref: 0017AFC4
      • Part of subcall function 0017AF99: OpenProcessToken.ADVAPI32 ref: 0017AFCB
      • Part of subcall function 0017AF99: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege), ref: 0017AFEC
      • Part of subcall function 0017AF99: AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 0017B001
      • Part of subcall function 0017AF99: GetLastError.KERNEL32 ref: 0017B00B
      • Part of subcall function 0017AF99: CloseHandle.KERNEL32(00000001), ref: 0017B01C
      • Part of subcall function 00179395: memcpy.MSVCRT ref: 001793B5
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • GetLastError.KERNEL32(3D920680,?,0017652A), ref: 00176E21
      • Part of subcall function 0019AFD3: WaitForSingleObject.KERNEL32(00000000,0018A849), ref: 0019AFDB
    • TlsGetValue.KERNEL32(?,?,0017652A), ref: 00176E3E
    • TlsSetValue.KERNEL32(00000001), ref: 00176E50
    • SetLastError.KERNEL32(?,?,0017652A), ref: 00176E60
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 0018204E: memcpy.MSVCRT ref: 0018205C
      • Part of subcall function 0019570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0019ABEA,0019ABEA), ref: 0019573C
    • lstrcatW.KERNEL32(?,.dat), ref: 00187BA0
    • lstrlenW.KERNEL32 ref: 00187BB5
      • Part of subcall function 001883CA: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 001883E6
      • Part of subcall function 001883CA: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00188409
      • Part of subcall function 001883CA: CloseHandle.KERNEL32 ref: 00188416
      • Part of subcall function 00195E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00195E26
      • Part of subcall function 00195E1D: DeleteFileW.KERNEL32 ref: 00195E2D
      • Part of subcall function 00178F6F: memcpy.MSVCRT ref: 00178FE0
      • Part of subcall function 00178F6F: PathRemoveBackslashW.SHLWAPI ref: 00178FEA
      • Part of subcall function 00178F6F: memcpy.MSVCRT ref: 00179033
      • Part of subcall function 00178F6F: memcpy.MSVCRT ref: 00179060
      • Part of subcall function 00178F6F: PathRemoveBackslashW.SHLWAPI ref: 0017906A
    Strings
    • .dat, xrefs: 00187B94
    • C:\Documents and Settings\Administrator\Local Settings\Application Data, xrefs: 00187B5E
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • shutdown.WS2_32(?,00000001), ref: 0017B9BD
    • WSAGetLastError.WS2_32(?,00000020,?,00000001,?,?,?,?,?,?,?,00186970,?,?,?,00002710), ref: 0017B9DE
    • WSASetLastError.WS2_32(00000000,?,00002710,?,?,00000020,?,00000001), ref: 0017BA23
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 0017B764: EnterCriticalSection.KERNEL32(Function_00065AA4,?,0017B826,?,0019C86A,0018C4AB,0018C4AB,?,0018C4AB,?,00000001), ref: 0017B774
      • Part of subcall function 0017B764: LeaveCriticalSection.KERNEL32(Function_00065AA4,?,0017B826,?,0019C86A,0018C4AB,0018C4AB,?,0018C4AB,?,00000001), ref: 0017B79E
    • WSAAddressToStringA.WS2_32(?,?,00000000,?,?), ref: 0017C22E
    • lstrcpyA.KERNEL32(?,0:0,?,?,00000000,?,?,?,?,?,?,00186A4A), ref: 0017C23E
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,00177A9F,?,00000005), ref: 0017BE0B
    • WSASetLastError.WS2_32(00002775,?,?,?,?,?,?,?,?,00177A9F,?,00000005), ref: 0017BE6F
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • memcmp.MSVCRT ref: 0018C385
    • memcpy.MSVCRT ref: 0018C486
      • Part of subcall function 0017BB55: connect.WS2_32(?,?), ref: 0017BB93
      • Part of subcall function 0017BB55: WSAGetLastError.WS2_32(?,00000000,?,?,?,0018C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 0017BBA2
      • Part of subcall function 0017BB55: WSASetLastError.WS2_32(?,?,?,?,0018C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 0017BBC0
      • Part of subcall function 0017BB55: WSAGetLastError.WS2_32(?,?,?,0018C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 0017BBC2
      • Part of subcall function 0017BB55: WSASetLastError.WS2_32(00000000), ref: 0017BC00
    • memcmp.MSVCRT ref: 0018C583
      • Part of subcall function 0017BEC0: WSAGetLastError.WS2_32 ref: 0017BEF6
      • Part of subcall function 0017BEC0: WSASetLastError.WS2_32(?,?,?,?), ref: 0017BF3E
      • Part of subcall function 0018C0DA: memcmp.MSVCRT ref: 0018C11A
      • Part of subcall function 0019DABF: memset.MSVCRT ref: 0019DACF
      • Part of subcall function 0019DABF: memcpy.MSVCRT ref: 0019DAF8
    • memset.MSVCRT ref: 0018C5E0
    • memcpy.MSVCRT ref: 0018C5F1
      • Part of subcall function 0019DB11: memcpy.MSVCRT ref: 0019DB22
      • Part of subcall function 0018C02F: memcmp.MSVCRT ref: 0018C06B
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
      • Part of subcall function 001824DA: HeapAlloc.KERNEL32(00000008,?,?,0017B076,?,?,?,00000000,?,?,00000000,0019AA69,?,0019ADD5), ref: 001824EB
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • memset.MSVCRT ref: 0017785D
      • Part of subcall function 00181B5D: memcmp.MSVCRT ref: 00181B69
      • Part of subcall function 001819AE: memcmp.MSVCRT ref: 00181A24
      • Part of subcall function 00181821: memcpy.MSVCRT ref: 00181848
      • Part of subcall function 00181728: memcpy.MSVCRT ref: 00181771
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
    • memset.MSVCRT ref: 001778F1
    • memcpy.MSVCRT ref: 00177904
    • memcpy.MSVCRT ref: 00177926
    • memcpy.MSVCRT ref: 00177946
      • Part of subcall function 0018B7FF: EnterCriticalSection.KERNEL32(001A47FC,?,?,001959A9,00000000), ref: 0018B80C
      • Part of subcall function 0018B7FF: LeaveCriticalSection.KERNEL32(001A47FC,?,?,001959A9,00000000), ref: 0018B81A
      • Part of subcall function 00188F55: EnterCriticalSection.KERNEL32(?,?,00000002,00000001,?,?,0018914A,?,?,?,?,?,?,00000000,?), ref: 00188FAF
      • Part of subcall function 00188F55: SetEvent.KERNEL32 ref: 0018900A
      • Part of subcall function 00188F55: LeaveCriticalSection.KERNEL32 ref: 00189017
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • memset.MSVCRT ref: 0019D03A
    • InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 0019D05C
      • Part of subcall function 0019D133: SetLastError.KERNEL32(00000008,?,?,00000000,0019D06E,?,?,00000000), ref: 0019D15C
      • Part of subcall function 0019D133: memcpy.MSVCRT ref: 0019D17C
      • Part of subcall function 0019D133: memcpy.MSVCRT ref: 0019D1B4
      • Part of subcall function 0019D133: memcpy.MSVCRT ref: 0019D1CC
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 00181FEC: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000), ref: 00181FFF
      • Part of subcall function 00181FEC: GetLastError.KERNEL32(?,001A49A8,00000000,?,?,0017AF07,?,00000008,?,?,?,?,?,00000000,0019AE13), ref: 00182009
      • Part of subcall function 00181FEC: GetTokenInformation.ADVAPI32(?,00000001,?,?), ref: 00182031
    • EqualSid.ADVAPI32(?,5B867A00), ref: 0017952F
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
      • Part of subcall function 0017B1DE: LoadLibraryA.KERNEL32(userenv.dll), ref: 0017B1EE
      • Part of subcall function 0017B1DE: GetProcAddress.KERNEL32(?,CreateEnvironmentBlock), ref: 0017B20C
      • Part of subcall function 0017B1DE: GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 0017B218
      • Part of subcall function 0017B1DE: memset.MSVCRT ref: 0017B258
      • Part of subcall function 0017B1DE: CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,00000000), ref: 0017B2A5
      • Part of subcall function 0017B1DE: CloseHandle.KERNEL32(?), ref: 0017B2B9
      • Part of subcall function 0017B1DE: CloseHandle.KERNEL32(?), ref: 0017B2BF
      • Part of subcall function 0017B1DE: FreeLibrary.KERNEL32 ref: 0017B2D3
    • CloseHandle.KERNEL32(00000001), ref: 00179576
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 00181B16: EnterCriticalSection.KERNEL32(001A5AA4,?,00188DDC,?,?,?,?,0019B233,?,00000001), ref: 00181B26
      • Part of subcall function 00181B16: LeaveCriticalSection.KERNEL32(001A5AA4,?,00188DDC,?,?,?,?,0019B233,?,00000001), ref: 00181B50
    • memcmp.MSVCRT ref: 0018BE99
      • Part of subcall function 00196875: GetSystemTime.KERNEL32 ref: 0019687F
    • memcmp.MSVCRT ref: 0018BEF8
      • Part of subcall function 00182543: HeapAlloc.KERNEL32(00000008,?,?,00000000,0018D89F,?,?,?,00000000,00000000,00000000,0018D869,?,0017B3C7,?,@echo off%sdel /F "%s"), ref: 0018256D
      • Part of subcall function 00182543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0018D89F,?,?,?,00000000,00000000,00000000,0018D869,?,0017B3C7), ref: 00182580
    • memset.MSVCRT ref: 0018BF8A
    • memcpy.MSVCRT ref: 0018BFB7
    • memcmp.MSVCRT ref: 0018BFEE
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 001824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0019D211,?,?,00000000,?,?,00000001), ref: 001824D2
      • Part of subcall function 00197C35: memset.MSVCRT ref: 00197C5D
    • memcpy.MSVCRT ref: 00191167
      • Part of subcall function 00197CAE: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00197CBE
    • memcpy.MSVCRT ref: 001910E2
    • memcpy.MSVCRT ref: 001910FA
      • Part of subcall function 00197DC3: memcpy.MSVCRT ref: 00197DE3
      • Part of subcall function 00197DC3: memcpy.MSVCRT ref: 00197E0F
    • memcpy.MSVCRT ref: 00191156
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 00179F04: StrCmpNA.SHLWAPI(Basic ,?,00000000), ref: 00179F19
      • Part of subcall function 00179F04: lstrcmpA.KERNEL32(Basic ,?,001954A4,00000006,Authorization,?,?,?), ref: 00179F23
    • StrChrA.SHLWAPI(?,0000003A), ref: 001954F6
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • memset.MSVCRT ref: 001A2F5F
    • memcpy.MSVCRT ref: 001A2FBF
    • memcpy.MSVCRT ref: 001A2FD7
      • Part of subcall function 00182070: memset.MSVCRT ref: 00182084
      • Part of subcall function 0019A7D7: memset.MSVCRT ref: 0019A862
      • Part of subcall function 0019570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0019ABEA,0019ABEA), ref: 0019573C
    • memcpy.MSVCRT ref: 001A304D
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • GetFileAttributesW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data), ref: 00195CB1
    • CreateFileW.KERNEL32(C:\Documents and Settings\Administrator\Local Settings\Application Data,80000000,00000007,00000000,00000003,?,00000000), ref: 00195CD1
      • Part of subcall function 00195934: CloseHandle.KERNEL32 ref: 00195940
      • Part of subcall function 00195BE4: memcpy.MSVCRT ref: 00195C25
      • Part of subcall function 00195BE4: memcpy.MSVCRT ref: 00195C38
      • Part of subcall function 00195BE4: memcpy.MSVCRT ref: 00195C4B
      • Part of subcall function 00195BE4: memcpy.MSVCRT ref: 00195C56
      • Part of subcall function 00195BE4: GetFileTime.KERNEL32(?,?,?), ref: 00195C7A
      • Part of subcall function 00195BE4: memcpy.MSVCRT ref: 00195C90
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 0017C942: EnterCriticalSection.KERNEL32(001A5AA4,?,0017CE31,00C21E90,0019D393), ref: 0017C952
      • Part of subcall function 0017C942: LeaveCriticalSection.KERNEL32(001A5AA4,?,0017CE31,00C21E90,0019D393), ref: 0017C987
    • VerQueryValueW.VERSION(?,0016AE74,?,?,00C21E90,0019D393), ref: 0017CE44
    • GetModuleHandleW.KERNEL32(?), ref: 0017CE85
      • Part of subcall function 0017CE9F: PathFindFileNameW.SHLWAPI(00000000), ref: 0017CEE3
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • memcpy.MSVCRT ref: 00182268
    • memcpy.MSVCRT ref: 0018227D
      • Part of subcall function 0019570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0019ABEA,0019ABEA), ref: 0019573C
    • memcpy.MSVCRT ref: 001822BA
    • memcpy.MSVCRT ref: 001822F2
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 001824DA: HeapAlloc.KERNEL32(00000008,?,?,0017B076,?,?,?,00000000,?,?,00000000,0019AA69,?,0019ADD5), ref: 001824EB
    • SetLastError.KERNEL32(00000008,?,?,00000000,0019D06E,?,?,00000000), ref: 0019D15C
    • memcpy.MSVCRT ref: 0019D17C
    • memcpy.MSVCRT ref: 0019D1B4
    • memcpy.MSVCRT ref: 0019D1CC
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,?,00189116,?), ref: 0019917B
    • memcmp.MSVCRT ref: 001991A7
    • memcpy.MSVCRT ref: 001991F2
    • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,00000000), ref: 001991FE
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • memset.MSVCRT ref: 0019FEF5
    • InitializeCriticalSection.KERNEL32(001A5050), ref: 0019FF05
      • Part of subcall function 0018204E: memcpy.MSVCRT ref: 0018205C
    • memset.MSVCRT ref: 0019FF34
    • InitializeCriticalSection.KERNEL32(001A5030), ref: 0019FF3E
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • VirtualAlloc.KERNEL32(00000000,00006000,00003000,00000040), ref: 0016CAC5
    • LoadLibraryA.KERNEL32 ref: 0016CBAE
    • GetProcAddress.KERNEL32(00000000), ref: 0016CBD8
    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0016CC0A
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 001826C5: memset.MSVCRT ref: 001826D5
    • lstrlenA.KERNEL32(?), ref: 0018304D
    • lstrlenA.KERNEL32 ref: 0018305C
      • Part of subcall function 0018D8E8: memcpy.MSVCRT ref: 0018D8FF
      • Part of subcall function 0018D8E8: CharLowerA.USER32 ref: 0018D9CA
      • Part of subcall function 0018D8E8: CharLowerA.USER32(?), ref: 0018D9DA
      • Part of subcall function 0018D8E8: memcpy.MSVCRT ref: 0018DA9F
      • Part of subcall function 0018260E: memcpy.MSVCRT ref: 00182621
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 0019601D: FreeAddrInfoW.WS2_32 ref: 0019602C
      • Part of subcall function 0019601D: memset.MSVCRT ref: 00196042
    • getaddrinfo.WS2_32(?,00000000), ref: 0018C675
    • memset.MSVCRT ref: 0018C6BB
    • memcpy.MSVCRT ref: 0018C6CE
      • Part of subcall function 0017BB55: connect.WS2_32(?,?), ref: 0017BB93
      • Part of subcall function 0017BB55: WSAGetLastError.WS2_32(?,00000000,?,?,?,0018C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 0017BBA2
      • Part of subcall function 0017BB55: WSASetLastError.WS2_32(?,?,?,?,0018C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 0017BBC0
      • Part of subcall function 0017BB55: WSAGetLastError.WS2_32(?,?,?,0018C4F0,?,00003A98,?,00000000,?,00000003,?,00000001), ref: 0017BBC2
      • Part of subcall function 0017BB55: WSASetLastError.WS2_32(00000000), ref: 0017BC00
      • Part of subcall function 0017B979: shutdown.WS2_32(?,00000002), ref: 0017B987
      • Part of subcall function 0017B979: closesocket.WS2_32 ref: 0017B990
      • Part of subcall function 0017B979: WSACloseEvent.WS2_32 ref: 0017B9A3
    • FreeAddrInfoW.WS2_32(00000000), ref: 0018C778
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • memset.MSVCRT ref: 0019CDD2
      • Part of subcall function 001824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0019D211,?,?,00000000,?,?,00000001), ref: 001824D2
    • InternetReadFile.WININET(001899F7,?,00001000,?), ref: 0019CE24
    • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0019CE01
      • Part of subcall function 001825D5: memcpy.MSVCRT ref: 001825FB
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
    • SetLastError.KERNEL32(00000000,?,00001000,?,?,00000000,?,00000001,?,001899F7,?,00000CCA,?,?,00000001), ref: 0019CE78
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 001771D5: memcpy.MSVCRT ref: 001772E6
      • Part of subcall function 00195B15: SetFilePointerEx.KERNEL32(?,00000001,00000001,00000000,?), ref: 00195B25
    • WriteFile.KERNEL32(?,?,00000005,?,00000000), ref: 00186EB2
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00186ECA
    • FlushFileBuffers.KERNEL32(?), ref: 00186EE4
    • SetEndOfFile.KERNEL32 ref: 00186EFE
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
      • Part of subcall function 00195ADF: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001), ref: 00195AF1
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • GetTickCount.KERNEL32 ref: 001866A8
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,00000002), ref: 001866BA
    • memcmp.MSVCRT ref: 001866F4
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000002), ref: 00186760
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • WSAEventSelect.WS2_32(?,?,?), ref: 0017BF85
    • WaitForMultipleObjects.KERNEL32(?,00000001,00000000,?), ref: 0017BFBA
    • WSAEventSelect.WS2_32 ref: 0017C008
    • WSASetLastError.WS2_32(?,?,?,?,?,00000001,00000000,?,?,?,?), ref: 0017C01B
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000104,00000000,?,00000000), ref: 0018BA66
    • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000103,00000000), ref: 0018BA9B
    • RegCloseKey.ADVAPI32(?), ref: 0018BAAA
    • RegCloseKey.ADVAPI32(?), ref: 0018BAC5
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,?,00000000,?,001868D1,?,?,?,?,00000002), ref: 00186619
    • GetTickCount.KERNEL32 ref: 0018664A
    • memcpy.MSVCRT ref: 00186681
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000,?,001868D1,?,?,?,?,00000002), ref: 0018668D
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • GetTickCount.KERNEL32 ref: 00185138
    • GetLastInputInfo.USER32(?), ref: 0018514B
    • GetLocalTime.KERNEL32 ref: 0018516F
      • Part of subcall function 00196891: SystemTimeToFileTime.KERNEL32 ref: 0019689B
    • GetTimeZoneInformation.KERNEL32 ref: 00185187
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,00001CFF), ref: 00177622
    • TranslateMessage.USER32 ref: 00177646
    • DispatchMessageW.USER32 ref: 00177651
    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00177661
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 00176A4D: TlsSetValue.KERNEL32(00000001,0018A796), ref: 00176A5A
      • Part of subcall function 0019C09D: CreateMutexW.KERNEL32(001A49B4,00000000), ref: 0019C0BF
      • Part of subcall function 0019AFD3: WaitForSingleObject.KERNEL32(00000000,0018A849), ref: 0019AFDB
    • GetCurrentThread.KERNEL32 ref: 0018A70A
    • SetThreadPriority.KERNEL32 ref: 0018A711
    • WaitForSingleObject.KERNEL32(00001388), ref: 0018A723
      • Part of subcall function 00175B9B: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00175BC1
      • Part of subcall function 00175B9B: Process32FirstW.KERNEL32 ref: 00175BE6
      • Part of subcall function 00175B9B: OpenProcess.KERNEL32(00000400,00000000,?), ref: 00175C3D
      • Part of subcall function 00175B9B: CloseHandle.KERNEL32 ref: 00175C5B
      • Part of subcall function 00175B9B: GetLengthSid.ADVAPI32 ref: 00175C77
      • Part of subcall function 00175B9B: memcmp.MSVCRT ref: 00175C8F
      • Part of subcall function 00175B9B: CloseHandle.KERNEL32(?), ref: 00175D07
      • Part of subcall function 00175B9B: Process32NextW.KERNEL32(?,?), ref: 00175D13
      • Part of subcall function 00175B9B: CloseHandle.KERNEL32 ref: 00175D26
    • WaitForSingleObject.KERNEL32(00001388), ref: 0018A73C
      • Part of subcall function 0017766D: ReleaseMutex.KERNEL32 ref: 00177671
      • Part of subcall function 0017766D: CloseHandle.KERNEL32 ref: 00177678
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • WaitForSingleObject.KERNEL32(?,00007530), ref: 0019C3D1
    • EnterCriticalSection.KERNEL32(?,?,00007530), ref: 0019C3DF
    • LeaveCriticalSection.KERNEL32(?,?,00007530), ref: 0019C3F4
    • WaitForSingleObject.KERNEL32(?,00007530), ref: 0019C3FE
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(?,?,00000002,00000001,?,?,0018914A,?,?,?,?,?,?,00000000,?), ref: 00188FAF
    • LeaveCriticalSection.KERNEL32 ref: 00189017
      • Part of subcall function 00188A41: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00188A52
      • Part of subcall function 00182543: HeapAlloc.KERNEL32(00000008,?,?,00000000,0018D89F,?,?,?,00000000,00000000,00000000,0018D869,?,0017B3C7,?,@echo off%sdel /F "%s"), ref: 0018256D
      • Part of subcall function 00182543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0018D89F,?,?,?,00000000,00000000,00000000,0018D869,?,0017B3C7), ref: 00182580
    • SetEvent.KERNEL32 ref: 0018900A
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • getpeername.WS2_32(?,?,?), ref: 0018EC79
    • getsockname.WS2_32(?,?,?), ref: 0018EC91
    • send.WS2_32(00000000,00000000,00000008,00000000), ref: 0018ECC2
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • WSACreateEvent.WS2_32(00000000,?,0017BB6E,00000033,00000000,?,?,?,0018C4F0,?,00003A98,?,00000000,?,00000003), ref: 0017B93E
    • WSAEventSelect.WS2_32(?,?,00000033), ref: 0017B954
    • WSACloseEvent.WS2_32 ref: 0017B968
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 00194BC8: StrCmpNIA.SHLWAPI ref: 00194BDF
    • StrCmpNIA.SHLWAPI(?,nbsp;,00000005), ref: 00194D7B
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 00197ED8: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00197EEF
      • Part of subcall function 00197ED8: CloseHandle.KERNEL32 ref: 00197F0E
    • GetFileSizeEx.KERNEL32(00000000), ref: 001A25C4
      • Part of subcall function 00197F3D: UnmapViewOfFile.KERNEL32 ref: 00197F49
      • Part of subcall function 00197F3D: MapViewOfFile.KERNEL32(?,00000001,00000000,00000000,00000001), ref: 00197F60
      • Part of subcall function 00195B15: SetFilePointerEx.KERNEL32(?,00000001,00000001,00000000,?), ref: 00195B25
    • SetEndOfFile.KERNEL32 ref: 001A263A
    • FlushFileBuffers.KERNEL32(?), ref: 001A2645
      • Part of subcall function 00195934: CloseHandle.KERNEL32 ref: 00195940
      • Part of subcall function 00195B5F: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00195B87
      • Part of subcall function 001A2474: GetFileAttributesW.KERNEL32 ref: 001A2485
      • Part of subcall function 001A2474: PathRemoveFileSpecW.SHLWAPI(?), ref: 001A24BA
      • Part of subcall function 001A2474: MoveFileExW.KERNEL32(?,?,00000001), ref: 001A2501
      • Part of subcall function 001A2474: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 001A251A
      • Part of subcall function 001A2474: Sleep.KERNEL32(00001388), ref: 001A255D
      • Part of subcall function 001A2474: FlushFileBuffers.KERNEL32 ref: 001A256B
      • Part of subcall function 00197E98: UnmapViewOfFile.KERNEL32 ref: 00197EA4
      • Part of subcall function 00197E98: CloseHandle.KERNEL32 ref: 00197EB7
      • Part of subcall function 00197E98: CloseHandle.KERNEL32 ref: 00197ECD
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • select.WS2_32(00000000,?,00000000,00000000), ref: 00183A81
    • recv.WS2_32(?,?,?,00000000), ref: 00183A91
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00199B46
    • VirtualProtect.KERNEL32(?,0000007C,?,?), ref: 00199B7D
      • Part of subcall function 00199A67: memset.MSVCRT ref: 00199A78
      • Part of subcall function 00199821: GetCurrentProcess.KERNEL32 ref: 00199824
      • Part of subcall function 00199821: VirtualProtect.KERNEL32(3D920000,00010000,00000020), ref: 00199845
      • Part of subcall function 00199821: FlushInstructionCache.KERNEL32(?,3D920000,00010000), ref: 0019984E
    • ResumeThread.KERNEL32(?), ref: 00199BBE
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • memset.MSVCRT ref: 0019D506
      • Part of subcall function 0019BC89: memcpy.MSVCRT ref: 0019BCA4
      • Part of subcall function 0019BC89: StringFromGUID2.OLE32 ref: 0019BD4A
      • Part of subcall function 0018204E: memcpy.MSVCRT ref: 0018205C
      • Part of subcall function 0019570F: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,0019ABEA,0019ABEA), ref: 0019573C
      • Part of subcall function 00178F6F: memcpy.MSVCRT ref: 00178FE0
      • Part of subcall function 00178F6F: PathRemoveBackslashW.SHLWAPI ref: 00178FEA
      • Part of subcall function 00178F6F: memcpy.MSVCRT ref: 00179033
      • Part of subcall function 00178F6F: memcpy.MSVCRT ref: 00179060
      • Part of subcall function 00178F6F: PathRemoveBackslashW.SHLWAPI ref: 0017906A
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • CloseHandle.KERNEL32(?), ref: 00197B37
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
    • InternetQueryOptionA.WININET(?,00000015,?,?), ref: 00197B77
    • InternetCloseHandle.WININET(?), ref: 00197B82
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000), ref: 00181FFF
    • GetLastError.KERNEL32(?,001A49A8,00000000,?,?,0017AF07,?,00000008,?,?,?,?,?,00000000,0019AE13), ref: 00182009
      • Part of subcall function 001824DA: HeapAlloc.KERNEL32(00000008,?,?,0017B076,?,?,?,00000000,?,?,00000000,0019AA69,?,0019ADD5), ref: 001824EB
    • GetTokenInformation.ADVAPI32(?,00000001,?,?), ref: 00182031
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • DuplicateHandle.KERNEL32(000000FF,?,?,?,00000000,00000000,00000002), ref: 0019A999
    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0019A9B1
    • DuplicateHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000001), ref: 0019A9CC
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • OpenProcessToken.ADVAPI32(?,00000008), ref: 0017AEF5
      • Part of subcall function 00181FEC: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000), ref: 00181FFF
      • Part of subcall function 00181FEC: GetLastError.KERNEL32(?,001A49A8,00000000,?,?,0017AF07,?,00000008,?,?,?,?,?,00000000,0019AE13), ref: 00182009
      • Part of subcall function 00181FEC: GetTokenInformation.ADVAPI32(?,00000001,?,?), ref: 00182031
    • GetTokenInformation.ADVAPI32(?,0000000C,001A49A8,00000004), ref: 0017AF1D
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
    • CloseHandle.KERNEL32(?), ref: 0017AF33
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 0018204E: memcpy.MSVCRT ref: 0018205C
      • Part of subcall function 0019BC89: memcpy.MSVCRT ref: 0019BCA4
      • Part of subcall function 0019BC89: StringFromGUID2.OLE32 ref: 0019BD4A
    • CreateMutexW.KERNEL32(001A49B4,00000001), ref: 0019C058
    • GetLastError.KERNEL32(?,?,?,?,00000002,00000000), ref: 0019C064
    • CloseHandle.KERNEL32 ref: 0019C072
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • PathFindFileNameW.SHLWAPI(000001ED), ref: 0018A759
    • PathRemoveExtensionW.SHLWAPI ref: 0018A76D
    • CharUpperW.USER32 ref: 0018A777
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • lstrlenW.KERNEL32(0016C448), ref: 0018D149
    • lstrlenW.KERNEL32 ref: 0018D14F
      • Part of subcall function 00182543: HeapAlloc.KERNEL32(00000008,?,?,00000000,0018D89F,?,?,?,00000000,00000000,00000000,0018D869,?,0017B3C7,?,@echo off%sdel /F "%s"), ref: 0018256D
      • Part of subcall function 00182543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0018D89F,?,?,?,00000000,00000000,00000000,0018D869,?,0017B3C7), ref: 00182580
    • memcpy.MSVCRT ref: 0018D173
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0018D89F,?,?,?,00000000,00000000,00000000,0018D869,?,0017B3C7), ref: 00182580
      • Part of subcall function 00182456: EnterCriticalSection.KERNEL32(001A5AA4,00000028,001824C9,?,0019D211,?,?,00000000,?,?,00000001), ref: 00182466
      • Part of subcall function 00182456: LeaveCriticalSection.KERNEL32(001A5AA4,?,0019D211,?,?,00000000,?,?,00000001), ref: 00182490
    • HeapAlloc.KERNEL32(00000008,?,?,00000000,0018D89F,?,?,?,00000000,00000000,00000000,0018D869,?,0017B3C7,?,@echo off%sdel /F "%s"), ref: 0018256D
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • GetLastError.KERNEL32(?,00176577), ref: 00176EA6
    • TlsSetValue.KERNEL32(00000000), ref: 00176EB6
    • SetLastError.KERNEL32(?,?,00176577), ref: 00176EBD
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • GetVersionExW.KERNEL32(001A4858), ref: 001986E6
    • GetNativeSystemInfo.KERNEL32(000000FF), ref: 00198822
    • memset.MSVCRT ref: 00198857
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 001849CD: EnterCriticalSection.KERNEL32(001A5AA4,00C21E90,00184ECC,00C21E90), ref: 001849DD
      • Part of subcall function 001849CD: LeaveCriticalSection.KERNEL32(001A5AA4,?,?,?,?,?,?,?,?,?,?,?,?,00C21EF0,0019D345), ref: 00184A05
    • PathFindFileNameW.SHLWAPI(00C21E90), ref: 00184ED2
      • Part of subcall function 00179E88: StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00179E9D
      • Part of subcall function 00179E88: StrCmpIW.SHLWAPI ref: 00179EA7
      • Part of subcall function 001824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0019D211,?,?,00000000,?,?,00000001), ref: 001824D2
    • InitializeCriticalSection.KERNEL32 ref: 00184F44
      • Part of subcall function 00176D72: EnterCriticalSection.KERNEL32(001A468C,00000000,00184F6E,?,000000FF), ref: 00176D7E
      • Part of subcall function 00176D72: LeaveCriticalSection.KERNEL32(001A468C,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00C21EF0), ref: 00176D8E
      • Part of subcall function 00176D9C: LeaveCriticalSection.KERNEL32(001A468C,00176E01,00000001,00000000,00000000,?,00184F82,00000001,00000000,?,000000FF), ref: 00176DA6
      • Part of subcall function 00199DDC: GetCurrentThreadId.KERNEL32 ref: 00199DED
      • Part of subcall function 00199DDC: memcpy.MSVCRT ref: 00199F56
      • Part of subcall function 00199DDC: VirtualProtect.KERNEL32(?,?,00000040,00000000), ref: 00199FE2
      • Part of subcall function 00199DDC: GetLastError.KERNEL32(?,00000040,00000000,?,?,00000000), ref: 00199FEC
      • Part of subcall function 00176DAD: LeaveCriticalSection.KERNEL32(001A468C,?,00176E13,00000001,00000000,00000000,?,00184F82,00000001,00000000,?,000000FF), ref: 00176DBA
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
    • DeleteCriticalSection.KERNEL32(00000000,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00C21EF0), ref: 00184FBB
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 0019931E: CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000040), ref: 00199336
    • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00199433
    • CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00199458
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 0018C93C
      • Part of subcall function 001825A7: memcpy.MSVCRT ref: 001825C6
    • WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0018C97B
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
    • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0018C9A2
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(001A5AA4,?,00000001,?,?,0019D824,?,?,?,00000001), ref: 0019D62C
    • LeaveCriticalSection.KERNEL32(001A5AA4,?,00000001,?,?,0019D824,?,?,?,00000001), ref: 0019D653
      • Part of subcall function 0019D4EF: memset.MSVCRT ref: 0019D506
      • Part of subcall function 001993C4: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000), ref: 00199433
      • Part of subcall function 001993C4: CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00199458
      • Part of subcall function 0019946B: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 001994AA
    • _ultow.MSVCRT ref: 0019D69A
      • Part of subcall function 00199393: CryptDestroyHash.ADVAPI32 ref: 001993AB
      • Part of subcall function 00199393: CryptReleaseContext.ADVAPI32(?,00000000), ref: 001993BC
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • TlsAlloc.KERNEL32(00C227EC,00196EB9,?,?,?,?,00C227E0), ref: 001969EA
    • TlsGetValue.KERNEL32(?,00000001,00C227EC), ref: 001969FC
    • TlsSetValue.KERNEL32(?,?), ref: 00196A41
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 001883E6
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00188409
    • CloseHandle.KERNEL32 ref: 00188416
      • Part of subcall function 00195E1D: SetFileAttributesW.KERNEL32(?,00000080), ref: 00195E26
      • Part of subcall function 00195E1D: DeleteFileW.KERNEL32 ref: 00195E2D
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • StrCmpNA.SHLWAPI(Basic ,?,00000000), ref: 00179F19
    • lstrcmpA.KERNEL32(Basic ,?,001954A4,00000006,Authorization,?,?,?), ref: 00179F23
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • memset.MSVCRT ref: 001769F9
    • TlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C21EF0), ref: 00176A02
    • InitializeCriticalSection.KERNEL32(001A468C), ref: 00176A12
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • InitializeCriticalSection.KERNEL32(001A47FC), ref: 0018B7C7
    • QueryPerformanceCounter.KERNEL32 ref: 0018B7D1
    • GetTickCount.KERNEL32 ref: 0018B7DB
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 001824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0019D211,?,?,00000000,?,?,00000001), ref: 001824D2
    • memcpy.MSVCRT ref: 001A1657
    • memcpy.MSVCRT ref: 001A166A
    • memcpy.MSVCRT ref: 001A168B
      • Part of subcall function 00194C13: StrCmpNIA.SHLWAPI(?,nbsp;,00000005), ref: 00194D7B
      • Part of subcall function 00182543: HeapAlloc.KERNEL32(00000008,?,?,00000000,0018D89F,?,?,?,00000000,00000000,00000000,0018D869,?,0017B3C7,?,@echo off%sdel /F "%s"), ref: 0018256D
      • Part of subcall function 00182543: HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0018D89F,?,?,?,00000000,00000000,00000000,0018D869,?,0017B3C7), ref: 00182580
    • memcpy.MSVCRT ref: 001A16FD
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
      • Part of subcall function 001825A7: memcpy.MSVCRT ref: 001825C6
      • Part of subcall function 001A1070: memmove.MSVCRT ref: 001A12E1
      • Part of subcall function 001A1070: memcpy.MSVCRT ref: 001A12F0
      • Part of subcall function 001A1364: memcpy.MSVCRT ref: 001A13D9
      • Part of subcall function 001A1364: memmove.MSVCRT ref: 001A149F
      • Part of subcall function 001A1364: memcpy.MSVCRT ref: 001A14AE
      • Part of subcall function 0018BAD5: strcmp.MSVCRT(?,?,00000009,?,00000007,?,00000008,?,?,?,?,00000000,?), ref: 0018BB42
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 0018B64D: EnterCriticalSection.KERNEL32(001A5AA4,?,0018B806,?,?,001959A9,00000000), ref: 0018B65D
      • Part of subcall function 0018B64D: LeaveCriticalSection.KERNEL32(001A5AA4,?,?,001959A9,00000000), ref: 0018B687
    • EnterCriticalSection.KERNEL32(001A47FC,?,?,001959A9,00000000), ref: 0018B80C
    • LeaveCriticalSection.KERNEL32(001A47FC,?,?,001959A9,00000000), ref: 0018B81A
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
      • Part of subcall function 00182456: EnterCriticalSection.KERNEL32(001A5AA4,00000028,001824C9,?,0019D211,?,?,00000000,?,?,00000001), ref: 00182466
      • Part of subcall function 00182456: LeaveCriticalSection.KERNEL32(001A5AA4,?,0019D211,?,?,00000000,?,?,00000001), ref: 00182490
    • HeapAlloc.KERNEL32(00000008,?,?,0017B076,?,?,?,00000000,?,?,00000000,0019AA69,?,0019ADD5), ref: 001824EB
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • SetFileAttributesW.KERNEL32(?,00000080), ref: 00195E26
    • DeleteFileW.KERNEL32 ref: 00195E2D
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true
    APIs
    • EnterCriticalSection.KERNEL32(00000000,001A30F0,00000038,00184BB2,00000000,?), ref: 00184ACC
    • memcmp.MSVCRT ref: 00184AE3
      • Part of subcall function 001824C1: HeapAlloc.KERNEL32(00000000,00000028,?,0019D211,?,?,00000000,?,?,00000001), ref: 001824D2
    • memcpy.MSVCRT ref: 00184B11
    • LeaveCriticalSection.KERNEL32(00000000), ref: 00184B68
      • Part of subcall function 00182593: HeapFree.KERNEL32(00000000,00C21E90,0019D2D1,?,?,00000000,?,?,00000001), ref: 001825A0
    Memory Dump Source
    • Source File: 00000009.00000002.278971206.00140000.00000040.sdmp, Offset: 00140000, based on PE: true