

Windows Analysis Report
a2e-enterprise.26.3.3677.2903.exe

Overview

General Information

Sample name:a2e-enterprise.26.3.3677.2903.exe
Analysis ID:1407717
MD5:29c3418978dd57c42c7e9530b3aac3d6
SHA1:08283dd80f9597fffd5abc3977b21894e9ad962b
SHA256:22a18e7582631d3d2efae7d691fc20421c7a9693103b6f21a190f664c686b94b

Detection

Score:5
Range:0 - 100
Whitelisted:false
Confidence:40%

Signatures

Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Process tree (analysis system: w10x64)
  • a2e-enterprise.26.3.3677.2903.exe (PID: 7316, cmdline: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe, MD5: 29C3418978DD57C42C7E9530B3AAC3D6)
    • conhost.exe (PID: 7324, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

Signature results: no malicious signatures matched. All signature hits are listed below.

Source: a2e-enterprise.26.3.3677.2903.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe | File created: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\EULA\Add2Exchange EULA.rtf
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe | File created: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\EULA\Add2Exchange EULA.pdf

Binary string: F:\Office\Target\x86\ship\click2run\en-us\AdminBootstrapper.pdbpdbGCTL | source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002626000.00000004.00000020.00020000.00000000.sdmp, a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp, setup.exe0.0.dr
Binary string: DPCA.pdb | source: Add2ExchangeSetup.msi.0.dr
Binary string: F:\Office\Target\x86\ship\click2run\en-us\AdminBootstrapper.pdb | source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002626000.00000004.00000020.00020000.00000000.sdmp, a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp, setup.exe0.0.dr
Binary string: E3BA6A-4260-D8AD-6F2E-E0BA27C2626F}C__DB5490D874434060B5523DC70DC6B4C7ADD2EX~2.PDB|Add2Exchange Agent.pdb_DCD27D1155FD4FA49AFEC52B9E214BCFC__DCD27D1155FD4FA49AFEC52B9E214BCFInstallUtilB03F5F7F11D50A3APublicKeyToken4.0.0.0{C765414F-517E-9D44-62DB-200DC45A7F01}4.0.30319.1INSTAL~1.EXE|InstallUtil.exe_E03A55A6B7E740C8A8611EDEE423521F{3379E351-9B46-C8C1-8C31-193B6939E1C9}C__E03A55A6B7E740C8A8611EDEE423521FPROFMAN.DLL|ProfMan.dll_E155EF057E684BC49827EACF5A35D6C7{CB60CA7A-BE59-83D9-B889-8C03277AB948}C__E155EF057E6 | source: Add2ExchangeSetup.msi.0.dr
Binary string: DPCA.pdb<0 | source: Add2ExchangeSetup.msi.0.dr
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe | Code function: 0_2_0040729B __EH_prolog,FindFirstFileW,AreFileApisANSI,FindFirstFileA

Strings found in binary or memory (memory dump sources abbreviated: [A] = a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp; [B] = a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp; [C] = a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002626000.00000004.00000020.00020000.00000000.sdmp):
Source: [C], [B], setup.exe0.0.dr | http://127.0.0.1:13556/HosterIdentityHttpLogWriterEndpointInsiderSlabBehaviorProviderLabMachineLangT
Source: [A] | http://support.diditbetter.com/Secure/Login.aspx?returnurl=/downloads.aspx
Source: [A] | http://support.diditbetter.com/disable-group-policy.aspx
Source: [A] | http://support.diditbetter.com/support-request.aspx
Source: Add2ExchangeSetup.msi.0.dr | http://www.DidITBetter.com/Solutions/Add2Exchange/Overview.aspARPHELPLINKAdvantage
Source: [A], Add2Exchange EULA.rtf.0.dr, Add2ExchangeSetup.msi.0.dr | http://www.DidITbetter.com
Source: [B] | http://www.sysinternals.com
Source: [B] | http://www.sysinternals.comopenThe
Source: [A], DiditBetter_Support_Menu.ps1.0.dr | https://aka.ms/ssmsfullsetup
Source: [C], [B], setup.exe0.0.dr | https://client-office365-tas.msedge.net/abMicrosoft.Office.Experimentation.SendTenantIdToTasMicrosof
Source: [C], [B], setup.exe0.0.dr | https://config.edge.skype.net/config/v1/Officehttps://config.edge.skype.com/config/v1/Office0.0.0.0?
Source: [C], [B], setup.exe0.0.dr | https://nexus.officeapps.live.comhttps://nexusrules.officeapps.live.com/nexus/rules/nexus/upload/
Source: [C], [B], setup.exe0.0.dr | https://ocos-office365-s2s.msedge.net/abclientidRequestGUIDX-MSEdge-IGcorpnetflightReached
Source: [A], SQL12x_to_SQL12xSP4.ps1.0.dr, SQL12x_to_SQL22x.ps1.0.dr | https://s3.amazonaws.com/dl.diditbetter.com
Source: [A] | https://s3.amazonaws.com/dl.diditbetter.com/
Source: [A] | https://s3.amazonaws.com/dl.diditbetter.com/A2EDiags-2.3.exe
Source: SQL12x_to_SQL22x.ps1.0.dr | https://s3.amazonaws.com/dl.diditbetter.com/SQL%20Express/Microsoft_SQL_Server_Express_2022.ini
Source: SQL12x_to_SQL22x.ps1.0.dr | https://s3.amazonaws.com/dl.diditbetter.com/SQL%20Express/SQL2022-SSEI-Expr.exe
Source: SQL12x_to_SQL12xSP4.ps1.0.dr | https://s3.amazonaws.com/dl.diditbetter.com/SQL%20Express/SQLEXPR_x86_ENU_2012SP4.exe
Source: [A] | https://s3.amazonaws.com/dl.diditbetter.com/SQL%20Express/SQLServer2008SP4-KB2979596-x86-ENU.exe
Source: [A] | https://s3.amazonaws.com/dl.diditbetter.com/SQL%20Express/SSMS-Setup-ENU.exe
Source: [A], DiditBetter_Support_Menu.ps1.0.dr | https://s3.amazonaws.com/guides.diditbetter.com/Add2Exchange_Guide.pdf
Source: [A], DiditBetter_Support_Menu.ps1.0.dr | https://s3.amazonaws.com/guides.diditbetter.com/GAL_Sync_Scenario.pdf
Source: [A], DiditBetter_Support_Menu.ps1.0.dr | https://s3.amazonaws.com/guides.diditbetter.com/Migrating_A2E_Sync_Scenarios.pdf
Source: [A], DiditBetter_Support_Menu.ps1.0.dr | https://s3.amazonaws.com/guides.diditbetter.com/Migrating_Environments_A2E_Sync_Scenarios.pdf
Source: [A], DiditBetter_Support_Menu.ps1.0.dr | https://s3.amazonaws.com/guides.diditbetter.com/Private_to_Private_Sync_Scenarios.pdf
Source: [A], DiditBetter_Support_Menu.ps1.0.dr | https://s3.amazonaws.com/guides.diditbetter.com/Private_to_Public_Sync_Scenarios.pdf
Source: [A], DiditBetter_Support_Menu.ps1.0.dr | https://s3.amazonaws.com/guides.diditbetter.com/Public_to_Private_Sync_Scenarios.pdf
Source: [A], DiditBetter_Support_Menu.ps1.0.dr | https://s3.amazonaws.com/guides.diditbetter.com/Public_to_Public_Sync_Scenarios.pdf
Source: [A], DiditBetter_Support_Menu.ps1.0.dr | https://s3.amazonaws.com/guides.diditbetter.com/Template_Creation_RGM_Sync_Scenarios.pdf
Source: [A], DiditBetter_Support_Menu.ps1.0.dr | https://support.DidItBetter.com/
Source: [A], DiditBetter_Support_Menu.ps1.0.dr | https://support.diditbetter.com/downloads.aspx
Source: [A], DiditBetter_Support_Menu.ps1.0.dr | https://support.diditbetter.com/support-request.aspx
Note: several of these entries (for example "http://www.sysinternals.comopenThe", "...Overview.aspARPHELPLINKAdvantage" and the run-together Office configuration URLs) are adjacent strings concatenated by the string scanner, not URLs the sample uses in that form; treat the domain part as the usable indicator.
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002626000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: RegisterRawInputDevices (memstr_97c23fc6-3). This is the same memory region that carries the AdminBootstrapper.pdb path of the bundled Office setup, so the raw-input API reference is not necessarily code of the SFX stub itself.

Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe | Code functions: 0_2_004171E0, 0_2_0041525D, 0_2_0041239B, 0_2_00419640, 0_2_00418D70, 0_2_00417EF0, 0_2_00419E80, 0_2_00416F4A, 0_2_00418F60

Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe | Code function: String function: 0040540C appears 42 times
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe | Code function: String function: 004199A0 appears 232 times

Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002626000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBootstrapper.exeB vs a2e-enterprise.26.3.3677.2903.exe
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002B14000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBootstrapper.exeB vs a2e-enterprise.26.3.3677.2903.exe
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000000.1748755714.0000000000428000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename7z.sfx.exe, vs a2e-enterprise.26.3.3677.2903.exe
Source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAutolog.exeN vs a2e-enterprise.26.3.3677.2903.exe
Source: a2e-enterprise.26.3.3677.2903.exe | Binary or memory string: OriginalFilename7z.sfx.exe, vs a2e-enterprise.26.3.3677.2903.exe
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe | Section loaded: apphelp.dll

Source: a2e-enterprise.26.3.3677.2903.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine | Classification label: clean5.winEXE@2/93@0/0
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe | File created: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7324:120:WilError_03
Source: a2e-enterprise.26.3.3677.2903.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Add2ExchangeSetup.msi.0.dr | Binary or memory string: SELECT `Directory`, `DefaultDir` FROM `Directory` WHERE `Directory_Parent` = '%s'Software\Microsoft\NET Framework Setup\NDP\v3.%lu%sSOFTWARE\Microsoft\NET Framework Setup\DotNetClient\v3.5Software\Microsoft\NET Framework Setup\NDPSELECT * FROM `%s`Custom action not implemented.ToggleNearestAppRoot.kernel32IsWow64ProcessProcess call was successful.The error indicates that IIS is in 64 bit mode, while this application is a 32 bit application and thus not compatible.The error indicates that IIS is in 32 bit mode, while this application is a 64 bit application and thus not compatible.The error indicates that this version of ASP.NET must first be registered on the machine.Unknown Error.The call to aspnet_regiis.exe was failed. Path: '%s'Process Call Result Code: '%ld'Process Exit Code: '%ld'.Create Process failed.Running process '%s' with parameters '%s' silently...Access denied.CoInitializeEx - COM initialization Free Threaded.FAILED:%ldCoInitializeEx - COM initialization Apartment Threaded...Attach Debugger To MeVSCADEBUGATTACHSetTARGETSITETargetVersion%s\v%d\%sGatherWebSitesGatherAppPoolsSetTARGETAPPPOOLTARGETIISPATHRoot//LM/TARGETVDIRTARGETSITESetTARGETIISPATHaspnet_regiis.exeRESULTPath = PathUsing 64 bit registry key...Reading registry value Path from key 'HKLM\%s'...Software\Microsoft\ASP.NET\%sProductNameRunning show message with fUseMessageBox = %sFALSETRUEVSDINVALIDURLMSGHideFatalErrorFormopenExecuting URL '%s' with source directory '%s'...SourceDirRESULT:Condition is false.RESULT:Condition is true. Nothing more to do.Evaluating condition '%s'...Getting the condition to evaluate...A launch condition has already fired. My work is done here.Checking a launch condition..."/><supportedRuntime version=";VSDFxConfigFile
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe | File read: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
Source: unknown | Process created: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: a2e-enterprise.26.3.3677.2903.exe | Static file information: File size 42987850 > 1048576

Binary string: F:\Office\Target\x86\ship\click2run\en-us\AdminBootstrapper.pdbpdbGCTL | source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002626000.00000004.00000020.00020000.00000000.sdmp, a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp, setup.exe0.0.dr
Binary string: DPCA.pdb | source: Add2ExchangeSetup.msi.0.dr
Binary string: F:\Office\Target\x86\ship\click2run\en-us\AdminBootstrapper.pdb | source: a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002626000.00000004.00000020.00020000.00000000.sdmp, a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp, setup.exe0.0.dr
Binary string: E3BA6A-4260-D8AD-6F2E-E0BA27C2626F}C__DB5490D874434060B5523DC70DC6B4C7ADD2EX~2.PDB|Add2Exchange Agent.pdb_DCD27D1155FD4FA49AFEC52B9E214BCFC__DCD27D1155FD4FA49AFEC52B9E214BCFInstallUtilB03F5F7F11D50A3APublicKeyToken4.0.0.0{C765414F-517E-9D44-62DB-200DC45A7F01}4.0.30319.1INSTAL~1.EXE|InstallUtil.exe_E03A55A6B7E740C8A8611EDEE423521F{3379E351-9B46-C8C1-8C31-193B6939E1C9}C__E03A55A6B7E740C8A8611EDEE423521FPROFMAN.DLL|ProfMan.dll_E155EF057E684BC49827EACF5A35D6C7{CB60CA7A-BE59-83D9-B889-8C03277AB948}C__E155EF057E6 | source: Add2ExchangeSetup.msi.0.dr
Binary string: DPCA.pdb<0 | source: Add2ExchangeSetup.msi.0.dr

Source: setup.exe0.0.dr | Static PE information: real checksum: 0x4fc7d8 should be: 0x4f70e0
Source: setup.exe.0.dr | Static PE information: real checksum: 0x4fc7d8 should be: 0x4f70e0
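The two checksum lines above compare the CheckSum field stored in setup.exe's optional header with the value the Windows loader would compute for the file. The script below is an added worked example, not code from the Joe Sandbox report or from the Add2Exchange installer: it implements that computation (the MapFileAndCheckSum algorithm) in Python, prints a mismatch in the same "real checksum ... should be ..." form (stored field first, computed value second, which is how the report's pair is read here), and builds a small constructed PE header in memory so it runs offline; pass a path such as the dropped setup.exe to reproduce the report's numbers. Windows verifies this checksum only for drivers and certain boot-time or critical system DLLs, so a wrong value in a user-mode installer is weak evidence by itself: it is typical of images that were patched or re-packed after linking without re-stamping the header.

```python
"""Recompute a PE image's header checksum and compare it with the stored value."""
import struct
import sys
from typing import Tuple


def checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum, after validating the MZ and PE signatures."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20  # skip "PE\0\0" and the 20-byte IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 and PE32+ both keep CheckSum at optional header + 64
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return opt + 64


def pe_checksum(data: bytes) -> int:
    """MapFileAndCheckSum: sum every 32-bit word except the CheckSum field itself, folding
    carries back in, fold the result to 16 bits, then add the file length."""
    skip = checksum_field_offset(data) // 4
    padded = data + b"\0" * (-len(data) % 4)  # a trailing partial dword is zero-padded
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def check(data: bytes) -> Tuple[int, int, str]:
    """Return (stored, computed, status); status is 'unset' for a zero field, else 'valid'/'invalid'."""
    stored = struct.unpack_from("<I", data, checksum_field_offset(data))[0]
    computed = pe_checksum(data)
    status = "unset" if stored == 0 else ("valid" if stored == computed else "invalid")
    return stored, computed, status


def stamp(data: bytes) -> bytes:
    """Copy of the image with the correct checksum written into the header."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_field_offset(data), pe_checksum(data))
    return bytes(buf)


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (not a real file): DOS header, PE signature, COFF header,
    224-byte optional header with CheckSum = 0, then 8 bytes standing in for section data."""
    hdr = bytearray(64 + 4 + 20 + 224)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 64)           # e_lfanew: PE header at offset 64
    hdr[64:68] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 68, 0x014C, 0)     # Machine = i386, NumberOfSections = 0
    struct.pack_into("<HH", hdr, 84, 224, 0x0102)   # SizeOfOptionalHeader, EXECUTABLE_IMAGE | 32BIT_MACHINE
    struct.pack_into("<H", hdr, 88, 0x10B)          # PE32 magic; CheckSum field is at 88 + 64 = 152
    return bytes(hdr) + struct.pack("<II", 1, 2)


def report(data: bytes, label: str) -> str:
    """One line in the same form as the sandbox's 'real checksum ... should be ...' finding."""
    stored, computed, status = check(data)
    return f"{label}: real checksum: {stored:#x} should be: {computed:#x} ({status})"


if __name__ == "__main__":
    # With no arguments, demonstrate on the constructed image; otherwise check the given files.
    if len(sys.argv) == 1:
        sample = build_sample_pe()
        print(report(sample, "constructed"))
        print(report(stamp(sample), "constructed, stamped"))
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(report(fh.read(), path))
```

Because the CheckSum dword is skipped during summation, stamping the correct value does not change the computed result, which is what makes the field verifiable in place; any other byte change, including a single-byte patch, moves the computed value.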
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe | Code function: 0_2_004199A0 push eax; ret at 0_2_004199BE. The push/ret sequence sits in the helper at 0x4199A0 that the report counts 232 times as a string function; a push eax; ret return is also how the MSVC CRT's __EH_prolog helper, which this binary's FindFirstFileW routine calls, transfers control, so this obfuscation hit is weak evidence on its own.
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe | File created: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Setup Files\setup.exe (dropped file)
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe | File created: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Autologon.exe (dropped file)
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe | File created: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\O365Outlook32\Setup Files\setup.exe (dropped file)
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe | File created: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\EULA\Add2Exchange EULA.rtf
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe | File created: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\EULA\Add2Exchange EULA.pdf

Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Setup Files\setup.exe
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Autologon.exe
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\O365Outlook32\Setup Files\setup.exe

Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (reported twice)
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe | Code function: 0_2_0040729B __EH_prolog,FindFirstFileW,AreFileApisANSI,FindFirstFileA
Source: a2e-enterprise.26.3.3677.2903.exe | Binary or memory string: ;qEMu
Source: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe | Code function: 0_2_00404151 __EH_prolog,GetVersionExA
MITRE ATT&CK matrix (one line per tactic; a technique preceded by a number is one the report flagged, with the count it shows; the other cells are the matrix's unflagged entries)

Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information
Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts
Execution: Windows Management Instrumentation | Scheduled Task/Job | At | Cron | Launchd
Persistence: 1 DLL Side-Loading | Boot or Logon Initialization Scripts | Logon Script (Windows) | Login Hook | Network Logon Script
Privilege Escalation: 1 Process Injection | 1 DLL Side-Loading | Logon Script (Windows) | Login Hook | Network Logon Script
Defense Evasion: 1 Masquerading | 1 Process Injection | 1 Deobfuscate/Decode Files or Information | 1 DLL Side-Loading | 2 Obfuscated Files or Information
Credential Access: 11 Input Capture | LSASS Memory | Security Account Manager | NTDS | LSA Secrets
Discovery: 1 Security Software Discovery | 1 File and Directory Discovery | 2 System Information Discovery | System Network Configuration Discovery | Internet Connection Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH
Collection: 11 Input Capture | 1 Archive Collected Data | Data from Network Shared Drive | Input Capture | Keylogging
Command and Control: 1 Encrypted Channel | Junk Data | Steganography | Protocol Impersonation | Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer
Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact
Antivirus, machine learning and genetic malware detection

Initial sample: No Antivirus matches

Dropped files:
Source | Detection | Scanner | Label | Link
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\O365Outlook32\Setup Files\setup.exe | 0% | ReversingLabs | - | -
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Autologon.exe | 0% | ReversingLabs | - | -
C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Setup Files\setup.exe | 0% | ReversingLabs | - | -

Unpacked PE files: No Antivirus matches

Domains: No Antivirus matches

URLs:
Source | Detection | Scanner | Label | Link
http://127.0.0.1:13556/HosterIdentityHttpLogWriterEndpointInsiderSlabBehaviorProviderLabMachineLangT | 0% | Avira URL Cloud | safe | -
http://support.diditbetter.com/Secure/Login.aspx?returnurl=/downloads.aspx | 0% | Avira URL Cloud | safe | -
http://support.diditbetter.com/disable-group-policy.aspx | 0% | Avira URL Cloud | safe | -
http://www.DidITBetter.com/Solutions/Add2Exchange/Overview.aspARPHELPLINKAdvantage | 0% | Avira URL Cloud | safe | -
http://www.DidITbetter.com | 0% | Avira URL Cloud | safe | -
http://www.sysinternals.comopenThe | 0% | Avira URL Cloud | safe | -
https://support.DidItBetter.com/ | 0% | Avira URL Cloud | safe | -
https://support.diditbetter.com/downloads.aspx | 0% | Avira URL Cloud | safe | -
http://support.diditbetter.com/support-request.aspx | 0% | Avira URL Cloud | safe | -
https://support.diditbetter.com/support-request.aspx | 0% | Avira URL Cloud | safe | -
No contacted domains info
URLs referenced by the sample and its dropped files (memory dump sources abbreviated: [A] = a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1805077363.0000000002207000.00000004.00000020.00020000.00000000.sdmp; [B] = a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002204000.00000004.00000020.00020000.00000000.sdmp; [C] = a2e-enterprise.26.3.3677.2903.exe, 00000000.00000003.1814391759.0000000002626000.00000004.00000020.00020000.00000000.sdmp)

Name | Source | Malicious | Antivirus detection | Reputation
https://s3.amazonaws.com/dl.diditbetter.com | [A], SQL12x_to_SQL12xSP4.ps1.0.dr, SQL12x_to_SQL22x.ps1.0.dr | false | - | high
https://s3.amazonaws.com/guides.diditbetter.com/Migrating_A2E_Sync_Scenarios.pdf | [A], DiditBetter_Support_Menu.ps1.0.dr | false | - | high
https://support.DidItBetter.com/ | [A], DiditBetter_Support_Menu.ps1.0.dr | false | Avira URL Cloud: safe | unknown
http://support.diditbetter.com/disable-group-policy.aspx | [A] | false | Avira URL Cloud: safe | unknown
https://s3.amazonaws.com/guides.diditbetter.com/Add2Exchange_Guide.pdf | [A], DiditBetter_Support_Menu.ps1.0.dr | false | - | high
https://s3.amazonaws.com/dl.diditbetter.com/ | [A] | false | - | high
http://support.diditbetter.com/Secure/Login.aspx?returnurl=/downloads.aspx | [A] | false | Avira URL Cloud: safe | unknown
https://s3.amazonaws.com/dl.diditbetter.com/A2EDiags-2.3.exe | [A] | false | - | high
https://s3.amazonaws.com/guides.diditbetter.com/Private_to_Private_Sync_Scenarios.pdf | [A], DiditBetter_Support_Menu.ps1.0.dr | false | - | high
https://s3.amazonaws.com/guides.diditbetter.com/Private_to_Public_Sync_Scenarios.pdf | [A], DiditBetter_Support_Menu.ps1.0.dr | false | - | high
http://www.DidITbetter.com | [A], Add2Exchange EULA.rtf.0.dr, Add2ExchangeSetup.msi.0.dr | false | Avira URL Cloud: safe | unknown
https://s3.amazonaws.com/guides.diditbetter.com/Migrating_Environments_A2E_Sync_Scenarios.pdf | [A], DiditBetter_Support_Menu.ps1.0.dr | false | - | high
https://s3.amazonaws.com/guides.diditbetter.com/Template_Creation_RGM_Sync_Scenarios.pdf | [A], DiditBetter_Support_Menu.ps1.0.dr | false | - | high
http://www.sysinternals.com | [B] | false | - | high
https://s3.amazonaws.com/guides.diditbetter.com/Public_to_Public_Sync_Scenarios.pdf | [A], DiditBetter_Support_Menu.ps1.0.dr | false | - | high
https://support.diditbetter.com/support-request.aspx | [A], DiditBetter_Support_Menu.ps1.0.dr | false | Avira URL Cloud: safe | unknown
https://aka.ms/ssmsfullsetup | [A], DiditBetter_Support_Menu.ps1.0.dr | false | - | high
http://www.sysinternals.comopenThe | [B] | false | Avira URL Cloud: safe | unknown
https://s3.amazonaws.com/guides.diditbetter.com/Public_to_Private_Sync_Scenarios.pdf | [A], DiditBetter_Support_Menu.ps1.0.dr | false | - | high
https://support.diditbetter.com/downloads.aspx | [A], DiditBetter_Support_Menu.ps1.0.dr | false | Avira URL Cloud: safe | unknown
http://127.0.0.1:13556/HosterIdentityHttpLogWriterEndpointInsiderSlabBehaviorProviderLabMachineLangT | [C], [B], setup.exe0.0.dr | false | Avira URL Cloud: safe | unknown
http://www.DidITBetter.com/Solutions/Add2Exchange/Overview.aspARPHELPLINKAdvantage | Add2ExchangeSetup.msi.0.dr | false | Avira URL Cloud: safe | unknown
https://s3.amazonaws.com/guides.diditbetter.com/GAL_Sync_Scenario.pdf | [A], DiditBetter_Support_Menu.ps1.0.dr | false | - | high
http://support.diditbetter.com/support-request.aspx | [A] | false | Avira URL Cloud: safe | unknown
                              No contacted IP infos
                              Joe Sandbox version:40.0.0 Tourmaline
                              Analysis ID:1407717
                              Start date and time:2024-03-12 18:06:47 +01:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 4m 27s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:2
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:a2e-enterprise.26.3.3677.2903.exe
                              Detection:CLEAN
                              Classification:clean5.winEXE@2/93@0/0
                              EGA Information:
                              • Successful, ratio: 100%
                              HCA Information:
                              • Successful, ratio: 100%
                              • Number of executed functions: 50
                              • Number of non-executed functions: 37
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Stop behavior analysis, all processes terminated
• Not all processes were analyzed, report is missing behavior information
                              • VT rate limit hit for: a2e-enterprise.26.3.3677.2903.exe
                              No simulations
                              No context
                              No context
                              No context
                              No context
Match: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\O365Outlook32\Setup Files\setup.exe
• Associated sample: V425Q1tORs.exe, Detection: malicious, Threat name: Unknown
• Associated sample: V425Q1tORs.exe, Detection: malicious, Threat name: Unknown
Match: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903\Setup\Setup Files\setup.exe
• Associated sample: V425Q1tORs.exe, Detection: malicious, Threat name: Unknown
• Associated sample: V425Q1tORs.exe, Detection: malicious, Threat name: Unknown
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:PDF document, version 1.7
                                      Category:dropped
                                      Size (bytes):13802294
                                      Entropy (8bit):7.381292062112644
                                      Encrypted:false
                                      SSDEEP:98304:AVtrmiA6vqtF7gGDpOUU1egv9+SGqjoHm6z3MIBlPB86QnXAe:AVcp6odUUUb+SGwcLBo6Qn7
                                      MD5:E42B5D240E70A4AE87E23B646B2CE944
                                      SHA1:6811A7D2FD4B4C5B84BE239C63DF0BC22ADFBC3C
                                      SHA-256:B2485A101BFBD604737D39FF4A91507292E24784F98CACCCAC48486D32249812
                                      SHA-512:45B69F7791E1506460560FAEF8768416F59415B231DFFA47CFF690EEA1D5C764DCCF7C5E9F73D57184960876C45D41AF1D2A64C9DD65244F6CF11189BA706512
                                      Malicious:false
                                      Reputation:moderate, very likely benign file
                                      Preview:%PDF-1.7..........2 0 obj..[/ICCBased 3 0 R]..endobj..3 0 obj..<<../Filter /FlateDecode ../Length 2596 ../N 3 ..>>..stream..x...wTS....7.P.....khR.H..H..*1..J..."6DTpDQ...2(...C.."...Q....D.qp...Id...y.....~k....g.}.......LX....X......g`......l..p..B..F...|.l....... ..*.?.......Y"1.P......\...8=W.%.O..4M.0J."Y.2V.s.,[|..e.9.2.<..s..e...'.9....`......2.&c.tI.@.o..|N6.(....sSdl-c.(2.-.y..H._../X........Z..$...&\S........M...0.7.#.1..Y..r.f..Y.ym..";.8980m-m.(..]....v.^....D....W~.....e....mi..]..P....`/....u.}q..|^R..,g+...\K..k)/......C_|.R....ax.8.t1C^7nfz.D....p.......u....$../.ED.L L..[.....B.@...............X..!.@~..(*. .{d+..}..G.........}W.L...$..cGD2..Q...Z.4 .E@..@...............A(..q`1.....D .........`'..u..4.6p.t.c.48....`...R0...)...@......R.t C....X.....C.P...%CBH..@.R.....f.[.(t....C..Qh...z.#0...Z..l..`O8.......28......p.|..O...X.?......:..0...FB.x$..!.....i@......H...[..EE1PL........V.6..Q.P..>.U.(j...MFk......t,:....FW........8.....c.1...L.&.
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.2, MSI Installer, Create Time/Date: Mon Jun 21 08:00:00 1999, Name of Creating Application: Windows Installer, Security: 1, Code page: 1252, Template: Intel;1033, Number of Pages: 200, Revision Number: {6CC5F0A5-DD20-463B-A745-23226EA64FC9}, Title: Add2Exchange Setup, Subject: Add2Exchange, Author: Advantage International, Comments: A Microsoft Exchange Server synchronization program., Number of Words: 2, Last Saved Time/Date: Mon Mar 11 15:43:44 2024, Last Printed: Mon Mar 11 15:43:44 2024
                                      Category:dropped
                                      Size (bytes):30423552
                                      Entropy (8bit):7.989713441416668
                                      Encrypted:false
                                      SSDEEP:786432:AZHbPULLLrq72tsjOH5uQol2vRY+DVN8HKOG:AlPsHrTtsjOH/Hz0H
                                      MD5:2D8B406D3C360459C99E3A1BC9D1E30E
                                      SHA1:3288467999C470DC54535A831C47720C299103BE
                                      SHA-256:F1B7B284704703E02471A645F7295D6678EC87DF998B2C9A90C6B3067CFB590C
                                      SHA-512:ED6A44B2ED614CE9B2FC698701BAFA8D806B4A3F7158C6AE9F2F2D190A9A0A74FF17F4F0C3A50357323581E339900DAD933F9CFE8CC3D55FC8701EAAAE2E67E5
                                      Malicious:false
                                      Reputation:low
                                      Preview:......................>...................................8...................................w.......u...............{...............................................................................................................................................................................................................................................................................................................................................................................................................Z................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...G.......:...;...<...=...>...?...@...A...B...C...D...Y...F.......H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...[...\...]..._.......^.......`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:PDF document, version 1.7, 6 pages
                                      Category:dropped
                                      Size (bytes):416578
                                      Entropy (8bit):7.9921021749352
                                      Encrypted:true
                                      SSDEEP:6144:0DZnpoW8Juj+7PQzBg5vxLX09lgN9h26fswbbEH2XeudeW0uLX:AnNj+bQK5vio9TswUTkeo
                                      MD5:5717BDB29D1561AE86E08AF6459CAC84
                                      SHA1:7D74FF33E1A7299CAF9BF2F45D64F15F2F0C336A
                                      SHA-256:FB6B1D910F9B44416C50E5E31E449835391B9B33FD238AA45C5BCB61465F7373
                                      SHA-512:995045AC8002438BB0958FBBDB3261B850D4C2AAE7684BE668A94449608573080A079E90458FEDBA5120376C248B913DA1E7141A0591E3E7FECCE4D907C1C203
                                      Malicious:false
                                      Reputation:moderate, very likely benign file
                                      Preview:%PDF-1.7..4 0 obj.(Identity).endobj.5 0 obj.(Adobe).endobj.8 0 obj.<<./Filter /FlateDecode./Length 77377./Length1 352268./Type /Stream.>>.stream.x..}.`T.......Y2K..7{..dB2Y....(....$.d..%.\p....}i..j...b@.im...`m+..P...J[......7.........|p..=w}..w.s.9.. ..F..u..O..[P<...3.<.Lhn.oY.x..?<...Lh.:....!......N.~z.8Q...".5O.:}......@..k.N.1}.;/V.4...:m..xi.e./..\....4y...k....`......t......9.]R......c.;........{......-.:...._*....@U....]`.-.7....].ra.....kz.`.._p.......>....-.;......Az.E.`S8....0.Zt..K..V=....a....]H.%>.;.&.Y:o.9..[...X....^.3......}.,X1....l.....^..._...O....k.........-...t......-..F...'...k..5.........kw...M.s..,.Z.<..j.`..).77}..`.N..v.bm.. ...........y9.....@.....2. ........%.ix.R..]P..K..j.....M>........2..</.I.Rx.....J!KUMrii..(.......h...c....80~....e.....:?S_....N.,....r....Lz+..s.Px`y.0......L.=0.{."..........9.I./.............V._.........a$A .U.N..7............................?.....pT .......b.0..........l..=......7....
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                      Category:dropped
                                      Size (bytes):16151
                                      Entropy (8bit):4.908485763338948
                                      Encrypted:false
                                      SSDEEP:384:8EK8+x+DdcyDbv+IvRapPD3+roNVkLNXm64rd2:XK8+x+htbvJwN3+rocP
                                      MD5:F23F6315632CF0B58C2243A3FA3E4D06
                                      SHA1:CD32534BAEE9CCB55C1FAF8653FC53DB22291C85
                                      SHA-256:EA34C9C0CD918EF15FCE8FEED4DF83359BDE1D6E60F6632378970D73D68F36A7
                                      SHA-512:A5CC08E0CCFE4BD48CDF19D5638B3A34B756DFA8636A12CBD53A78415DCFE6874DFFE99119CDF4D4CF7C05EB041EB461B8E8F48FB84EAF07BAD85FFB4AC97AAB
                                      Malicious:false
                                      Reputation:moderate, very likely benign file
                                      Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033\deflangfe1033{\fonttbl{\f0\froman\fprq2\fcharset0 Times New Roman;}{\f1\fswiss\fprq2\fcharset0 Calibri;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17134}{\*\mmathPr\mnaryLim0\mdispDef1\mwrapIndent1440 }\viewkind4\uc1 ..\pard\widctlpar\b\f0\fs22 Add2Exchange End User License Agreement\par..\b0\par....\pard\widctlpar\sa200\sl276\slmult1\f1 This EULA covers both the Retail License and the Original Equipment Manufacturers License. By proceeding, you agree to be bound by one of the following options. [Option #1 is the Retail License and Option #2 is the OEM License]. This is your END-USER LICENSE AGREEMENT ("EULA") FOR DIDITBETTER SOFTWARE(r). IMPORTANT-READ CAREFULLY: This End-User License Agreement ("EULA") is a legal agreement between you (whether an individual or an entity) and [Option #1 - DIDITBETTER SOFTWARE, a division of Advantage International, Inc. ("DIDITBETTER SOFTWARE")] or [Option #2 - the manufactur
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ISO-8859 text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):17385
                                      Entropy (8bit):4.608607390064206
                                      Encrypted:false
                                      SSDEEP:192:y4EBdqrg+gCoTgFPjAJy9oWSWvncm5yJvv8WEj+WonoHEqNgr:CpCocFPSyKWdvXAJcWEtoiEq+r
                                      MD5:24906D4F36602C1492A74A26C229E000
                                      SHA1:11A0EA2FDE23EF154F4B2F2E0B37BF4BDB20B390
                                      SHA-256:E8F85E3101B5613AF06DD998E7E119A9D8F48B2CB0178FD79769EF4CCA73FD0C
                                      SHA-512:00C6C2F4F94EB11860F061DE5E53A710C93FD13AFDC71D475087AD4C3058E4AB9205E8C3567F420A9D538C80035B29A866002F27DA1BE4AB55206C181BC9FB73
                                      Malicious:false
                                      Reputation:low
                                      Preview:<#.. .SYNOPSIS.. Create Initial Environment for Add2Exchange Install.. Assign Permissions for Add2Exchange.. Install Add2Exchange.. Cleanup.. Luanch Add2Exchange for the first time.... .DESCRIPTION.. Step 1: Account Creation.. Step 2: Upgrade .Net and Powershell if needed.. Step 3: Create zLibrary and Create Shortcuts.. Step 4: Install Outlook and Setup Profile.. Step 5: Mailbox Creation.. Step 6: Create a Mail Profile.. Step 7: Add Permissions (moved to step 11a).. Step 8: Add Public Folder Permissions.. Step 9: Enable AutoLogon.. Step 10: Install Add2Exchange.. Step 11: Add Registry Favs.. Step 11a: Setup Timed Permissions.. Step 12: Cleanup...... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>......if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurren
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:Generic INItialization configuration [InternetShortcut]
                                      Category:dropped
                                      Size (bytes):207
                                      Entropy (8bit):5.155953403004538
                                      Encrypted:false
                                      SSDEEP:6:J254vVG/4xtOFVm/lCBL3W3yLPiQAwW3UGIyc1ynE5Vsv:3VW4xtOFVm9C93W3yrCwWghynd
                                      MD5:A675BC61B22D603FA553D133C3A80530
                                      SHA1:69C7F69497435AE1C7045FC7646DF7E030A71D60
                                      SHA-256:703F87D93902B09647F65B0A6C0FAC76AD3D3ECEFCECBA0B487D6BE5FC11CC86
                                      SHA-512:6B7410E10F34E3675B57A12A0F3986396FFFF60187CE07B8BC2932E463351EEF8C4BF8B0E5E384BEAAEA79CDBA4CBA606C12ECABBC93D0C5FADC40B8A439D6A5
                                      Malicious:false
                                      Reputation:moderate, very likely benign file
                                      Preview:[{000214A0-0000-0000-C000-000000000046}]..Prop3=19,2..[InternetShortcut]..URL=http://support.diditbetter.com/support-request.aspx..IDList=..IconFile=C:\Windows\system32\SHELL32.dll..IconIndex=160..HotKey=0..
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):2031
                                      Entropy (8bit):4.9264371266008435
                                      Encrypted:false
                                      SSDEEP:48:uLl0WZPDP6MPPOb0PPGsGyk9z1585wQ5zYGLa9zOdg9zzPtvvKn3anlPIl:20WIMaMyyk9z1585wQ50GLa9zOdg9zxC
                                      MD5:9A6C59517107E29E7078D7B96723CB98
                                      SHA1:3511E00B4372319EF796129621FC62D4AF7A4FA5
                                      SHA-256:C0553E6FA21203007BCF887EB57BACDC9E01BB3646495200A76C372030164CEF
                                      SHA-512:C14AA17A084ECA0E3EC106F962AF5271ABCF9AB363CC5D3AC467D29ADF4BFDE1D36CD7AF707897D913C77F660E3B3585527CA8CE15F51EE4930FC210039CE5CC
                                      Malicious:false
                                      Reputation:moderate, very likely benign file
                                      Preview:<#...NAME.. Outlook Installer..#>....Add-Type -AssemblyName System.Windows.Forms..[System.Windows.Forms.Application]::EnableVisualStyles()....$Outlook365Installer = New-Object system.Windows.Forms.Form..$Outlook365Installer.ClientSize = New-Object System.Drawing.Point(247,169)..$Outlook365Installer.text = "Outlook 365 Install"..$Outlook365Installer.TopMost = $false....$ProRetail = New-Object system.Windows.Forms.Label..$ProRetail.text = "Office 365 Pro Retail"..$ProRetail.AutoSize = $true..$ProRetail.width = 25..$ProRetail.height = 10..$ProRetail.location = New-Object System.Drawing.Point(21,30)..$ProRetail.Font = New-Object System.Drawing.Font('Microsoft Sans Serif',14,[System.Drawing.FontStyle]([System.Drawing.FontStyle]::Bold -bor [System.Drawing.FontStyle]::Underline))....$Pro32 = New-Object system.Windows.Forms.Button
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1023
                                      Entropy (8bit):5.202613438368244
                                      Encrypted:false
                                      SSDEEP:24:OkfEslTC6jycWuLcWlfAcWiLcWbFS8httxkB:9fE+e6jyctLcrcjLcqDDtyB
                                      MD5:BC70B4D7C9C7053F4C30FC1721A67D63
                                      SHA1:D9E574805F4018C7CC25C2AA97DC56DA3E0B5044
                                      SHA-256:794E2365F2E580F669BAD988064606F814A1EDDDB7F865C3D291AAF15AE1EF0D
                                      SHA-512:6AF3A9F2428698FB935894470BF7F0AC8BEAE66936DF3E6B5994A96E62972AD693763892B4FF58CE322E8275C135F4E2FE3A31CBA7A87AC15DA129B0CB242569
                                      Malicious:false
                                      Preview:<Configuration ID="0ed28122-0109-4692-886e-6c4b754f4025">.. <Add OfficeClientEdition="64" Channel="Broad" ForceUpgrade="TRUE">.. <Product ID="O365ProPlusRetail">.. <Language ID="MatchOS" />.. <ExcludeApp ID="Access" />.. <ExcludeApp ID="Excel" />.. <ExcludeApp ID="Groove" />.. <ExcludeApp ID="Lync" />.. <ExcludeApp ID="OneDrive" />.. <ExcludeApp ID="OneNote" />.. <ExcludeApp ID="PowerPoint" />.. <ExcludeApp ID="Publisher" />.. <ExcludeApp ID="Word" />.. <ExcludeApp ID="Teams" />.. </Product>.. </Add>.. <Property Name="SharedComputerLicensing" Value="0" />.. <Property Name="PinIconsToTaskbar" Value="TRUE" />.. <Property Name="SCLCacheOverride" Value="0" />.. <Property Name="AUTOACTIVATE" Value="FALSE" />.. <Updates Enabled="TRUE" />.. <AppSettings>.. <User Value="0" Name="runosc" Id="L_TurnOffOutlookSocialConnector" App="outlk16" Type="REG_DWORD" Key="software\microsoft\office\outlook\socialconnector"/>.. </AppSett
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1023
                                      Entropy (8bit):5.2041868894674
                                      Encrypted:false
                                      SSDEEP:24:OTfEslTC6jycWuLcWlfAcWiLcWbFS8httxkB:ufE+e6jyctLcrcjLcqDDtyB
                                      MD5:6C49E64FFF25A2225546976F7A9BE5F6
                                      SHA1:6CC15D048275904F2E8D7AFC1F7789750FC6365E
                                      SHA-256:B52A9402BB73233A077BC2437228A26AEEB9C8F53FE3E9147209A09A9D5A833F
                                      SHA-512:FDCF646EA8D896ACA2EF3AF156D5403D509EAA06580A87854BAA5B2D0353B4483F62EA60F128338020E8039A95A3DC3FC85A45ED4A2539929A0A3B366A0F7B99
                                      Malicious:false
                                      Preview:<Configuration ID="0ed28122-0109-4692-886e-6c4b754f4025">.. <Add OfficeClientEdition="32" Channel="Broad" ForceUpgrade="TRUE">.. <Product ID="O365ProPlusRetail">.. <Language ID="MatchOS" />.. <ExcludeApp ID="Access" />.. <ExcludeApp ID="Excel" />.. <ExcludeApp ID="Groove" />.. <ExcludeApp ID="Lync" />.. <ExcludeApp ID="OneDrive" />.. <ExcludeApp ID="OneNote" />.. <ExcludeApp ID="PowerPoint" />.. <ExcludeApp ID="Publisher" />.. <ExcludeApp ID="Word" />.. <ExcludeApp ID="Teams" />.. </Product>.. </Add>.. <Property Name="SharedComputerLicensing" Value="0" />.. <Property Name="PinIconsToTaskbar" Value="TRUE" />.. <Property Name="SCLCacheOverride" Value="0" />.. <Property Name="AUTOACTIVATE" Value="FALSE" />.. <Updates Enabled="TRUE" />.. <AppSettings>.. <User Value="0" Name="runosc" Id="L_TurnOffOutlookSocialConnector" App="outlk16" Type="REG_DWORD" Key="software\microsoft\office\outlook\socialconnector"/>.. </AppSett
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):62
                                      Entropy (8bit):4.572765012132931
                                      Encrypted:false
                                      SSDEEP:3:Pg4QQ6/QIK6Wde8UMeKJ:PVQQFKWlU2
                                      MD5:E49E7FD101C66A32558FF27564234222
                                      SHA1:671A4BBE57BB7C9E872693DFA4CDC967D4329A93
                                      SHA-256:72507222065118F1D879128E8E98C633AFA6C21275CB9246F5AAC18041A1FDBF
                                      SHA-512:1A7CE80BE39B2B2CF38B1687A0CD6E9F318C216F6562F1170283835360B8AFE053D72CAD6714F4073927932BFFCD3EDDFCAB09962A6C145BF5F34C1CBD261E8B
                                      Malicious:false
                                      Preview:setup.exe /configure Office365_Pro_Retailx64_Configuration.xml
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):62
                                      Entropy (8bit):4.572765012132931
                                      Encrypted:false
                                      SSDEEP:3:Pg4QQ6/QIK6WdoMeKJ:PVQQFKWi2
                                      MD5:8D16D2E6750AE5217ADBBAC538E6E89E
                                      SHA1:06126FF482AB5F91E32315DE94ECE2F39533C1BF
                                      SHA-256:FFB180B7837FAB58A39779694E3025F98A0AE6B747B3A84BCB96BBA59486C5F7
                                      SHA-512:D17FC93E05CAF4FB938EC1CE9A18793610A2B2381D020227613117031E238B0E6F8A1957EC1000BDD7D2CF2587C3DD1FD4C2CD93010B70686FDF46747BE50B2C
                                      Malicious:false
                                      Preview:setup.exe /configure Office365_Pro_Retailx86_Configuration.xml
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):5169440
                                      Entropy (8bit):6.649944627880774
                                      Encrypted:false
                                      SSDEEP:98304:vqihTvjtEh2N5LQhyddG4THBZoJG3QBMxvble/bsTwY2h3:TpvE8dgq3oJG3QBMxBlW3
                                      MD5:B374FA0E7E34B9CE9C142FE80E1EFADE
                                      SHA1:2537F4523B12E9801F2ACB8FE38D5D725A56A61D
                                      SHA-256:A87105965530799BABBB71A1FD52DBD7CDDEE71C40E2C37576235D156FF02027
                                      SHA-512:8F5FF73932568006C38B9E1BB8DAABF0DC6E419FC1E6D96159FB1234439B8AB9B283D617540CDC5860538AFFEA89BA0A553F4CCF2B9F1949D9E907BA56C2F74C
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: V425Q1tORs.exe, Detection: malicious
• Filename: V425Q1tORs.exe, Detection: malicious
                                      Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......Gc.-...~...~...~..'~...~..%~...~..$~#..~Ig.....~Ig..+..~Ig.....~...~...~...~...~fd.....~fd.....~fd.....~fd.....~...~)..~.d.....~.d.....~.d)~...~..A~...~.d.....~Rich...~........PE..L...r..[.........."......l+..2#.......#.......+...@...........................O.......O...@.................................8b?.......A...............N. ?...`K..<....:.8.....................:......,.@.............+.8....M?......................text....k+......l+................. ..`.rdata........+......p+.............@..@.data.........?..H...x?.............@....rsrc.........A.......@.............@..@.reloc...<...`K..>...dJ.............@..B........................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                      Category:dropped
                                      Size (bytes):2668259
                                      Entropy (8bit):7.998881312154931
                                      Encrypted:true
                                      SSDEEP:49152:MUbYsgyV5rS/kPE79ObqVIBYZKKXEqYbrjdLiBWn8qfMVqCqJ:MUbYsgyUcgOIdZ4ZZLou6qCqJ
                                      MD5:A00060FA16A451A14EFD4D8431CF4FA0
                                      SHA1:57EE5FF9CE2DCD217AFC03820FDF2E4A1EFB072B
                                      SHA-256:5FC1DC21BE4CBC3536079157FD9C75F93EAC09C90DF836432320817E7C720F1A
                                      SHA-512:4C02E3F18FB1F66BE214811491C7FA11E4570E947DD3C34A18B13A3F24F37B117266E91ACAF0B6A4F11A21A8965918C83CCF8D39AD142290566FBCEFAB8888BA
                                      Malicious:false
                                      Preview:PK.........@[W................Setup/PK.........AiV .-......<......Setup/A2E_Auto_Migration.ps1..ks.F.{f....g..Rj..t<u3...6.p.6..C:.j.S...$..........0N_..|...n_.k.}....>...no...K..<.K.....%=....^.......kx.....|".v..7C.g.bR.Y.........R.....%.........h.........y..2.L.O....+..v.+u-.pSr...%....pc...oL..K7..g.R...Sr|$.f.V.....^...e.c>w.N-2.........d...z,R.=P.......H..fTp...WN...... ~.7.....h|.}x.3e[.q....O..,...;.fOH].*..z.@..X.=.vM..qi..........c.i..7...h..7.F'.}.u$.@MB....5.];.`0.o4..e.g..]sJ(.8a...5[.Cn. 8Pp.A}........6e.c..#.~...}N.5...wZ....s.....g............A.c..fdYla...P.O......k8..|.h.....ERX8Zz4.$.S~}....%.C..... :.'Z.`..............w4.=..b...C..(..........\K.}E}....|..+k..7..TJ..<~....C.....6..<..+.,f....g..A.dx..G......;...u..c.S..c.J.x<.38...it*...}.7M...v._.N.........c.......H..:...j...R.5..2P..x...?v..p..`.e...=ri...U.7..F}....W..`.L-h..O.>...^M+.x..d.C.'K....p...gk6.|..nM...(D..=.....Z.L#.<g.b..c..(#. .K.R..c..Q..5R..e.Ex..
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:Non-ISO extended-ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):15579
                                      Entropy (8bit):4.889068941413246
                                      Encrypted:false
                                      SSDEEP:192:URv4EBdSWEG7Dw4XpX4XoXJszFpzVf+/g7sD5FNPZWSDw4XpX4XoXhopz6f+/g7j:URxSWRb5oY+zd+/gI55oYOzC+/gqS
                                      MD5:93424836BFC74EF4E3291D2AD4190A59
                                      SHA1:3E9240FD41C8BDD4F969D1676CB4859FA4480F2E
                                      SHA-256:B9FC8E91F823BC275C8A881B9918609D646546AF25255E9F25E339544A662441
                                      SHA-512:7E95C9EC2D62D1AD8831BD2160B58C248AECDEF60EF07F7F4322B71A037141C4F784AF50CF80334674B53063098CFC66255E33CBAF9B52057FE1E77BC035D2FA
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS.. Step 1 of 2.. Run Post_A2E_Migration.ps1 after this.. Automatically Migrates Add2Exchange to a new server.... .DESCRIPTION.. Check for current files and locations.. copy reg. files for Add2Exchange and backup.. Backup A2E SQL DB and move to landing zone.. Download from S3 latest build of Add2Exchange and upgrade prior to move...... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass....#Logging..Start-Transcript -Path "C:\Program Files (x86)\DidItBetterSoftware\Support\A2E_Power
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ISO-8859 text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):897
                                      Entropy (8bit):5.143902574568429
                                      Encrypted:false
                                      SSDEEP:24:SU0+J2+rcELm7LR6LPk1ophAl6PoHZu2p2MeD3nMhz:A+gYmPROsEDm9eD3E
                                      MD5:F0881E090546B066243B4E31C5871A4F
                                      SHA1:20E3AFBA20B081A484E4F6EA00E865394D7DAFC8
                                      SHA-256:09DC73CEAAC643ED32120FBB7AE81BE75A922C2318A3A55ACED9042CF0350466
                                      SHA-512:96AA3A128CCF4C7B9735F349A31C240A927D2F44F855BC5C66554A2A466C96028805991BB508EC3DDAE35A5BDF6368FBC4B212AFAAD458041550812FD9040675
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS.. A2E Directory shortcut.... .DESCRIPTION.. Open Add2Exchange Directory...... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))..{.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File",('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass -Force......# Script #....$Install = Get-ItemPropertyValue -Path "HKLM:\SOFTWARE\WOW6432Node\OpenDoor Software.\Add2Exchange" -Name "InstallLocation" -ErrorAction SilentlyContinue.. Start-Process $Install....Write-Host "ttyl"..Get-PSSession | Remove-PSSession..Exit....# End Scripting
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ISO-8859 text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):916
                                      Entropy (8bit):5.206402114423433
                                      Encrypted:false
                                      SSDEEP:24:zKU0jSJ2+rcELm7LR6LPk1ophAl6PoLZu2p2MeHhpyhz:8+gYmPROsEDO9eHhpK
                                      MD5:6C6FE5D9C01ED59D63ABC1737A003357
                                      SHA1:B8FE156802D624D1B1322A211A572C6EC0332E33
                                      SHA-256:2C9CDDAA12253497C76A7DF48A9E9845FE3D9D3289F2E5844043EDDDA57C6273
                                      SHA-512:1405622C66DB32383DD8CDEB3409261BD3FD11B8C96BEA0D757B87AEA3EE09E6D98EF39F20303FB8C47A132A2B632A5385A76970AB8E59ADA2D3B79ADCB07C3A
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS.. A2E MMC shortcut.... .DESCRIPTION.. Open Add2Exchange MMC...... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))..{.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File",('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass -Force......# Script #....$MMC = Get-ItemPropertyValue -Path "HKLM:\SOFTWARE\WOW6432Node\OpenDoor Software.\Add2Exchange" -Name "InstallLocation" -ErrorAction SilentlyContinue..Push-Location $MMC..Start-Process ".\Console\DidItBetter MMC.msc"....Write-Host "ttyl"..Get-PSSession | Remove-PSSession..Exit....# End Scripting
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                      Category:dropped
                                      Size (bytes):216321
                                      Entropy (8bit):4.453510072484783
                                      Encrypted:false
                                      SSDEEP:6144:Bruqfz1OZCOkNCRPRs8rHwsREvJGA217MY0sM:hLZOZtpBRmH2V+sM
                                      MD5:8A81C1400FFC2CD5B1FAAD465C0701EE
                                      SHA1:D26758B75BB032383464C2F5E5B020DD06FAE7D8
                                      SHA-256:8CD1F3A5BB0971E36910A7B67E48E2F7C6D310FD088BDA61B498E231AE585F0B
                                      SHA-512:146A14848BD885D892B38DD264D98D77805273A4F714A355446C0B81DAFBD200B1647E20C1370EC0DDF836B8B4E1F3EF99E5CF3A01477762354BA34F2360193E
                                      Malicious:false
                                      Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033\deflangfe1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fmodern\fprq1\fcharset0 Consolas;}{\f2\fnil\fcharset0 Arial;}{\f3\fswiss\fprq2\fcharset0 Calibri;}}..{\colortbl ;\red106\green153\blue85;\red212\green212\blue212;\red86\green156\blue214;\red220\green220\blue170;}..{\*\generator Riched20 10.0.19041}{\*\mmathPr\mnaryLim0\mdispDef1\mwrapIndent1440 }\viewkind4\uc1 ..\pard\widctlpar\f0\fs22\lang9{\pict{\*\picprop{\sp{\sn wzDescription}{\sv Image}}{\sp{\sn posv}{\sv 1}}..}\pngblip\picw5349\pich1291\picwgoal3033\pichgoal732 ..89504e470d0a1a0a0000000d494844520000184d000005dd08030000008fbc05e8000000017352..474200aece1ce90000000467414d410000b18f0bfc610500000300504c5445000000fffffffcef..e7fef7f3fadeceef9560eb7d3cf9d6c2f5be9df2ad85d3e5c7b8d5a6cae0bcdcead2e4efddf4b6..91f09d6cec8547f6faf48cbb6e72ac4d95c179afd09af1a578ed8d547ab157f6c6a9f7ceb683b6..63fbe7daa7cb8fc1dbb19ec684edf5e9ecececb2b2b2c5c5c5d9d9d9f5f5f5cfcfcf6666667979..798c8c8c6f6f6fbcb
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:Non-ISO extended-ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):8283
                                      Entropy (8bit):5.268485089494731
                                      Encrypted:false
                                      SSDEEP:96:lPdmPEB3GsP9ELNqjkdsiY7/MyDIC4GmL2MuozftgXWefk7NawVJDQxx/vJvXW1x:b4EBWsPGNqXMyD2LPR6RYNawVpYvBE
                                      MD5:E289DC757526BB6118CCD8B234483DB7
                                      SHA1:7185C6F23862169FA3E148935909E28952FA5D08
                                      SHA-256:C3C92F663B02D0E1E2B2BD46AE8A2983DC6A829EB4E4A8AF09B4D37B589D593C
                                      SHA-512:F7E76959B0EC843C2EE8C97FBF1D730F779D0BE369C13CCDF83A9D25D9792E02CF06905D2E51AC3CF420B43CBAFAFE80C4F70E4141AC3F6727E866CF5296158F
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS.. A2E SQL Backup.... .DESCRIPTION.. Auto backs up the A2E SQL database.. Makes task for auto backup.. default retention is 5 copies...... .NOTES.. Version: 4.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass -Force....#Variables..$Install = Get-ItemPropertyValue -Path "HKLM:\SOFTWARE\WOW6432Node\OpenDoor Software.\Add2Exchange" -Name "InstallLocation" -ErrorAction SilentlyContinue #Current Add2Exchange Installation Path..$CurrentDB = $Install + 'Database\' #Current Database Location..$ServerName = Get-ItemPropertyVal
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:Non-ISO extended-ASCII text, with very long lines (485), with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):20181
                                      Entropy (8bit):5.1450742793043265
                                      Encrypted:false
                                      SSDEEP:384:4Xp3AzWqaGaAn6b/bSA40PeFlREGS+FUzgrfFfGroH+mLMYT+RdwKGip4fP28Ewj:yb340SlRjS+6zgLFfeoH3MYCRdbGiKfz
                                      MD5:8DC459D4B78D918A341B4938B1552F70
                                      SHA1:595052E1A7BA7A36D8A32AF4CC53AE1B0F85D4EF
                                      SHA-256:1F27A71C9A9008D49BAF22364336AF763ACB549D260225E387746199A68D6EA8
                                      SHA-512:EC2DE4DE898083E46C4BE3F32D1FEE0E5032223D4BFF73D9988C51C1DC1C8038E86B4F36184AD4DCBD1EC804020B0CF08D82010DF9FD276E10FA77C826AAEAB3
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS.. Powershell script to include Add2Exchange setup details in .txt.... .DESCRIPTION.. Checks registry for A2E setup details and prints to .txt file.. Get licensing info.. Get install paths.. Get local account for Add2Exchange.. Get PS Version.. Get Windows Version.. Get DB Version...... .NOTES.. Version: 1.10.2023.. Author: DidItBetter Software.... #>......if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass....# Script #....#Logging..$TestPath = "C:\Program Files (x86)\DidItBetterSoftware\Support"..if ( $(Try { Test-Path $TestPath.trim()
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:Non-ISO extended-ASCII text, with very long lines (355), with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):24006
                                      Entropy (8bit):4.5977428899880435
                                      Encrypted:false
                                      SSDEEP:192:q4EBlX9hOegnbK4pDTfMQ2EX6LyOCXzY4pvfMmc8n6w0STq4pffMcG:EAnbK4pDTfMCuwzY4pvfMQvTq4pffMH
                                      MD5:9531BBFDE471AF746FDFEEB69964B848
                                      SHA1:CAE7CAD062B3FE3EF4ED3B78BDE521823C169E99
                                      SHA-256:229C448416621A50ED51125A1973D019BF3A5FE596584A4CE53E3C6AE1B0A098
                                      SHA-512:029D7B8703A2A5BF2F1F0B48F5E6F461B3FCD3D3662DBC5DC903E29C201CD565867263FC6576B32730FB11857C3945309DD3550E9AE563C671FD6546CDB6C94F
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS.. Add2Outlook Granular permissions.... .DESCRIPTION.. Sets Granualr permissions to users on-premise or office 365...... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>......if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass....#Logging..$TestPath = "C:\Program Files (x86)\DidItBetterSoftware\Support"..if ( $(Try { Test-Path $TestPath.trim() } Catch { $false }) ) {.... Write-Host "Support Directory Exists...Resuming"..}..Else {.. New-Item -ItemType directory -Path "C:\Program Files (x86)\DidItBetterSoftware\Support"..}....Start-Transcript -Path "C:\Program
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:Non-ISO extended-ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):41968
                                      Entropy (8bit):5.243228574520891
                                      Encrypted:false
                                      SSDEEP:384:H6tXgbb7+HNlzF2lm8tPj78F2cfBF2lCUBI2F2lzRjRtF2xpF215F2NAF2kFF2G2:m0ADOPpen/Fx0j
                                      MD5:BB243A354ADBE069FCAF359567A51028
                                      SHA1:A224B862CEFEEE04408459E81EDC2639DAD3D2E0
                                      SHA-256:7AED627FC4B85C44148A3AAAEF85B80636D388838AFDE60D62C494E53C8DEA3F
                                      SHA-512:9FD37D8ACBDC015580B7C2E0A090BDF6C68D52416D5EEA7203EACF9C3F3407A8B0A7A56F072286AEAD99DDB224B79655C77C8F38E00BC7D28698D954D9F7C6EA
                                      Malicious:false
                                      Preview:#Logging..Start-Transcript -Path ".\A2E_PowerShell_log.txt" -Append....#Pathing....$TestPath = ".\Add2Exchange Creds"..if ( $(Try { Test-Path $TestPath.trim() } Catch { $false }) ) {.. ..}..Else {.. .. New-Item -ItemType directory -Path ".\Add2Exchange Creds"..}....#Check for MS Online Module..Write-Host "Checking for Exhange Online Module"....IF (Get-Module -ListAvailable -Name ExchangeOnlineManagement) {.. Write-Host "Exchange Online Module Exists".... $InstalledEXOv2 = ((Get-Module -Name ExchangeOnlineManagement -ListAvailable).Version | Sort-Object -Descending | Select-Object -First 1).ToString().... $LatestEXOv2 = (Find-Module -Name ExchangeOnlineManagement).Version.ToString().... [PSCustomObject]@{.. Match = If ($InstalledEXOv2 -eq $LatestEXOv2) { Write-Host "You are on the latest Version" } .... Else {.. Write-Host "Upgrading Modules...".. Update-Module -Name ExchangeOnlineManagement -Force.. Write-Host "Success
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):2151
                                      Entropy (8bit):5.162487348740605
                                      Encrypted:false
                                      SSDEEP:48:9YmPROBka5K9X9Lz9k9TElltstjA4HcYA4Zx:qmPEBVo9X939k9TaMjYY9x
                                      MD5:3A7D2158C9D2F4FCB32B6E159B0B525E
                                      SHA1:26955DDF02A0ADA152B45B870A3757EE35DDB157
                                      SHA-256:8E47D64B5963369453417FFC938997BEF43B15C951C57E52DF190B4BABD95276
                                      SHA-512:4C0B8E4A3D6832842823CE9D13D864A746CF3876F542A1E5111346C1E21F41481DCA11684CAF0032C7BD8862839486E44B8185903C11DB6E0CE733F10A891DF2
                                      Malicious:false
                                      Preview:if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit.. }.. .. .. #Execution Policy.. .. Set-ExecutionPolicy -ExecutionPolicy Bypass.. [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12.. .. #Variables.. $Exchangename = Get-Content ".\Add2Exchange Creds\Exchange_Server_Name.txt".. $ServiceAccount = Get-Content ".\Add2Exchange Creds\Sync_Account_Name.txt".. $Username = Get-Content ".\Add2Exchange Creds\Exchange_Server_Admin.txt".. $Password = Get-Content ".\Add2Exchange Creds\Exchange_Server_Pass.txt" | convertto-securestring.. .. # Script #.. .. Try {.. .. $Cred = New-Object -typename System.Management.Automation.PSCredential `.. -Argumentlist $Username, $Password.. .. $S
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):2102
                                      Entropy (8bit):5.230466173766324
                                      Encrypted:false
                                      SSDEEP:48:9YmPROBk6PBN9n9LT9U9TS9jY1tkD7PzNIFMGIA4H9r:qmPEBtPBN9n939U9TS9y8bS2P5r
                                      MD5:89CF421CCCE150873AA500F3758F8F5A
                                      SHA1:0B65BA14167491C7764374092CBE1B7013BC5DD0
                                      SHA-256:FBE3DB3AE3ABACE46DD71EAF8FB1CFE9CDD6E5487B58FD5D94FF1ECA6BF91ECE
                                      SHA-512:CB948C442328D6A0AD0DF3B9382E2A482DEAE6CD3A613E30411F9C9A3DA172E7F249D0D6DD4DC03E987A400418ECF9D3305C976C305B768F50EEDC3FF34D2BDF
                                      Malicious:false
                                      Preview:if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}......#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass..[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12....# Script #....#Variables..$Exchangename = Get-Content ".\Add2Exchange Creds\Exchange_Server_Name.txt"..$ServiceAccount = Get-Content ".\Add2Exchange Creds\Sync_Account_Name.txt"..$Username = Get-Content ".\Add2Exchange Creds\Exchange_Server_Admin.txt"..$Password = Get-Content ".\Add2Exchange Creds\Exchange_Server_Pass.txt" | convertto-securestring..$Groups = Get-Content ".\Add2Exchange Creds\Dist_List_Name.txt"....Try {....$Cred = New-Object -typename System.Management.Automation.PSCredential `.. -Argumentlist $Username
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):3035
                                      Entropy (8bit):5.145689633354292
                                      Encrypted:false
                                      SSDEEP:48:9YmPROBk6PBN9Z9U9TZ9n9x1tkfnAH7IzYtn3BKz1w:qmPEBtPBN9Z9U9TZ9n9n57m6xKz1w
                                      MD5:1F7EB58896F3866ECF20359778262CC9
                                      SHA1:93116FF3EDF8528B74641019AEABE9CF53EB528B
                                      SHA-256:86DC185646EA5CDFEBBB3EAB8A188F3E4A006C07C256777FB18652EAB29564D1
                                      SHA-512:200C61EBD1C921E461EF6B7129C15A4E094C6C0BBBC235BB199EDA82C99F64EB688C9EF028E76A0233AC476BF851A3B105B782F0B4F6DB4DDC01C0636BE9E659
                                      Malicious:false
                                      Preview:if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}......#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass..[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12....# Script #....#Variables..$Exchangename = Get-Content ".\Add2Exchange Creds\Exchange_Server_Name.txt"..$Username = Get-Content ".\Add2Exchange Creds\Exchange_Server_Admin.txt"..$Password = Get-Content ".\Add2Exchange Creds\Exchange_Server_Pass.txt" | convertto-securestring..$DynamicDG1 = Get-Content ".\Add2Exchange Creds\Dynamic_Name.txt"..$StaticDG1 = Get-Content ".\Add2Exchange Creds\Static_Name.txt"....Try{....$Cred = New-Object -typename System.Management.Automation.PSCredential `.. -Argumentlist $Username, $Passwor
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:Non-ISO extended-ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):2554
                                      Entropy (8bit):5.173142548372283
                                      Encrypted:false
                                      SSDEEP:48:9YmPROBk642pHCZMC/9LT9/9+EY7A4H29:qmPEBtKMC/939/9+ti9
                                      MD5:454AD4DAF7770AA0475332B7B61F35A8
                                      SHA1:D9CAF58B50B20B15B6D713DC1C2A87CB0F421CFE
                                      SHA-256:0B995601F037D76FD2B6B9746AFDCC33A29F8769772A7E26AE8DDA20B79B392A
                                      SHA-512:D19D3080FD3207716A8AB794DDB103339D50C28AC0BC24FCBBE80BD10E64A27C0282844F6E32B55643AD196912E043A16A3C45EF187C83AB3ED0B1A2CE3F255F
                                      Malicious:false
                                      Preview:if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}......#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass..[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12....# Script #....#Check for MS Online Module..Write-Host "Checking for Exhange Online Module"....IF (Get-Module -ListAvailable -Name ExchangeOnlineManagement) {.. Write-Host "Exchange Online Module Exists".... $InstalledEXOv2 = ((Get-Module -Name ExchangeOnlineManagement -ListAvailable).Version | Sort-Object -Descending | Select-Object -First 1).ToString().... $LatestEXOv2 = (Find-Module -Name ExchangeOnlineManagement).Version.ToString().... [PSCustomObject]@{.. Match = If ($InstalledEXOv2 -eq $LatestEXOv2)
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:Non-ISO extended-ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):2772
                                      Entropy (8bit):5.190597884596586
                                      Encrypted:false
                                      SSDEEP:48:9YmPROBk642pHCZMC/9LT9/9+S9jYT7PzNIFMGIA4HyKx:qmPEBtKMC/939/9+S9qbS2PmKx
                                      MD5:40849438C1AD17F7506ECA0AF810E5A5
                                      SHA1:622291B78908387DBE154E641D6D22496DA2C946
                                      SHA-256:9E68CCDA9FA2A971FF15BEA0264A326433C9DAE2AE635E240A790ACE6C7B5F49
                                      SHA-512:A05BBBE610A0E9317E764782FB375C4140B55CDA1AE0C535B4993A183DE77F74C39BD056853EAE7FA8DE55C33C2E7861F0E58B5C73BA867F52B4F5BD64793934
                                      Malicious:false
                                      Preview:if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}......#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass..[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12....# Script #....#Check for MS Online Module..Write-Host "Checking for Exhange Online Module"....IF (Get-Module -ListAvailable -Name ExchangeOnlineManagement) {.. Write-Host "Exchange Online Module Exists".... $InstalledEXOv2 = ((Get-Module -Name ExchangeOnlineManagement -ListAvailable).Version | Sort-Object -Descending | Select-Object -First 1).ToString().... $LatestEXOv2 = (Find-Module -Name ExchangeOnlineManagement).Version.ToString().... [PSCustomObject]@{.. Match = If ($InstalledEXOv2 -eq $LatestEXOv2)
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:Non-ISO extended-ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):3701
                                      Entropy (8bit):5.118368046067273
                                      Encrypted:false
                                      SSDEEP:48:9YmPROBk642pHCZMCB9/9+V9v9uYWNja7IzYtn8UQprG:qmPEBtKMCB9/9+V9v9ia7m689prG
                                      MD5:0E3C648CF3C2A950A790C8412752F058
                                      SHA1:7AD73D971222436E5801E14AF3A43A1E49FE1E9F
                                      SHA-256:528E4E9F041933014B6CBB1C1405DBBF2CEA0A5225AC56F5090D333595BFEDA7
                                      SHA-512:E7CE197E2993FA6AABDF8AC4823BD8CAF08312E1AC5D785CF40E28ABB271850444D911678914F4F5DEBD1AF485DCDD642B9037C0127406761ED71ADFBFC414DE
                                      Malicious:false
                                      Preview:if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}......#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass..[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12....# Script #....#Check for MS Online Module..Write-Host "Checking for Exhange Online Module"....IF (Get-Module -ListAvailable -Name ExchangeOnlineManagement) {.. Write-Host "Exchange Online Module Exists".... $InstalledEXOv2 = ((Get-Module -Name ExchangeOnlineManagement -ListAvailable).Version | Sort-Object -Descending | Select-Object -First 1).ToString().... $LatestEXOv2 = (Find-Module -Name ExchangeOnlineManagement).Version.ToString().... [PSCustomObject]@{.. Match = If ($InstalledEXOv2 -eq $LatestEXOv2)
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:Non-ISO extended-ASCII text, with very long lines (355), with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):35480
                                      Entropy (8bit):4.466946069094336
                                      Encrypted:false
                                      SSDEEP:192:q4EBXL2hO9keHSowqzeZrTJN7nW9pdYkyO:2nkeHSowqCZ78YkF
                                      MD5:09F016831A4007FBC4A35EF1C5E88CDA
                                      SHA1:9AFEC61CECE26BCA466EB0F98EB1D9AD95A83D71
                                      SHA-256:A1095A2035A2CCD0C20A7DB63A6A473FD1973F481C2C6995A910518320DFEA4F
                                      SHA-512:0039359F4547CBBEF21ED0584FC16A6FB488CDE30702F4BBF05A354D472033E413111215360F3C0B78884DF4ED7746E35E43836D9BEB41DBAC2EBEB73351DD77
                                      Malicious:false
                                      Preview:if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass....#Logging....$TestPath = ".\Support"..if ( $(Try { Test-Path $TestPath.trim() } Catch { $false }) ) {.... Write-Host "Support Directory Exists...Resuming"..}..Else {.. New-Item -ItemType directory -Path ".\Support"..}....Start-Transcript -Path ".\Support\A2E_Permission_Results.txt" -Append....# Script #....$Title1 = 'Add2Exchange Enterprise Permissions Menu'....Clear-Host ..Write-Host "================ $Title1 ================"..""..Write-Host "How Are We Logging In?"..""..Write-Host "Press '1' for Office 365"..Write-Host "Press '2' for Exchange 2010" ..Write-Host "Press '3' for Exchange 2013-2019"
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1182
                                      Entropy (8bit):5.177298437958451
                                      Encrypted:false
                                      SSDEEP:24:9ELm7LR6LPk1ophAl6PoqGba5KNZDaNvmLbPXuq7Whz:9YmPROsEDFdAzuX
                                      MD5:E7429B9BC39E9217F0FB503DE41E1364
                                      SHA1:0608BB8B293A11F58EEB8CAA322CAF670CD48EFA
                                      SHA-256:6C696EF6E3D94FE2712B3063C7A52C6618A0D346C0B22718572FE7DB2A178885
                                      SHA-512:DB305B546B58D66809CC7F79389CE1D637C1EDDFB490162527C95752A306F2E616CB264B03719A40297773CE1A79D960B453F6EFA6B3C9486648705D351D56B5
                                      Malicious:false
                                      Preview:if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))..{.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File",('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass......# Script #..# Report Correct File Path of DynamicDistribution List File..Write-Host "Creating Task".. $Repeater = (New-TimeSpan -Minutes 720).. $Duration = ([timeSpan]::maxvalue).. $Trigger = New-JobTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval $Repeater -RepetitionDuration $Duration.. $Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -WorkingDirectory $Location -Argument '-NoProfile -WindowStyle Hidden -Executionpolicy Bypass -file "ENTER FILE PATH HERE"'.. Register-ScheduledTask -Action $Action -RunLevel Highest -Trigger $Trigger -TaskName "Add2Exchange Permissions" -Descrip
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):2376
                                      Entropy (8bit):5.091813731955432
                                      Encrypted:false
                                      SSDEEP:48:9YmPROBkH+yF0TveJjpnAH7IzYtn3BKzi:qmPEBl6KeJjs7m6xKzi
                                      MD5:CBC1624883A282B70B867D25B380EE1C
                                      SHA1:519E9B90F6558C1B507A1B71F9706B9400FE1E40
                                      SHA-256:0470A94170B0407E9C8AF85F2292EA767A424A82686E1991E28F320A2A325809
                                      SHA-512:16E60FA701564121144AD3217F7F1689C39FB9D368067256C08D4CF0E57CAFEB75B65F2F32FC58AF5119A62D6F1B253B5E18210B4871EAE48CB8E93EA5F0245D
                                      Malicious:false
                                      Preview:if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass....# Service Stop #..Get-Service -ComputerName "TYPE COMPUTER NAME HERE" -Name "Add2Exchange Service" | Stop-Service -Verbose -ErrorAction Stop..Start-Sleep -s 30..Get-Service -ComputerName "TYPE COMPUTER NAME HERE" -Name "Add2Exchange Agent" | Stop-Service -Verbose..Start-Sleep -s 10....# Script #..Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn;..Set-ADServerSettings -ViewEntireForest $true.. ..#Variables..# Fill Out Dynamic and Statis Distribution Groups Below....$DynamicDG = @("Dynamic DL HERE", "Dynamic DL HERE")..$StaticDG = @("Static DL HERE", "Static DL HERE")....for ($i = 0;
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:Non-ISO extended-ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):13582
                                      Entropy (8bit):5.313134466355976
                                      Encrypted:false
                                      SSDEEP:384:XUY0O+oYiiMwqhZ6UbLPr9pNjg/vXdAZNBvOrj75bxF5HXgoco8D7zRRCOOyiD+n:z0O+oYiiMwqhZ6UbLPr9pNjg/vXdAZND
                                      MD5:6BEDF8B55CAB971FF2E23CCC1EA27E7F
                                      SHA1:627234B6FF79F0780A8B7DAE89B0BDEE54F7526E
                                      SHA-256:77AD9D0C0B089A83B26AAEFEA3CE8165F0EF1E32B3819AC16B3C4EF9CBCCEE21
                                      SHA-512:C516BB789C1E8CC52835FFC29C3B25A3BF50E0CE1730BCD2721DE99CD211CB3F976C75928805A5A97A9AED791410C7D05F13ABC5B24D85DDA071B7C5374B183B
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS.. Automatically upgrades Add2Exchange to the newest version.... .DESCRIPTION.. Check and Creates scheduled update for Add2Exhcange.. Checks for outdated license keys and prompts before upgrading.. Downloads from S3.. Upgrades Add2Exchange to latest build.. Sets password for Add2Exchange Service.. Start Add2Exchange Console.... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>......if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass....#Logging..Start-Transcript -Path "C:\Program Files (x86)\DidItBetterSoftware\Support\A2E_PowerShell
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):4036
                                      Entropy (8bit):5.235276683746445
                                      Encrypted:false
                                      SSDEEP:48:3WN3qEyse+3iL+gYmPROBkuNQloEMmotXW0muXzag4fvSSRkFWJKMZyqc0IAXzI2:3WPyPCmPEBd+aVnSRRF/ADJHofSLPw
                                      MD5:4AAA734208D8E215BBAB17D855B7CF97
                                      SHA1:93840F59A560538EE2DBB7DA884D70FDE2DDAB4B
                                      SHA-256:B6BF85319892EBDDA5FA5CF47F59531153C463D33A1D74C39D3C704CE2405556
                                      SHA-512:82357105967198B1494A9483527FB26D9F8110FC20811733C7E3A4FDE6D0D96B0D5688C71F05B5703D42F27D692924C339F15A42376E2CC7CF92C677AAFB1C43
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS.. Automatically upgrades Add2Outlook to the newest version.... .DESCRIPTION.. Check and Creates scheduled update for Add2Outlook.. Checks for outdated license keys and prompts before upgrading.. Downloads from S3.. Upgrades Add2Outlook to latest build.. Sets password for Add2Outlook Service.. Start Add2Outlook interface.... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass....#Logging..Start-Transcript -Path "C:\Program Files (x86)\DidItBetterSoftware\Support\A2E_PowerShell_log.
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:Non-ISO extended-ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):6201
                                      Entropy (8bit):5.186007695712116
                                      Encrypted:false
                                      SSDEEP:96:3BcOyaymPEBt0qBfROuEnSjc5SomkY8DP9ku7zF7GNnSnMF/AN6HofYCntdX92rc:C4EBtbf0uSSjlQY8aCa/AEHS
                                      MD5:2FB639DA7949E56BAA214AE840F13E0B
                                      SHA1:AC820AE801AB94D6041B5CA11921E53DD31BA232
                                      SHA-256:2A4E8368A8A7CCAFDE0E226BB499A53A5F265DFBFB48155221C1AD067D7CB072
                                      SHA-512:F96D6C64D6C99307332835D93B08C8705A32AB74B1FD06E7E24E3856DCD40956ACBFA21FC21D766E0806F2D7DBB8EC161CC52D61621A12290CE51AA9BD9B616B
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS.. Automatically upgrades Recovery and Migration Manager to the newest version.... .DESCRIPTION.. Check and Creates scheduled update for RMM.. Checks for outdated license keys and prompts before upgrading.. Downloads from S3.. Upgrades RMM to latest build.. Start RMM interface.... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>.... if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit.. }....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass....#Logging..Start-Transcript -Path "C:\Program Files (x86)\DidItBetterSoftware\Support\A2E_PowerShell_log.txt" -Append....#Test for Upgrad
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):4164
                                      Entropy (8bit):5.222446959080407
                                      Encrypted:false
                                      SSDEEP:48:3WN3qEyse+3iL+gYmPROBkuNQloEMFtXWaZXzag4fvSSRkFWJkWZyqcKIAXzIy/v:3WPyPCmPEBd+qrnSlLF/AOHofKcOx
                                      MD5:28E59560B884DA8763573D7B485297E4
                                      SHA1:05507AC499BF399373C168177ECBC4DD4E60ADD5
                                      SHA-256:919D7C612EA6790AE25373037E04AE138356135124F83A4A2C9253D3CB42014C
                                      SHA-512:9677C82C3388628260DAEAA67FB99048AF6B87771BF6E370CA7A73FC705E882452A62AA3C24DA03F2A6B0F829DBCAECACBAC0D04B4B442613324D7A5E9FC6D0C
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS.. Automatically upgrades Add2Outlook to the newest version.... .DESCRIPTION.. Check and Creates scheduled update for Add2Outlook.. Checks for outdated license keys and prompts before upgrading.. Downloads from S3.. Upgrades Add2Outlook to latest build.. Sets password for Add2Outlook Service.. Start Add2Outlook interface.... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass....#Logging..Start-Transcript -Path "C:\Program Files (x86)\DidItBetterSoftware\Support\A2E_PowerShell_log.
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):138920
                                      Entropy (8bit):6.351883874026519
                                      Encrypted:false
                                      SSDEEP:1536:uMpeguHQeJD3z7NF0Y1g/z1EwyjcOzk954H6STYSs+sRd1cccTMTsWjcdLEs6y2S:Js5HQeh/vgLewZUFYdmJ4s6puehSE+EU
                                      MD5:607A332709458F781C20AB49940C4B64
                                      SHA1:923409BE6C1B183C74DA221DD23A42B4B981BA19
                                      SHA-256:324C64D24818A0BE63A43A8DF678B88DCA4F8959841F91F4875CC6ED0E93F549
                                      SHA-512:DF90A3E8B041B756DAD139E4036C3D3F512D4348FCA222886E765FA20D1A578271038A798D4D8936447D9767272FC2D27AB0ABE1F021673ED43F3B8DBC730AD2
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........bc....K...K...K.Q.K...K.Q.K...K.Q.K...K.{.K...K...KF..K.z.K...K.Q.K...K...K...K.z.K...KRich...K........................PE..L......W.............................9............@..........................0............@..............................................................>......0.......................................@............................................text............................... ..`.rdata..p...........................@..@.data...<1..........................@....rsrc...............................@..@.reloc..0...........................@..B................................................................................................................................................................................................................................................................................................................
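The hash, size and entropy columns on each dropped-file entry are cheap to recompute, and the one PE32 dropped here deserves a header check before it goes out for a secondary run. The block below is an added example written for this page, not Joe Sandbox code or anything shipped by the installer: it recomputes the per-file fields the report lists and verifies a PE file's optional-header CheckSum, a value that only matches when the binary has not been modified since it left the linker. The PE it works on is a constructed minimal header (no sections, not loadable); every function name in it is this example's own.

```python
"""Recompute the fields the report lists for a dropped file (MD5, SHA-1,
SHA-256, SHA-512, size, 8-bit entropy) and check a PE32 file's
optional-header CheckSum.

Added example for this report, not Joe Sandbox code. The PE it works on
is a constructed minimal header (no sections, not loadable) so the block
runs offline; on an analysis box pass the dropped file's bytes instead."""
import hashlib
import math
import struct
from collections import Counter

def shannon_entropy(data):
    """Bits per byte, 0.0 .. 8.0, as in the 'Entropy (8bit)' column."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def file_digest(data):
    """The identity fields of one report row, digests upper-cased."""
    return {
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
        "size": len(data),
        "entropy": round(shannon_entropy(data), 6),
    }

def check_against_report(data, reported):
    """Names of reported fields a recomputation disagrees with (empty list:
    the file in hand is the one the report describes)."""
    computed = file_digest(data)
    mismatched = []
    for key, value in reported.items():
        if key == "entropy":
            if abs(computed[key] - float(value)) > 1e-6:
                mismatched.append(key)
        elif str(computed[key]).upper() != str(value).upper():
            mismatched.append(key)
    return mismatched

def checksum_field_offset(data):
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum: e_lfanew, then the
    4-byte 'PE\\0\\0' signature, the 20-byte file header, and +64 into the
    optional header (same offset for PE32 0x10b and PE32+ 0x20b)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    return e_lfanew + 24 + 64

def pe_checksum(data):
    """CheckSum as imagehlp's CheckSumMappedFile computes it: sum the file
    as little-endian dwords with the CheckSum dword itself skipped, fold
    to 16 bits with end-around carry, then add the file length."""
    skip = checksum_field_offset(data)      # dword-aligned in linker output
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def pe_checksum_status(data):
    """'zero': never filled in (common for user-mode binaries; Windows
    only enforces the field for drivers and some system DLLs); 'valid';
    'invalid': set but wrong, so the file was changed after linking
    (packed, patched, resources edited), the case a sandbox flags."""
    stored = struct.unpack_from("<I", data, checksum_field_offset(data))[0]
    if stored == 0:
        return "zero"
    return "valid" if stored == pe_checksum(data) else "invalid"

def build_sample_pe(checksum=0):
    """Constructed minimal PE32: DOS header, 'PE' signature, file header
    with zero sections, 224-byte optional header and three trailing bytes
    so the length is not a multiple of four. Not a loadable image."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 64, checksum)                 # CheckSum
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + b"\0\0\0"
```

To use it on the real artifact, read the dropped file's bytes, pass them to `check_against_report` together with the MD5/SHA/size/entropy values from the entry above, and then call `pe_checksum_status`. A result of "zero" is unremarkable for a user-mode installer component; "invalid" means the header's own claim about the file no longer holds and is worth a closer look at what was changed after linking.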
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):2311
                                      Entropy (8bit):5.186434811896025
                                      Encrypted:false
                                      SSDEEP:48:ZZrFM+gYmPROsEDUX7PpQzs6PkQ8ajPpEIxPphApPp8rgn7:1MCmPEsNrhmR88hEIxhhAphsgn7
                                      MD5:E4178F8743EFBCF5C913DF3B0C0A67EF
                                      SHA1:63F9EFBB79FDD3E92DBCB446CD63F41BF0E419E7
                                      SHA-256:10BEAABFD5D7E3DB3BFF5DEDF25FA115B70603CB4C7B3F984240488D3FE93DEC
                                      SHA-512:D800D8247F2E8A7B930526A7150857A775CAA68FB358DF2FD3D6490E17DBCAE71C176579D1CC1C31C9AB3EC55E6BDA36774BC6ABAA3E6030142D09CB3169CF05
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS.. Bypass AutoDiscover.... .DESCRIPTION.. When ran, will set registry keys in regedit to bypass current autodiscover and exclude O365 Endpoint...... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))..{.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File",('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass -Force....#Logging..Start-Transcript -Path "C:\Program Files (x86)\DidItBetterSoftware\Support\A2E_PowerShell_log.txt" -Append....# Script #....# Bypass AutoDiscover..Get-ItemProperty -Path "HKCU:Software\Policies\Microsoft\Office\16.0\Outlook\Autodiscover" -Name "ExcludeExplicitO365Endpoint" -ErrorAction SilentlyContinue -E
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):36279
                                      Entropy (8bit):5.094410419594323
                                      Encrypted:false
                                      SSDEEP:384:iqZEMT2lsd9y18hT2lA5h1OYYPT2lPxD49gccsWT2l1oLq6Al4nlT2lhAKrRWQb5:Dm36PZ+
                                      MD5:3243E53FE3DC8EBDD8DD2D9C82862EB2
                                      SHA1:C2FE83D72161EF9A3D8FB01E84B7F2621832E296
                                      SHA-256:2C3173702001100EDA5538994095561DA59B7023E34EF1F748F2634FA5B39B9B
                                      SHA-512:5D0E8C8E3C23E75C3139B9CD9DB9B580862A9A92DF4D7EE0C6337DF54C0CEB0B192B5CD6F679A3F0694EA9E5D12A21AF5B1358C0847A4B6F27E57FEF8C20F5A3
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS.. DidItBetter Software Support Menu.... .DESCRIPTION.. Menu for all powershell tools used.... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....Add-Type -AssemblyName System.Windows.Forms..[System.Windows.Forms.Application]::EnableVisualStyles()....$DidItBetterSupportMenu = New-Object system.Windows.Forms.Form..$DidItBetterSupportMenu.ClientSize = New-Object System.Drawing.Point(542,725)..$DidItBetterSupportMenu.text = "DidItBetter Software Support Menu"..$DidItBetterSupportMenu.TopMost = $false..$DidItBetterSupportMenu.BackColor = [System.Drawing.ColorTranslator]::FromHtml("#ffffff")....$Upgrades = New-Object system.Windows.Forms.Label..$Upgrades.text = "Upgrades"..$Upgrades.AutoSize = $true..$Upgrades.width = 150..$Upgrades.height = 10..$Upgrades.location = New-Object Sys
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ISO-8859 text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1761
                                      Entropy (8bit):5.156369223547245
                                      Encrypted:false
                                      SSDEEP:48:6X+gYmPROBku5S4uvdGeE/unqH9eD7MFszUHjLH:oCmPEBd5S4ulCunqC7MGojT
                                      MD5:F15B2367D478E08070CF913EFF9775A4
                                      SHA1:3B239969D571EC0F29E4C88D7ACF783FDB3EC50F
                                      SHA-256:9853B16C6DC415B0FE4D19FC9929D987CEEFFDBC65BAD3C5426CDAA4897CD5EC
                                      SHA-512:C9B94757D0F30B29F27D5F4D0F4C14D3E9A66F2D9CB14F0ECD23D0CB285B61B6B4AD30260573ED3AE71CF8D8B9DFC9922C39E478CD6AF69DF19FFBBFF2E4FE09
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS.. Directory Sync.... .DESCRIPTION.. Forces AD sync with cloud AD...... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass....# Script #..$wshell = New-Object -ComObject Wscript.Shell.. ..$answer = $wshell.Popup("Caution... You Must Run this on a box with Active Directory. If the box you are running this on does not have Active Directory; Click Cancel and the File will be Automatically copied to your Clipboard. Otherwise, Click OK to Continue.", 0, "WARNING!!", 0x1)..if ($answer -eq 2) {.. $Location = Get-Ite
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):2643
                                      Entropy (8bit):5.267360743384632
                                      Encrypted:false
                                      SSDEEP:48:HrxMy4+gYmPROhE5UNleEXfEXmtXyBM9wv4DyEwDEuwDymDRn7:54CmPEh9j0mAa9WCyEKEuKy8Rn7
                                      MD5:DAC366EB2AC0C56F103FCE8F00DFE019
                                      SHA1:390268DFFE32FE42E167CDC5BD95F2FD1BF63C7C
                                      SHA-256:AEAE6072BC4BA590E63D789457E46EFCB5FDC1EDC9A5E49C850D834E8ABED797
                                      SHA-512:BFDCF96F078325CA890CE1CF182196A0ADD12F3BE50558B6B499C52898A5587995F1E46F682913DB25BB48311A70A3B75A5D806CDED12CFE93D6D5AD4AB8B86A
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS.. Disable Modern Authentication.... .DESCRIPTION.. Will disable Modern Authentication for machine that it is run on.. Outlook will then use creds manager on board to connect to exchange...... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass....#Logging..Start-Transcript -Path "C:\Program Files (x86)\DidItBetterSoftware\Support\A2E_PowerShell_log.txt" -Append....# Script #....$TestPath = Get-Itemproperty -path "HKCU:\SOFTWARE\Microsoft\Office\16.0\Common\Identity" -Name EnableADAL..$TestPath = Get-Itemproperty -
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1490
                                      Entropy (8bit):5.198020535628352
                                      Encrypted:false
                                      SSDEEP:24:oXtLJ2+rcELm7LR6LPk1ophAl6PoPsIN4SHAts+8XToL9bGs+8XToLo/T8GnzJhz:oX2+gYmPROsEDUXr2N8XTawN8XTao/R7
                                      MD5:4D42BA60AD65211D97ACD062F44E7332
                                      SHA1:01847AA3E0AF6DB359AD6F1C95D68C20F9C24C11
                                      SHA-256:21C7370D4D2A23DF0F8C3DF41077AF150497F526B25FAC566C705AAF6DD005B8
                                      SHA-512:AFF23EB46EE4E323BFE28CA3C15BAE0FB0CB9F7048CB3E56FAA76AC1CA9844FD58CF92046C62E0790F8F2D1403500183A60294176C65A162B1A91D92EF0BBE58
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS.. Disables Outlook Updates.... .DESCRIPTION.. Will disable automatic updates within outlook...... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))..{.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File",('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass -Force....#Logging..Start-Transcript -Path "C:\Program Files (x86)\DidItBetterSoftware\Support\A2E_PowerShell_log.txt" -Append....# Script #....Do {.. $confirmation = Read-Host "Would you like to Disable or Enable Outlook Updates [D/E]".. if ($confirmation -eq 'D') {.. Write-Host "Disabling Outlook Updates".. Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Office\C
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1403
                                      Entropy (8bit):5.267747383282788
                                      Encrypted:false
                                      SSDEEP:24:SvD+ilJ2+rcELm7LR6LPk1ophAl6Po/INdWnVV6InVVodkMUSoMnrojRnz:SvD+iq+gYmPROsEDn3qOQokxSoSrox
                                      MD5:06EF6793B7BB09AC2DCA61E6B9CD8E9F
                                      SHA1:19389578400B32411CC079DA4BB84433340A0DAF
                                      SHA-256:7168CE2EE7EDF60478CA33A20070A43EF5825ABF2596CFE14CAB6299B76AC7CA
                                      SHA-512:7DFBA058341CC28B83D3FF347D2A124E09A3F1852CA65E3712A3F3D932E2F1D08E867CAA4E1DD91C92CA6B0DE9A4C3D7A7818044378FEBE5A8E8A5C27830E81F
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS.. Disable User Access Control.... .DESCRIPTION.. Disables User Access control within the registry.. Reboot is needed if disabled.... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))..{.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File",('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass....#Logging..Start-Transcript -Path "C:\Program Files (x86)\DidItBetterSoftware\Support\A2E_PowerShell_log.txt" -Append....# Disable UAC..$Val = Get-ItemProperty -Path "HKLM:Software\Microsoft\Windows\Currentversion\Policies\System" -Name "EnableLUA"....if($val.EnableLUA -ne 0)....{..Set-ItemProperty -Path "HKLM:Software\Microsoft
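Nearly every script dropped by this installer opens with the same two lines of boilerplate, a self-elevation through `Start-Process ... -Verb RunAs` and a `Set-ExecutionPolicy Bypass`, so a rule that fires on those alone would rate the harmless helpers the same as the ones that turn off UAC (`EnableLUA`), disable Modern Authentication (`EnableADAL`) or override Outlook Autodiscover. The block below is an added example written for this page, not code from DidItBetter Software or Joe Sandbox: a small static triage that rates each dropped script by the most serious change it makes. The sandbox preview shows only the head of each script, with CRLF rendered as `..`, so the samples in it are short constructed excerpts with line breaks restored, not the full files, and the `.ps1` names used as keys are placeholders of this example's choosing (the report entries above do not show file names).

```python
"""Static triage of the PowerShell helpers this installer drops.

Added example for this report; not DidItBetter Software or Joe Sandbox
code. SAMPLES are constructed excerpts reconstructed from the sandbox
previews (line breaks restored), not the full dropped files, and the
file names are placeholders. The shared boilerplate (self-elevation,
Set-ExecutionPolicy Bypass) stays at 'info' so it does not drown out the
scripts that actually weaken the host."""
import re

# (rule name, severity, pattern); severity order is info < medium < high.
RULES = [
    ("self_elevation", "info",
     re.compile(r"Start-Process\s+powershell(\.exe)?\b.*-Verb\s+RunAs", re.I)),
    ("execution_policy_bypass", "info",
     re.compile(r"Set-ExecutionPolicy\b.*\bBypass\b", re.I)),
    ("uac_disable", "high", re.compile(r"\bEnableLUA\b", re.I)),
    ("modern_auth_disable", "high", re.compile(r"\bEnableADAL\b", re.I)),
    ("autodiscover_override", "medium",
     re.compile(r"Outlook\\Autodiscover|ExcludeExplicitO365Endpoint", re.I)),
    ("remote_service_stop", "medium",
     re.compile(r"Get-Service\s+-ComputerName\b.*\|\s*Stop-Service", re.I)),
    ("registry_export", "medium", re.compile(r"\bREG\s+EXPORT\b", re.I)),
]
SEVERITY_RANK = {"info": 0, "medium": 1, "high": 2}

def triage(script):
    """Return (rule, severity, line_no) for every script line matching a rule."""
    hits = []
    for line_no, line in enumerate(script.splitlines(), start=1):
        for name, severity, pattern in RULES:
            if pattern.search(line):
                hits.append((name, severity, line_no))
    return hits

def verdict(hits):
    """Highest severity among the hits, or 'clean' when nothing matched."""
    if not hits:
        return "clean"
    return max((sev for _, sev, _ in hits), key=SEVERITY_RANK.__getitem__)

def summarize(samples):
    """Map each dropped-file name to its verdict."""
    return {name: verdict(triage(text)) for name, text in samples.items()}

# Constructed excerpts of four dropped scripts, rebuilt from the report's previews.
SAMPLES = {
    "DisableUAC.ps1": r"""if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs
    exit
}
Set-ExecutionPolicy -ExecutionPolicy Bypass
$Val = Get-ItemProperty -Path "HKLM:Software\Microsoft\Windows\Currentversion\Policies\System" -Name "EnableLUA"
if($val.EnableLUA -ne 0)""",
    "DisableModernAuth.ps1": r"""if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs
    exit
}
Set-ExecutionPolicy -ExecutionPolicy Bypass
Start-Transcript -Path "C:\Program Files (x86)\DidItBetterSoftware\Support\A2E_PowerShell_log.txt" -Append
$TestPath = Get-Itemproperty -path "HKCU:\SOFTWARE\Microsoft\Office\16.0\Common\Identity" -Name EnableADAL""",
    "BypassAutoDiscover.ps1": r"""if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))
{
    Start-Process powershell.exe "-File",('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs
    exit
}
Set-ExecutionPolicy -ExecutionPolicy Bypass -Force
Get-ItemProperty -Path "HKCU:Software\Policies\Microsoft\Office\16.0\Outlook\Autodiscover" -Name "ExcludeExplicitO365Endpoint" -ErrorAction SilentlyContinue""",
    "DirectorySync.ps1": r"""if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs
    exit
}
Set-ExecutionPolicy -ExecutionPolicy Bypass
$wshell = New-Object -ComObject Wscript.Shell""",
}
```

Run against the full dropped files (read each one with `errors="replace"`, since two of them are flagged as non-ASCII text) and feed the text to `triage`; the verdicts separate the scripts that change host security posture from the ones that only carry the shared elevation preamble, which is the distinction the sandbox's signature list does not make on its own.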
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:Non-ISO extended-ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):4479
                                      Entropy (8bit):5.181862913027437
                                      Encrypted:false
                                      SSDEEP:96:qmPEBydtczToZMpYGoYFJoYFJEvsI3GqJSPKegPB:q4EBeATpCytoEI/Yi5
                                      MD5:690CA58ED8C9BA7684EE98C8AD8CA515
                                      SHA1:89F8AE137ADFE3B97D67564CDB301FA178D6756E
                                      SHA-256:3C80256C8C465767B21829577643B47DE98E91A129C562016F18FF2F2E0BF283
                                      SHA-512:618B34BC22E2AE4FBAF63DB00CF8FBF14FEF173C03CBEC843B0F28258A7CC9AEBE636EA15E1916AEFF734700E037BE57E3DD516A39CC440BDC73474BBE156AF1
                                      Malicious:false
                                      Preview:if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass -Force....#Logging..Start-Transcript -Path "C:\Program Files (x86)\DidItBetterSoftware\Support\A2E_PowerShell_log.txt" -Append....# Script #....#Auto Reboot..$Confirmation = Read-Host "This update may need a reboot. Reboot automatically after successful Install? [Y/N]"..If ($confirmation -eq 'y') { $Reboot = "Auto Reboot Selected" }..If ($confirmation -eq 'n') { $NoReboot = "Please reboot when possible after update" }......#Create zLibrary..Write-Host "Creating Landing Zone"..$TestPath = "C:\zlibrary\.NET Updates"..if ( $(Try { Test-Path $TestPath.trim() } Catch { $false }) ) {.... Write-Host "Directory
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:Non-ISO extended-ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):5871
                                      Entropy (8bit):4.9788787772328185
                                      Encrypted:false
                                      SSDEEP:96:2t3dCmPEBpeYS4o2uDqC7mILsFr/5rhrWWGrhynfxJTSyrhynVZBjqiKqdcT6lSq:ig4EBkAuBCILi1FeY75YDBjsqcTlq
                                      MD5:73B703ABFEE693CFE74DA332CE4D6306
                                      SHA1:02BA53EC7F923158E3D0F72010E69AF9A983665C
                                      SHA-256:921FCEFFB82CA49BD1BB8B546C375FC43A701DE8976DB41655ED8807050B8B0B
                                      SHA-512:AA0813187360F0DBC3FF48303A286A4CCE5A82083B26F344B2FBC70C48FCB7A30BAB8C51C4E16470BCABF344F91E8CBA1F02ED1968F201AE4C237AD70B81E37C
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS.. Export Avtice Directory Photos.... .DESCRIPTION.. Exports user photos from AD or Azure.. PLaces them in .jpg format and attaches an email to the photo.... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass....#Support Directory..$TestPath = "C:\Program Files (x86)\DidItBetterSoftware\AD_Photos"..if ( $(Try { Test-Path $TestPath.trim() } Catch { $false }) ) {.... Write-Host "Support Directory Exists...Resuming"..}..Else {.. New-Item -ItemType directory -Path "C:\Program Files (x86)\DidItBetterSoftw
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ISO-8859 text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):999
                                      Entropy (8bit):5.26714723254083
                                      Encrypted:false
                                      SSDEEP:24:SFLuFOJ2+rcELm7LR6LPk1ophAl6PHPek2p8DHk2phqKhz:N+gYmPROsEDveSHH
                                      MD5:67BCE29BD16BD783041BE4C485263227
                                      SHA1:F6B6570F9C474666ABEA3E36FB66CF5446A3AF7C
                                      SHA-256:A6DCFAB242B14EEB55F98F0055AB46856BDAED46FEC060719E91177082039C93
                                      SHA-512:11C347577D7C297A6951F4BA19BCC8416A06B528EBD0D66A125C0851CD58488E04F1505A191291A4BD4D792321DD88C9B2AED3177DB6DF3FBCD78C6DFC49FEE5
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS.. A2E Export license and Profile 1 data.... .DESCRIPTION.. Exports A2E reg files license and profile 1 data.. places files in zlibrary.... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))..{.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File",('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}..#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass....REG EXPORT "HKLM\SOFTWARE\WOW6432Node\OpenDoor Software.\Add2Exchange\LicenseRegistryInfo" C:\zlibrary\License_Info.Reg..REG EXPORT "HKLM\SOFTWARE\WOW6432Node\OpenDoor Software.\Add2Exchange\Profile 1" C:\zlibrary\Profile_1.Reg....Write-Host "Done"..Write-Host "ttyl"..Get-PSSession | Remove-PSSession..Exit....# End Scripting
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ISO-8859 text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):17385
                                      Entropy (8bit):4.608607390064206
                                      Encrypted:false
                                      SSDEEP:192:y4EBdqrg+gCoTgFPjAJy9oWSWvncm5yJvv8WEj+WonoHEqNgr:CpCocFPSyKWdvXAJcWEtoiEq+r
                                      MD5:24906D4F36602C1492A74A26C229E000
                                      SHA1:11A0EA2FDE23EF154F4B2F2E0B37BF4BDB20B390
                                      SHA-256:E8F85E3101B5613AF06DD998E7E119A9D8F48B2CB0178FD79769EF4CCA73FD0C
                                      SHA-512:00C6C2F4F94EB11860F061DE5E53A710C93FD13AFDC71D475087AD4C3058E4AB9205E8C3567F420A9D538C80035B29A866002F27DA1BE4AB55206C181BC9FB73
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS.. Create Initial Environment for Add2Exchange Install.. Assign Permissions for Add2Exchange.. Install Add2Exchange.. Cleanup.. Luanch Add2Exchange for the first time.... .DESCRIPTION.. Step 1: Account Creation.. Step 2: Upgrade .Net and Powershell if needed.. Step 3: Create zLibrary and Create Shortcuts.. Step 4: Install Outlook and Setup Profile.. Step 5: Mailbox Creation.. Step 6: Create a Mail Profile.. Step 7: Add Permissions (moved to step 11a).. Step 8: Add Public Folder Permissions.. Step 9: Enable AutoLogon.. Step 10: Install Add2Exchange.. Step 11: Add Registry Favs.. Step 11a: Setup Timed Permissions.. Step 12: Cleanup...... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>......if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurren
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1559
                                      Entropy (8bit):5.174877386170697
                                      Encrypted:false
                                      SSDEEP:24:YhvEJ2+rcELm7LR6Lifk1oxhAlOHoPWIN/kvjstXBGXjdmPZGkvsv/S+jyGnzJKS:YNL+gYmPROBkuNp4jstXcsDsHVjPn9
                                      MD5:D8F3B0F174893BFD6855097BCF188C38
                                      SHA1:5D3CC8271B4E8F192368369E8F8D1A6C651AA9E7
                                      SHA-256:891FB63F37784A2D77653278198C3B1CEEC2F923BE32A1FBFE38D3284E29ED26
                                      SHA-512:0AA9A49F4084A5084CB6075592EF46F2039F8C4D467B680E7990FD08455F3CE0985C7A10669284455301434462BAF91AC5D6E97DC563CD70D599DEE328893318
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS.. Group Policy Results.... .DESCRIPTION.. Finds and diplays current group policies on current user and machine.... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass....#Logging..Start-Transcript -Path "C:\Program Files (x86)\DidItBetterSoftware\Support\A2E_PowerShell_log.txt" -Append....# Group Policy Results..$TestPath = "C:\zlibrary"..if ( $(Try { Test-Path $TestPath.trim() } Catch { $false }) ) {.... Write-Host "zLibrary Directory Exists...Resuming"..}..Else {.. New-Item -ItemType directory -Path "C:\zli
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):2063
                                      Entropy (8bit):5.320900192955916
                                      Encrypted:false
                                      SSDEEP:48:goN+gYmPROBkuNQtXhRvzfh305LK1019skCZ:9NCmPEBdmdmZi05m
                                      MD5:2F9F4E1534713C5F75B2D1569B4980C8
                                      SHA1:D317F95060E851D36DE749BD0C3EA164331FACE9
                                      SHA-256:D294B5769B0DFE14ED596287FD3676D7FD8F034DFC3D9844AE8D6AD9F25DF870
                                      SHA-512:EE43595AC38D5C2CA5BEBB6C35720ABB1ECDC8BABDF50E04CF0B9987315E8F03F14DF6D6818A93DD3045E490162393003E5FC60C450382A1D924C75B73393C2F
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS.. Get A2E Diags.... .DESCRIPTION.. Downloads and extracts A2E Diags from Amazon S3.... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass....#Logging..Start-Transcript -Path "C:\Program Files (x86)\DidItBetterSoftware\Support\A2E_PowerShell_log.txt" -Append....#Create zLibrary\A2E Diags Directory....Write-Host "Creating Landing Zone"..$TestPath = "C:\zlibrary\A2E Diags"..if ( $(Try { Test-Path $TestPath.trim() } Catch { $false }) ) {.... Write-Host "A2E Diags Directory Exists...Resuming"..}..Else {.. New-Ite
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):4326
                                      Entropy (8bit):5.300027941259094
                                      Encrypted:false
                                      SSDEEP:96:YhPCmPEBdHHYXTYp8rgcr9wSEW4v2ZQwSES8ZwSEVc:R4EBdYXsirvJZ+Z8tr
                                      MD5:38AC352720450197714B1C8A9A32ACE3
                                      SHA1:D3C6469DC5B28659DEFA3B7DCA680B78463C1135
                                      SHA-256:E52FFA8E1FD828987EE62B2975DBD7900EB138EBE95FA03F6BD66B0A07269FB3
                                      SHA-512:86168DA8760E7663D3001DE186E68BE041566FE786275A62BB96A32D49C67DA02C9D7E8EB19B4BF58E1DF61CF0BA2AA2FDE1379517E62597F545E1C55C7FC717
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS.. Powershell script to check and update .net and .... .DESCRIPTION.. Will update Powershell to 5.1 if .net is below version 4.5.. Get Windows Version.. Get .net version...... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass....#Logging..Start-Transcript -Path "C:\Program Files (x86)\DidItBetterSoftware\Support\A2E_PowerShell_log.txt" -Append....# Check if .Net 4.5 or above is installed..$release = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\' -Name Release -Err
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ISO-8859 text, with very long lines (321), with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):3485
                                      Entropy (8bit):5.146501540480007
                                      Encrypted:false
                                      SSDEEP:48:G54+gYmPROBkx9JItXiJJ5IJTS4uvdGeE/unqH9eD7rdBNR/S7ERp5rZjPnv:G54CmPEBuMW4S4ulCunqC7rDN3JZjPnv
                                      MD5:C3B6051BFF57D81301759DFF51EDE1C5
                                      SHA1:C65685554BA7717D9980D46FBE9A52B4FEE60F90
                                      SHA-256:202D5AA879A1511C7F8EB926B6A5AD98DBF9D13443CD54C9D8414C142DFE9B09
                                      SHA-512:44C445F99A30389BF63B1C3FCC90256AE10DE4277B074EA208952AF0F414770B7744C5D47423C5697FE294D2F16019D53CE1D1D0D4A55D2F6D8908DA0B4119CF
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS.. Microsoft Exchange Delegation.... .DESCRIPTION.. Finds old data in msexchangedelegate attribute field for users in a specific OU.. Must run this on AD.. Removes the msexchangedelegate list link from the user.... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}.. .. ..#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass.. ..#Support Directory..$TestPath = "C:\Program Files (x86)\DidItBetterSoftware\Support"..if ( $(Try { Test-Path $TestPath.trim() } Catch { $false }) ) {.. .. Write-Host "Support Directory Exists...Resuming"..}..Else {.. New-I
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):2735
                                      Entropy (8bit):5.422414574821863
                                      Encrypted:false
                                      SSDEEP:48:qeo1e9eoxe9ZW9eIxZW9edZW5eIxZW5edXW9eIxXW9edXW5eoxXW5eaz4zF0Bnzu:qREdEZW99ZW9kZW59ZW5kXW99XW9kXWV
                                      MD5:59FDCC52E51AC335C4D24CD27A0FD8BC
                                      SHA1:019DDC5FD0193C995CA930959E4A8F8BB38C03AC
                                      SHA-256:3B123AA11B50E117A4FBA11ED03922121F64ED5C8D64DA30F0AEACEC78F0C820
                                      SHA-512:DCC1B89D0AA1419BF85EE71ABC415878D23F3BA33D5ACBFD522B2E47702112F5090D1E191C714E8635D7DBE5667B172AF0E8C88FC99D845DB6CFB614EE21B4B9
                                      Malicious:false
                                      Preview:reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\Outlook\Addins\OscAddin.Connect....if %ERRORLEVEL% EQU 0 (..reg add HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\Outlook\Addins\OscAddin.Connect /t REG_DWORD /v LoadBehavior /d 0 /f..)....reg query HKLM\SOFTWARE\Microsoft\Office\Outlook\Addins\OscAddin.Connect....if %ERRORLEVEL% EQU 0 (..reg add HKLM\SOFTWARE\Microsoft\Office\Outlook\Addins\OscAddin.Connect /t REG_DWORD /v LoadBehavior /d 0 /f..)....reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Office\Outlook\AddIns\OscAddin.Connect....if %ERRORLEVEL% EQU 0 (..reg add HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Office\Outlook\AddIns\OscAddin.Connect /t REG_DWORD /v LoadBehavior /d 0 /f..)....reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\Outlook\AddIns\OscAddin.Connect....if %ERRORLEVEL% EQU 0 (..reg add HKLM\SOFTWARE\Microso
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):980
                                      Entropy (8bit):5.145816531057854
                                      Encrypted:false
                                      SSDEEP:24:GoqapJ2+rcELm7LR6LPk1ophAl6PofINPy+27hz:GoqJ+gYmPROsEDNr2h
                                      MD5:F7AFFC19CB6DD094845898341D7F08B7
                                      SHA1:57BF666D2BC57314E4B1CDAFB859E02FD87ABFAD
                                      SHA-256:8DA1870CAC7721E842024BE4653DEA71D8799F7DFB1BD598DCCFD4E639F7F1BF
                                      SHA-512:D45539CFD91BF560F6CA0CC55AE7064BFF55849EB265914287DA0E80D6AE7ABB1639AF907978A7A11E045A6EDF9CCCC8E49C3083FC900525479FC319AE6C02D5
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS.. Microsoft Office Manual updater.... .DESCRIPTION.. Will start the process for Outlook to search for new updates.... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))..{.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File",('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass -Force....#Logging..Start-Transcript -Path "C:\Program Files (x86)\DidItBetterSoftware\Support\A2E_PowerShell_log.txt" -Append....# Script #..Set-Location "C:\Program Files\Common Files\Microsoft Shared\ClickToRun".....\OfficeC2RClient.exe /update user......Write-Host "ttyl"..Get-PSSession | Remove-PSSession..Exit....# End Scripting
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):2265
                                      Entropy (8bit):4.869041116921122
                                      Encrypted:false
                                      SSDEEP:48:fLn2wmL+a0WZPDP6MPPOb0PPGsGyk9z1585wQ5zYGLa9zOdg9zzPtvvKn3anlPIl:Sdr0WIMaMyyk9z1585wQ50GLa9zOdg9M
                                      MD5:D44914C6A4C7369D3C627CD4E10BD2D1
                                      SHA1:7C216AF33F406E83EE06FCC19084A8667AE47DED
                                      SHA-256:6320EA3B5D06B458781D3EA9411C9E80BBFE6352A3C9D714A371333883D1032A
                                      SHA-512:5D29A3E880AC2862D7051D6A5F45CAED339C783B1A797459BFAE0E1A6AFC43236B7181471AE81C0BC4C703DC51F2147C6813B2BC30D913E85F2BCC5AD346084B
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS.. Outlook Installer Menu.... .DESCRIPTION.. Choose between Outlook 32bit or 64bit.. This is just a menu for choice.... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....Add-Type -AssemblyName System.Windows.Forms..[System.Windows.Forms.Application]::EnableVisualStyles()....$Outlook365Installer = New-Object system.Windows.Forms.Form..$Outlook365Installer.ClientSize = New-Object System.Drawing.Point(247,169)..$Outlook365Installer.text = "Outlook 365 Install"..$Outlook365Installer.TopMost = $false....$ProRetail = New-Object system.Windows.Forms.Label..$ProRetail.text = "Office 365 Pro Retail"..$ProRetail.AutoSize = $true..$ProRetail.width = 25..$ProRetail.height = 10..$ProRetail.location = New-Object System.Drawing.Point(21,30)..$ProRetail.Font = New-
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ISO-8859 text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):20832
                                      Entropy (8bit):5.392154078265476
                                      Encrypted:false
                                      SSDEEP:384:K4Dno5fW6yyfe8sPbkZb/CzHtIf+qm/Vru1Fw4Ck8CjI8r:NDno57CzHtIf+iI8r
                                      MD5:880A9575A59B6D1B592248FAC5EE0571
                                      SHA1:4807DD3AF489E41FAB399745F0B57722FDBE5DE5
                                      SHA-256:84205172A09054014BB37A59CC32A75D21C941CDBE6D570424AA9544A6BBC670
                                      SHA-512:6165CBFFADF62A44D1F8007E9F7DF4CF707DEA3A4997BAEE8FA89421990EED67075F70274415B7CACAE1CBA474BB68DC6CDFBB091A44C2617B32E0DAB53FABA9
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS.. Outlook Profile Setup.... .DESCRIPTION.. Setup Outlook profile for Add2Exchange.. Setup GAL Options.. Setup Send/Recieve.. Disables COM Addins.. Sets Options.. Disables Outlook Popups.... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))..{.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File",('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass -Force....#Logging..Start-Transcript -Path "C:\Program Files (x86)\DidItBetterSoftware\Support\A2E_PowerShell_log.txt" -Append....# Script #....#Check Outlook Version..$Version = Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\Outlook.Application\CurV
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):5780
                                      Entropy (8bit):5.151421010601781
                                      Encrypted:false
                                      SSDEEP:96:ir0WeMjI/wz9zqL29zI+9zruY9z3lB9z77u9zPdt9zuk9ze6cqW:NyE/wz9m29M+9fuY95B9H7u9zdt9Ck9U
                                      MD5:140B1F8CA61563B37C91750045ECBF87
                                      SHA1:28354FA245E5310B8C74F240EEF115B9C41D44E6
                                      SHA-256:3E7B62BD9BBE9222449438EDBAC7198C5BAF01E77D32E19FDABAC645293AA10A
                                      SHA-512:C06F1D8F0D6B769FDFA5E43572DD82F0B4D7D99CC87D64D0D7042D58BC9192DF9B3F3DAB1F0470A0C89EF2046BDBA62A71476F7F0B7331B54E2B7A23996269DB
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS.. Outlook Tools Menu.... .DESCRIPTION.. Simple Menu to show tools that link to powershell files.... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....Add-Type -AssemblyName System.Windows.Forms..[System.Windows.Forms.Application]::EnableVisualStyles()....$OutlookTools_Menu = New-Object system.Windows.Forms.Form..$OutlookTools_Menu.ClientSize = New-Object System.Drawing.Point(247,344)..$OutlookTools_Menu.text = "Outlook Tools"..$OutlookTools_Menu.TopMost = $false..$OutlookTools_Menu.BackColor = [System.Drawing.ColorTranslator]::FromHtml("#ffffff")....$Rearm_Office = New-Object system.Windows.Forms.Label..$Rearm_Office.text = "rearm Office"..$Rearm_Office.AutoSize = $true..$Rearm_Office.width = 150..$Rearm_Office.height = 10..$Rearm_Office.location = New-Object System.Drawing.Poi
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:Non-ISO extended-ASCII text, with very long lines (355), with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):37412
                                      Entropy (8bit):4.4377513076022455
                                      Encrypted:false
                                      SSDEEP:192:lK4EBuL1h59kJvwqzukl6zZrTJccUV6D9pFO:lLrkJvwq3mur
                                      MD5:7E4D25A72B3C66B9434B31C57E06F287
                                      SHA1:80A029D83FF84BDB3239FEC19ED6D7276582098C
                                      SHA-256:3A95B367EAAFB21B83C53F3BF8BC252180315FB419B155A5AB9C50003C1A6309
                                      SHA-512:2CD4600CEC2DFEDBADE22C26151FEB6178E6EA0BA7042CFBC488B452F718F28AF5A674412C6241D581E7ADC7D173A8337375FC240A3950C9605FDEB0120E7FB7
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS.. Permissions for on Premise or Office365.... .DESCRIPTION.. Updates PS EXO modules.. Choice of on premise Exchange 2010-2019 server or Office 365.. Sets permissions for individual users, dist. lists.. Can remove permissions.. Remove or add permissions to public folders.... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass....#Logging..$TestPath = "C:\Program Files (x86)\DidItBetterSoftware\Support"..if ( $(Try { Test-Path $TestPath.trim() } Catch { $false }) ) {.... Write-Host "S
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:Non-ISO extended-ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):43490
                                      Entropy (8bit):5.249776444593379
                                      Encrypted:false
                                      SSDEEP:384:e6tXgbb7+HNlzF2lm8tPj78F2cfBF2lCUBI2F2lzRjRtF2xpF215F2NAF2kFF2Gl:N0ADYsXQZxfnaL
                                      MD5:84A7CA382672E2CC2AC294809F5DD084
                                      SHA1:C8B5AEB08A1C2244429D9D1C2FDCA193D721C458
                                      SHA-256:F5CB96173BFF7C6DC81C01CC6416E9D384A6ECEC64ABEDAA95E1BD023DAE3038
                                      SHA-512:44F1AB6E1174273F473547E72608F26C50F99558106F1A6257054F0265105FE35F44D4A06029D713B537D242085642C50EF35C2B12B3E0521EC53482ACD72A96
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS.. Permissions task creator.... .DESCRIPTION.. Updates EXO PS modules.. Saves and bit locks passwords and usernames for auto log in to exchange or office 365.. sets additional tasks for permissions to auto run using credentials provided.... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....#Logging..Start-Transcript -Path "C:\Program Files (x86)\DidItBetterSoftware\Support\A2E_PowerShell_log.txt" -Append....#Pathing....$TestPath = "C:\Program Files (x86)\DidItBetterSoftware\Add2Exchange Creds"..if ( $(Try { Test-Path $TestPath.trim() } Catch { $false }) ) {.. ..}..Else {.. .. New-Item -ItemType directory -Path "C:\Program Files (x86)\DidItBetterSoftware\Add2Exchange Creds"..}....#Check for MS Online Module..Write-Host "Checking for Exhange Online Module"..[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12....IF (Get-Module -ListAvailable -
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ISO-8859 text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):8346
                                      Entropy (8bit):4.744374547827754
                                      Encrypted:false
                                      SSDEEP:192:8sY4EBfPE0BYmSABMdKJX4hBdmSATMFKJXQu:8hPjBDSABMmohBsSATM+V
                                      MD5:75631EEEF162F81CA161A59E63693945
                                      SHA1:37B8587D9228B52CC88F6234E533B771C7CE78CA
                                      SHA-256:0F84D9670388289E3DED4D3500656D20DA4E976CA8831B3CE8E1C95D0AD58A86
                                      SHA-512:0E70B72914F3AA591EB7389750DCDF29F80E1ED295C199FFF12BB1C2F1188DD90A11DEA621C79375966DBC00D6541C632E5AAFABABC0CDD59C03F2F6EB107C11
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS.. Step 2 of 2.. Finishes Migration of Add2Exchange to a new server.... .DESCRIPTION.. Check for current files and locations.. copy reg. files for Add2Exchange and backup.. Runs First_Time_Installer.ps1 once all files are copied over...... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass....#Logging..Start-Transcript -Path "C:\Program Files (x86)\DidItBetterSoftware\Support\A2E_PowerShell_log.txt" -Append....# Script #..Do {.... $Title1 = 'Add2Exchange Post Migration Wizard'.... Clear
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):268
                                      Entropy (8bit):5.030279585044127
                                      Encrypted:false
                                      SSDEEP:3:TQ9h+rOtcN+m87REKOLEBYMQsNjD/vzTKOtUDATrBAHiLlEQuUIE7UybfrQuFYL8:kgScNPcRjOcjrKuuAT7JUcEDLXs
                                      MD5:A7171DD633A4B2F800DF6102D7E93DC0
                                      SHA1:0969D0388FBE550FFB679E331B2217C37BBC1D00
                                      SHA-256:E93783BCF685866CDD02275E987EA5F2266FCDF50465578D132F2549A85BD634
                                      SHA-512:EC366E1722818C997A4B9E867ECADC076241FC98C1AB456C2CCCE86195D4E3AB21CF5156E7D05B5A735AF9E37A22326B4C1BB44799A415474D9A633AA90E131E
                                      Malicious:false
                                      Preview:Option Explicit....Dim objOL, objNS, objFolder..Set objOL = CreateObject("Outlook.application")..Set objNS = objOL.GetNamespace("MAPI")......Set objFolder = objNS.GetDefaultFolder(18).Folders("Contacts").Folders("Firm Contacts").. objFolder.ShowAsOutlookAB = True..
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1386
                                      Entropy (8bit):5.304265312379865
                                      Encrypted:false
                                      SSDEEP:24:f8NLJ2+rcELm7LR6LPk1ophAl6PoP6+8P5o1FDO+p+utP5o14DIzChz:f8G+gYmPROsEDUP8P5wDsoP5wBz6
                                      MD5:D3AF23D1D7084FC8BE912E016D51B4FF
                                      SHA1:D1B3DC03B0419669FD8BAA02D1343875693DD253
                                      SHA-256:0B2157D302BCAE924480D48254111A363EAB87933881A105FCB300B528041E25
                                      SHA-512:6D0E5BC6229FAC783E14147D13FC5A4266C6E38F59B2C83A42EBCE385F4551E991ED00CF9E00C6ACA1EB9B925C8BEA20022E011BDA5BDEAB2AB9DD417C210B4D
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS.. Outlook ReARM.... .DESCRIPTION.. Restarts Outlook trial mode.... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))..{.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File",('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass -Force......# Script #....#Detect Bitness..$64Bits = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Office\16.0\Outlook" -Name "Bitness" | Select-Object Bitness -ExpandProperty Bitness -ErrorAction SilentlyContinue....If ($64Bits -eq 'x64'){.. Set-Location "C:\Program Files\Microsoft Office\Office16".....\OSPPREARM.EXE....cscript .\ospp.vbs /dstatus....Pause..}....$32Bits = Get-ItemProperty -Path "HKL
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ISO-8859 text, with very long lines (342), with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):4433
                                      Entropy (8bit):5.260436401478338
                                      Encrypted:false
                                      SSDEEP:48:P+gYmPROBzBr2gjUkIxUYEwoU+YUf8UIDU8kUvIkUb/UzIp0sUBIMUcVIXW9ev6r:PCmPEBUhbC7kqNf8tQtbc8cCl7XW90jw
                                      MD5:AF59015B32AE299D4428243674C54706
                                      SHA1:6B2A86DD040D579348F32F4FCC349729514491A5
                                      SHA-256:FFF79D64EDF0F517CCC529A88E21D3A3974BE82E9B209EDDAC0B1048943414BC
                                      SHA-512:FA9511E5C7C11B0A470BDD46791984F8C37A07A696A5F486FED7E2A48982A5FDD48615601B36B22515B7BE6B89E250B57AA6DD2E9B38E0D7A5AC9C2CBBE725D6
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS.. Powershell script to add Registry favorites.... .DESCRIPTION.. Adds Reg. Favs to Registry shortcuts...... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.... Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass....#Logging..Start-Transcript -Path "C:\Program Files (x86)\DidItBetterSoftware\Support\A2E_PowerShell_log.txt" -Append....# Registry Favorites..Start-Process Regedit....Write-Host "Creating Registry Favorites"..New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites" -Name "Session Manager" -Type string -Value "
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ISO-8859 text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1776
                                      Entropy (8bit):5.178124013506394
                                      Encrypted:false
                                      SSDEEP:24:kDbM731MpW/J2+rcELm7LR6Lifk1oxhAlOHoPhd1sEVTIs08mCDdK6CDfsZdxV2j:R3u7+gYmPROBkuzX0gCA7Bz7MH
                                      MD5:6D9B75BDE724C06B10B6A2BF461859C9
                                      SHA1:9AC9C9CD2F844E174CBF56A6D3C66B34E911C5E5
                                      SHA-256:D85A2F7527A2126274FB31CBD8CE40BEF76F652EB7C3307A1DB62B2F3A896253
                                      SHA-512:6720554B12444558F91C07DAD836FE38AE203710A29FCE8F42851ADE40AC67838EBFAD5605CC4A1A69675F0043A514F75265DC2C6C4DFAF687CE8212DA7435EB
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS.. Add2Exchange password Reset.... .DESCRIPTION.. Clears out the password field in A2E reg... Asks for new password and updates the Add2Exchange service with new password...... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass......# Script #..Write-Host "Reseting the Servive Account Password" -ForegroundColor Red..$Password = Read-Host "What is the New Service Account Password?"..$SVC = Get-WmiObject win32_service -Filter "Name='Add2Exchange Service'"..$SVC.StopService();..$Result = $SVC.Change($Null, $Nul
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):6339
                                      Entropy (8bit):4.59062346175513
                                      Encrypted:false
                                      SSDEEP:96:P8CmPEBdMt4IEYcrjJ+YALRqHALzPAFRqHAFZPn7:74EBdnIEYcrjUBR7zWR1B7
                                      MD5:5D15CC681D31E58EB755EDF96DAB987F
                                      SHA1:045A9EE48903AC50B494A0716A8751BAA0942F4F
                                      SHA-256:298CE83535B8F62B324ACF467722EB89E114AB09687883FCA5B27CF08E57A627
                                      SHA-512:C8B699E226F3D50C53ECDCC48EE4F3F8CA3B39F1B5226957B61237FE8BBE3C690B90B3F607E462ED571A689582258F42AA4F0C6DAFFBA82FA114723B3D80F473
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS.. SQL Firewall Rules.... .DESCRIPTION.. Deploys rule changes in Firewall for SQL to properly work.... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass....#Logging..Start-Transcript -Path "C:\Program Files (x86)\DidItBetterSoftware\Support\A2E_PowerShell_log.txt" -Append......# Script #..Do {.. $Title1 = 'Firewall Rules for Remote Add2Exchange SQL'.... Clear-Host .. Write-Host "================ $Title1 ================".. "".. Write-Host "Please Pick Were to Apply Firewall Rules".. "".. Write
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ISO-8859 text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):6945
                                      Entropy (8bit):5.221084649519329
                                      Encrypted:false
                                      SSDEEP:192:9HhM4EDNMCCmdjMVpDlSczf3cTxEa6gF1Xhx:92MXmhgpDMiIEaX
                                      MD5:0B20B6F052DFDB6E1C3A69AF0030ACB8
                                      SHA1:0F1461CF9E7616F04A0F94C054C895A1850F6CF6
                                      SHA-256:543708058ADB5F3AC204995B2EC266AA39766FE8DEA0CB3A893673A2139DEB3B
                                      SHA-512:DEC7B4DF7877786C6B5724380EB1571695974D79A563C7A413DA03643FFB6A16657415ED785AFA806B0A29CE0F12A0913449A59CEDEFE0401E5BC084FA46CD75
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS..PowerShell Script to Upgrade SQL Server Express 2012 to 2012 SP4....Ensure you run PowerShell as Administrator....Ensure to adjust paths and instance names as per your environment.....1. Backup Databases..Implement backup logic as per your environment & requirement.....2. Verify SQL Server 2012 is installed..Verify manually or add script logic as per your requirement.....3. Install SQL Server 2012 Express SP4.... .DESCRIPTION.. Will upgrade SQL Express 2012 to SQL Express 2012 SP4.... .NOTES.. Version: 1.3.. Author: DidItBetter Software.... #>......if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. #Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}.. ..#Execution Policy..Set-ExecutionPolicy -Executi
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ISO-8859 text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):13337
                                      Entropy (8bit):5.2561277625098555
                                      Encrypted:false
                                      SSDEEP:192:+1IBq4EDNQdTMVpDQSczW3ZT/HuHpy+tSLdcSJ3aWGpXrjBZo2ClUoI76v:+1QxgpDli0td5+VRZpClUJ76v
                                      MD5:AD4A1E79C7603CBCCBDC37A9109C498C
                                      SHA1:4332F28C590CED2B9B9EA66CF8EE78D28E494E53
                                      SHA-256:BA17D1CFF354EF35C11C62D9DAEBCD5357D2E51EEA89EFEFAC29ED912E6D6813
                                      SHA-512:D726DF4DCC2C71F799A9129B0BCA45FFF75455DC9CB0A409D0CD09ECF8BCF49796AD45AF6E2C768A90B6486C82ECB25E10D096FF65F0AB81EE999A003E86A745
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS..PowerShell Script to Upgrade SQL Server Express 2012 SP4 to 2022....Ensure you run PowerShell as Administrator....Ensure to adjust paths and instance names as per your environment.....1. Backup Databases..Implement backup logic as per your environment & requirement.....2. Verify SQL Server 2008 SP4 is installed..Verify manually or add script logic as per your requirement.....3. Install SQL Express 2022.... .DESCRIPTION.. Will upgrade SQL Express 2012 SP4+ to SQL Express 2022.... .NOTES.. Version: 1.3.. Author: DidItBetter Software.... #>......if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. #Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}.. ..#Execution Policy..Set-ExecutionPolicy -ExecutionPoli
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ISO-8859 text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):6918
                                      Entropy (8bit):5.206034581692453
                                      Encrypted:false
                                      SSDEEP:192:EAtc0q4EDNYC6djMVpDiSczf3XT/pgFyNc0q:EAi3h6hgpDbijql
                                      MD5:F1C85E7B65D147DD29AE2AE410AEC21A
                                      SHA1:4CA83E0864F3AE91B15987896AC741DA42D28472
                                      SHA-256:D5E8B1EC255797D5797F36F9B6B81E37D912E2D5E911428EC88CC055764463C0
                                      SHA-512:6633BD676977EFD456D5363194EE6B4251B33AC86A12FFD24D440242C8C869DB9569D2F5000A09A22BD4828E06CAC4D39A7B641D85B97D472C9DAC36F57D55B4
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS..PowerShell Script to Upgrade SQL Server Express 2017+ to 2022....Ensure you run PowerShell as Administrator....Ensure to adjust paths and instance names as per your environment.....1. Backup Databases..Implement backup logic as per your environment & requirement.....2. Verify SQL Server 2017+ is installed..Verify manually or add script logic as per your requirement.....3. Install SQL Server 2022 Express.... .DESCRIPTION.. Will upgrade SQL Express 2017+ to SQL Express 2022.... .NOTES.. Version: 1.3.. Author: DidItBetter Software.... #>......if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. #Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}.. ..#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ISO-8859 text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):6880
                                      Entropy (8bit):5.246944638572133
                                      Encrypted:false
                                      SSDEEP:192:pHTM4EDdskCPdjMVpDQSczf3cTxEa6gFiXTo:pIsNPhgpDliIEav
                                      MD5:EBA62744DFE66991433BAF7FC0BAEBF5
                                      SHA1:137385A79E897DF5C0D0FC6AEFEDDDB8CC4385D7
                                      SHA-256:9AD9453564BABC5EB58CB18243E094C5CB8BA753009724393517185E1AFDE7BB
                                      SHA-512:54CAEC1376B3CDEF75CF75B22CF924DCA1EA663BB6203DB85EA6D15916D79E85C0421765C614D2161686384498DA9DB2885C57C0E6D099DA6E2D8C76E168D64C
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS..PowerShell Script to Upgrade SQL Server Express 2008 SP4 to 2012 SP4....Ensure you run PowerShell as Administrator....Ensure to adjust paths and instance names as per your environment.....1. Backup Databases..Implement backup logic as per your environment & requirement.....2. Verify SQL Server 2008 SP4 is installed..Verify manually or add script logic as per your requirement.....3. Install SQL Server 2012 Express SP4.... .DESCRIPTION.. Will upgrade SQL Express 2008 SP4 to SQL Express 2012 SP4.... .NOTES.. Version: 1.3.. Author: DidItBetter Software.... #>......if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. #Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ISO-8859 text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):6869
                                      Entropy (8bit):5.271716332455319
                                      Encrypted:false
                                      SSDEEP:192:SmCd4EDd9yCGdjMVpD5SczW3bTR79IgFJXC/:StBGhgpDAiT
                                      MD5:1A8612F6E5EF271B6308386FAFCAC2FC
                                      SHA1:C12001B6714417A25E9D33CBB5E0E3E28FC0C8AB
                                      SHA-256:A02286A6251AA589C3A01D14DAD72E6A973C5CE3247775ACBDF0A0002702202C
                                      SHA-512:1F933E8BB7A0DC707820275A3A00DFBF065CF4583A0D20D5978100D5CDD3F1FC64FC844F822CF441C32BDD912667FBF545534BBBEB18BF66F30420D473E29F75
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS..PowerShell Script to Upgrade SQL Server Express 2008 to 2008 SP4....Ensure you run PowerShell as Administrator....Ensure to adjust paths and instance names as per your environment.....1. Backup Databases..Implement backup logic as per your environment & requirement.....2. Verify SQL Server 2008 is installed..Verify manually or add script logic as per your requirement.....3. Install SQL Server 2008 Express SP4.... .DESCRIPTION.. Will upgrade SQL Express 2008 to SQL Express 2008 SP4.... .NOTES.. Version: 1.3.. Author: DidItBetter Software.... #>......if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. #Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPo
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ISO-8859 text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):10147
                                      Entropy (8bit):5.151791839049951
                                      Encrypted:false
                                      SSDEEP:192:5icEOrSM54EBd7MCpNOvO07BBkNOh50LspMzxaSa9/Oz0/Xu/yc0/W5/G3p:wnYDNmnH5qPoyU
                                      MD5:1ADD9F6985014CB6D580776FB1ED7184
                                      SHA1:6037CE1867FDAECD5AB96619330C7056B81A667E
                                      SHA-256:F396B1B7C0812275DC5A3F9F46881FFB8D1BA9A9AC356AFCDC9571E8F1911D61
                                      SHA-512:87E8B62FBD2E2B30DE4A7E069C2EF79A26E4DECC08F2479B1978F1446BF471B94BF5879FE977DCFD18DC2B662F9C7624CDCB67587A8A7E2D4B49EDBD75740562
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS.. Backup and Store A2E DB.. Find SQL Express Version and upgrade accordingly.. Upgrades SQL Express 8x to SQL Express 2022.. Note* SQL 2008 must be at least SP4 to update to SQL Express 2012.. Note* SQL Express 2012 SP4 last version for x86. Must export and import DB into fresh SQL Express 2022.... .DESCRIPTION.. .... .NOTES.. Version: 1.1.. Author: DidItBetter Software.... #>......if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass -Force..[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12....#Logging..Start-Transcript -Path
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):3008
                                      Entropy (8bit):5.120422215233596
                                      Encrypted:false
                                      SSDEEP:48:4WM+YmPROBkuXjXzag4fvSf8/kyb0X/x3EpWoDLgmtQ7+7lt0c/EqzCwZu4M:7MlmPEBdznf8cyb0GtLgwQ7+7liPt
                                      MD5:D1BC3C992B5D78090C375480B7BE9D3B
                                      SHA1:7FE5F2FBC111E6B863326F74D24438169CA680EC
                                      SHA-256:53E87C98740D6CF268B641B55133958EA6A729DCEB04E71FAB13710B3861D4F0
                                      SHA-512:325BD84478EE91C5C39A1A92469853DC6084B42CAF079766B0130866653507456DD01CA48F7CCBC9D3CFFF5938B1800463B3EA78123D557FD3FCCB149E314CDD
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS.. Downloads and Silently Installs SQL Managament Studio 19x.... .DESCRIPTION.. .... .NOTES.. Version: 1.1.. Author: DidItBetter Software.... #>......if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass -Force....#Logging..Start-Transcript -Path "C:\Program Files (x86)\DidItBetterSoftware\Support\A2E_PowerShell_log.txt" -Append....# Script #....#Test for HTTPS Access..Write-Host "Testing for HTTPS Connectivity"....try {.. $wresponse = Invoke-WebRequest -Uri https://s3.amazonaws.com/dl.diditbetter.com -UseBasicParsing.. if ($wresponse.StatusCode -eq 200) {.. Write-Output
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ISO-8859 text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):6631
                                      Entropy (8bit):5.235810758535446
                                      Encrypted:false
                                      SSDEEP:96:aUKXYYmPEBhJ77gEmYBF/A54HofObcV7755JG9ZZ07xz0aDQrQ:hY4EBhJzf/A6HHAt0rQ
                                      MD5:AFB9AADF777A7A19E1AE27D5FD22514F
                                      SHA1:0C1A6A7F0E6D22BC7A635C266868682D7DDEEF1A
                                      SHA-256:DD988CFD11109E1E7875D41607916EC30B73F4DDDF310515BD15E762A36058D8
                                      SHA-512:45C3B59D82600DFA5FC3A970C4EB88850AA38D40C05930D8F3ABF8E000AB4384A34BD2B6F26ABB0ECDDE45A982A9F109E49235CD874FA33BA41495A02878648C
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS.. Scheduled Task to automatically upgrade Add2Exchange to the newest version.... .DESCRIPTION.. Downloads from S3.. Upgrades Add2Exchange to latest build.. Sets password for Add2Exchange Service.. Starts Add2Exchange Service after succesfull install.... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... To run this as a scheduled task open CMD prompt and type in: schtasks /run /tn "Scheduled Update Add2Exchange" .. Note* the task must be already created before running this in CMD.. #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}........#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1023
                                      Entropy (8bit):5.202613438368244
                                      Encrypted:false
                                      SSDEEP:24:OkfEslTC6jycWuLcWlfAcWiLcWbFS8httxkB:9fE+e6jyctLcrcjLcqDDtyB
                                      MD5:BC70B4D7C9C7053F4C30FC1721A67D63
                                      SHA1:D9E574805F4018C7CC25C2AA97DC56DA3E0B5044
                                      SHA-256:794E2365F2E580F669BAD988064606F814A1EDDDB7F865C3D291AAF15AE1EF0D
                                      SHA-512:6AF3A9F2428698FB935894470BF7F0AC8BEAE66936DF3E6B5994A96E62972AD693763892B4FF58CE322E8275C135F4E2FE3A31CBA7A87AC15DA129B0CB242569
                                      Malicious:false
                                      Preview:<Configuration ID="0ed28122-0109-4692-886e-6c4b754f4025">.. <Add OfficeClientEdition="64" Channel="Broad" ForceUpgrade="TRUE">.. <Product ID="O365ProPlusRetail">.. <Language ID="MatchOS" />.. <ExcludeApp ID="Access" />.. <ExcludeApp ID="Excel" />.. <ExcludeApp ID="Groove" />.. <ExcludeApp ID="Lync" />.. <ExcludeApp ID="OneDrive" />.. <ExcludeApp ID="OneNote" />.. <ExcludeApp ID="PowerPoint" />.. <ExcludeApp ID="Publisher" />.. <ExcludeApp ID="Word" />.. <ExcludeApp ID="Teams" />.. </Product>.. </Add>.. <Property Name="SharedComputerLicensing" Value="0" />.. <Property Name="PinIconsToTaskbar" Value="TRUE" />.. <Property Name="SCLCacheOverride" Value="0" />.. <Property Name="AUTOACTIVATE" Value="FALSE" />.. <Updates Enabled="TRUE" />.. <AppSettings>.. <User Value="0" Name="runosc" Id="L_TurnOffOutlookSocialConnector" App="outlk16" Type="REG_DWORD" Key="software\microsoft\office\outlook\socialconnector"/>.. </AppSett
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1023
                                      Entropy (8bit):5.2041868894674
                                      Encrypted:false
                                      SSDEEP:24:OTfEslTC6jycWuLcWlfAcWiLcWbFS8httxkB:ufE+e6jyctLcrcjLcqDDtyB
                                      MD5:6C49E64FFF25A2225546976F7A9BE5F6
                                      SHA1:6CC15D048275904F2E8D7AFC1F7789750FC6365E
                                      SHA-256:B52A9402BB73233A077BC2437228A26AEEB9C8F53FE3E9147209A09A9D5A833F
                                      SHA-512:FDCF646EA8D896ACA2EF3AF156D5403D509EAA06580A87854BAA5B2D0353B4483F62EA60F128338020E8039A95A3DC3FC85A45ED4A2539929A0A3B366A0F7B99
                                      Malicious:false
                                      Preview:<Configuration ID="0ed28122-0109-4692-886e-6c4b754f4025">.. <Add OfficeClientEdition="32" Channel="Broad" ForceUpgrade="TRUE">.. <Product ID="O365ProPlusRetail">.. <Language ID="MatchOS" />.. <ExcludeApp ID="Access" />.. <ExcludeApp ID="Excel" />.. <ExcludeApp ID="Groove" />.. <ExcludeApp ID="Lync" />.. <ExcludeApp ID="OneDrive" />.. <ExcludeApp ID="OneNote" />.. <ExcludeApp ID="PowerPoint" />.. <ExcludeApp ID="Publisher" />.. <ExcludeApp ID="Word" />.. <ExcludeApp ID="Teams" />.. </Product>.. </Add>.. <Property Name="SharedComputerLicensing" Value="0" />.. <Property Name="PinIconsToTaskbar" Value="TRUE" />.. <Property Name="SCLCacheOverride" Value="0" />.. <Property Name="AUTOACTIVATE" Value="FALSE" />.. <Updates Enabled="TRUE" />.. <AppSettings>.. <User Value="0" Name="runosc" Id="L_TurnOffOutlookSocialConnector" App="outlk16" Type="REG_DWORD" Key="software\microsoft\office\outlook\socialconnector"/>.. </AppSett
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):62
                                      Entropy (8bit):4.572765012132931
                                      Encrypted:false
                                      SSDEEP:3:Pg4QQ6/QIK6Wde8UMeKJ:PVQQFKWlU2
                                      MD5:E49E7FD101C66A32558FF27564234222
                                      SHA1:671A4BBE57BB7C9E872693DFA4CDC967D4329A93
                                      SHA-256:72507222065118F1D879128E8E98C633AFA6C21275CB9246F5AAC18041A1FDBF
                                      SHA-512:1A7CE80BE39B2B2CF38B1687A0CD6E9F318C216F6562F1170283835360B8AFE053D72CAD6714F4073927932BFFCD3EDDFCAB09962A6C145BF5F34C1CBD261E8B
                                      Malicious:false
                                      Preview:setup.exe /configure Office365_Pro_Retailx64_Configuration.xml
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):62
                                      Entropy (8bit):4.572765012132931
                                      Encrypted:false
                                      SSDEEP:3:Pg4QQ6/QIK6WdoMeKJ:PVQQFKWi2
                                      MD5:8D16D2E6750AE5217ADBBAC538E6E89E
                                      SHA1:06126FF482AB5F91E32315DE94ECE2F39533C1BF
                                      SHA-256:FFB180B7837FAB58A39779694E3025F98A0AE6B747B3A84BCB96BBA59486C5F7
                                      SHA-512:D17FC93E05CAF4FB938EC1CE9A18793610A2B2381D020227613117031E238B0E6F8A1957EC1000BDD7D2CF2587C3DD1FD4C2CD93010B70686FDF46747BE50B2C
                                      Malicious:false
                                      Preview:setup.exe /configure Office365_Pro_Retailx86_Configuration.xml
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):5169440
                                      Entropy (8bit):6.649944627880774
                                      Encrypted:false
                                      SSDEEP:98304:vqihTvjtEh2N5LQhyddG4THBZoJG3QBMxvble/bsTwY2h3:TpvE8dgq3oJG3QBMxBlW3
                                      MD5:B374FA0E7E34B9CE9C142FE80E1EFADE
                                      SHA1:2537F4523B12E9801F2ACB8FE38D5D725A56A61D
                                      SHA-256:A87105965530799BABBB71A1FD52DBD7CDDEE71C40E2C37576235D156FF02027
                                      SHA-512:8F5FF73932568006C38B9E1BB8DAABF0DC6E419FC1E6D96159FB1234439B8AB9B283D617540CDC5860538AFFEA89BA0A553F4CCF2B9F1949D9E907BA56C2F74C
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Joe Sandbox View:
                                      • Filename: V425Q1tORs.exe, Detection: malicious
                                      • Filename: V425Q1tORs.exe, Detection: malicious
                                      Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......Gc.-...~...~...~..'~...~..%~...~..$~#..~Ig.....~Ig..+..~Ig.....~...~...~...~...~fd.....~fd.....~fd.....~fd.....~...~)..~.d.....~.d.....~.d)~...~..A~...~.d.....~Rich...~........PE..L...r..[.........."......l+..2#.......#.......+...@...........................O.......O...@.................................8b?.......A...............N. ?...`K..<....:.8.....................:......,.@.............+.8....M?......................text....k+......l+................. ..`.rdata........+......p+.............@..@.data.........?..H...x?.............@....rsrc.........A.......@.............@..@.reloc...<...`K..>...dJ.............@..B........................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:Non-ISO extended-ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):7051
                                      Entropy (8bit):4.675718132414485
                                      Encrypted:false
                                      SSDEEP:96:iCmPEBdzcsNZg5MVzQWgM4cRpPOY6WIQK84cRpfOY6Wi:54EBdQshqkl6fUV65
                                      MD5:4ABCE57C7D70986A012F11683C23D47F
                                      SHA1:4B7CD4E02EDBE9D04A489196A0465A228A5DD39D
                                      SHA-256:5507006FEDCC5410CAB7C9DC33C0B52E6E919697DD46EEC2F3733E3803887CFD
                                      SHA-512:A879AA334B113E7A6A64F1A936871C15E79D32DA37EEA257D867F38C762E5263E8124F6C4FE3AE219BEB8719C2BBB7C78C69740E7D648F195D864A07359FCBB6
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS.. Shell into Exchange.... .DESCRIPTION.. Allows for login to Exchange or Office 365 with ability to enter commands manually...... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass....#Logging..$TestPath = "C:\Program Files (x86)\DidItBetterSoftware\Support"..if ( $(Try { Test-Path $TestPath.trim() } Catch { $false }) ) {.... Write-Host "Support Directory Exists...Resuming"..}..Else {.. New-Item -ItemType directory -Path "C:\Program Files (x86)\DidItBetterSoftware\Support"..}....Start-Transcript -Path "C:\Pr
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:Non-ISO extended-ASCII text, with very long lines (355), with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):36559
                                      Entropy (8bit):4.503630667237573
                                      Encrypted:false
                                      SSDEEP:192:zo4EBdHRhO9keHSowqzSZrTJN7nd9pdYkyO:EIkeHSowqGZ7PYkF
                                      MD5:BF7B956A983D4C2B772F143AC437F401
                                      SHA1:BB5902AAF9844CC9C0786884F8B35D052BE13B4A
                                      SHA-256:51250044F351B81A1A8E38C1EFD47DCB99312DAAAAE15F1A2CA856E0D0E42E73
                                      SHA-512:4E980628CDA60EC0F91CD4C78B1C8D1D651FBBCD29702A205721B26BBE45B43342BE932DD37C5B2D498ECFD73E511A7EA982C3CBB326A629D64F34A725DA44D7
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS.. Shell Permissions.... .DESCRIPTION.. Automatically logs into the desired on premise exchange or Office 365 and applies permissions.. uses bit-locked creds from timed permission setup...... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass....#Logging..$TestPath = "C:\Program Files (x86)\DidItBetterSoftware\Support"..if ( $(Try { Test-Path $TestPath.trim() } Catch { $false }) ) {.... Write-Host "Support Directory Exists...Resuming"..}..Else {.. New-Item -ItemType directory -Path "C:\Program Files (x
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):2313
                                      Entropy (8bit):5.206475437016567
                                      Encrypted:false
                                      SSDEEP:48:9YmPROBkaheuGuLiuZuTElltsEjA4HcYA4Zx:qmPEBV7JpoTaJjYY9x
                                      MD5:A119485189BCC14AC82C12ADCA54E81E
                                      SHA1:5CFE9A212D000E8F367B83B1F39474B99F89CD55
                                      SHA-256:25CA6D42AEE88E873C065741F37959D148A07A41CCC8B393ACB05C7B9F3729CB
                                      SHA-512:C6FAB52DDC71FAF46D9F260ADA73C5D22E2880068E3319F07106838A86EC2484AF42BEE4383C5708F1A37181D89D4EFF082EB8D158999DEC6BB08E8F9269246F
                                      Malicious:false
                                      Preview:if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit.. }.. .. .. #Execution Policy.. .. Set-ExecutionPolicy -ExecutionPolicy Bypass.. [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12.... #Variables.. .. $Exchangename = Get-Content "C:\Program Files (x86)\DidItBetterSoftware\Add2Exchange Creds\Exchange_Server_Name.txt".. $ServiceAccount = Get-Content "C:\Program Files (x86)\DidItBetterSoftware\Add2Exchange Creds\Sync_Account_Name.txt".. $Username = Get-Content "C:\Program Files (x86)\DidItBetterSoftware\Add2Exchange Creds\Exchange_Server_Admin.txt".. $Password = Get-Content "C:\Program Files (x86)\DidItBetterSoftware\Add2Exchange Creds\Exchange_Server_Pass.txt" | convertto-securestring.
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):2309
                                      Entropy (8bit):5.27046054524564
                                      Encrypted:false
                                      SSDEEP:48:9YmPROBk6PYUuWuLCuJuTnujY1tkD7PzNIFMGIA4H9r:qmPEBtPYX5p4Tuy8bS2P5r
                                      MD5:65AEF2EBB5A702F05BDDB39426D22E9E
                                      SHA1:A40DB715731183703E8E0D9B8D883D039E64D1C0
                                      SHA-256:A57544B50D040A836A9AFA3334EC7820AD4A11CE3B1E22563BD68183296B1802
                                      SHA-512:FF41E94E3DD9E40D731F2EB19D2CB978D2AA2564841F42D3E272981EDCE0CC061697FD55D49BAA3E9D6E5B11200DFEE9DC4246089FAD05C577C49D86C6E1EA33
                                      Malicious:false
                                      Preview:if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}......#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass..[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12....# Script #....#Variables....$Exchangename = Get-Content "C:\Program Files (x86)\DidItBetterSoftware\Add2Exchange Creds\Exchange_Server_Name.txt"..$ServiceAccount = Get-Content "C:\Program Files (x86)\DidItBetterSoftware\Add2Exchange Creds\Sync_Account_Name.txt"..$Username = Get-Content "C:\Program Files (x86)\DidItBetterSoftware\Add2Exchange Creds\Exchange_Server_Admin.txt"..$Password = Get-Content "C:\Program Files (x86)\DidItBetterSoftware\Add2Exchange Creds\Exchange_Server_Pass.txt" | convertto-securestring..$Groups = G
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):3242
                                      Entropy (8bit):5.184235576844559
                                      Encrypted:false
                                      SSDEEP:48:9YmPROBk6PYUuguJuTguWux1tkfnAH7IzYtn3BKz1w:qmPEBtPYXD4TD5n57m6xKz1w
                                      MD5:399F572DA4C7F58117067DD1D70AB422
                                      SHA1:03CC2AFDF3AF84E147F0E0A934B094D32FB0460E
                                      SHA-256:BB60CC3AB32A798ABAD83A52224C2A665B43FD0B389B5FEF8FD146BB8ECFC281
                                      SHA-512:90576BDD350BEF61E341B50FC59CE81C1C298C97CDA65E1CCD160044B976A848681E82C3CF7C89C15F4DE86DAFD8BA583253328E135EF2B65C7A7D853E01707A
                                      Malicious:false
                                      Preview:if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}......#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass..[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12....# Script #....#Variables....$Exchangename = Get-Content "C:\Program Files (x86)\DidItBetterSoftware\Add2Exchange Creds\Exchange_Server_Name.txt"..$Username = Get-Content "C:\Program Files (x86)\DidItBetterSoftware\Add2Exchange Creds\Exchange_Server_Admin.txt"..$Password = Get-Content "C:\Program Files (x86)\DidItBetterSoftware\Add2Exchange Creds\Exchange_Server_Pass.txt" | convertto-securestring..$DynamicDG1 = Get-Content "C:\Program Files (x86)\DidItBetterSoftware\Add2Exchange Creds\Dynamic_Name.txt"..$StaticDG1 = Get-Con
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:Non-ISO extended-ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):2681
                                      Entropy (8bit):5.206204413905134
                                      Encrypted:false
                                      SSDEEP:48:9YmPROBk642pHCZMTruLCuuu+EY7A4H29:qmPEBtKMTipx+ti9
                                      MD5:4CEE73D454FF52AD206F6779B8C1B1C2
                                      SHA1:2AFF775DEBB685870CB1027DFB629709134C78AD
                                      SHA-256:CFFE62C1DD72BB82A9B1FF47092FD096B2A5DF219778CDA5D9D0B61B86E72E6B
                                      SHA-512:00727409C9A4EA398854BAA6398D04C404E40B8B69AB940DAC26789F708F2D0223C27A55FF53FC372B5B1D7DB57BB6967647B8CD7DECD97C4C66BB02418CB4ED
                                      Malicious:false
                                      Preview:if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}......#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass..[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12....# Script #....#Check for MS Online Module..Write-Host "Checking for Exhange Online Module"....IF (Get-Module -ListAvailable -Name ExchangeOnlineManagement) {.. Write-Host "Exchange Online Module Exists".... $InstalledEXOv2 = ((Get-Module -Name ExchangeOnlineManagement -ListAvailable).Version | Sort-Object -Descending | Select-Object -First 1).ToString().... $LatestEXOv2 = (Find-Module -Name ExchangeOnlineManagement).Version.ToString().... [PSCustomObject]@{.. Match = If ($InstalledEXOv2 -eq $LatestEXOv2)
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:Non-ISO extended-ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):2936
                                      Entropy (8bit):5.226696749733595
                                      Encrypted:false
                                      SSDEEP:48:9YmPROBk642pHCZMCruLCuuu+nujYs7PzNIFMGIA4HyKx:qmPEBtKMCipx+u9bS2PmKx
                                      MD5:29DCE03F380B4119D910F6916C83E553
                                      SHA1:C094CFF3C3D9B460F44F7CF61CA78C8D1F84122D
                                      SHA-256:3B92B4559CBB46C25330E2D1272C1946928A896B0FEC503A2C2624C7E35509F7
                                      SHA-512:C14CB1A123CAC0DBB3306A193C5BADAD07E088565383111F1265FC9AA8B5E0BD5A1B94942FF8F7C4C5A9D44E3C250BFFD681AAEF70A5465690A8C8002455F69F
                                      Malicious:false
                                      Preview:if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}......#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass..[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12....# Script #....#Check for MS Online Module..Write-Host "Checking for Exhange Online Module"....IF (Get-Module -ListAvailable -Name ExchangeOnlineManagement) {.. Write-Host "Exchange Online Module Exists".... $InstalledEXOv2 = ((Get-Module -Name ExchangeOnlineManagement -ListAvailable).Version | Sort-Object -Descending | Select-Object -First 1).ToString().... $LatestEXOv2 = (Find-Module -Name ExchangeOnlineManagement).Version.ToString().... [PSCustomObject]@{.. Match = If ($InstalledEXOv2 -eq $LatestEXOv2)
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:Non-ISO extended-ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):3867
                                      Entropy (8bit):5.150671684787593
                                      Encrypted:false
                                      SSDEEP:48:9YmPROBk642pHCZMCpuuu+8ueuuYWNja7IzYtn8UQprG:qmPEBtKMCYx+fBia7m689prG
                                      MD5:9DB45E661D4F1819D5C2119BA8EBE6F7
                                      SHA1:43F8E5466B03431EE886981A1A6D15AC4CBF09C4
                                      SHA-256:91B84050C3505A65F63C4084DE97CEB183BB2131C5ECE05E1FD5B2C9385A5271
                                      SHA-512:6A8968A8B70BCD6DA01BDD495D2BE1A7F4F2B2620CA216EB123E524F862641860711D3A048029853BF8609C2ED2A96F9586938A184E3E0BF3D8D2C32D976B939
                                      Malicious:false
                                      Preview:if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}......#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass..[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12....# Script #....#Check for MS Online Module..Write-Host "Checking for Exhange Online Module"....IF (Get-Module -ListAvailable -Name ExchangeOnlineManagement) {.. Write-Host "Exchange Online Module Exists".... $InstalledEXOv2 = ((Get-Module -Name ExchangeOnlineManagement -ListAvailable).Version | Sort-Object -Descending | Select-Object -First 1).ToString().... $LatestEXOv2 = (Find-Module -Name ExchangeOnlineManagement).Version.ToString().... [PSCustomObject]@{.. Match = If ($InstalledEXOv2 -eq $LatestEXOv2)
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1182
                                      Entropy (8bit):5.177298437958451
                                      Encrypted:false
                                      SSDEEP:24:9ELm7LR6LPk1ophAl6PoqGba5KNZDaNvmLbPXuq7Whz:9YmPROsEDFdAzuX
                                      MD5:E7429B9BC39E9217F0FB503DE41E1364
                                      SHA1:0608BB8B293A11F58EEB8CAA322CAF670CD48EFA
                                      SHA-256:6C696EF6E3D94FE2712B3063C7A52C6618A0D346C0B22718572FE7DB2A178885
                                      SHA-512:DB305B546B58D66809CC7F79389CE1D637C1EDDFB490162527C95752A306F2E616CB264B03719A40297773CE1A79D960B453F6EFA6B3C9486648705D351D56B5
                                      Malicious:false
                                      Preview:if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))..{.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File",('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass......# Script #..# Report Correct File Path of DynamicDistribution List File..Write-Host "Creating Task".. $Repeater = (New-TimeSpan -Minutes 720).. $Duration = ([timeSpan]::maxvalue).. $Trigger = New-JobTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval $Repeater -RepetitionDuration $Duration.. $Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -WorkingDirectory $Location -Argument '-NoProfile -WindowStyle Hidden -Executionpolicy Bypass -file "ENTER FILE PATH HERE"'.. Register-ScheduledTask -Action $Action -RunLevel Highest -Trigger $Trigger -TaskName "Add2Exchange Permissions" -Descrip
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):2376
                                      Entropy (8bit):5.091813731955432
                                      Encrypted:false
                                      SSDEEP:48:9YmPROBkH+yF0TveJjpnAH7IzYtn3BKzi:qmPEBl6KeJjs7m6xKzi
                                      MD5:CBC1624883A282B70B867D25B380EE1C
                                      SHA1:519E9B90F6558C1B507A1B71F9706B9400FE1E40
                                      SHA-256:0470A94170B0407E9C8AF85F2292EA767A424A82686E1991E28F320A2A325809
                                      SHA-512:16E60FA701564121144AD3217F7F1689C39FB9D368067256C08D4CF0E57CAFEB75B65F2F32FC58AF5119A62D6F1B253B5E18210B4871EAE48CB8E93EA5F0245D
                                      Malicious:false
                                      Preview:if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass....# Service Stop #..Get-Service -ComputerName "TYPE COMPUTER NAME HERE" -Name "Add2Exchange Service" | Stop-Service -Verbose -ErrorAction Stop..Start-Sleep -s 30..Get-Service -ComputerName "TYPE COMPUTER NAME HERE" -Name "Add2Exchange Agent" | Stop-Service -Verbose..Start-Sleep -s 10....# Script #..Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn;..Set-ADServerSettings -ViewEntireForest $true.. ..#Variables..# Fill Out Dynamic and Statis Distribution Groups Below....$DynamicDG = @("Dynamic DL HERE", "Dynamic DL HERE")..$StaticDG = @("Static DL HERE", "Static DL HERE")....for ($i = 0;
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:Non-ISO extended-ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):4303
                                      Entropy (8bit):5.198975556588784
                                      Encrypted:false
                                      SSDEEP:48:o+gYmPROBkuU69eKr3IHvD5AMgihSKD6dgmdW7CXdWCnvlCVg7SCjSpcMQJtI6oT:oCmPEBdUGwvsiL7FC4GmL2MuozKtG
                                      MD5:3AAAC6808F523B20E401258345F64C9B
                                      SHA1:D69BE6F4135500FC2E9312F3F5091FDA06CDB046
                                      SHA-256:E54C2AB3CA3FAD2491C022C763744D6F82998734F616801F049B21266029BE1D
                                      SHA-512:0DD462BD8D984B6BACC6635611D128D4AE024D689E5278266B640CEA1204749DED2124CC6589D110637907A2726F20720DE283786C25D746D0C733E29F5D79F5
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS.. Timed A2E SQL Backup.... .DESCRIPTION.. This is a part of a scheduled task to run and backup A2E SQl DB every 3 days.. 5 version retention by default.... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass -Force....#Variables..$Install = Get-ItemPropertyValue -Path "HKLM:\SOFTWARE\WOW6432Node\OpenDoor Software.\Add2Exchange" -Name "InstallLocation" -ErrorAction SilentlyContinue #Current Add2Exchange Installation Path..$CurrentDB = $Install + 'Database\' #Current Database Location..$BackupDirs = Get-Conten
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ISO-8859 text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):2815
                                      Entropy (8bit):5.2554300122995485
                                      Encrypted:false
                                      SSDEEP:48:wIi8k8z+N+8Y8zK+gYmPROhE5N/ZVgo9ei2COW818zW1NR8t8zf/xcXWH9enxoSa:halKCmPEhgVJAhfYxoSroz
                                      MD5:65BAF2C4AECB3C31BD9F5D991FB5F666
                                      SHA1:7AAC1911A4A0E2235AD4BAC1F8D03DDFC863F4C5
                                      SHA-256:65DB9ADCFD894401F42E618FCD973498F2D86563BF7B12687A9AFCC0B3BF65E4
                                      SHA-512:6139BAC47DEA096CD4E6F8AAEFF5A77ABBEE42D1BFE71E1E646534C295262EC96119AF971132920B45731ACC240B42418244380A82C783E0767F2D7CD0D24BC3
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS.. Windows Defender Exclusions.... .DESCRIPTION.. Excludes the below from windows defender live scanning.. "Program Files (x86)\OpenDoor Software.".. "Program Files (x86)\Microsoft SQL Server".. "Program Files\Microsoft SQL Server".. "Program Files (x86)\DidItBetterSoftware".. "zLibrary".. "Program Files (x86)\Microsoft Office".. "C:\Users\zadd2exchange\AppData".... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File", ('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy....Set-ExecutionPolicy -ExecutionPolicy Bypass -Force....#Logging..Start-Transcript -Path "C:\Program
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):786
                                      Entropy (8bit):5.003777918597954
                                      Encrypted:false
                                      SSDEEP:24:V5U4J2+rcELm7LR6LPk1ophAl6PoPhjJyFhNxT:7E+gYmPROsEDUJs5
                                      MD5:0C3D59CF2897ACE0354138628A349F9A
                                      SHA1:D3CD0F829B6C162C77C68FFC137E89392E573410
                                      SHA-256:E81BF291B9B93BDD31AAB066D2E4078C3C2D9EC8A5BFC802DD910C59F47361DD
                                      SHA-512:498A6702F9CFF747AB1986CB1CB5AB61D11979DDF8C2892FA2C07645FFD883A0048C7DC132C0B229647344957692583B292D1E47DDD82658B0FED116AF53219C
                                      Malicious:false
                                      Preview:<#.. .SYNOPSIS.. Shell.... .DESCRIPTION.. Simple open another PS session to shell into Exchange of Office365.. Calls another powershell file "Shell into Exchange"...... .NOTES.. Version: 3.2023.. Author: DidItBetter Software.... #>....if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))..{.. # Relaunch as an elevated process:.. Start-Process powershell.exe "-File",('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs.. exit..}....#Execution Policy..Set-ExecutionPolicy -ExecutionPolicy Bypass......# Script #..Powershell.exe -noexit ".\Shell_Into_Exchange.ps1" -noprofile....# End Scripting..
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):8
                                      Entropy (8bit):2.75
                                      Encrypted:false
                                      SSDEEP:3:xJ8n:xun
                                      MD5:FB5B87D7E7127C6CCBB0D47B99C98629
                                      SHA1:D0E38F05930EF0AC54BF5A2C555B5013BF7B8145
                                      SHA-256:120C7DC65B2424AAC3D64B06D0F28C1CFB41553A0294C99DFCBC6B750428430B
                                      SHA-512:9F39FAEAC437F3A6FC7E32818209CE19E0441B389C6028FDD706B64417EE8EFCF36963A08A1B6764680E762A40716C6E833EE8FBE97F33D07CD6BA68AD164C39
                                      Malicious:false
                                      Preview:Level:9
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Messaging API and Collaboration Data Objects 1.2.1 v6.5.8320.0, Author: Microsoft, Keywords: Installer, Template: Intel;1033, Revision Number: {EB06CAF7-FF9E-4e70-B2DC-20D0B3E4A188}, Create Time/Date: Mon Apr 29 10:13:53 2013, Last Saved Time/Date: Mon Apr 29 10:13:53 2013, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML (candle/light), Security: 1
                                      Category:dropped
                                      Size (bytes):3569152
                                      Entropy (8bit):6.968260863030964
                                      Encrypted:false
                                      SSDEEP:49152:Ozi7eSMsESiOtGc5DUNmj6lpDrfb0YZUafrtxjkkwuh+GQGY:tllElIGcyNy6lpDrfQYZ7Bxj1wpGQ
                                      MD5:1C0E9FD7CB73D8E40802FA2F535B2D96
                                      SHA1:F109F0E751D0B358C9D5DEE1322738609E07EA2E
                                      SHA-256:40480D120D9A4349716471B75015FFC08313B541A8E303E326F2A2809EA98731
                                      SHA-512:EEEEC835D3B29C0E7A5147A2D57A289584DF81070DE90569A0DA6A508EE7CB739CDA5737BB394B6370A0B990440A663B1FD0CCA973F52213FD00445CDB3843A2
                                      Malicious:false
                                      Preview:......................>...................7...............=...........................i...j.../...0...1...2...3...4...5...6...7...8...9...................................................................................................................................................................................................................................................................................................................................................................................................................................+............................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:Windows Registry text (Win2K or above)
                                      Category:dropped
                                      Size (bytes):673
                                      Entropy (8bit):5.200084512777063
                                      Encrypted:false
                                      SSDEEP:12:jBJ0SK0Z83rQbDIYLRfRRfJ/bjr83rQrKfAsGKMAsk8dAskKPysAskKObsAsOKPK:jBJtZ8bQbDv7P78bQrKf1S1ki1kKf1kT
                                      MD5:6650B0C072434405DF42D91C81A1573C
                                      SHA1:D5EF1E3A4408F8FBDC0A514C1F411627FCEA1F98
                                      SHA-256:D5157FAE52FF0A7CF3D0BFC204EA1674AA117267241B95F1FF90A87F2DA2F612
                                      SHA-512:83241CAEDB38CC1BCB1DC5FE37984F92E879C8FFACC458DC95947462CE216789F756642CBA99B622289800A45AA8CE3F022ED36E9663EE26CA8B5F31F00096D8
                                      Malicious:false
                                      Preview:Windows Registry Editor Version 5.00....[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\AutoDiscover].."ExcludeScpLookup"=dword:00000000.."ExcludeHttpsAutodiscoverDomain"=dword:00000001.."ExcludeHttpsRootDomain"=dword:00000001.."ExcludeSrvLookup"=dword:00000000.."ExcludeHttpRedirect"=dword:00000000.."ExcludeSrvRecord"=dword:00000000....[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\AutoDiscover\RedirectServers].."autodiscover-s.outlook.com"=hex(0):.."autodiscover.hotmail.com"=hex(0):.."autodiscover-s.partner.outlook.cn"=hex(0):.."autodiscover-s.outlook.de"=hex(0):.."autodiscover-s.office365.us"=hex(0):.."autodiscover.THEIR_DOMAIN.com"=hex(0):..
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:Windows Registry text (Win2K or above)
                                      Category:dropped
                                      Size (bytes):673
                                      Entropy (8bit):5.201934605641604
                                      Encrypted:false
                                      SSDEEP:12:jBJ0SK0Z8PbDIYLRfRRfJ/bjr8PrKfAsGKMAsk8dAskKPysAskKObsAsOKPAv:jBJtZ8PbDv7P78PrKf1S1ki1kKf1kKY1
                                      MD5:98DD72DEF80AB5D47318F76A726EAFBF
                                      SHA1:A596F1DC0D4060B90872ABD75C5AA587B55469D6
                                      SHA-256:224D9957C0368840C9677FAB790B7978AD85F8CBE1F4C344853D4ABB2E19FC8E
                                      SHA-512:F95D02AF1CD45FC4E6365C290412CD4BBA9B03A44905D33659CFB7B1D34262946DF6589617581D69F78E39BDB9B989017FF3E22E41DB212359DEF138FA937792
                                      Malicious:false
                                      Preview:Windows Registry Editor Version 5.00....[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover].."ExcludeScpLookup"=dword:00000000.."ExcludeHttpsAutodiscoverDomain"=dword:00000001.."ExcludeHttpsRootDomain"=dword:00000001.."ExcludeSrvLookup"=dword:00000000.."ExcludeHttpRedirect"=dword:00000000.."ExcludeSrvRecord"=dword:00000000....[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover\RedirectServers].."autodiscover-s.outlook.com"=hex(0):.."autodiscover.hotmail.com"=hex(0):.."autodiscover-s.partner.outlook.cn"=hex(0):.."autodiscover-s.outlook.de"=hex(0):.."autodiscover-s.office365.us"=hex(0):.."autodiscover.THEIR_DOMAIN.com"=hex(0):..
                                      Process:C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):9011
                                      Entropy (8bit):5.090114603797306
                                      Encrypted:false
                                      SSDEEP:96:e5JV1qFpLMKTjVEQqoheUe68AX313tBA73pAC6kvDDM:edQqoheFOIbQ
                                      MD5:D2AE156D41D73955EF95375E429E5B8A
                                      SHA1:42DF0552AE25A3C214CDB14B2E26DAF136CB2820
                                      SHA-256:BE67C2179BF4F732A1F1DDC529F0DEC5BA18728804EDB6EDF889EC5CAB402168
                                      SHA-512:81AD918486F87C1C42FE54D1CB48A9F34E1F6F3232B6A03BA6AC673C97AE365617135D24BAC5BC02E1151BAC636A171B311633851E3357F02C0E21986913CAEF
                                      Malicious:false
                                      Preview:..7-Zip SFX 4.65 Copyright (c) 1999-2009 Igor Pavlov 2009-02-03....Processing archive: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe....Extracting a2e-enterprise.26.3.3677.2903\Setup.zip..Extracting a2e-enterprise.26.3.3677.2903\Add2ExchangeSetup.msi..Extracting a2e-enterprise.26.3.3677.2903\Tools\Mapi\ExchangeMapiCdo.MSI..Extracting a2e-enterprise.26.3.3677.2903\Setup\OSC_Disable.bat..Extracting a2e-enterprise.26.3.3677.2903\O365Outlook32\Setup Files\Pro_Retailx64.cmd..Extracting a2e-enterprise.26.3.3677.2903\Setup\Setup Files\Pro_Retailx64.cmd..Extracting a2e-enterprise.26.3.3677.2903\O365Outlook32\Setup Files\Pro_Retailx86.cmd..Extracting a2e-enterprise.26.3.3677.2903\Setup\Setup Files\Pro_Retailx86.cmd..Extracting a2e-enterprise.26.3.3677.2903\O365Outlook32\Setup Files\Office365_Pro_Retailx64_Configuration.xml..Extracting a2e-enterprise.26.3.3677.2903\Setup\Setup Files\Office365_Pro_Retailx64_Configuration.xml..Extracting a2e-enterprise.26.3.3677.2903\O365Ou
                                      File type:PE32 executable (console) Intel 80386, for MS Windows
                                      Entropy (8bit):7.999918044877228
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:a2e-enterprise.26.3.3677.2903.exe
                                      File size:42'987'850 bytes
                                      MD5:29c3418978dd57c42c7e9530b3aac3d6
                                      SHA1:08283dd80f9597fffd5abc3977b21894e9ad962b
                                      SHA256:22a18e7582631d3d2efae7d691fc20421c7a9693103b6f21a190f664c686b94b
                                      SHA512:e8ffc68971e23bf040155fec5dc0101730fb729365208a202a101e27c289c55016b8e94ef7eaceb820182372fedd68484165b8e491587cf4b5c5a0ed127fb9b3
                                      SSDEEP:786432:v/NH38u8rB8LSc8EPX+0m8EKQLFD/uDoWIqIKxMTxv9+vCqJuI:JMwPXjFQZGDo/qFAxVw9b
                                      TLSH:7B973304B0A08677F1022970B3695BE456BFEAD4AC3A3937761267BA1DB7D0D8633DC1
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........A..~/F.~/F.~/F.a$F.~/F^b!F.~/F.a%F.~/F.a+F.~/FSvpF.~/F.~.F_~/F^vrF.~/F.X$F.~/F.,.F.~/F..RF.~/F.X%F.~/F.x)F.~/FRich.~/F.......
                                      Icon Hash:b8868baba9aba2d8
                                      Entrypoint:0x419d2c
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows cui
                                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                      DLL Characteristics:
                                      Time Stamp:0x4987F062 [Tue Feb 3 07:21:06 2009 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:be41dda43b3125c88e27c41d5512c51f
                                      Instruction
                                      push ebp
                                      mov ebp, esp
                                      push FFFFFFFFh
                                      push 0041DC68h
                                      push 00419D26h
                                      mov eax, dword ptr fs:[00000000h]
                                      push eax
                                      mov dword ptr fs:[00000000h], esp
                                      sub esp, 20h
                                      push ebx
                                      push esi
                                      push edi
                                      mov dword ptr [ebp-18h], esp
                                      and dword ptr [ebp-04h], 00000000h
                                      push 00000001h
                                      call dword ptr [0041D0DCh]
                                      pop ecx
                                      or dword ptr [00427704h], FFFFFFFFh
                                      or dword ptr [00427708h], FFFFFFFFh
                                      call dword ptr [0041D0E0h]
                                      mov ecx, dword ptr [004256FCh]
                                      mov dword ptr [eax], ecx
                                      call dword ptr [0041D0E4h]
                                      mov ecx, dword ptr [004256F8h]
                                      mov dword ptr [eax], ecx
                                      mov eax, dword ptr [0041D0E8h]
                                      mov eax, dword ptr [eax]
                                      mov dword ptr [00427700h], eax
                                      call 00007FDCB47E441Ah
                                      cmp dword ptr [004233D0h], 00000000h
                                      jne 00007FDCB47E434Eh
                                      push 00419E6Ch
                                      call dword ptr [0041D0ECh]
                                      pop ecx
                                      call 00007FDCB47E43EBh
                                      push 00422050h
                                      push 0042204Ch
                                      call 00007FDCB47E43D6h
                                      mov eax, dword ptr [004256F4h]
                                      mov dword ptr [ebp-28h], eax
                                      lea eax, dword ptr [ebp-28h]
                                      push eax
                                      push dword ptr [004256F0h]
                                      lea eax, dword ptr [ebp-20h]
                                      push eax
                                      lea eax, dword ptr [ebp-2Ch]
                                      push eax
                                      lea eax, dword ptr [ebp-1Ch]
                                      push eax
                                      call dword ptr [0041D0F4h]
                                      push 00422048h
                                      push 00422000h
                                      call 00007FDCB47E43A3h
                                      Programming Language:
                                      • [C++] VS98 (6.0) SP6 build 8804
                                      • [ C ] VS2008 build 21022
                                      • [ASM] VS2005 build 50727
                                      • [ C ] VS98 (6.0) SP6 build 8804
                                      • [EXP] VC++ 6.0 SP5 build 8804
                                      Name | Virtual Address | Virtual Size | Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x21600 | 0x64 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x28000 | 0x818 | .rsrc
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IAT | 0x1d000 | 0x180 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
.text   0x1000           0x1b102       0x1b200   d4c5d76b946ca36ab9bd5aab6cc41d87  False     0.5753078197004609   data       6.570310815454297   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x1d000          0x4db4        0x4e00    c6b21ccaf0d9ef15381630f9c2f032a4  False     0.30193309294871795  data       4.0571847265275185  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x22000          0x570c        0x1400    e1801865b67dbd9655621941066a71b9  False     0.5072265625         data       4.868264558733701   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x28000          0x818         0xa00     8a01387edd37bf9a125c14f9a1d77f1e  False     0.248828125          data       2.249846752391889   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
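The entropy and characteristics columns above are the static hints a triage script checks first: a section with entropy above roughly 7 bits per byte is usually packed or encrypted (.text here sits at 6.57, consistent with plain compiled code), a section that is both writable and executable is a common unpacking target, and a virtual size well above the raw size (.data here, 0x570c against 0x1400) is normally just uninitialized data. The following added example is not part of the Joe Sandbox report; it rebuilds those columns from the section table using only the Python standard library. It runs against a small 32-bit PE image constructed inline (not the analysed sample), and the flag thresholds and flag names are this example's own choices.

```python
import hashlib
import math
import struct

# Section characteristic bits from winnt.h.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_sections(image: bytes) -> list:
    """Walk the section table of a PE image and return one dict per section."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    _machine, n_sections, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", image, coff)
    off = coff + 20 + opt_size  # section headers follow the optional header
    rows = []
    for _ in range(n_sections):
        # IMAGE_SECTION_HEADER is 40 bytes.
        name, vsize, va, raw_size, raw_ptr, _r, _l, _nr, _nl, chars = struct.unpack_from("<8sIIIIIIHHI", image, off)
        off += 40
        raw = image[raw_ptr:raw_ptr + raw_size]
        entropy = shannon_entropy(raw)
        flags = []  # thresholds below are this example's choices
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            flags.append("writable+executable")
        if entropy > 7.0:
            flags.append("high entropy (packed or encrypted?)")
        if raw_size == 0 and vsize:
            flags.append("no raw data (filled at runtime)")
        elif vsize > raw_size:
            flags.append("virtual size exceeds raw size (uninitialized data)")
        rows.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "raw_size": raw_size,
            "md5": hashlib.md5(raw).hexdigest(),
            "entropy": entropy, "flags": flags,
        })
    return rows


def _section_header(name, vsize, va, raw_size, raw_ptr, chars):
    return struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, chars)


def build_sample_image() -> bytes:
    """Constructed minimal i386 PE for this example (not the analysed sample): two sections, no optional header."""
    text_raw = bytes(range(256)) * 2   # every byte value twice -> entropy exactly 8.0
    data_raw = b"\x00" * 0x100         # constant bytes -> entropy 0.0
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew at offset 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)  # i386, 2 sections, SizeOfOptionalHeader = 0
    headers = _section_header(b".text", len(text_raw), 0x1000, len(text_raw), 0x200,
                              IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    headers += _section_header(b".data", 0x570C, 0x2000, len(data_raw), 0x400,
                               IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    image = dos + b"PE\0\0" + coff + headers
    image += b"\0" * (0x200 - len(image)) + text_raw
    image += b"\0" * (0x400 - len(image)) + data_raw
    return image


if __name__ == "__main__":
    for row in triage_sections(build_sample_image()):
        print(f"{row['name']:<8} va=0x{row['va']:x} vsize=0x{row['vsize']:x} raw=0x{row['raw_size']:x} "
              f"md5={row['md5']} entropy={row['entropy']:.2f} {row['flags']}")
```

To run it on a real file, pass `open(path, "rb").read()` to `triage_sections` instead of the constructed image; the md5 and entropy columns it prints are computed the same way as the ones in the table above, so they can be compared directly.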
Name           RVA      Size   Type                                                            Language  Country        ZLIB Complexity
RT_ICON        0x283e0  0x2e8  Device independent bitmap graphic, 32 x 64 x 4, image size 640  English   United States  0.16532258064516128
RT_ICON        0x286c8  0x128  Device independent bitmap graphic, 16 x 32 x 4, image size 192  English   United States  0.32094594594594594
RT_GROUP_ICON  0x287f0  0x22   data                                                            English   United States  1.0
RT_VERSION     0x28120  0x2c0  data                                                            English   United States  0.49857954545454547
DLL           Import
USER32.dll    CharUpperW, CharNextA, CharUpperA
OLEAUT32.dll  VariantClear, SysFreeString, SysAllocString
MSVCRT.dll    _controlfp, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, __p___initenv, exit, _XcptFilter, _exit, _onexit, __dllonexit, ?terminate@@YAXXZ, ??1type_info@@UAE@XZ, _except_handler3, _beginthreadex, memset, memcpy, fputc, fputs, fflush, fgetc, fclose, _iob, free, malloc, memmove, _purecall, memcmp, _CxxThrowException, __CxxFrameHandler
KERNEL32.dll  FormatMessageW, InitializeCriticalSection, ResetEvent, SetEvent, CreateEventA, WaitForSingleObject, VirtualFree, VirtualAlloc, DeleteCriticalSection, WaitForMultipleObjects, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, FileTimeToSystemTime, SetEndOfFile, WriteFile, ReadFile, SetFilePointer, GetFileSize, CreateFileA, FindFirstFileW, FindFirstFileA, FindClose, GetFullPathNameW, GetFullPathNameA, lstrlenA, DeleteFileW, GetCommandLineW, SetFileApisToOEM, SetConsoleCtrlHandler, FileTimeToLocalFileTime, GetVersionExA, MultiByteToWideChar, WideCharToMultiByte, GetLastError, AreFileApisANSI, GetModuleFileNameA, GetModuleFileNameW, LocalFree, FormatMessageA, CloseHandle, SetFileTime, CreateFileW, SetLastError, SetFileAttributesA, RemoveDirectoryA, MoveFileA, SetFileAttributesW, RemoveDirectoryW, MoveFileW, CreateDirectoryA, CreateDirectoryW, DeleteFileA
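Two things a practitioner does with an import table like this one: compute an import hash (imphash) to pivot to related samples, and bucket the imported APIs by capability to see what the static table does and does not account for. The added example below is not part of the report. The import list is transcribed from the table above and is assumed to be in the binary's import-table order (imphash is order-sensitive, so confirm the value against a hash computed from the file itself before pivoting on it); the capability buckets and their names are this example's own.

```python
import hashlib
import re

# Import table transcribed from the report. Order is assumed to match the
# binary's import table; it was not re-parsed from the sample here.
SAMPLE_IMPORTS = [
    ("USER32.dll", ["CharUpperW", "CharNextA", "CharUpperA"]),
    ("OLEAUT32.dll", ["VariantClear", "SysFreeString", "SysAllocString"]),
    ("MSVCRT.dll", ["_controlfp", "__set_app_type", "__p__fmode", "__p__commode", "_adjust_fdiv",
                    "__setusermatherr", "_initterm", "__getmainargs", "__p___initenv", "exit",
                    "_XcptFilter", "_exit", "_onexit", "__dllonexit", "?terminate@@YAXXZ",
                    "??1type_info@@UAE@XZ", "_except_handler3", "_beginthreadex", "memset", "memcpy",
                    "fputc", "fputs", "fflush", "fgetc", "fclose", "_iob", "free", "malloc", "memmove",
                    "_purecall", "memcmp", "_CxxThrowException", "__CxxFrameHandler"]),
    ("KERNEL32.dll", ["FormatMessageW", "InitializeCriticalSection", "ResetEvent", "SetEvent", "CreateEventA",
                      "WaitForSingleObject", "VirtualFree", "VirtualAlloc", "DeleteCriticalSection",
                      "WaitForMultipleObjects", "EnterCriticalSection", "LeaveCriticalSection", "GetStdHandle",
                      "FileTimeToSystemTime", "SetEndOfFile", "WriteFile", "ReadFile", "SetFilePointer",
                      "GetFileSize", "CreateFileA", "FindFirstFileW", "FindFirstFileA", "FindClose",
                      "GetFullPathNameW", "GetFullPathNameA", "lstrlenA", "DeleteFileW", "GetCommandLineW",
                      "SetFileApisToOEM", "SetConsoleCtrlHandler", "FileTimeToLocalFileTime", "GetVersionExA",
                      "MultiByteToWideChar", "WideCharToMultiByte", "GetLastError", "AreFileApisANSI",
                      "GetModuleFileNameA", "GetModuleFileNameW", "LocalFree", "FormatMessageA", "CloseHandle",
                      "SetFileTime", "CreateFileW", "SetLastError", "SetFileAttributesA", "RemoveDirectoryA",
                      "MoveFileA", "SetFileAttributesW", "RemoveDirectoryW", "MoveFileW", "CreateDirectoryA",
                      "CreateDirectoryW", "DeleteFileA"]),
]

# Coarse capability buckets chosen for this example (not a report taxonomy).
CATEGORIES = {
    "file manipulation": {"CreateFileA", "CreateFileW", "DeleteFileA", "DeleteFileW", "MoveFileA", "MoveFileW",
                          "SetFileAttributesA", "SetFileAttributesW", "RemoveDirectoryA", "RemoveDirectoryW",
                          "CreateDirectoryA", "CreateDirectoryW", "SetFileTime", "SetEndOfFile", "WriteFile"},
    "directory enumeration": {"FindFirstFileA", "FindFirstFileW", "FindClose"},
    "memory allocation": {"VirtualAlloc", "VirtualFree"},
    "threads and sync": {"_beginthreadex", "CreateEventA", "SetEvent", "ResetEvent",
                         "WaitForSingleObject", "WaitForMultipleObjects"},
    "console": {"GetStdHandle", "SetConsoleCtrlHandler", "SetFileApisToOEM"},
    "dynamic resolution": {"LoadLibraryA", "LoadLibraryW", "GetProcAddress"},
    "keystroke capture": {"RegisterRawInputDevices", "GetRawInputData", "SetWindowsHookExA",
                          "SetWindowsHookExW", "GetAsyncKeyState"},
    "network": {"WSAStartup", "connect", "send", "recv", "InternetOpenA", "InternetOpenW",
                "HttpSendRequestA", "HttpSendRequestW"},
}


def normalize_import(lib: str, func) -> str:
    """One imphash entry: 'lib.func' lower-cased, with .dll/.ocx/.sys stripped from lib."""
    lib = re.sub(r"\.(dll|ocx|sys)$", "", lib.lower())
    if isinstance(func, int):
        # Import by ordinal. The reference implementation (pefile) additionally maps
        # well-known ordinals of ws2_32/oleaut32 back to names; that table is omitted here.
        func = f"ord{func}"
    return f"{lib}.{func}".lower()


def imphash(imports) -> str:
    """MD5 over the comma-joined normalized entries, in import-table order (the Mandiant imphash scheme)."""
    entries = [normalize_import(lib, func) for lib, funcs in imports for func in funcs]
    return hashlib.md5(",".join(entries).encode("ascii")).hexdigest()


def categorize(imports) -> dict:
    """Map each capability bucket to the imported API names (by name, not ordinal) that fall into it."""
    imported = {func for _, funcs in imports for func in funcs if isinstance(func, str)}
    return {cat: sorted(imported & apis) for cat, apis in CATEGORIES.items()}


if __name__ == "__main__":
    print("imphash:", imphash(SAMPLE_IMPORTS))
    for cat, names in categorize(SAMPLE_IMPORTS).items():
        print(f"{cat:<22} {', '.join(names) or '-'}")
```

For this table the "dynamic resolution", "keystroke capture" and "network" buckets come back empty: the static import list has no raw-input, hook or socket API and no LoadLibrary/GetProcAddress pair either, so any such capability observed at runtime would have to come from a dropped component or from code that resolves imports without going through this table. That is the kind of gap a bucket report makes visible and an imphash alone does not.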
Language of compilation system  Country where language is spoken
English                         United States
                                      No network behavior found

Target ID: 0
Start time: 18:07:45
Start date: 12/03/2024
Path: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\a2e-enterprise.26.3.3677.2903.exe
Imagebase: 0x400000
File size: 42'987'850 bytes
MD5 hash: 29C3418978DD57C42C7E9530B3AAC3D6
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 18:07:45
Start date: 12/03/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Execution Graph

Execution Coverage: 15.5%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 1%
Total number of Nodes: 2000
Total number of Limit Nodes: 105
                                        execution_graph 13399 417000 13400 417004 13399->13400 13401 417007 VirtualAlloc 13399->13401 13402 414485 13407 4144af 13402->13407 13405 41449a 13408 4144d3 ctype 13407->13408 13412 416ff0 free 13408->13412 13410 41448d 13410->13405 13411 40540c free 13410->13411 13411->13405 13412->13410 13413 4108b7 13414 4108c4 13413->13414 13418 4108d5 13413->13418 13414->13418 13419 4108dc 13414->13419 13420 4108e6 __EH_prolog 13419->13420 13424 410917 13420->13424 13423 40540c free 13423->13418 13425 410921 __EH_prolog 13424->13425 13438 405a24 13425->13438 13428 405a24 ctype 4 API calls 13429 410949 13428->13429 13430 405a24 ctype 4 API calls 13429->13430 13431 410958 13430->13431 13432 405a24 ctype 4 API calls 13431->13432 13433 410967 13432->13433 13434 405a24 ctype 4 API calls 13433->13434 13435 410976 13434->13435 13444 41098e 13435->13444 13439 405a2f 13438->13439 13480 405a4d 13439->13480 13443 405a3f 13443->13428 13445 410998 __EH_prolog 13444->13445 13446 405a24 ctype 4 API calls 13445->13446 13447 4109b3 13446->13447 13448 405a24 ctype 4 API calls 13447->13448 13449 4109c8 13448->13449 13450 405a24 ctype 4 API calls 13449->13450 13451 4109d3 13450->13451 13452 405a24 ctype 4 API calls 13451->13452 13453 4109e8 13452->13453 13454 405a24 ctype 4 API calls 13453->13454 13455 4109f3 13454->13455 13456 405a24 ctype 4 API calls 13455->13456 13457 410a08 13456->13457 13458 405a24 ctype 4 API calls 13457->13458 13459 410a13 13458->13459 13460 405a24 ctype 4 API calls 13459->13460 13461 410a25 13460->13461 13462 405a24 ctype 4 API calls 13461->13462 13463 410a30 13462->13463 13464 405a4d ctype 4 API calls 13463->13464 13465 410a47 13464->13465 13466 405a24 ctype 4 API calls 13465->13466 13467 410a52 13466->13467 13468 405a24 ctype 4 API calls 13467->13468 13469 410a5e 13468->13469 13470 405a4d ctype 4 API calls 13469->13470 13471 410a75 13470->13471 13472 405a24 ctype 4 API calls 13471->13472 13473 410a80 13472->13473 13474 405a24 
ctype 4 API calls 13473->13474 13475 410a8c 13474->13475 13476 405a24 ctype 4 API calls 13475->13476 13477 410a98 13476->13477 13478 405a24 ctype 4 API calls 13477->13478 13479 4108cf 13478->13479 13479->13423 13484 405a62 13480->13484 13483 40540c free 13483->13443 13487 40f75c 13484->13487 13490 40f773 13487->13490 13488 40f7ab 13512 405ba3 13488->13512 13490->13488 13494 40dbb5 13490->13494 13516 40540c free 13490->13516 13495 40dbbf __EH_prolog 13494->13495 13496 405a24 ctype 4 API calls 13495->13496 13497 40dbda 13496->13497 13498 405a24 ctype 4 API calls 13497->13498 13499 40dbe9 13498->13499 13500 405a4d ctype 4 API calls 13499->13500 13501 40dc03 13500->13501 13502 405a24 ctype 4 API calls 13501->13502 13503 40dc0e 13502->13503 13504 405a4d ctype 4 API calls 13503->13504 13505 40dc25 13504->13505 13506 405a24 ctype 4 API calls 13505->13506 13507 40dc30 13506->13507 13517 4092f6 13507->13517 13513 405bb9 13512->13513 13514 405a37 13513->13514 13528 405b57 memmove 13513->13528 13514->13483 13516->13490 13518 409315 13517->13518 13519 40930e 13517->13519 13524 418a70 13518->13524 13523 418b30 SetEvent 13519->13523 13522 40931f 13525 418a76 13524->13525 13526 418a60 WaitForSingleObject 13524->13526 13525->13522 13526->13522 13528->13514 13529 40bba6 13530 40bbb3 13529->13530 13534 40bbc4 13529->13534 13530->13534 13535 40bbcb 13530->13535 13536 40bbd5 __EH_prolog 13535->13536 13550 40540c free 13536->13550 13538 40bc00 13539 405a4d ctype 4 API calls 13538->13539 13540 40bc1b 13539->13540 13541 405a24 ctype 4 API calls 13540->13541 13542 40bc26 13541->13542 13551 40540c free 13542->13551 13544 40bc43 13552 40540c free 13544->13552 13546 40bc4b 13553 40540c free 13546->13553 13548 40bbbe 13549 40540c free 13548->13549 13549->13534 13550->13538 13551->13544 13552->13546 13553->13548 13554 40f5b8 13555 40f5c5 13554->13555 13556 40f5d6 13554->13556 13555->13556 13560 40f5f7 13555->13560 13561 40f601 __EH_prolog 13560->13561 13562 405a4d ctype 4 API calls 
13561->13562 13563 40f625 13562->13563 13564 405a24 ctype 4 API calls 13563->13564 13565 40f630 13564->13565 13566 405a4d ctype 4 API calls 13565->13566 13567 40f647 13566->13567 13568 405a24 ctype 4 API calls 13567->13568 13569 40f652 13568->13569 13573 40d553 13569->13573 13572 40540c free 13572->13556 13574 40d55d __EH_prolog 13573->13574 13575 405a24 ctype 4 API calls 13574->13575 13576 40d573 13575->13576 13577 405a24 ctype 4 API calls 13576->13577 13578 40d57f 13577->13578 13579 405a24 ctype 4 API calls 13578->13579 13580 40d58b 13579->13580 13581 405a24 ctype 4 API calls 13580->13581 13582 40d596 13581->13582 13582->13572 13583 402829 13584 402851 13583->13584 13589 40561c fputs 13584->13589 13586 402858 13590 405634 13586->13590 13588 40285f 13589->13586 13591 40563e __EH_prolog 13590->13591 13602 401e71 13591->13602 13597 405669 13610 40540c free 13597->13610 13599 405671 13611 40540c free 13599->13611 13601 405679 13601->13588 13603 401e8f 13602->13603 13603->13603 13612 4024a3 13603->13612 13606 405a04 13622 405943 13606->13622 13609 40561c fputs 13609->13597 13610->13599 13611->13601 13613 4024b3 13612->13613 13617 401ea5 13612->13617 13618 4053e5 malloc 13613->13618 13617->13606 13619 4053f6 _CxxThrowException 13618->13619 13620 4024bd 13618->13620 13619->13620 13620->13617 13621 40540c free 13620->13621 13621->13617 13623 40594d __EH_prolog 13622->13623 13634 402aeb 13623->13634 13626 405990 WideCharToMultiByte 13628 4059d3 13626->13628 13629 4059be _CxxThrowException 13626->13629 13640 402aac 13628->13640 13629->13628 13631 402aeb 3 API calls 13631->13626 13633 405660 13633->13609 13635 402afb 13634->13635 13639 402b26 13634->13639 13636 4053e5 2 API calls 13635->13636 13637 402b02 13636->13637 13637->13639 13644 40540c free 13637->13644 13639->13626 13639->13628 13639->13631 13641 402aeb 3 API calls 13640->13641 13642 402ac7 13641->13642 13643 40540c free 13642->13643 13643->13633 13644->13639 13645 4144ea 13646 414504 13645->13646 13647 41451e 
13646->13647 13649 416fd0 13646->13649 13650 416fd4 13649->13650 13651 416fd7 malloc 13649->13651 13650->13647 13651->13647 13652 4084cc 13653 4084d9 13652->13653 13654 4084ea 13652->13654 13653->13654 13658 4084f1 13653->13658 13659 4084fb __EH_prolog 13658->13659 13663 417020 13659->13663 13662 40540c free 13662->13654 13664 4084e4 13663->13664 13665 417024 VirtualFree 13663->13665 13664->13662 13665->13664 13666 408b6c 13667 408b7d 13666->13667 13669 408b86 13666->13669 13673 408028 13667->13673 13668 408ba5 13669->13668 13670 408b9b LeaveCriticalSection 13669->13670 13679 407fd5 13669->13679 13670->13668 13674 408031 13673->13674 13675 408038 13673->13675 13674->13669 13684 407664 SetFilePointer 13675->13684 13691 407711 13679->13691 13681 407fed 13682 408004 GetLastError 13681->13682 13683 408000 13682->13683 13683->13670 13685 407697 13684->13685 13686 40768d GetLastError 13684->13686 13687 408004 13685->13687 13686->13685 13688 408008 13687->13688 13689 40800b GetLastError 13687->13689 13688->13674 13690 408015 13689->13690 13690->13674 13692 407722 ReadFile 13691->13692 13693 40771f 13691->13693 13692->13681 13693->13692 13694 419d2c __set_app_type __p__fmode __p__commode 13695 419d9a 13694->13695 13696 419da3 __setusermatherr 13695->13696 13697 419daf 13695->13697 13696->13697 13702 419e5a _controlfp 13697->13702 13699 419db4 _initterm __getmainargs _initterm __p___initenv 13703 404151 13699->13703 13702->13699 13713 4199a0 13703->13713 13705 40415b GetVersionExA 13706 40418c 13705->13706 13714 402517 SetConsoleCtrlHandler 13706->13714 13713->13705 13715 402535 _CxxThrowException 13714->13715 13716 40254a 13714->13716 13715->13716 13717 40117a 13716->13717 13928 4199a0 13717->13928 13719 401184 SetFileApisToOEM 13929 40561c fputs 13719->13929 13721 4011a8 13722 4011b0 GetCommandLineW 13721->13722 13723 401e71 3 API calls 13722->13723 13724 4011cc 13723->13724 13930 4048d3 13724->13930 13728 4011e6 13729 4024a3 3 API calls 13728->13729 13730 4011fa 
13729->13730 13731 4024a3 3 API calls 13730->13731 13732 401211 13731->13732 13953 4067e7 13732->13953 13737 401232 14170 40561c fputs 13737->14170 13738 40125f 14014 40540c free 13738->14014 13741 40123e 14171 40540c free 13741->14171 13742 40126b 14015 401df5 13742->14015 13745 401246 14172 40540c free 13745->14172 13749 401284 14025 404b1c 13749->14025 13751 405a4d ctype 4 API calls 13752 401a60 13751->13752 13753 405a24 ctype 4 API calls 13752->13753 13754 401a6c 13753->13754 13925 40258c SetConsoleCtrlHandler 13754->13925 13755 401a93 14341 40100a 13755->14341 13758 404ac7 4 API calls 13760 401aa7 13758->13760 13759 40129c 13759->13755 13762 4012fc 13759->13762 13766 4012ea 13759->13766 14173 401c2f 13759->14173 14344 40540c free 13760->14344 14176 40101b 13762->14176 14030 401131 13766->14030 13767 405a4d ctype 4 API calls 13769 401ac2 13767->13769 13768 401c2f fputs 13768->13766 13770 405a24 ctype 4 API calls 13769->13770 13770->13754 13772 401341 13773 4024a3 3 API calls 13772->13773 13776 401378 13773->13776 13774 40139b 14038 401e59 13774->14038 13776->13774 13778 401f0c 3 API calls 13776->13778 13778->13774 13781 4013d8 13783 401401 13781->13783 13784 4013e5 _CxxThrowException 13781->13784 13782 4013bc _CxxThrowException 13782->13781 13785 4024a3 3 API calls 13783->13785 13784->13783 13786 401414 13785->13786 13787 401f0c 3 API calls 13786->13787 13788 40144b 13786->13788 13789 401443 13787->13789 14047 401dae 13788->14047 14190 407820 13789->14190 13793 401dae 7 API calls 13794 40148a 13793->13794 13795 4053e5 2 API calls 13794->13795 13796 40149f 13795->13796 14055 40b012 13796->14055 13799 401502 13801 401910 13799->13801 13802 40150c 13799->13802 13800 4014eb _CxxThrowException 13800->13799 14237 4033a7 13801->14237 13803 4053e5 2 API calls 13802->13803 13804 401513 13803->13804 13806 401526 13804->13806 14194 401c7a 13804->14194 14065 401f0c 13806->14065 13809 405a24 ctype 4 API calls 13810 40196d 13809->13810 13812 40197b 13810->13812 13814 401a71 
13810->13814 14336 40561c fputs 13812->14336 13816 401700 13814->13816 13817 401a7c _CxxThrowException 13814->13817 13821 405a4d ctype 4 API calls 13816->13821 13817->13755 13820 401f0c 3 API calls 13823 4015a5 13820->13823 13825 40172f 13821->13825 13822 40199c 13826 4056cd fputs 13822->13826 14072 401b82 13823->14072 13828 405a24 ctype 4 API calls 13825->13828 13829 4019a3 13826->13829 13831 40173b 13828->13831 13832 405a4d ctype 4 API calls 13829->13832 13830 401f0c 3 API calls 13833 4015e9 13830->13833 13834 405a4d ctype 4 API calls 13831->13834 13835 4019c0 13832->13835 13836 4024a3 3 API calls 13833->13836 13837 401750 13834->13837 13838 405a24 ctype 4 API calls 13835->13838 13839 401605 13836->13839 13840 405a24 ctype 4 API calls 13837->13840 13841 4019cc 13838->13841 14080 40b278 13839->14080 13842 40175f 13840->13842 13843 405a4d ctype 4 API calls 13841->13843 14207 40540c free 13842->14207 13845 4019e1 13843->13845 13849 405a24 ctype 4 API calls 13845->13849 13847 401767 14208 40540c free 13847->14208 13852 4019f0 13849->13852 13851 401772 14209 40540c free 13851->14209 14337 40540c free 13852->14337 13853 405a24 ctype 4 API calls 13864 40166c 13853->13864 13856 40177a 13859 405a4d ctype 4 API calls 13856->13859 13857 4019f8 14338 40540c free 13857->14338 13858 401697 13862 4016bf 13858->13862 13876 4017cc 13858->13876 13861 401796 13859->13861 13865 405a24 ctype 4 API calls 13861->13865 13867 4016c6 _CxxThrowException 13862->13867 13868 4016dd 13862->13868 13863 401a03 14339 40540c free 13863->14339 13864->13858 14197 40561c fputs 13864->14197 13872 4017a5 13865->13872 13866 401833 14225 40540c free 13866->14225 13867->13868 14198 40540c free 13868->14198 13871 401690 13879 405634 6 API calls 13871->13879 14210 404ac7 13872->14210 13874 401a0b 13883 405a4d ctype 4 API calls 13874->13883 13881 4017f9 13876->13881 14219 40561c fputs 13876->14219 13877 401842 13885 401d56 free 13877->13885 13879->13858 13881->13866 14224 40561c fputs 13881->14224 13882 
4016e5 14199 401d56 13882->14199 13884 401a27 13883->13884 13890 405a24 ctype 4 API calls 13884->13890 13891 401852 13885->13891 13886 4017f2 14220 4056cd 13886->14220 13896 401a36 13890->13896 14226 40540c free 13891->14226 13894 40182c 13899 4056cd fputs 13894->13899 13901 404ac7 4 API calls 13896->13901 13898 4017bc 13898->13767 13899->13866 13903 401a45 13901->13903 13902 40185d 13906 405a4d ctype 4 API calls 13902->13906 14340 40540c free 13903->14340 13905 40124e 13905->13751 13907 40188c 13906->13907 13908 405a24 ctype 4 API calls 13907->13908 13909 401898 13908->13909 13910 405a4d ctype 4 API calls 13909->13910 13911 4018ad 13910->13911 13912 405a24 ctype 4 API calls 13911->13912 13913 4018bc 13912->13913 14227 40540c free 13913->14227 13915 4018c4 14228 40540c free 13915->14228 13917 4018cf 14229 40540c free 13917->14229 13919 4018d7 14230 401f65 13919->14230 13922 404ac7 4 API calls 13923 4018f8 13922->13923 14236 40540c free 13923->14236 13926 4025a7 _CxxThrowException 13925->13926 13927 4025bc exit _XcptFilter 13925->13927 13926->13927 13928->13719 13929->13721 13931 4048dd __EH_prolog 13930->13931 14345 401ed2 13931->14345 13938 405a4d ctype 4 API calls 13945 404909 13938->13945 13939 4024a3 malloc _CxxThrowException free 13939->13945 13941 401dae 7 API calls 13941->13945 13942 40497e 14374 40540c free 13942->14374 13943 401f0c 3 API calls 13943->13945 13945->13939 13945->13941 13945->13942 13945->13943 13948 40540c free codecvt 13945->13948 14364 404832 13945->14364 13946 404986 14375 40540c free 13946->14375 13948->13945 13949 40498e 14376 40540c free 13949->14376 13951 4011db 13952 40540c free 13951->13952 13952->13728 13954 4067f1 __EH_prolog 13953->13954 13955 406810 GetModuleFileNameW 13954->13955 13956 406844 13954->13956 13958 40683c 13955->13958 13959 40682a 13955->13959 13957 402aeb 3 API calls 13956->13957 13961 406857 13957->13961 13960 40121f 13958->13960 13959->13958 14431 403eab 13959->14431 13973 406f29 13960->13973 14435 40679d 
GetModuleFileNameA 13961->14435 13965 406893 14452 40540c free 13965->14452 13966 406868 AreFileApisANSI 14439 40589c 13966->14439 13970 401f0c 3 API calls 13971 40688b 13970->13971 14451 40540c free 13971->14451 13974 406f33 __EH_prolog 13973->13974 13975 406fe0 13974->13975 13976 406f55 13974->13976 13977 402aeb 3 API calls 13975->13977 13978 406f6a GetFullPathNameW 13976->13978 13980 4024a3 3 API calls 13976->13980 13979 406ff3 13977->13979 13984 40122e 13978->13984 14458 406aea 13979->14458 13980->13978 13984->13737 13984->13738 13987 407029 13988 40703e 13987->13988 13989 40702e 13987->13989 14475 407165 13988->14475 14474 40540c free 13989->14474 13996 407066 14482 407144 13996->14482 13999 4069f5 6 API calls 14000 407083 13999->14000 14485 40540c free 14000->14485 14002 40708f 14486 40722a 14002->14486 14005 401f0c 3 API calls 14006 4070b0 14005->14006 14496 40540c free 14006->14496 14008 4070b8 14497 40540c free 14008->14497 14010 4070c0 14498 40540c free 14010->14498 14012 4070c8 14499 40540c free 14012->14499 14014->13742 14016 401e0c 14015->14016 14019 401e46 14016->14019 14020 40540c free codecvt 14016->14020 14017 405ba3 memmove 14018 401277 14017->14018 14021 4049a7 14018->14021 14019->14017 14020->14016 14022 4049b1 __EH_prolog 14021->14022 14023 4053e5 2 API calls 14022->14023 14024 4049e9 14023->14024 14024->13749 14026 404b39 14025->14026 14028 404b7f 14025->14028 14027 401dae 7 API calls 14026->14027 14026->14028 14519 404b86 14026->14519 14027->14026 14028->13759 14031 40113b __EH_prolog 14030->14031 14032 401e71 3 API calls 14031->14032 14033 40114f 14032->14033 14548 401098 14033->14548 14037 40116a 14037->13772 14039 4024a3 3 API calls 14038->14039 14040 4013a6 14039->14040 14041 407492 14040->14041 14042 40749c __EH_prolog 14041->14042 14724 40729b 14042->14724 14048 401db8 __EH_prolog 14047->14048 14049 4053e5 2 API calls 14048->14049 14050 401dc3 14049->14050 14051 401dda 14050->14051 14052 401ed2 3 API calls 14050->14052 14053 40bfe5 7 
API calls 14051->14053 14052->14051 14054 40147e 14053->14054 14054->13793 14056 40b01c __EH_prolog 14055->14056 14057 405a4d ctype 4 API calls 14056->14057 14058 40b02b 14057->14058 14060 403eab 3 API calls 14058->14060 14064 4014e7 14058->14064 14772 40b0b3 14058->14772 14775 40ae16 14058->14775 14802 40b153 14058->14802 14810 40236d 14058->14810 14060->14058 14064->13799 14064->13800 14066 401f18 14065->14066 14068 40155b 14065->14068 14067 4024a3 3 API calls 14066->14067 14067->14068 14069 401c02 14068->14069 14070 4024a3 3 API calls 14069->14070 14071 40157e 14070->14071 14071->13820 14073 401b8c __EH_prolog 14072->14073 14074 4024a3 3 API calls 14073->14074 14075 401bb0 14074->14075 14076 4024a3 3 API calls 14075->14076 14077 401bc8 14076->14077 14862 401be7 14077->14862 14081 40b282 __EH_prolog 14080->14081 14865 40beeb 14081->14865 14083 40b361 14084 4053e5 2 API calls 14083->14084 14086 40b36b 14084->14086 14085 401e59 3 API calls 14095 40b2c1 14085->14095 14091 40b37e 14086->14091 14949 40b9f9 14086->14949 14087 407492 12 API calls 14087->14095 14089 40b382 _CxxThrowException 14090 40b397 _CxxThrowException 14089->14090 14090->14091 14097 40b423 14091->14097 14128 40b45a 14091->14128 14092 40b772 14098 405a24 ctype 4 API calls 14092->14098 14094 401e59 3 API calls 14094->14128 14095->14083 14095->14085 14095->14087 14095->14089 14095->14090 14945 40d665 14095->14945 14948 40540c free 14095->14948 14101 405a24 ctype 4 API calls 14097->14101 14100 40b7e4 14098->14100 14099 407492 12 API calls 14099->14128 14102 401d56 free 14100->14102 14104 40b443 14101->14104 14105 40165a 14102->14105 14103 40b806 _CxxThrowException 14106 40b81b _CxxThrowException 14103->14106 14107 401d56 free 14104->14107 14105->13853 14109 40b830 14106->14109 14107->14105 14108 401f0c malloc _CxxThrowException free 14108->14128 14971 40540c free 14109->14971 14111 405a24 ctype 4 API calls 14112 40b9e3 14111->14112 14114 401d56 free 14112->14114 14114->14105 14115 405a4d ctype 4 API 
calls 14115->14128 14118 40b852 14119 405a24 ctype 4 API calls 14118->14119 14120 40b85e 14119->14120 14121 403dcd 4 API calls 14120->14121 14122 40b86d 14121->14122 14972 40540c free 14122->14972 14124 40b891 14125 405a24 ctype 4 API calls 14124->14125 14127 40b89d 14125->14127 14126 405a24 ctype 4 API calls 14126->14128 14129 403dcd 4 API calls 14127->14129 14128->14092 14128->14094 14128->14099 14128->14103 14128->14106 14128->14108 14128->14109 14128->14115 14128->14118 14128->14124 14128->14126 14131 4024a3 3 API calls 14128->14131 14134 40b8ce 14128->14134 14136 40b90b 14128->14136 14144 405ba3 memmove 14128->14144 14151 40b952 14128->14151 14152 40b994 14128->14152 14154 40540c free codecvt 14128->14154 14873 403cf9 14128->14873 14879 40e5b2 14128->14879 14884 40d240 14128->14884 14887 40568c fputc 14128->14887 14888 403d71 14128->14888 14892 40bca7 14128->14892 14961 403dcd 14128->14961 14130 40b8ac 14129->14130 14973 40540c free 14130->14973 14131->14128 14135 405a24 ctype 4 API calls 14134->14135 14137 40b8da 14135->14137 14975 40540c free 14136->14975 14139 403dcd 4 API calls 14137->14139 14141 40b8e9 14139->14141 14140 40b913 14143 405a24 ctype 4 API calls 14140->14143 14974 40540c free 14141->14974 14146 40b920 14143->14146 14144->14128 14147 403dcd 4 API calls 14146->14147 14148 40b92f 14147->14148 14976 40540c free 14148->14976 14977 40540c free 14151->14977 14979 40540c free 14152->14979 14154->14128 14156 40b95a 14158 405a24 ctype 4 API calls 14156->14158 14157 40b999 14160 405a24 ctype 4 API calls 14157->14160 14159 40b967 14158->14159 14161 403dcd 4 API calls 14159->14161 14162 40b9a6 14160->14162 14163 40b976 14161->14163 14164 403dcd 4 API calls 14162->14164 14978 40540c free 14163->14978 14166 40b9b5 14164->14166 14980 40540c free 14166->14980 14167 40b838 14167->14111 14170->13741 14171->13745 14172->13905 14174 40100a fputs 14173->14174 14175 401c34 14174->14175 14177 401025 __EH_prolog 14176->14177 14178 401ed2 3 API calls 14177->14178 
14179 401035 14178->14179 16658 405778 14179->16658 14182 4024a3 3 API calls 14183 401055 14182->14183 16675 404e85 14183->16675 14187 40107e 16691 40540c free 14187->16691 14189 401086 14189->13766 14189->13768 14191 407840 14190->14191 14192 40782b 14190->14192 14191->13788 14192->14191 14193 404f4a 3 API calls 14192->14193 14193->14191 14195 4024a3 3 API calls 14194->14195 14196 401ca1 14195->14196 14196->13806 14197->13871 14198->13882 16699 40540c free 14199->16699 14201 401d61 16700 40540c free 14201->16700 14203 401d69 16701 40540c free 14203->16701 14205 4016f5 14206 40540c free 14205->14206 14206->13816 14207->13847 14208->13851 14209->13856 14211 404ad1 __EH_prolog 14210->14211 14212 404aea 14211->14212 16702 404a41 14211->16702 14214 405a4d ctype 4 API calls 14212->14214 14215 404b04 14214->14215 14216 405a24 ctype 4 API calls 14215->14216 14217 4017b4 14216->14217 14218 40540c free 14217->14218 14218->13898 14219->13886 14221 4056e7 14220->14221 16718 40561c fputs 14221->16718 14223 4056f2 14223->13881 14224->13894 14225->13877 14226->13902 14227->13915 14228->13917 14229->13919 14231 401f6f __EH_prolog 14230->14231 14232 405a4d ctype 4 API calls 14231->14232 14233 401f85 14232->14233 14234 405a24 ctype 4 API calls 14233->14234 14235 4018e9 14234->14235 14235->13922 14236->13905 14238 4033b1 __EH_prolog 14237->14238 14332 4033ef 14238->14332 16719 402b9a 14238->16719 14240 401e59 3 API calls 14240->14332 14241 403ae9 14242 405a4d ctype 4 API calls 14241->14242 14245 403b06 14242->14245 14243 407492 12 API calls 14243->14332 14244 403a7b 14244->14241 16841 402db0 14244->16841 14246 405a24 ctype 4 API calls 14245->14246 14247 40195b 14246->14247 14247->13809 14249 403a9e 14253 4031d3 8 API calls 14249->14253 14250 403cf9 3 API calls 14250->14332 14251 401c02 3 API calls 14251->14332 14252 405634 6 API calls 14252->14332 14255 403ac6 14253->14255 14254 401f0c 3 API calls 14254->14332 16846 40561c fputs 14255->16846 14256 40d240 89 API calls 14256->14332 
[Execution graph residue (flattened node and edge list of the sandbox call graph, not readable as text). Recoverable information: the graph covers function addresses from 0x40101a up to 0x418b70 in the sample, with C/C++ runtime helpers (__EH_prolog, ctype, codecvt, malloc, free, memcpy, memmove, fputs, fputc, _CxxThrowException) and the following Windows API calls reached from them: AreFileApisANSI, CharUpperA, CharUpperW, CreateDirectoryA, CreateDirectoryW, CreateFileA, CreateFileW, FindClose, FindCloseChangeNotification, FindFirstFileA, FindFirstFileW, FormatMessageA, GetFullPathNameA, GetLastError, InitializeCriticalSection, lstrlenA, MultiByteToWideChar, SetEvent, SetFileAttributesA, SetFileAttributesW, SetFileTime, SetLastError, SysAllocString, SysFreeString, VariantClear, WaitForSingleObject, WideCharToMultiByte.]
16739 40d30b __EH_prolog 16738->16739 16740 40d326 16739->16740 16741 40d42b 16739->16741 16742 40d431 16740->16742 16745 40d335 16740->16745 16746 40d3df 16740->16746 16741->16742 16743 40d43f 16741->16743 16911 407b12 16742->16911 16744 4024a3 3 API calls 16743->16744 16748 40d452 16744->16748 16750 40d367 16745->16750 16751 40d33a 16745->16751 16749 40d401 16746->16749 16755 40d3ef FileTimeToLocalFileTime 16746->16755 16753 40d467 16748->16753 16757 404f4a 3 API calls 16748->16757 16756 4024a3 3 API calls 16749->16756 16750->16742 16754 40d371 16750->16754 16751->16742 16762 40d34c 16751->16762 16752 40d362 16752->14332 16760 40d479 16753->16760 16764 404f4a 3 API calls 16753->16764 16758 40d3a4 16754->16758 16759 40d37c 16754->16759 16755->16749 16761 40d417 16755->16761 16756->16752 16757->16753 16766 40d3d3 16758->16766 16767 40d3ab 16758->16767 16897 40d4fe 16759->16897 16765 40d48c 16760->16765 16771 404f4a 3 API calls 16760->16771 16901 407ab8 16761->16901 16774 401e71 3 API calls 16762->16774 16764->16760 16773 40d49f 16765->16773 16777 404f4a 3 API calls 16765->16777 16769 40d4fe 3 API calls 16766->16769 16772 40d4fe 3 API calls 16767->16772 16769->16752 16771->16765 16776 40d3b6 16772->16776 16778 40d4b2 16773->16778 16779 404f4a 3 API calls 16773->16779 16774->16752 16775 40ac23 3 API calls 16781 40d39c 16775->16781 16782 40ac23 3 API calls 16776->16782 16777->16773 16780 40d4c5 16778->16780 16783 404f4a 3 API calls 16778->16783 16779->16778 16784 40d4d7 16780->16784 16785 404f4a 3 API calls 16780->16785 16931 40540c free 16781->16931 16782->16781 16783->16780 16786 401ed2 3 API calls 16784->16786 16785->16784 16786->16781 16789 402d39 16788->16789 16790 401e71 3 API calls 16789->16790 16791 402d6d 16790->16791 16791->14332 16795 402d7f 16792->16795 16796 402dac 16792->16796 16795->16796 16946 402b39 16795->16946 16950 402b51 16795->16950 16796->14332 16798 402c50 __EH_prolog 16797->16798 16799 405a4d ctype 4 API calls 16798->16799 16801 402c5e 
16799->16801 16800 402d01 16800->14332 16801->16800 16802 402d14 SysFreeString 16801->16802 16803 402c21 3 API calls 16801->16803 16804 402d27 3 API calls 16801->16804 16805 401f0c 3 API calls 16801->16805 16807 40400c 7 API calls 16801->16807 16959 40540c free 16801->16959 16960 40540c free 16801->16960 16802->16800 16803->16801 16804->16801 16805->16801 16807->16801 16809 402cf1 SysFreeString 16809->16800 16809->16801 16830 402e88 __EH_prolog 16810->16830 16811 4030c0 16811->14332 16812 4024a3 3 API calls 16812->16830 16813 40c4d8 5 API calls 16813->16830 16814 4030d8 16815 40793d VariantClear 16814->16815 16815->16811 16816 4030d3 16971 40540c free 16816->16971 16817 40786e SysAllocString VariantClear 16817->16830 16820 4030e9 _CxxThrowException 16821 402b39 fputc 16821->16830 16822 40c5f8 VariantClear 16822->16830 16823 40d301 8 API calls 16823->16830 16824 401e71 3 API calls 16824->16830 16825 40793d VariantClear 16825->16830 16826 405634 6 API calls 16826->16830 16827 40561c fputs 16827->16830 16828 40540c free codecvt 16828->16830 16829 402b51 7 API calls 16829->16830 16830->16811 16830->16812 16830->16813 16830->16814 16830->16816 16830->16817 16830->16820 16830->16821 16830->16822 16830->16823 16830->16824 16830->16825 16830->16826 16830->16827 16830->16828 16830->16829 16961 402dfe 16830->16961 16833 4031dd __EH_prolog 16831->16833 16832 402b39 fputc 16832->16833 16833->16832 16835 401e71 malloc _CxxThrowException free 16833->16835 16836 402b51 7 API calls 16833->16836 16837 40793d VariantClear 16833->16837 16838 40330d 16833->16838 16840 403f0a malloc _CxxThrowException free 16833->16840 16973 403163 16833->16973 16981 40540c free 16833->16981 16835->16833 16836->16833 16837->16833 16838->14332 16840->16833 16842 402dea 16841->16842 16844 402dbb 16841->16844 16842->14249 16843 402b39 fputc 16843->16844 16844->16842 16844->16843 16983 40568c fputc 16844->16983 16846->14258 16848 4056bd 16847->16848 16984 40561c fputs 16848->16984 16850 4056c8 16850->14241 
16851->14262 16852->14267 16854 403fde __EH_prolog 16853->16854 16855 405a4d ctype 4 API calls 16854->16855 16856 403ff4 16855->16856 16857 405a24 ctype 4 API calls 16856->16857 16858 403fff 16857->16858 16858->14247 16859->14275 16860->14282 16861->14297 16862->14274 16863->14281 16864->14297 16865->14290 16866->14296 16867->14297 16868->14307 16869->14315 16870->14320 16871->14297 16872->14317 16873->14322 16874->14329 16875->14297 16877 4024a3 3 API calls 16876->16877 16878 402c38 16877->16878 16878->16723 16880 404016 __EH_prolog 16879->16880 16881 4053e5 2 API calls 16880->16881 16882 404021 16881->16882 16883 404038 16882->16883 16888 4040d0 16882->16888 16885 40bfe5 7 API calls 16883->16885 16886 404044 16885->16886 16886->16723 16887->16723 16889 401ed2 3 API calls 16888->16889 16890 4040e8 16889->16890 16890->16883 16892 402950 16891->16892 16893 40691b 16891->16893 16892->16734 16894 4068b0 3 API calls 16893->16894 16895 406925 LocalFree 16894->16895 16895->16892 16896->16737 16898 40d516 16897->16898 16899 401e71 3 API calls 16898->16899 16900 40d387 16899->16900 16900->16775 16902 407ac2 __EH_prolog 16901->16902 16932 4079c5 FileTimeToSystemTime 16902->16932 16904 407ade 16905 4070e6 3 API calls 16904->16905 16906 407aea 16905->16906 16934 4069e0 16906->16934 16910 407b00 16910->16752 16912 407b86 16911->16912 16913 407b26 16911->16913 16917 407b80 16912->16917 16919 407b91 16912->16919 16920 407b5f 16912->16920 16914 407b28 16913->16914 16913->16917 16915 407b2c 16914->16915 16916 407b6d 16914->16916 16915->16920 16921 407b33 16915->16921 16918 4024a3 3 API calls 16916->16918 16942 407beb 16917->16942 16928 407b5a 16918->16928 16919->16917 16923 407b94 16919->16923 16938 407c18 16920->16938 16925 407b3d 16921->16925 16926 407b99 _CxxThrowException 16921->16926 16923->16926 16927 407bae 16923->16927 16930 401e71 3 API calls 16925->16930 16926->16927 16929 407ab8 6 API calls 16927->16929 16928->16752 16929->16928 16930->16928 16931->16752 16933 4079e0 
16932->16933 16933->16904 16935 40589c 5 API calls 16934->16935 16936 4069f0 16935->16936 16937 40540c free 16936->16937 16937->16910 16939 407c33 16938->16939 16940 401e71 3 API calls 16939->16940 16941 407c3e 16940->16941 16941->16928 16943 407c06 16942->16943 16944 401e71 3 API calls 16943->16944 16945 407c11 16944->16945 16945->16928 16947 402b4f 16946->16947 16948 402b3d 16946->16948 16947->16795 16948->16947 16958 40568c fputc 16948->16958 16951 402b65 16950->16951 16952 402b39 fputc 16951->16952 16953 402b7f 16952->16953 16954 405634 6 API calls 16953->16954 16955 402b8b 16954->16955 16956 402b39 fputc 16955->16956 16957 402b94 16956->16957 16957->16795 16958->16948 16959->16801 16960->16809 16962 402e20 16961->16962 16963 402e0b _CxxThrowException 16961->16963 16964 402e61 16962->16964 16965 402e2e FileTimeToLocalFileTime 16962->16965 16963->16962 16972 40561c fputs 16964->16972 16966 402e52 16965->16966 16967 402e3d _CxxThrowException 16965->16967 16969 4079c5 FileTimeToSystemTime 16966->16969 16967->16966 16969->16964 16970 402e7b 16970->16830 16971->16814 16972->16970 16974 40316d __EH_prolog 16973->16974 16975 401e71 3 API calls 16974->16975 16976 4031a8 16975->16976 16977 402b51 7 API calls 16976->16977 16978 4031b9 16977->16978 16982 40540c free 16978->16982 16980 4031c1 16980->16833 16981->16833 16982->16980 16983->16844 16984->16850 16985->14343

                                        Control-flow Graph

                                        Control-flow graph for the function at 0040729B (executed/not-executed block colouring and edge-list rendering data omitted). Entry block 0040729B-004072B5 calls 004199A0 and 0040727B (which calls FindClose), then either exits through 00407354-00407360 or continues to 004072BB-004072C2, which branches: one path (004072C4-004072D9) calls FindFirstFileW and then either 00407363 or the join block; the other path (004072EB-0040733C) calls 00401E71, AreFileApisANSI, 00405A04 and FindFirstFileA, frees two buffers via 0040540C, and optionally calls 004073C5 (0040733E-00407347). Both paths join at 0040734C-00407351 and return through 00407354-00407360.
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 004072A0
                                          • Part of subcall function 0040727B: FindClose.KERNELBASE(00000000,?,004072B3,00000000), ref: 00407286
                                        • FindFirstFileW.KERNELBASE(?,?,00000000), ref: 004072CE
                                        • AreFileApisANSI.KERNEL32(?,00000000), ref: 004072FA
                                        • FindFirstFileA.KERNEL32(?,?,00000001), ref: 0040731B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID: FileFind$First$ApisCloseH_prolog
                                        • String ID:
                                        • API String ID: 4121580741-0
                                        • Opcode ID: 5c3926ebc48c721fdce823b9a54e600e3ca16dbec11882dde2ac97a4a5634cf2
                                        • Instruction ID: c18351d92dbe26744bc10dadc26f85e170059a6449482e44c1ef4992d28b18b4
                                        • Opcode Fuzzy Hash: 5c3926ebc48c721fdce823b9a54e600e3ca16dbec11882dde2ac97a4a5634cf2
                                        • Instruction Fuzzy Hash: 1121AE71804209DBCF14EF60C845ADEBB74EF04328F10436EE861A21D1CB38AA85DB59
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source / Joe Sandbox IDA Plugin: same dump (00000000.00000002.1816056065.0000000000401000, offset 00400000, based on PE) and same snapshot file (hcaresult_0_2_400000_a2e-enterprise.jbxd) as the first entry above.
                                        Similarity
                                        • API ID: H_prologVersion
                                        • String ID:
                                        • API String ID: 1836448879-0
                                        • Opcode ID: 47cb9441f001fc510186d2f1fbe4dca210325c07bb1e5254520bf53accf4a332
                                        • Instruction ID: 29164d621a4e179869cae3949537221d291e262eae215510eaaefc1c74ca3229
                                        • Opcode Fuzzy Hash: 47cb9441f001fc510186d2f1fbe4dca210325c07bb1e5254520bf53accf4a332
                                        • Instruction Fuzzy Hash: 3801DFB1A00204EBCB20DBA4E9197DEBBB4FF44398F0042ABD401B72C1C3780A49CA69
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        Control-flow graph for the function at 0040117A (executed/not-executed block colouring and edge-list rendering data omitted). The entry block 0040117A-00401230 calls 004199A0, SetFileApisToOEM, 0040561C (fputs), 00402488, GetCommandLineW, 00401E71, 004048D3, 0040540C (free), 004024A3 twice, 004067E7 (GetModuleFileNameW) and 00406F29 (GetFullPathNameW). The body then runs through 00407492, 004053E5 (malloc), 0040B012 and 0040B278, with _CxxThrowException raised at 004013BC, 004013E5, 004014EB, 004016C6 and 00401A7C and console output emitted through 00405607, 0040561C, 00405634 and 004056CD. All paths converge on 00401A58-00401A6F and leave through 00401AD0-00401ADE.
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0040117F
                                        • SetFileApisToOEM.KERNEL32 ref: 00401190
                                          • Part of subcall function 0040561C: fputs.MSVCRT ref: 00405626
                                        • GetCommandLineW.KERNEL32 ref: 004011BD
                                          • Part of subcall function 004048D3: __EH_prolog.LIBCMT ref: 004048D8
                                          • Part of subcall function 0040540C: free.MSVCRT(?,004024E3,?,?,?,00000000,00401EA5,?,z @,00423400,00000000,?,?,004011CC,00000000), ref: 00405410
                                          • Part of subcall function 004067E7: __EH_prolog.LIBCMT ref: 004067EC
                                          • Part of subcall function 004067E7: GetModuleFileNameW.KERNEL32(?,?,00000105,z @,00423400,00000000), ref: 0040681D
                                          • Part of subcall function 00406F29: __EH_prolog.LIBCMT ref: 00406F2E
                                          • Part of subcall function 00406F29: GetFullPathNameW.KERNEL32(?,00000105,00000000,?,z @,00423400,00000000), ref: 00406F79
                                        • _CxxThrowException.MSVCRT(?,0041DDD8), ref: 004013D3
                                        • _CxxThrowException.MSVCRT(?,0041DDD8), ref: 004013FC
                                        Memory Dump Source / Joe Sandbox IDA Plugin: same dump (00000000.00000002.1816056065.0000000000401000, offset 00400000, based on PE) and same snapshot file (hcaresult_0_2_400000_a2e-enterprise.jbxd) as the first entry above.
                                        Similarity
                                        • API ID: H_prolog$ExceptionFileNameThrow$ApisCommandFullLineModulePathfputsfree
                                        • String ID: "$Archive Errors: $Error: $Errors: $GetFullPathName Error$Sub items Errors: $jq$x B$z @
                                        • API String ID: 3265642719-1150129021
                                        • Opcode ID: c773df35222393fd28ddaca40b2e66891401fc39d32c85b300611b74e3c6c18c
                                        • Instruction ID: 534f0a68ab572439674a15718fc533e9b748ce036701bf02642d9f7af2b2015a
                                        • Opcode Fuzzy Hash: c773df35222393fd28ddaca40b2e66891401fc39d32c85b300611b74e3c6c18c
                                        • Instruction Fuzzy Hash: 72528A70D01258DADF11EFA5C895BDEBBB0AF14308F1441AEE449772D2DB781A89CF29
                                        Uniqueness

                                        Uniqueness Score: -1.00%
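The two entries above (the FindFirstFileW/FindFirstFileA wrapper at 0040729B and the entry point at 0040117A) are only useful for triage once the API lines, call-site addresses and fuzzy hashes are pulled out of the report text. The following parser is an added example written for this page; it is not part of the Joe Sandbox report or of the analysed sample. `SAMPLE` is a trimmed excerpt of those two entries embedded as constructed input, and the record fields (`locus`, `direct`, `subcall`) are names chosen here, not Joe Sandbox terminology. The two queries show what the entries already tell you: the first function calls both the W and the A variant of FindFirstFile (the run-time code-page selection guarded by AreFileApisANSI), and the entry point has two C++ throw sites.

```python
"""Parse the per-function "APIs" / "Similarity" entries of a Joe Sandbox
report into records and run two triage queries over them.  Added example,
not part of the report or of the sample's code; SAMPLE is a trimmed excerpt
of two entries from this page, embedded as constructed input."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One API line: optional "Part of subcall function XXXXXXXX:" prefix, then
# Name.MODULE, optional "(args)", then "ref: <call-site address>".
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]{8})\s*$"
)
SECTIONS = {"Control-flow Graph", "APIs", "Strings", "Memory Dump Source",
            "Joe Sandbox IDA Plugin", "Similarity", "Uniqueness"}


@dataclass
class ApiCall:
    name: str
    module: str
    ref: str                 # call-site address
    subcall: Optional[str]   # callee address when the call sits inside a subcall

    @property
    def direct(self) -> bool:
        return self.subcall is None


@dataclass
class FuncEntry:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    meta: Dict[str, str] = field(default_factory=dict)  # Similarity key/values

    def locus(self) -> Optional[str]:
        """Lowest direct call-site address (the report lists __EH_prolog first)."""
        refs = [c.ref for c in self.apis if c.direct]
        return min(refs) if refs else None


def parse_entries(text: str) -> List[FuncEntry]:
    entries: List[FuncEntry] = []
    cur, section = FuncEntry(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
        elif line.startswith("Uniqueness Score"):   # closes one entry
            entries.append(cur)
            cur, section = FuncEntry(), None
        elif line.startswith("•") and section == "APIs":
            m = API_RE.match(line)
            if m:
                cur.apis.append(ApiCall(m["name"], m["module"], m["ref"], m["sub"]))
        elif line.startswith("•") and section == "Similarity":
            key, _, value = line[1:].partition(":")
            key, value = key.strip(), value.strip()
            cur.meta[key] = value
            if key == "String ID":                 # '$' separates the strings
                cur.strings = [s for s in value.split("$") if s]
    if cur.apis or cur.meta:
        entries.append(cur)
    return entries


def ansi_unicode_pairs(entry: FuncEntry) -> List[str]:
    """APIs the function itself calls in both W and A form, i.e. it picks the
    code-page path at run time (FindFirstFile, guarded by AreFileApisANSI)."""
    direct = {c.name for c in entry.apis if c.direct}
    return sorted(n[:-1] for n in direct if n.endswith("W") and n[:-1] + "A" in direct)


def throw_sites(entry: FuncEntry) -> List[str]:
    """Call sites of _CxxThrowException inside the function body itself."""
    return sorted(c.ref for c in entry.apis if c.direct and c.name == "_CxxThrowException")


SAMPLE = """\
APIs
• __EH_prolog.LIBCMT ref: 004072A0
  • Part of subcall function 0040727B: FindClose.KERNELBASE(00000000,?,004072B3,00000000), ref: 00407286
• FindFirstFileW.KERNELBASE(?,?,00000000), ref: 004072CE
• AreFileApisANSI.KERNEL32(?,00000000), ref: 004072FA
• FindFirstFileA.KERNEL32(?,?,00000001), ref: 0040731B
Similarity
• API ID: FileFind$First$ApisCloseH_prolog
• String ID:
• API String ID: 4121580741-0
• Instruction Fuzzy Hash: 1121AE71804209DBCF14EF60C845ADEBB74EF04328F10436EE861A21D1CB38AA85DB59
Uniqueness
Uniqueness Score: -1.00%
APIs
• __EH_prolog.LIBCMT ref: 0040117F
• SetFileApisToOEM.KERNEL32 ref: 00401190
  • Part of subcall function 0040561C: fputs.MSVCRT ref: 00405626
• GetCommandLineW.KERNEL32 ref: 004011BD
  • Part of subcall function 004067E7: GetModuleFileNameW.KERNEL32(?,?,00000105,z @,00423400,00000000), ref: 0040681D
  • Part of subcall function 00406F29: GetFullPathNameW.KERNEL32(?,00000105,00000000,?,z @,00423400,00000000), ref: 00406F79
• _CxxThrowException.MSVCRT(?,0041DDD8), ref: 004013D3
• _CxxThrowException.MSVCRT(?,0041DDD8), ref: 004013FC
Strings
Similarity
• API ID: H_prolog$ExceptionFileNameThrow$ApisCommandFullLineModulePathfputsfree
• String ID: "$Archive Errors: $Error: $Errors: $GetFullPathName Error$Sub items Errors: $jq$x B$z @
• API String ID: 3265642719-1150129021
Uniqueness
Uniqueness Score: -1.00%
"""

if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(e.locus(), "W/A pairs:", ansi_unicode_pairs(e),
              "throws at:", throw_sites(e), "strings:", e.strings)
```

Calls reported as "Part of subcall function" are kept but marked indirect, so a query such as `ansi_unicode_pairs` only credits a function with behaviour in its own body; the String ID field is split on the `$` separator the report uses, which is why the first extracted string of the entry-point function is the lone `"` literal.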

                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0040E7BF
                                          • Part of subcall function 004115B7: __EH_prolog.LIBCMT ref: 004115BC
                                          • Part of subcall function 00418B70: InitializeCriticalSection.KERNEL32 ref: 00418B9E
                                        • DeleteCriticalSection.KERNEL32(?), ref: 0040E9FA
                                          • Part of subcall function 004053E5: malloc.MSVCRT ref: 004053EB
                                          • Part of subcall function 004053E5: _CxxThrowException.MSVCRT(?,0041E930), ref: 00405405
                                        • SysFreeString.OLEAUT32(?), ref: 0040EC94
                                        • DeleteCriticalSection.KERNEL32(?), ref: 0040ED82
                                        • DeleteCriticalSection.KERNEL32(?), ref: 0040EDED
                                        • DeleteCriticalSection.KERNEL32(?), ref: 0040EE49
                                        • DeleteCriticalSection.KERNEL32(?), ref: 0040EF9B
                                        • DeleteCriticalSection.KERNEL32(?), ref: 0040EFF2
                                        • DeleteCriticalSection.KERNEL32(?), ref: 0040F049
                                          • Part of subcall function 0040540C: free.MSVCRT(?,004024E3,?,?,?,00000000,00401EA5,?,z @,00423400,00000000,?,?,004011CC,00000000), ref: 00405410
                                        • SysFreeString.OLEAUT32(?), ref: 0040F072
                                        • DeleteCriticalSection.KERNEL32(?), ref: 0040F0AE
                                          • Part of subcall function 0040915E: memmove.MSVCRT ref: 0040918B
                                        • SysFreeString.OLEAUT32(?), ref: 0040F0E8
                                        • DeleteCriticalSection.KERNEL32(?), ref: 0040F124
                                        • DeleteCriticalSection.KERNEL32(?,?,?,00000004,00000004), ref: 0040F19F
                                        • DeleteCriticalSection.KERNEL32(?), ref: 0040F22F
                                        Memory Dump Source / Joe Sandbox IDA Plugin: same dump (00000000.00000002.1816056065.0000000000401000, offset 00400000, based on PE) and same snapshot file (hcaresult_0_2_400000_a2e-enterprise.jbxd) as the first entry above.
                                        Similarity
                                        • API ID: CriticalSection$Delete$FreeString$H_prolog$ExceptionInitializeThrowfreemallocmemmove
                                        • String ID: (
                                        • API String ID: 527550986-3887548279
                                        • Opcode ID: 446a92fe0d9b6d5ff2eab511201c66791821879c076ca17a6dd6603e8f85bc05
                                        • Instruction ID: d6e78a68a9d5be5bacde93fdad0885ae2f5ebf8ff8468a999ab200fed8580cea
                                        • Opcode Fuzzy Hash: 446a92fe0d9b6d5ff2eab511201c66791821879c076ca17a6dd6603e8f85bc05
                                        • Instruction Fuzzy Hash: 54824B74D00249DFCF11DFA5C884ADDBBB0BF18308F1484AEE459A7291CB78AA89DF55
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source / Joe Sandbox IDA Plugin: same dump (00000000.00000002.1816056065.0000000000401000, offset 00400000, based on PE) and same snapshot file (hcaresult_0_2_400000_a2e-enterprise.jbxd) as the first entry above.
                                        Similarity
                                        • API ID: _initterm$FilterXcpt__getmainargs__p___initenv__p__commode__p__fmode__set_app_type__setusermatherrexit
                                        • String ID: P B$P B
                                        • API String ID: 167530163-3583781393
                                        • Opcode ID: bca006545a28d04027b3fc903f0605031a812510328e61349f35a91f96ca5743
                                        • Instruction ID: f1c1613c88e361827a60ee2d6430e86b491c058f9a061bab899c927fc7155da6
                                        • Opcode Fuzzy Hash: bca006545a28d04027b3fc903f0605031a812510328e61349f35a91f96ca5743
                                        • Instruction Fuzzy Hash: 40314BB5E00305EFDB14DFA0EC45AD97B78FB08724F60812AF512A32E0DB786941CB28
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        Control-flow graph for the code range starting at 004012A9, a second view of the function at 0040117A (executed/not-executed block colouring and edge-list rendering data omitted). From 004012A9 onward the block structure is the same as in the graph above: calls to 00404E78, 00401E59/00407492, 004053E5 (malloc), 0040B012 and 0040B278; _CxxThrowException raised at 004013BC, 004013E5, 004014EB, 004016C6 and 00401A7C; console output through 00405607, 0040561C, 00405634 and 004056CD; convergence on 00401A58-00401A6F and exit through 00401AD0-00401ADE.
                                        APIs
                                        • _CxxThrowException.MSVCRT(?,0041DDD8), ref: 004013D3
                                        • _CxxThrowException.MSVCRT(?,0041DDD8), ref: 004013FC
                                          • Part of subcall function 00401DAE: __EH_prolog.LIBCMT ref: 00401DB3
                                          • Part of subcall function 004053E5: malloc.MSVCRT ref: 004053EB
                                          • Part of subcall function 004053E5: _CxxThrowException.MSVCRT(?,0041E930), ref: 00405405
                                        • _CxxThrowException.MSVCRT(?,0041DDC8), ref: 004014FD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID: ExceptionThrow$H_prologmalloc
                                        • String ID: "$Error: $jq$x B$z @
                                        • API String ID: 3044594480-687722055
                                        • Opcode ID: 105abb600226d0131ef9453cca30999543467e489297b96e2f3d0d5a63f04ab7
                                        • Instruction ID: 7ac0dede9f98fec9eb1c1b39b41e7df7d60f04298f2134219041bfe3def959c5
                                        • Opcode Fuzzy Hash: 105abb600226d0131ef9453cca30999543467e489297b96e2f3d0d5a63f04ab7
                                        • Instruction Fuzzy Hash: 01F16770D00298DEDB21EFA5C895BDEBBB0BF14304F0441AEE14977292DB785A85CF59
                                        Uniqueness

                                        Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed)
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0040B27D
                                          • Part of subcall function 0040BEEB: __EH_prolog.LIBCMT ref: 0040BEF0
                                          • Part of subcall function 00407492: __EH_prolog.LIBCMT ref: 00407497
                                        • _CxxThrowException.MSVCRT(?,0041E1B0), ref: 0040B392
                                        • _CxxThrowException.MSVCRT(00000001,0041E1B0), ref: 0040B816
                                        • _CxxThrowException.MSVCRT(00423050,0041E1B0), ref: 0040B82B
                                          • Part of subcall function 00403DCD: __EH_prolog.LIBCMT ref: 00403DD2
                                        • _CxxThrowException.MSVCRT(00423050,0041E1B0), ref: 0040B3A7
                                          • Part of subcall function 0040540C: free.MSVCRT(?,004024E3,?,?,?,00000000,00401EA5,?,z @,00423400,00000000,?,?,004011CC,00000000), ref: 00405410
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID: ExceptionH_prologThrow$free
                                        • String ID: P0B$z @
                                        • API String ID: 2114536809-228493968
                                        • Opcode ID: 5b752b00c754d80dd462c80eed99d346b9cb6eecee36879faaaf8797cc02f67f
                                        • Instruction ID: 80415a599fe0b547aa77d71a7c6402cf8ac950e2b8ce91f7db9f18a14ad2ee2b
                                        • Opcode Fuzzy Hash: 5b752b00c754d80dd462c80eed99d346b9cb6eecee36879faaaf8797cc02f67f
                                        • Instruction Fuzzy Hash: 0F421970900259DFCB14DFA9C984BDDBBB4EF48304F1480AAE849BB292DB749E45CF59
                                        Uniqueness

                                        Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed)
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID: H_prologmemcpymemmove
                                        • String ID:
                                        • API String ID: 1608800686-3916222277
                                        • Opcode ID: 06cca9289681a650a057e5db6445d20b21d4165150ec291f3020f629dbc88ab2
                                        • Instruction ID: f0efae93e1cf06dd7da0d80deb9cfea385ac533b253575772d98703a7808fb3a
                                        • Opcode Fuzzy Hash: 06cca9289681a650a057e5db6445d20b21d4165150ec291f3020f629dbc88ab2
                                        • Instruction Fuzzy Hash: F35172B1E401169BDF04CF58C885AEEB7B5FF48304F14811AE905AB351E7789D81CB99
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog.LIBCMT ref: 004096E8
                                          • Part of subcall function 00409656: __EH_prolog.LIBCMT ref: 0040965B
                                          • Part of subcall function 0040540C: free.MSVCRT(?,004024E3,?,?,?,00000000,00401EA5,?,z @,00423400,00000000,?,?,004011CC,00000000), ref: 00405410
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID: H_prolog$free
                                        • String ID: ,$can not open output file $z @
                                        • API String ID: 2654054672-3366752113
                                        • Opcode ID: e4021acf10c05e144b0ba4c8d8dc4a3ef75a86f21a53af52f3158a9468734916
                                        • Instruction ID: 7ffc52c154260c420d4a5f12ec48cd137f8a684e05fbd2e850fcf7609794582b
                                        • Opcode Fuzzy Hash: e4021acf10c05e144b0ba4c8d8dc4a3ef75a86f21a53af52f3158a9468734916
                                        • Instruction Fuzzy Hash: 1F828B71900648EECF11EFA5C981ADEBBB1AF14304F2481BEE44177292DB395E45DF2A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed)
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: Can not create output directory $z @
                                        • API String ID: 3519838083-3661672706
                                        • Opcode ID: d513d20b6cc50ae0be570f3012e1c44788260c0e40265cc58a068c9e09ce33f4
                                        • Instruction ID: 246d32385fb4a975fb34a6faf6d035bbe4692238bba53b55af9d53ecfd45f7c6
                                        • Opcode Fuzzy Hash: d513d20b6cc50ae0be570f3012e1c44788260c0e40265cc58a068c9e09ce33f4
                                        • Instruction Fuzzy Hash: E7716C71900119EBCF11EFA5D841AEEBBB4EF18304F20416EE402B7292DB785E45CFA9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed)
                                        APIs
                                        • SetLastError.KERNEL32(00000078), ref: 00406A2C
                                        • CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000003,02000000,00000000), ref: 00406A48
                                        • SetFileTime.KERNELBASE(00000000,?,?,?,?,40000000,00000003,00000000,00000003,02000000,00000000), ref: 00406A5F
                                        • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,40000000,00000003,00000000,00000003,02000000,00000000), ref: 00406A6B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID: File$ChangeCloseCreateErrorFindLastNotificationTime
                                        • String ID:
                                        • API String ID: 255131691-0
                                        • Opcode ID: 85a1c22ea028354ac8943e5fefa8ee7cc2f5e7228d56c7602a5f43497407cd05
                                        • Instruction ID: 2d15ff4f5d21fa3b996a1357c662cf8c592ccec830ddb50ccd9867c1ccf9d7e6
                                        • Opcode Fuzzy Hash: 85a1c22ea028354ac8943e5fefa8ee7cc2f5e7228d56c7602a5f43497407cd05
                                        • Instruction Fuzzy Hash: 1AF0E2757812207FE220AB246C58F97AAAC9F8A729F028135B55A760E0C6294D1AD638
                                        Uniqueness

                                        Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed)
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0040B017
                                          • Part of subcall function 0040AE16: __EH_prolog.LIBCMT ref: 0040AE1B
                                          • Part of subcall function 0040B153: __EH_prolog.LIBCMT ref: 0040B158
                                          • Part of subcall function 0040236D: __EH_prolog.LIBCMT ref: 00402372
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: P1B$z @
                                        • API String ID: 3519838083-3334625589
                                        • Opcode ID: 15a08404549a3715069346adb6742004a6826916f0789c2bd9c2f3783a478a90
                                        • Instruction ID: 4bb09bd43c83cf1a26edd2b0f99aa09ce1d6c311f57905ba5debb0ab0f539945
                                        • Opcode Fuzzy Hash: 15a08404549a3715069346adb6742004a6826916f0789c2bd9c2f3783a478a90
                                        • Instruction Fuzzy Hash: B5116D31900618DFCB24EFA5D8816AEF7B4FF44315F00852EE466B3691D738AA41DF59
                                        Uniqueness

                                        Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed)
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0040754E
                                        • AreFileApisANSI.KERNEL32(?,00000000,?,00000000,0040C92E,?,?,?,00000000,?,?,?,00000000,00000000), ref: 00407572
                                          • Part of subcall function 00407510: CreateFileA.KERNEL32(00000001,?,?,00000000,?,?,00000000,?,?,004075A3,?,?,?,?,?,00000001), ref: 00407532
                                          • Part of subcall function 0040540C: free.MSVCRT(?,004024E3,?,?,?,00000000,00401EA5,?,z @,00423400,00000000,?,?,004011CC,00000000), ref: 00405410
                                        • CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,00000000,?,00000000,0040C92E,?,?,?,00000000), ref: 004075D7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID: File$Create$ApisH_prologfree
                                        • String ID:
                                        • API String ID: 3697404956-0
                                        • Opcode ID: 6684766a1a2c28f6622b7f2af9e0b77614d440e366c4ef289b9103af7c9f768f
                                        • Instruction ID: 4c561829ebc80b42705eaf63d70327d3a9573cfa90e0a0f938c4de0a047e9e52
                                        • Opcode Fuzzy Hash: 6684766a1a2c28f6622b7f2af9e0b77614d440e366c4ef289b9103af7c9f768f
                                        • Instruction Fuzzy Hash: 0F119372900109FFCF05AFA0DC419DE7F75EF08318F10452AF911B21A1CB3A9AA5EB55
                                        Uniqueness

                                        Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed)
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: .7z
                                        • API String ID: 3519838083-3980757742
                                        • Opcode ID: f90371e24ee69f9fe6ac478dcf492b8aaff75f239fe2342c5f44b0422b9e52e2
                                        • Instruction ID: b521b267df78481cc613f1cd2daf1531b45f8fee511e283561fe85592d7026a4
                                        • Opcode Fuzzy Hash: f90371e24ee69f9fe6ac478dcf492b8aaff75f239fe2342c5f44b0422b9e52e2
                                        • Instruction Fuzzy Hash: 56D16E71A00149EFCF10DF98C8D49AEBBB5AF49314B24867EE41AEB391C7399E41DB14
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0040C4DD
                                          • Part of subcall function 0040C45D: __EH_prolog.LIBCMT ref: 0040C462
                                        Strings
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: jq
                                        • API String ID: 3519838083-1684728866
                                        • Opcode ID: 0525d92d46f35548419fe5f33d88a516f1e97c9b4f97f4d5308176bbfe51ca90
                                        • Instruction ID: bbc7e673ad77c2f3a5da1a0342a5401b6d833aa7d2d7b1ef3b015a8f5ac6ec90
                                        • Opcode Fuzzy Hash: 0525d92d46f35548419fe5f33d88a516f1e97c9b4f97f4d5308176bbfe51ca90
                                        • Instruction Fuzzy Hash: B7117C75A00225EACF14AFA4CC959AEB670FF48354F00423EE121B72E1D7785E45C799
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        APIs
                                        • SysAllocString.OLEAUT32(00000000), ref: 00407884
                                        Strings
                                        Similarity
                                        • API ID: AllocString
                                        • String ID: jq
                                        • API String ID: 2525500382-1684728866
                                        • Opcode ID: cb8f81633507c63bb8dc66f60a3cd1d9c96c2c7d82326894cd5b28f2986e899a
                                        • Instruction ID: 08cb7957e9ec639422bee52464c6f172cf0a5ece66cacd7ad1014ba17830f184
                                        • Opcode Fuzzy Hash: cb8f81633507c63bb8dc66f60a3cd1d9c96c2c7d82326894cd5b28f2986e899a
                                        • Instruction Fuzzy Hash: 8FE0ECB2918312EAD7306F55C445647B6E1EF80344B14C83EE48996664E7BDD880C79A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0040C8D3
                                          • Part of subcall function 004053E5: malloc.MSVCRT ref: 004053EB
                                          • Part of subcall function 004053E5: _CxxThrowException.MSVCRT(?,0041E930), ref: 00405405
                                        • GetLastError.KERNEL32(?,?,?,00000000,?,?,?,00000000,00000000,?,?,?,?,?,?,?), ref: 0040C932
                                          • Part of subcall function 0040C606: __EH_prolog.LIBCMT ref: 0040C60B
                                          • Part of subcall function 0040540C: free.MSVCRT(?,004024E3,?,?,?,00000000,00401EA5,?,z @,00423400,00000000,?,?,004011CC,00000000), ref: 00405410
                                        Similarity
                                        • API ID: H_prolog$ErrorExceptionLastThrowfreemalloc
                                        • String ID:
                                        • API String ID: 1455235784-0
                                        • Opcode ID: 5265ad35fdce3184c2308cfe5d5a5f9508b9e6658d0e330c9e6591bfb703ab74
                                        • Instruction ID: 13006a9ff2bb2db2c9a7a40b5c520653315d69514974fcd7a8b3486205c7d14f
                                        • Opcode Fuzzy Hash: 5265ad35fdce3184c2308cfe5d5a5f9508b9e6658d0e330c9e6591bfb703ab74
                                        • Instruction Fuzzy Hash: DA21C2B2901214EFCB109F65C948A9EBBB1EF44364F15826AFC55B72E1C7388D41DBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0040CF77
                                          • Part of subcall function 0040722A: __EH_prolog.LIBCMT ref: 0040722F
                                          • Part of subcall function 00407492: __EH_prolog.LIBCMT ref: 00407497
                                          • Part of subcall function 0040540C: free.MSVCRT(?,004024E3,?,?,?,00000000,00401EA5,?,z @,00423400,00000000,?,?,004011CC,00000000), ref: 00405410
                                        • _CxxThrowException.MSVCRT(?,0041E9F0), ref: 0040CFD8
                                        Similarity
                                        • API ID: H_prolog$ExceptionThrowfree
                                        • String ID:
                                        • API String ID: 1371406966-0
                                        • Opcode ID: 894cc8776ea603293a427e572d17dbde349a7f5f1c21b50c0bb7bd0df93fa1fa
                                        • Instruction ID: 835e712a83ce143d0d0d4f64b62db323bb4738cfee00380d8caa728ce2c6f3da
                                        • Opcode Fuzzy Hash: 894cc8776ea603293a427e572d17dbde349a7f5f1c21b50c0bb7bd0df93fa1fa
                                        • Instruction Fuzzy Hash: FD012675A40204AEC710EF26C491BDEBBF1FF85314F00822FE846A32D1CB786949CB54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • SetFilePointer.KERNELBASE(?,?,?,?), ref: 0040767F
                                        • GetLastError.KERNEL32(?,?,?,?), ref: 0040768D
                                        Similarity
                                        • API ID: ErrorFileLastPointer
                                        • String ID:
                                        • API String ID: 2976181284-0
                                        • Opcode ID: 7449b344c9b2a9f3f8f352f971a863f5a2482186d91cc9983dd83728de70cf9c
                                        • Instruction ID: f4dffb7e77ec5ae0868c3fa73e2b430a45e36f464e7fe576df831fc88b2a9ef1
                                        • Opcode Fuzzy Hash: 7449b344c9b2a9f3f8f352f971a863f5a2482186d91cc9983dd83728de70cf9c
                                        • Instruction Fuzzy Hash: FAF017B4904208EFCB04CF58E9808AE7BB9EB49324B208569F816A7391D375AE41DA65
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Similarity
                                        • API ID: ExceptionThrowmalloc
                                        • String ID:
                                        • API String ID: 2436765578-0
                                        • Opcode ID: 96b16c71e6b037255579f44c4117a7fa18857c474ab67b77d5ef7688202bbd38
                                        • Instruction ID: 139ac8734f4e39c768685a2ab3e4270d831ea46d8e304d023c04dbb67bcf092c
                                        • Opcode Fuzzy Hash: 96b16c71e6b037255579f44c4117a7fa18857c474ab67b77d5ef7688202bbd38
                                        • Instruction Fuzzy Hash: 5FD0A97510428C7ACF006FA2D8009CB3F6C8900660B00A02BF85C8E222E634C7C28B98
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        • Opcode ID: b15a8df8ca74087720f9149dc9b27912cb12b0e12b76bc08ebb0cce0785994d7
                                        • Instruction ID: b23ee15f62283b2568ba25fea74014c43950f444574d056def913975de38f1a1
                                        • Opcode Fuzzy Hash: b15a8df8ca74087720f9149dc9b27912cb12b0e12b76bc08ebb0cce0785994d7
                                        • Instruction Fuzzy Hash: 39323E70900259DFDB10DFA8C584BDEBBB4AF19304F1440BEE845AB391DB78AE49CB65
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00412806
                                          • Part of subcall function 00413811: __EH_prolog.LIBCMT ref: 00413816
                                          • Part of subcall function 0040540C: free.MSVCRT(?,004024E3,?,?,?,00000000,00401EA5,?,z @,00423400,00000000,?,?,004011CC,00000000), ref: 00405410
                                        Similarity
                                        • API ID: H_prolog$free
                                        • String ID:
                                        • API String ID: 2654054672-0
                                        • Opcode ID: 51edff94990abb975f00c84083c1f471aa75bfaa39b12ef91986d894e9fc2382
                                        • Instruction ID: 6b96aaf115a561dc07c27b3ab9bbb0939e15c73199d3bb9cbfcc8b6812223371
                                        • Opcode Fuzzy Hash: 51edff94990abb975f00c84083c1f471aa75bfaa39b12ef91986d894e9fc2382
                                        • Instruction Fuzzy Hash: CAC13770A10258DFDB10EF95C985BDEB7B4EF14308F14809EE819AB292CB786E85CF55
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        • Opcode ID: 734cfe72228689fd3396e6534126a7105ec0acf824d589afb25fe6db3797744a
                                        • Instruction ID: 5178ae1b31acc6bb52c17287953be3cc1588305aa4355c3677bd429ec24b6a67
                                        • Opcode Fuzzy Hash: 734cfe72228689fd3396e6534126a7105ec0acf824d589afb25fe6db3797744a
                                        • Instruction Fuzzy Hash: 3D915A71900149DFCB10EFA9C9859EEBBB4FF58304F20456EE806B7291CB39AE45CB65
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00413450
                                          • Part of subcall function 00411932: _CxxThrowException.MSVCRT(?,00420D88), ref: 00411945
                                        Similarity
                                        • API ID: ExceptionH_prologThrow
                                        • String ID:
                                        • API String ID: 461045715-0
                                        • Opcode ID: 90e94f03d9fe783e395809472bf673a2b6d31b0c0308aee722cdb17e9949b6c1
                                        • Instruction ID: 328646ad39eb84878764cc0134ece3bb7c0fe789135d1b7bd0d0e4ce335109c6
                                        • Opcode Fuzzy Hash: 90e94f03d9fe783e395809472bf673a2b6d31b0c0308aee722cdb17e9949b6c1
                                        • Instruction Fuzzy Hash: 6A818B70A00209AFCB25EFA9C491BEEFBB1BF18304F14412EE555A3351CB39AA85CB55
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0040D080
                                          • Part of subcall function 004053E5: malloc.MSVCRT ref: 004053EB
                                          • Part of subcall function 004053E5: _CxxThrowException.MSVCRT(?,0041E930), ref: 00405405
                                          • Part of subcall function 0040CDE5: __EH_prolog.LIBCMT ref: 0040CDEA
                                          • Part of subcall function 0040722A: __EH_prolog.LIBCMT ref: 0040722F
                                          • Part of subcall function 00401DAE: __EH_prolog.LIBCMT ref: 00401DB3
                                          • Part of subcall function 0040540C: free.MSVCRT(?,004024E3,?,?,?,00000000,00401EA5,?,z @,00423400,00000000,?,?,004011CC,00000000), ref: 00405410
                                        Similarity
                                        • API ID: H_prolog$ExceptionThrowfreemalloc
                                        • String ID:
                                        • API String ID: 2423332413-0
                                        • Opcode ID: 37cdcf6050dd80ad9171f8c3bb514cd05c619be2807efdfaffd69dd900242610
                                        • Instruction ID: cab0ca36ea6c89eaaa18b97509a82cde8c02a224afa06496b7fec301dfdedd03
                                        • Opcode Fuzzy Hash: 37cdcf6050dd80ad9171f8c3bb514cd05c619be2807efdfaffd69dd900242610
                                        • Instruction Fuzzy Hash: 28513671D00209EFCB11EFA5D885ADEBBB5FF48304F14816EF515B72A2DB389A068B54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00410F29
                                          • Part of subcall function 004136C5: __EH_prolog.LIBCMT ref: 004136CA
                                          • Part of subcall function 0040540C: free.MSVCRT(?,004024E3,?,?,?,00000000,00401EA5,?,z @,00423400,00000000,?,?,004011CC,00000000), ref: 00405410
                                          • Part of subcall function 004110D4: __EH_prolog.LIBCMT ref: 004110D9
                                        Similarity
                                        • API ID: H_prolog$free
                                        • String ID:
                                        • API String ID: 2654054672-0
                                        • Opcode ID: 35740016b5e6f2c6f1804e073b2db0f87c50230a418c5bf2f83fac7370e69474
                                        • Instruction ID: 73ef9f27857630eb8f619f4f46601d8bcbd8d01cb3e8c71e2b75eb4801d46074
                                        • Opcode Fuzzy Hash: 35740016b5e6f2c6f1804e073b2db0f87c50230a418c5bf2f83fac7370e69474
                                        • Instruction Fuzzy Hash: 80519170904289DFCF11DFA5C985ADEBBB4AF08304F2440AEE405A7392CB799F85CB65
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        • Opcode ID: ea6653e504ffe39ed9291bfabe7bbcc9e2a1c941f6fc2be3067267babc26e16a
                                        • Instruction ID: 6285e3bbb06bac71b8a60a222a68d217d5a94d67dd3ad31d6ff36d713d7c95e7
                                        • Opcode Fuzzy Hash: ea6653e504ffe39ed9291bfabe7bbcc9e2a1c941f6fc2be3067267babc26e16a
                                        • Instruction Fuzzy Hash: CF415C75500780AFCB21CF24C494AA6BBF1BF44304F14887EE59AAB652D738F959CB15
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        • Opcode ID: 65f1f35eb89c8accc49011609c4c1ee3753506309f769ad08c57a4fe7e8fdb52
                                        • Instruction ID: 512d86458d17f157ff68d4d201275369944e1922b72539c05a6754b28f2d0f22
                                        • Opcode Fuzzy Hash: 65f1f35eb89c8accc49011609c4c1ee3753506309f769ad08c57a4fe7e8fdb52
                                        • Instruction Fuzzy Hash: D7318171900245DFCB24CF59C4848AABBF2FF48314B2446AEE096AB361C774ED85CF55
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0040DBBA
                                          • Part of subcall function 0040D7F2: __EH_prolog.LIBCMT ref: 0040D7F7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        • Opcode ID: 84b1ac7be7d5944091699361a4ae5f8055839e7a2e08d9909bdbc32f1723b3c1
                                        • Instruction ID: 3318c05fe2475df2f744ea7094431d15421057c11434644ea95d11ea1bb5695f
                                        • Opcode Fuzzy Hash: 84b1ac7be7d5944091699361a4ae5f8055839e7a2e08d9909bdbc32f1723b3c1
                                        • Instruction Fuzzy Hash: AA11A371B10654DADF08EBA9C1163DEFBE5DF91318F14425F9066772C2CBB81B048B6A
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        • Opcode ID: 5a06441c7b4576814edd79900506659bb7a08fc3b4ab1eeb3a4254f01ce2dd7b
                                        • Instruction ID: 47d026ce1669ea743996861b283c84681878ff3b1dd964195c12d526481cf53c
                                        • Opcode Fuzzy Hash: 5a06441c7b4576814edd79900506659bb7a08fc3b4ab1eeb3a4254f01ce2dd7b
                                        • Instruction Fuzzy Hash: 40012972E10116DBCB20DF55C8509AEBB74FF44750B10826BE412B72A0C37C5E42DBDA
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        APIs
                                        • SetFileAttributesW.KERNELBASE ref: 00406ADC
                                          • Part of subcall function 00406AEA: __EH_prolog.LIBCMT ref: 00406AEF
                                          • Part of subcall function 00406AEA: AreFileApisANSI.KERNEL32(?,?,?,?,?,00000000), ref: 00406B0B
                                          • Part of subcall function 00406A79: SetFileAttributesA.KERNEL32(?,?,00406ACA), ref: 00406A7B
                                          • Part of subcall function 0040540C: free.MSVCRT(?,004024E3,?,?,?,00000000,00401EA5,?,z @,00423400,00000000,?,?,004011CC,00000000), ref: 00405410
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID: File$Attributes$ApisH_prologfree
                                        • String ID:
                                        • API String ID: 1139671477-0
                                        • Opcode ID: c9f87d62a3a46c85bb97564fc79bae1531ea23e9696bc56f8462848db603ed2c
                                        • Instruction ID: 5a4acbca960fb223808e688570083969bf9306ba78e7360c801361f0078d7a1a
                                        • Opcode Fuzzy Hash: c9f87d62a3a46c85bb97564fc79bae1531ea23e9696bc56f8462848db603ed2c
                                        • Instruction Fuzzy Hash: 86E0ED20B00110ABCB107675AC16ADB37A88B46218B20C13BE403B32A1E978D952CA58
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00407D81
                                          • Part of subcall function 00407CA4: __EH_prolog.LIBCMT ref: 00407CA9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        • Opcode ID: 2ea15d909d7790bd45a1b301f583b2182f9a59a265a692a5f9f3671c467cdce2
                                        • Instruction ID: 286010f1982b79376d0199519aa468fd7c222059d1b2f13407d9dc67900f75ac
                                        • Opcode Fuzzy Hash: 2ea15d909d7790bd45a1b301f583b2182f9a59a265a692a5f9f3671c467cdce2
                                        • Instruction Fuzzy Hash: 46F03472A10218ABDB19DF98CC01BEEB779EF44325F10856AB826E7290C7799A05CB54
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00405639
                                          • Part of subcall function 0040561C: fputs.MSVCRT ref: 00405626
                                          • Part of subcall function 0040540C: free.MSVCRT(?,004024E3,?,?,?,00000000,00401EA5,?,z @,00423400,00000000,?,?,004011CC,00000000), ref: 00405410
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID: H_prologfputsfree
                                        • String ID:
                                        • API String ID: 2991183862-0
                                        • Opcode ID: 361aeee646b8e5633feb5a697179d586ebf6a84ac78b7e074c38e41508c390eb
                                        • Instruction ID: 85d77463f68a2ee20140c798da53980a4d6227e1c63ba0824e1d352e795963f4
                                        • Opcode Fuzzy Hash: 361aeee646b8e5633feb5a697179d586ebf6a84ac78b7e074c38e41508c390eb
                                        • Instruction Fuzzy Hash: D5F05872A00509AACF05BB54C843AEEBB71EB14308F10816EE501722E2DB7A1E95DA88
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        APIs
                                        • CreateDirectoryW.KERNELBASE(?,00000000,z @,?), ref: 00406C2D
                                          • Part of subcall function 00406AEA: __EH_prolog.LIBCMT ref: 00406AEF
                                          • Part of subcall function 00406AEA: AreFileApisANSI.KERNEL32(?,?,?,?,?,00000000), ref: 00406B0B
                                          • Part of subcall function 00406BEA: CreateDirectoryA.KERNEL32(?,00000000,00406C1A,?,z @,?), ref: 00406BED
                                          • Part of subcall function 0040540C: free.MSVCRT(?,004024E3,?,?,?,00000000,00401EA5,?,z @,00423400,00000000,?,?,004011CC,00000000), ref: 00405410
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID: CreateDirectory$ApisFileH_prologfree
                                        • String ID:
                                        • API String ID: 2455149606-0
                                        • Opcode ID: e684389bbc9d0dd0748a7c28f2bd674140749acc96f1285deb3b3f24e38ad4dc
                                        • Instruction ID: e9182faec830f53e1ada4ed54726d664073956b6a9075750bfad7de01d9d9167
                                        • Opcode Fuzzy Hash: e684389bbc9d0dd0748a7c28f2bd674140749acc96f1285deb3b3f24e38ad4dc
                                        • Instruction Fuzzy Hash: 47E0DF70B001006BDB007765FC6278A37688B4130CF10C17AE402AB1E1EE78D956C608
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        APIs
                                        • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00407734
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID: FileRead
                                        • String ID:
                                        • API String ID: 2738559852-0
                                        • Opcode ID: 53d42df8be4e469bf12bd33762c29c1b750572f7d2e4a948a3a83de76b307521
                                        • Instruction ID: bbe6aeb1ea1e6052ee290407a306587cef13ccc15bab7cec68d4297f07c79014
                                        • Opcode Fuzzy Hash: 53d42df8be4e469bf12bd33762c29c1b750572f7d2e4a948a3a83de76b307521
                                        • Instruction Fuzzy Hash: 59E0E575A00208FBCB11CF95D901F8E7BBABB48354F20C069F914AA260D379EA11EF54
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        APIs
                                        • WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 004077BF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID: FileWrite
                                        • String ID:
                                        • API String ID: 3934441357-0
                                        • Opcode ID: 504299f87fb89d0047bb7676cf03167f2554e3be6d89c6ae7c17546a80c499e6
                                        • Instruction ID: a788cfedd4852d637b70718a4811bedd840fc10ad6fdbfa488dd85fabfb28c19
                                        • Opcode Fuzzy Hash: 504299f87fb89d0047bb7676cf03167f2554e3be6d89c6ae7c17546a80c499e6
                                        • Instruction Fuzzy Hash: 82E0E579A00208FFCB11CF95C901B8E7BBABB48354F20C069F9149A260D379AA10EF58
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog.LIBCMT ref: 004136CA
                                          • Part of subcall function 0041344B: __EH_prolog.LIBCMT ref: 00413450
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        • Opcode ID: c0978009d694865c74bc2a33d11b46a2ada8b0b8ce8826f1f314ed5293309246
                                        • Instruction ID: e56c9b5a34f24c4b2b335fcfe8cb56b33002ef008c64caa7418fee8f44cfdbe5
                                        • Opcode Fuzzy Hash: c0978009d694865c74bc2a33d11b46a2ada8b0b8ce8826f1f314ed5293309246
                                        • Instruction Fuzzy Hash: 51E08C72900108FFCB019F85C802BEE7B38FB45369F10802FF00155200C37A4A60DBA9
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00407497
                                          • Part of subcall function 0040729B: __EH_prolog.LIBCMT ref: 004072A0
                                          • Part of subcall function 0040729B: FindFirstFileW.KERNELBASE(?,?,00000000), ref: 004072CE
                                          • Part of subcall function 0040727B: FindClose.KERNELBASE(00000000,?,004072B3,00000000), ref: 00407286
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID: FindH_prolog$CloseFileFirst
                                        • String ID:
                                        • API String ID: 2004497850-0
                                        • Opcode ID: ab50a1498f827e730a9cbef3c24a5c1888fd9fa38c81ce9c362cc46269eaa863
                                        • Instruction ID: 051957bad08504a415e1d5588613521c2f285170302354068c61b22755458e09
                                        • Opcode Fuzzy Hash: ab50a1498f827e730a9cbef3c24a5c1888fd9fa38c81ce9c362cc46269eaa863
                                        • Instruction Fuzzy Hash: BAE08CF1C52505AACB08DBA1CC92BEEB334FB41318F00465EF032722D18B382508C929
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID: _beginthreadex
                                        • String ID:
                                        • API String ID: 3014514943-0
                                        • Opcode ID: 6806db5be1c8f582866a3d516b1947ba29cc734cc0cae6830351c00047cb70d8
                                        • Instruction ID: fc15bd5669f08f0e8bb82dc1e75bb8b9ebf1e1d0247e18c6f40537ccf446c2e8
                                        • Opcode Fuzzy Hash: 6806db5be1c8f582866a3d516b1947ba29cc734cc0cae6830351c00047cb70d8
                                        • Instruction Fuzzy Hash: 5CD0A7B16442017FE6149B28DC06FAA77D89F84704F10842EB149D71D1D9B05C80876D
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        APIs
                                        • FindClose.KERNELBASE(00000000,?,004072B3,00000000), ref: 00407286
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID: CloseFind
                                        • String ID:
                                        • API String ID: 1863332320-0
                                        • Opcode ID: 2e13a17fa00f32e2ffd5c6a4892ff0b38d3b488d50b70c37ec772d947705b619
                                        • Instruction ID: 1cd0053a2531da801a71ff8709c20484f153a7e0f794c922f16f441aa08e7b7b
                                        • Opcode Fuzzy Hash: 2e13a17fa00f32e2ffd5c6a4892ff0b38d3b488d50b70c37ec772d947705b619
                                        • Instruction Fuzzy Hash: D2D0123191826146CA642E3CB8449D337D85F0633472907EEF4B4D33E1D3749CC79654
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        APIs
                                        • FindCloseChangeNotification.KERNELBASE(00000000,?,004075C2,00000000,?,00000000,0040C92E,?,?,?,00000000,?,?,?,00000000,00000000), ref: 00407604
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID: ChangeCloseFindNotification
                                        • String ID:
                                        • API String ID: 2591292051-0
                                        • Opcode ID: c2e6e2fd004d8fba40dcf36d88b196163c56aa3e964f2897a4a73cb698526879
                                        • Instruction ID: 7f0aceefd0840bbdeb1e8f840846108ea751048b2bb48f28a57f57ee0d2e851f
                                        • Opcode Fuzzy Hash: c2e6e2fd004d8fba40dcf36d88b196163c56aa3e964f2897a4a73cb698526879
                                        • Instruction Fuzzy Hash: 6AD012319085214BCA646E3C784C9C277D86A863B83250F6AF0B6D32E5D3759C835658
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID: fputc
                                        • String ID:
                                        • API String ID: 1992160199-0
                                        • Opcode ID: 6580ff8f3b4c9b2dd5a726c106159b2c9b059c26df76a55d145085af54cf24a3
                                        • Instruction ID: cf131d332bb71641c6606e6d92cff17108708ad2684ee9b8b6e248c18e027e18
                                        • Opcode Fuzzy Hash: 6580ff8f3b4c9b2dd5a726c106159b2c9b059c26df76a55d145085af54cf24a3
                                        • Instruction Fuzzy Hash: 5FC02B7350C2307F820407987C088D7BBDCCB0C632310882FF284C2000C975DC008798
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID: fputs
                                        • String ID:
                                        • API String ID: 1795875747-0
                                        • Opcode ID: 9f3682537f81894a5db16acf5a026ad65e66c729d35f0eed1f5696105da1d0a9
                                        • Instruction ID: 3055a33b8b2916f824f64770a2b206d12f9855b6eefb6c375f87e50b719fc513
                                        • Opcode Fuzzy Hash: 9f3682537f81894a5db16acf5a026ad65e66c729d35f0eed1f5696105da1d0a9
                                        • Instruction Fuzzy Hash: EAC04C73508120AF96151A58BC05886B795DB59631721C52BF25581160DA729C109798
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • SetFileTime.KERNELBASE(?,?,?,?), ref: 0040778D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID: FileTime
                                        • String ID:
                                        • API String ID: 1425588814-0
                                        • Opcode ID: 54361a933c6f66fc4a53ff628da8d91ad4607a0d9c0ba058e5ed97a55abda049
                                        • Instruction ID: 25a54983d51de781230dc2d7b5e464ac7149ddd2bb2d034677340562758f2130
                                        • Opcode Fuzzy Hash: 54361a933c6f66fc4a53ff628da8d91ad4607a0d9c0ba058e5ed97a55abda049
                                        • Instruction Fuzzy Hash: E1C04C3A158105FF8F021F70CC04C1ABFE2AF99715F10C918B25DC4070C7328024EB02
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 004053E5: malloc.MSVCRT ref: 004053EB
                                          • Part of subcall function 004053E5: _CxxThrowException.MSVCRT(?,0041E930), ref: 00405405
                                        • memmove.MSVCRT ref: 0040918B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID: ExceptionThrowmallocmemmove
                                        • String ID:
                                        • API String ID: 2847158419-0
                                        • Opcode ID: cc3506a85f9da5dfc6c33b6f6673e2ce5fe04c0e303d30807e1a46dacb806c3a
                                        • Instruction ID: 482d39da45c2f8cd0462654843c70215a31e33ca96f8b29ac42986283be842ae
                                        • Opcode Fuzzy Hash: cc3506a85f9da5dfc6c33b6f6673e2ce5fe04c0e303d30807e1a46dacb806c3a
                                        • Instruction Fuzzy Hash: 80F082727047026FE2305F16DC8485BB7E9DBC5755310883FF95DA6252C639EC41C668
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • LeaveCriticalSection.KERNEL32(?,?,?,?), ref: 00408B9E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID: CriticalLeaveSection
                                        • String ID:
                                        • API String ID: 3988221542-0
                                        • Opcode ID: 662ac572375498242c90138e4ee6cce6eb91b11312f7fa1056ea47a1be8e81c1
                                        • Instruction ID: c8783d8a7d335f4854df42e261cc132adcab2544801ccc1f9f7bd42d64c955a8
                                        • Opcode Fuzzy Hash: 662ac572375498242c90138e4ee6cce6eb91b11312f7fa1056ea47a1be8e81c1
                                        • Instruction Fuzzy Hash: 4FF0BE72A00144DFCF11DFA0D94899A7FB1EF99320B0484AFF88197252CB38A811DF60
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • VirtualAlloc.KERNELBASE(00000000,00020000,00001000,00000004,004142B5), ref: 00417011
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        • Opcode ID: 40b3809ef12982ed2b642611d98c115126d194588586179802d3c9b16db6065e
                                        • Instruction ID: a40f0a692cbd122446d235d4316e198ba1f41a5d65a25bbecdd63107e3e8a2ec
                                        • Opcode Fuzzy Hash: 40b3809ef12982ed2b642611d98c115126d194588586179802d3c9b16db6065e
                                        • Instruction Fuzzy Hash: 3CB092B079524065FE6906208C0ABA618115348B9FF009068B301D81C4EBD49441602C
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID: malloc
                                        • String ID:
                                        • API String ID: 2803490479-0
                                        • Opcode ID: f4a98244ba83c47b300c1d6d9d6e3f7f69ca4b653a080e097630c1b47b77b64d
                                        • Instruction ID: b47a31f33d2dab65ba19fed7834eb5a33906c8ce2160d7fdaf7cedc5739352d9
                                        • Opcode Fuzzy Hash: f4a98244ba83c47b300c1d6d9d6e3f7f69ca4b653a080e097630c1b47b77b64d
                                        • Instruction Fuzzy Hash: A5B012F051108012DE1C07347C040A73100268010B7C044B8F402C0110E729D024500D
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • VirtualFree.KERNELBASE(?,00000000,00008000,0040822C,?,00408206), ref: 0041702C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID: FreeVirtual
                                        • String ID:
                                        • API String ID: 1263568516-0
                                        • Opcode ID: 8b940bd2d54b2e02ce6fd356d78b802ca04556ce44a6fadc815780e7f4ca2151
                                        • Instruction ID: d7362d8e6ace7fc5e0a9da9f1b294476dda612f446f3961d99752673b2bc4fc5
                                        • Opcode Fuzzy Hash: 8b940bd2d54b2e02ce6fd356d78b802ca04556ce44a6fadc815780e7f4ca2151
                                        • Instruction Fuzzy Hash: FCB0127068530039ED3C47100D05F5619101708701F1080183101A40C0C658D544854C
                                        Uniqueness

                                        Uniqueness Score: -1.00%
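The VirtualAlloc and VirtualFree entries above print their arguments as raw stack words, so reading them means decoding winnt.h constants by hand: 00001000 is MEM_COMMIT, 00000004 is PAGE_READWRITE, 00008000 is MEM_RELEASE. The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample, that parses lines of this "Api.MODULE(args), ref: addr" form and decodes the memory-allocation flags. Its sample input is the three API lines copied from this section; it assumes, as an interpretation of the listing, that the sandbox prints more stack slots than the API takes (VirtualFree has three parameters but six values are shown), so only the first N slots are treated as real arguments. The check it adds is the one a triager wants from such a listing: whether any VirtualAlloc requests an executable protection, which the RW allocation at 00417011 does not.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: three "APIs" reference lines copied verbatim from this report's
# function listing (VirtualAlloc, VirtualFree, SetFileTime). "?" marks an argument
# the sandbox could not resolve from the memory dump.
SAMPLE_LINES = """\
• VirtualAlloc.KERNELBASE(00000000,00020000,00001000,00000004,004142B5), ref: 00417011
• VirtualFree.KERNELBASE(?,00000000,00008000,0040822C,?,00408206), ref: 0041702C
• SetFileTime.KERNELBASE(?,?,?,?), ref: 0040778D
"""

# Matches only the parenthesised form; lines such as "memmove.MSVCRT ref: ..." carry
# no recovered arguments and are deliberately skipped.
API_LINE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>[\w.]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Win32 constants from winnt.h used by the two allocation APIs decoded below.
MEM_FLAGS: Dict[int, str] = {
    0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE",
    0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE",
}
PAGE_PROT: Dict[int, str] = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE_PROT = {0x10, 0x20, 0x40, 0x80}

# Assumption: the listing shows stack slots beyond the API's parameter count (the
# extra words are whatever sat above the arguments), so only the first N are real.
PARAM_COUNT = {"VirtualAlloc": 4, "VirtualFree": 3, "SetFileTime": 4}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]   # None where the report shows "?"
    ref: int                    # call-site address inside the dumped image


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one '• Api.MODULE(arg,...), ref: ADDR' line; None if the line is not one."""
    m = API_LINE.match(line)
    if not m:
        return None
    raw = [a.strip() for a in m.group("args").split(",")] if m.group("args").strip() else []
    args = [None if a == "?" else int(a, 16) for a in raw]
    return ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16))


def decode_mem_flags(value: int) -> str:
    """Render MEM_* flags as a '|'-joined list; bits outside the table stay hex."""
    names = [name for bit, name in sorted(MEM_FLAGS.items()) if value & bit]
    rest = value & ~sum(MEM_FLAGS)
    if rest:
        names.append(hex(rest))
    return "|".join(names) if names else hex(value)


def decode_protect(value: int) -> str:
    """Render the PAGE_* base protection (low byte) plus PAGE_GUARD / PAGE_NOCACHE."""
    base = PAGE_PROT.get(value & 0xFF, hex(value & 0xFF))
    mods = [n for bit, n in ((0x100, "PAGE_GUARD"), (0x200, "PAGE_NOCACHE")) if value & bit]
    return "|".join([base] + mods)


def allocates_executable(call: ApiCall) -> bool:
    """True when a VirtualAlloc requests an executable protection (classic shellcode staging)."""
    if call.api != "VirtualAlloc" or len(call.args) < 4 or call.args[3] is None:
        return False
    return (call.args[3] & 0xFF) in EXECUTABLE_PROT


def describe(call: ApiCall) -> str:
    """One-line reading of the call, decoding flag arguments for the APIs we know."""
    def hx(a: Optional[int]) -> str:
        return "?" if a is None else f"0x{a:X}"

    real = call.args[:PARAM_COUNT.get(call.api, len(call.args))]
    if call.api == "VirtualAlloc" and len(real) == 4:
        addr, size, atype, prot = real
        return (f"{call.api} @ {call.ref:08X}: addr={hx(addr)} size={hx(size)} "
                f"type={decode_mem_flags(atype) if atype is not None else '?'} "
                f"protect={decode_protect(prot) if prot is not None else '?'}"
                + (" [EXECUTABLE]" if allocates_executable(call) else ""))
    if call.api == "VirtualFree" and len(real) == 3:
        addr, size, ftype = real
        return (f"{call.api} @ {call.ref:08X}: addr={hx(addr)} size={hx(size)} "
                f"type={decode_mem_flags(ftype) if ftype is not None else '?'}")
    return f"{call.api}.{call.module} @ {call.ref:08X}: args={', '.join(hx(a) for a in real)}"


def triage(text: str) -> List[str]:
    """Decode every parseable API line in a block of report text."""
    calls = [c for c in (parse_api_line(l) for l in text.splitlines()) if c]
    return [describe(c) for c in calls]


if __name__ == "__main__":
    for line in triage(SAMPLE_LINES):
        print(line)
```

Run against the whole "APIs" section of a report, the output makes the allocation pattern visible at a glance: a 0x20000-byte MEM_COMMIT / PAGE_READWRITE allocation paired with a MEM_RELEASE free is ordinary heap-like behaviour, whereas a PAGE_EXECUTE_READWRITE request would be flagged for a closer look at the bytes written into it.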

                                        APIs
                                        • free.MSVCRT(?,004144DB,?,0041448D), ref: 00416FF1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID: free
                                        • String ID:
                                        • API String ID: 1294909896-0
                                        • Opcode ID: bc1d8412276cc2565f2bd195f3b25eb86f4d6089c1ce18e73bf5630451c65e7f
                                        • Instruction ID: 8ead0745542f8c59725e415c93cd0536404af2e60b36a07842a1ea74c6f0e253
                                        • Opcode Fuzzy Hash: bc1d8412276cc2565f2bd195f3b25eb86f4d6089c1ce18e73bf5630451c65e7f
                                        • Instruction Fuzzy Hash:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog.LIBCMT ref: 004123A0
                                          • Part of subcall function 00405AA5: _CxxThrowException.MSVCRT(00423400,0041E9F0), ref: 00405AD1
                                          • Part of subcall function 00405AA5: _CxxThrowException.MSVCRT(00423400,0041E9F0), ref: 00405AF8
                                          • Part of subcall function 00405AA5: _CxxThrowException.MSVCRT(00423400,0041E9F0), ref: 00405B20
                                          • Part of subcall function 00405AA5: memcpy.MSVCRT ref: 00405B39
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID: ExceptionThrow$H_prologmemcpy
                                        • String ID:
                                        • API String ID: 3273695820-0
                                        • Opcode ID: ea1575024d801dcc0cda5af6ad971ceb36abb96347274110e3f752804487a0f9
                                        • Instruction ID: 893faa4ac55e7b3430ef41d9c653ef8b456160620576ff9ff7d6b798b256bf74
                                        • Opcode Fuzzy Hash: ea1575024d801dcc0cda5af6ad971ceb36abb96347274110e3f752804487a0f9
                                        • Instruction Fuzzy Hash: B2A1FA70A002099FCF18DF55C9919EEBBB2FF98314F14842FE815A7251D778AD92CB98
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b869f2f4f8dc1a01f740a5a2f5011cdac545a677f434155a1b40552727ad551f
                                        • Instruction ID: 586160e0a428f2a343ee105bc52d4287d6f34c6cf7980518a909fda8790eb816
                                        • Opcode Fuzzy Hash: b869f2f4f8dc1a01f740a5a2f5011cdac545a677f434155a1b40552727ad551f
                                        • Instruction Fuzzy Hash: B472F972A083154BC718CE29C98016AFBF3BFD5340F16862EE8A987794E774D946CB85
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9803c8db8919b39b22e60e951130245479d9368fb12c4fe1c3f5fb4592283aad
                                        • Instruction ID: 914d8d4abeb419496ea0cf902aa9d6872d5ddc796ecad110a15aa2eeb864abf5
                                        • Opcode Fuzzy Hash: 9803c8db8919b39b22e60e951130245479d9368fb12c4fe1c3f5fb4592283aad
                                        • Instruction Fuzzy Hash: 24023D72A082158BD709CE18C5902BDBBE2FBC5344F150A3FE89697744DB78D8C9C799
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 07e337b5a94b9f233629b808c44dd0c8168d5e53dcb01da2cf7c8b99d02b393c
                                        • Instruction ID: 33472e8ce0ac9e49a25cbb5f929d8ae9c2659553d8a610cd78f8e1026f2c2182
                                        • Opcode Fuzzy Hash: 07e337b5a94b9f233629b808c44dd0c8168d5e53dcb01da2cf7c8b99d02b393c
                                        • Instruction Fuzzy Hash: 36D1A031A04515CBCB18CF28C5906FEB7B2EFC5304F1945AACC5A9F346E779A885CB98
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00402870
                                          • Part of subcall function 0040561C: fputs.MSVCRT ref: 00405626
                                        Strings
                                        Similarity
                                        • API ID: H_prologfputs
                                        • String ID: Can not open encrypted archive. Wrong password?$Can not open file as archive$Can't allocate required memory$Error: $jq
                                        • API String ID: 1798449854-660727338
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _CxxThrowException.MSVCRT(00000001,0041E1B0), ref: 00402E1B
                                        • FileTimeToLocalFileTime.KERNEL32(00000010,00000020,jq,?,?,?,00000000,?,0000000D,00000020,0000000A,00000020,00000000,00000001), ref: 00402E33
                                        • _CxxThrowException.MSVCRT(?), ref: 00402E4D
                                        Strings
                                        Similarity
                                        • API ID: ExceptionFileThrowTime$Local
                                        • String ID: L+B$jq$l+B
                                        • API String ID: 2485030866-966932216
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Similarity
                                        • API ID: memcmp
                                        • String ID:
                                        • API String ID: 1475443563-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00402E83
                                        • _CxxThrowException.MSVCRT(?,0041E1B0), ref: 004030F9
                                          • Part of subcall function 0040786E: SysAllocString.OLEAUT32(00000000), ref: 00407884
                                          • Part of subcall function 00402DFE: _CxxThrowException.MSVCRT(00000001,0041E1B0), ref: 00402E1B
                                          • Part of subcall function 00402DFE: FileTimeToLocalFileTime.KERNEL32(00000010,00000020,jq,?,?,?,00000000,?,0000000D,00000020,0000000A,00000020,00000000,00000001), ref: 00402E33
                                          • Part of subcall function 00402DFE: _CxxThrowException.MSVCRT(?), ref: 00402E4D
                                        Strings
                                        Similarity
                                        • API ID: ExceptionThrow$FileTime$AllocH_prologLocalString
                                        • String ID: = $jq$l+B
                                        • API String ID: 3746970167-1325507436
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0040547C
                                          • Part of subcall function 00405523: fgetc.MSVCRT ref: 0040552E
                                          • Part of subcall function 00405523: _CxxThrowException.MSVCRT(?,0041DDD8), ref: 00405558
                                        • _CxxThrowException.MSVCRT(?,0041DDD8), ref: 004054D3
                                        • _CxxThrowException.MSVCRT(?,0041DDD8), ref: 004054E9
                                        Strings
                                        Similarity
                                        • API ID: ExceptionThrow$H_prologfgetc
                                        • String ID: (.B$-B
                                        • API String ID: 1907486920-3869146835
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00404B8B
                                        • _CxxThrowException.MSVCRT(?,0041E1B0), ref: 00404E30
                                          • Part of subcall function 00404F96: __EH_prolog.LIBCMT ref: 00404F9B
                                        • _CxxThrowException.MSVCRT(?,0041E1B0), ref: 00404DF1
                                        • _CxxThrowException.MSVCRT(00422DC0,0041E1B0), ref: 00404E06
                                        • _CxxThrowException.MSVCRT(?,0041E1B0), ref: 00404E1B
                                        Similarity
                                        • API ID: ExceptionThrow$H_prolog
                                        • String ID:
                                        • API String ID: 206451386-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _CxxThrowException.MSVCRT(00423400,0041E9F0), ref: 00405AD1
                                        • _CxxThrowException.MSVCRT(00423400,0041E9F0), ref: 00405AF8
                                        • _CxxThrowException.MSVCRT(00423400,0041E9F0), ref: 00405B20
                                        • memcpy.MSVCRT ref: 00405B39
                                        Strings
                                        Similarity
                                        • API ID: ExceptionThrow$memcpy
                                        • String ID: z @
                                        • API String ID: 2368683791-1165971878
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CharUpperW.USER32(00000000,?,?,?,?,?,0040586F), ref: 00405712
                                        • GetLastError.KERNEL32(?,0040586F), ref: 0040571E
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000004,00000000,00000000,?,0040586F), ref: 00405739
                                        • CharUpperA.USER32(?,?,0040586F), ref: 00405752
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,?,00000001,?,0040586F), ref: 00405765
                                        Similarity
                                        • API ID: Char$ByteMultiUpperWide$ErrorLast
                                        • String ID:
                                        • API String ID: 3939315453-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00402C4B
                                        • SysFreeString.OLEAUT32(00000000), ref: 00402D17
                                          • Part of subcall function 0040540C: free.MSVCRT(?,004024E3,?,?,?,00000000,00401EA5,?,z @,00423400,00000000,?,?,004011CC,00000000), ref: 00405410
                                          • Part of subcall function 0040400C: __EH_prolog.LIBCMT ref: 00404011
                                        • SysFreeString.OLEAUT32(00000000), ref: 00402CF9
                                        Strings
                                        Similarity
                                        • API ID: FreeH_prologString$free
                                        • String ID: jq
                                        • API String ID: 4082356393-1684728866
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog.LIBCMT ref: 004067EC
                                        • GetModuleFileNameW.KERNEL32(?,?,00000105,z @,00423400,00000000), ref: 0040681D
                                        • AreFileApisANSI.KERNEL32(00000003,z @,00423400,00000000), ref: 00406868
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID: File$ApisH_prologModuleName
                                        • String ID: z @
                                        • API String ID: 605547141-1165971878
                                        • Opcode ID: 49116ac75009bc038ed5026f7558190b68c53b85c1e2b9362c61400c1daeef84
                                        • Instruction ID: d4a28a327c9532e7657e9bad19d425783da8759da1f86047db9ba15d0f13c3e9
                                        • Opcode Fuzzy Hash: 49116ac75009bc038ed5026f7558190b68c53b85c1e2b9362c61400c1daeef84
                                        • Instruction Fuzzy Hash: E6218E72A012049ADF10EFA5D8959EFBBB9EF48304F10847FE506F32D1CB794A45CA69
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00406938
                                        • FormatMessageW.KERNEL32(00001300,00000000,?,00000000,?,00000000,00000000,jq,?,?), ref: 0040695F
                                        • LocalFree.KERNEL32(?,?,?,00000000,?,00000000,00000000,jq,?,?), ref: 0040697A
                                        Strings
                                        Similarity
                                        • API ID: FormatFreeH_prologLocalMessage
                                        • String ID: jq
                                        • API String ID: 1380236612-1684728866
                                        • Opcode ID: b71e4cee168a768d550c8f342afe9cdc77ca748eeb03b3606f8745f78f7f3799
                                        • Instruction ID: 6cd3834961a21a14c52cc8e407b858d4d2d7c4e386d739d67f8e828a13c53bac
                                        • Opcode Fuzzy Hash: b71e4cee168a768d550c8f342afe9cdc77ca748eeb03b3606f8745f78f7f3799
                                        • Instruction Fuzzy Hash: 371196B1D00105AACF01EF9588915EFFB79AF48318F00803FE416B2692CA784916DA64
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Similarity
                                        • API ID: memset
                                        • String ID:
                                        • API String ID: 2221118986-0
                                        • Opcode ID: 53151738b5cb45d6da2caf6ba93a038fa4cc57067eed5bb267cb814d58c2db54
                                        • Instruction ID: 5f3c10d1147c43fa79398eed8adb35f3380fdbb8a62ed87b08de67b285ecc485
                                        • Opcode Fuzzy Hash: 53151738b5cb45d6da2caf6ba93a038fa4cc57067eed5bb267cb814d58c2db54
                                        • Instruction Fuzzy Hash: D6316D70A49B009EE320DB38C951FD7B7D9EF95708F54086EE1DEC7282D678B8418B59
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0040577D
                                        • CharUpperW.USER32(?,?,00000000), ref: 00405795
                                        • GetLastError.KERNEL32(?,?,00000000), ref: 004057A1
                                        • CharUpperA.USER32(?,00000000,?,?,?,00000000), ref: 004057D4
                                        Similarity
                                        • API ID: CharUpper$ErrorH_prologLast
                                        • String ID:
                                        • API String ID: 826227211-0
                                        • Opcode ID: bb62647c35a6b4b39ff52a49b48add0468e692bfd9ef0e63dfc65056f97f077e
                                        • Instruction ID: e127b44befd83df498158281ec6462b6981a6adf9e49f6e2e91893cbe986a66e
                                        • Opcode Fuzzy Hash: bb62647c35a6b4b39ff52a49b48add0468e692bfd9ef0e63dfc65056f97f077e
                                        • Instruction Fuzzy Hash: CA119372910906DBCB05BBA4D8819EFB774FF49309F10843AE402B62A1DB384D45DF99
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: $
                                        • API String ID: 3519838083-227171996
                                        • Opcode ID: e31783c1878d567b13860f4767856df14e65a26e6f59c179ef8b3789cb0db0b9
                                        • Instruction ID: c09ca64c516438c389beff03a03fb747e5fcb8e83cc091244ae1e3a0488f634f
                                        • Opcode Fuzzy Hash: e31783c1878d567b13860f4767856df14e65a26e6f59c179ef8b3789cb0db0b9
                                        • Instruction Fuzzy Hash: F371783090020ACFCB20DF99D981AEEF7B1FF48314F14466ED526A72A1D734AA86CF54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: ErrorH_prologLast
                                        • String ID: z @
                                        • API String ID: 1057991267-1165971878
                                        • Opcode ID: f4c7ae4e9819a94339cf5b68a245aee67b4628edfde3159287b698975baf48e9
                                        • Instruction ID: 5aa1cf87479b677cab348e24d28482d05f8d1d553d987a7ce873fa3599782bfd
                                        • Opcode Fuzzy Hash: f4c7ae4e9819a94339cf5b68a245aee67b4628edfde3159287b698975baf48e9
                                        • Instruction Fuzzy Hash: C051E33190410ADADF10EBA0C941AEFB770EF11308F25417BD843B72D2DB395DA6CA99
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0040D306
                                        • FileTimeToLocalFileTime.KERNEL32(?,?,00423400,jq,00000000), ref: 0040D3F7
                                        Strings
                                        Similarity
                                        • API ID: FileTime$H_prologLocal
                                        • String ID: jq
                                        • API String ID: 1029125053-1684728866
                                        • Opcode ID: 4abef91a55d26890551075d35ce9528d178323eb37e1b1ce0fe207f688dd6000
                                        • Instruction ID: f4bda934816c470ee3f9dc008bf593f5f26308195b6f52696a1c0570e71294e6
                                        • Opcode Fuzzy Hash: 4abef91a55d26890551075d35ce9528d178323eb37e1b1ce0fe207f688dd6000
                                        • Instruction Fuzzy Hash: 31518070E4021A9ACF14EF95C8916AEB771EF54308F50803FE905B73D1DB7CA949CA5A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00406F2E
                                        • GetFullPathNameW.KERNEL32(?,00000105,00000000,?,z @,00423400,00000000), ref: 00406F79
                                        Strings
                                        Similarity
                                        • API ID: FullH_prologNamePath
                                        • String ID: z @
                                        • API String ID: 882179163-1165971878
                                        • Opcode ID: 8b542baa3fb09bbdfc88f7eca29094e8904415202bbe43fb20294d5784b07569
                                        • Instruction ID: 456a8c749ad78801ab8f642e87f0de58938fa2083bf67819385d7e685a7d3908
                                        • Opcode Fuzzy Hash: 8b542baa3fb09bbdfc88f7eca29094e8904415202bbe43fb20294d5784b07569
                                        • Instruction Fuzzy Hash: 82519C71D00109DECB01EFA4C840AEEFBB5EF59308F20816EE042B7291DB795E56CB55
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0040AE1B
                                          • Part of subcall function 0040AF6D: __EH_prolog.LIBCMT ref: 0040AF72
                                          • Part of subcall function 0040540C: free.MSVCRT(?,004024E3,?,?,?,00000000,00401EA5,?,z @,00423400,00000000,?,?,004011CC,00000000), ref: 00405410
                                        Strings
                                        Similarity
                                        • API ID: H_prolog$free
                                        • String ID: P1B$z @
                                        • API String ID: 2654054672-3334625589
                                        • Opcode ID: f7947c3ff3cae27061cf9d2539886d090dfa4582e4da4e18eb94e97b8a76d47e
                                        • Instruction ID: 499cc5735afcd8b4d47c66a35ed56418ab05979329819a7782906da3536ef816
                                        • Opcode Fuzzy Hash: f7947c3ff3cae27061cf9d2539886d090dfa4582e4da4e18eb94e97b8a76d47e
                                        • Instruction Fuzzy Hash: 66412B75D0024ADECF05EBA5D586AEDBF70EF54318F10806EE401732D2DB781A49DBA6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog.LIBCMT ref: 004029A0
                                          • Part of subcall function 0040561C: fputs.MSVCRT ref: 00405626
                                          • Part of subcall function 00406933: __EH_prolog.LIBCMT ref: 00406938
                                          • Part of subcall function 00406933: FormatMessageW.KERNEL32(00001300,00000000,?,00000000,?,00000000,00000000,jq,?,?), ref: 0040695F
                                          • Part of subcall function 00405634: __EH_prolog.LIBCMT ref: 00405639
                                          • Part of subcall function 0040540C: free.MSVCRT(?,004024E3,?,?,?,00000000,00401EA5,?,z @,00423400,00000000,?,?,004011CC,00000000), ref: 00405410
                                        Strings
                                        Similarity
                                        • API ID: H_prolog$FormatMessagefputsfree
                                        • String ID: Sub items Errors: $jq
                                        • API String ID: 1037188338-1312119105
                                        • Opcode ID: 51101253e6f0cf16317a746bccd30ed1744d818bd7373f330097276747671460
                                        • Instruction ID: 72051ac68bb0dd62284419b043163b32f3c58ea1ed6c6781e38d229c8b5fd52d
                                        • Opcode Fuzzy Hash: 51101253e6f0cf16317a746bccd30ed1744d818bd7373f330097276747671460
                                        • Instruction Fuzzy Hash: 42318171B007019BCB24EB61C585A7FB7B1FB84318F50493EE50AA36D1DA7A6841CE6D
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog.LIBCMT ref: 004073CA
                                        • AreFileApisANSI.KERNEL32(?,?,00000000,00000000,00000001,z @,?,00000000), ref: 0040742D
                                          • Part of subcall function 0040540C: free.MSVCRT(?,004024E3,?,?,?,00000000,00401EA5,?,z @,00423400,00000000,?,?,004011CC,00000000), ref: 00405410
                                        Strings
                                        Similarity
                                        • API ID: ApisFileH_prologfree
                                        • String ID: z @
                                        • API String ID: 4245112029-1165971878
                                        • Opcode ID: 9ab113db4abb7b6139da2337a3147859d56e8fd75d1529f8d91f029e7248bd4a
                                        • Instruction ID: 2a71f41b047c19f9f8f9ef100063250c327e39a9047e493f04ba353b08899cc8
                                        • Opcode Fuzzy Hash: 9ab113db4abb7b6139da2337a3147859d56e8fd75d1529f8d91f029e7248bd4a
                                        • Instruction Fuzzy Hash: 45211AB1A00A05EFC715DF69D481A9AFBF4FF48314B10862EE44AD3A81D735F954CB94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: COM$LPT
                                        • API String ID: 3519838083-915345583
                                        • Opcode ID: 524c944f07671b31d12efe39f1ab468b1d58115f29dc58dde7c5bffb4f73f28c
                                        • Instruction ID: ed55f283f029a6f36ea59cad7b791ff1191188b2774c7a0bb762d2dd47f38330
                                        • Opcode Fuzzy Hash: 524c944f07671b31d12efe39f1ab468b1d58115f29dc58dde7c5bffb4f73f28c
                                        • Instruction Fuzzy Hash: 47118C31E00115CBCB04EFD589809AFB376EF85308B5086AFD412B76C2CB399E45DAA9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: __aulldiv__aullrem
                                        • String ID: jq
                                        • API String ID: 3839614884-1684728866
                                        • Opcode ID: ffef78c56428964be75a0f8506253adf945967703e0e212151cb9628b42e6588
                                        • Instruction ID: fdbb4a6bf156e63ec36fc5b3d1fbf0a96e05e40bd881586f90bf9e86ef1510b6
                                        • Opcode Fuzzy Hash: ffef78c56428964be75a0f8506253adf945967703e0e212151cb9628b42e6588
                                        • Instruction Fuzzy Hash: 1501A776A00708FBDB10DF85D881BEEB7B8FF55758F20006AE941A7291D3746E45C764
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00403DD2
                                          • Part of subcall function 0040540C: free.MSVCRT(?,004024E3,?,?,?,00000000,00401EA5,?,z @,00423400,00000000,?,?,004011CC,00000000), ref: 00405410
                                        Strings
                                        Similarity
                                        • API ID: H_prologfree
                                        • String ID: jq$z @
                                        • API String ID: 1978129608-3408136156
                                        • Opcode ID: 49ba030de8abd301e1262cc128365c39a5b7da7a69ff2a958e47ed265f3ca231
                                        • Instruction ID: 403b0aec6f4821f0d0014d847c29108503159186f5067bb4dd1b01443ce727f9
                                        • Opcode Fuzzy Hash: 49ba030de8abd301e1262cc128365c39a5b7da7a69ff2a958e47ed265f3ca231
                                        • Instruction Fuzzy Hash: 3801A931A01600DFCB14DF99C40979EFBA8EF44324F20426EA091A7692C7B86E018B59
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0040612B
                                          • Part of subcall function 00405C52: __EH_prolog.LIBCMT ref: 00405C57
                                          • Part of subcall function 00406041: __EH_prolog.LIBCMT ref: 00406046
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: jq$z @
                                        • API String ID: 3519838083-3408136156
                                        • Opcode ID: 0da70f7030bfe08fdb8b6ec2d71ebfc257fe4fffc7db55e8f521bb42ad752975
                                        • Instruction ID: e9deaf19a8e8a40d47764f685ae16118bc0c2711b15a17a9398cbb7b8d303620
                                        • Opcode Fuzzy Hash: 0da70f7030bfe08fdb8b6ec2d71ebfc257fe4fffc7db55e8f521bb42ad752975
                                        • Instruction Fuzzy Hash: 0701E5B1D01229DECF04EFA9C841ADEBBB4FB48318F00812EE415B3291D7784A44CFA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: jq$z @
                                        • API String ID: 3519838083-3408136156
                                        • Opcode ID: 446597cd78a5c3ee679c09b0b5f328cd49b39cf2de9c22836bfe6d576a36dd2c
                                        • Instruction ID: 2fcd53b1a9dacdef85348b448b429a3c22d34a7063514b700d04986bf48d9933
                                        • Opcode Fuzzy Hash: 446597cd78a5c3ee679c09b0b5f328cd49b39cf2de9c22836bfe6d576a36dd2c
                                        • Instruction Fuzzy Hash: BF11D7B1901744DFC321CF5AC6C0286FFF4FB09708F9089AED18A97A41C3B6A545CB45
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • SetConsoleCtrlHandler.KERNEL32(0040254F,00000001,?,?,?,004041A7), ref: 0040252B
                                        • _CxxThrowException.MSVCRT(?,0041E1B0), ref: 00402545
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID: ConsoleCtrlExceptionHandlerThrow
                                        • String ID: 8#B
                                        • API String ID: 4041287486-4081203943
                                        • Opcode ID: 4c02f3b1afa7c6d99ae8d3d52e0a5d3e165c3c8b500b723dfd0ee80ec4e3d9b0
                                        • Instruction ID: 3fbf9acf05ef434e358c39c6909e1b5ff37404118f769d5c3f7ba3408ee342a1
                                        • Opcode Fuzzy Hash: 4c02f3b1afa7c6d99ae8d3d52e0a5d3e165c3c8b500b723dfd0ee80ec4e3d9b0
                                        • Instruction Fuzzy Hash: F0D012B1750224BADB14DB999D1ABDAB7EC9B04748B50406BB944E62C0E7F8AE40479C
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • SetConsoleCtrlHandler.KERNEL32(0040254F,00000000,?,?,00404417), ref: 0040259D
                                        • _CxxThrowException.MSVCRT(?,0041E1B0), ref: 004025B7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID: ConsoleCtrlExceptionHandlerThrow
                                        • String ID: 8#B
                                        • API String ID: 4041287486-4081203943
                                        • Opcode ID: 772252efd9a2d5b49c771ac39d2d49f6d2f31b31515abebef65a7720b3cdb642
                                        • Instruction ID: abfa11f6a8ca77f709f8a3ccb442db122f48834c8448276bb0cfd74f51303d17
                                        • Opcode Fuzzy Hash: 772252efd9a2d5b49c771ac39d2d49f6d2f31b31515abebef65a7720b3cdb642
                                        • Instruction Fuzzy Hash: 70D09EB4640304FED714DBA6AE1AB8A76AC9B0474CF60416BB504A51D1E7F8AA40466D
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1816056065.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1816015014.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816240970.000000000041D000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816278373.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816302062.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1816317956.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_a2e-enterprise.jbxd
                                        Similarity
                                        • API ID: memcmp
                                        • String ID:
                                        • API String ID: 1475443563-0
                                        • Opcode ID: cbbb456cd77182ef58a72903555eb5269fd68cf8cf5e786519a58668202c7b56
                                        • Instruction ID: ef55370724e41f7c94e5c4a00684e598735f04457b5ed3082ba78311e219e7db
                                        • Opcode Fuzzy Hash: cbbb456cd77182ef58a72903555eb5269fd68cf8cf5e786519a58668202c7b56
                                        • Instruction Fuzzy Hash: E501A1B1740205ABCB049B10CC42FEB73955F64740F14826AFD05AB3C2EABDED8186CE
                                        Uniqueness

                                        Uniqueness Score: -1.00%